sha1 support checkpoint
[certmaster.git] / certmaster / certs.py
index 81409f3..5771691 100644 (file)
@@ -11,7 +11,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-# Copyright (c) 2007 Red Hat, inc 
+# Copyright (c) 2007 Red Hat, inc
 #- Written by Seth Vidal skvidal @ fedoraproject.org
 
 from OpenSSL import crypto
@@ -33,11 +33,11 @@ def make_keypair(dest=None):
         destfd = os.open(dest, os.O_RDWR|os.O_CREAT, 0600)
         os.write(destfd, (crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)))
         os.close(destfd)
-    
+
     return pkey
 
 
-def make_csr(pkey, dest=None, cn=None, hostname=None):
+def make_csr(pkey, dest=None, cn=None, hostname=None, emailaddr=None):
     req = crypto.X509Req()
     req.get_subject()
     subj  = req.get_subject()
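Review bot: The new `emailaddr` parameter added to `make_csr` is undocumented, and the function has no docstring at all, so a caller cannot tell from the signature that it overrides the subject's emailAddress and what the fallback is. I would add, directly under the `def` line, `"""Build and sign an X509 CSR for pkey. emailaddr, when given, becomes the subject emailAddress; otherwise root@<CN> is used."""` so the contract is visible where the parameter is declared. The body of make_csr continues past the end of this hunk.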
@@ -53,8 +53,11 @@ def make_csr(pkey, dest=None, cn=None, hostname=None):
     else:
         subj.CN = utils.gethostname()
 
-    subj.emailAddress = 'root@%s' % subj.CN       
-        
+    if emailaddr:
+        subj.emailAddress = emailaddr
+    else:
+        subj.emailAddress = 'root@%s' % subj.CN
+
     req.set_pubkey(pkey)
     req.sign(pkey, 'md5')
     if dest:
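Review bot: `req.sign(pkey, 'md5')` just below the new emailAddress branch still hard-codes MD5, while the same commit makes the CA and slave-certificate digests configurable with a `hash_function='sha256'` default, so every CSR this module produces, including the one create_ca builds for the CA itself, keeps an MD5 signature. MD5 is collision-broken and current OpenSSL builds reject MD5 signatures at their default security level, so these CSRs may fail signature verification on a modern peer. I would thread the same parameter through: `def make_csr(pkey, dest=None, cn=None, hostname=None, emailaddr=None, hash_function='sha256'):` (the signature line sits in the previous hunk) and `req.sign(pkey, hash_function)`. make_csr's body continues past the end of this hunk.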
@@ -71,7 +74,7 @@ def retrieve_key_from_file(keyfile):
     keypair = crypto.load_privatekey(crypto.FILETYPE_PEM, buf)
     return keypair
 
-    
+
 def retrieve_csr_from_file(csrfile):
     fo = open(csrfile, 'r')
     buf = fo.read()
@@ -86,7 +89,7 @@ def retrieve_cert_from_file(certfile):
     return cert
 
 
-def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_file=None):
+def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_file=None, hash_function='sha256'):
     cakey = make_keypair(dest=ca_key_file)
     careq = make_csr(cakey, cn=CN)
     cacert = crypto.X509()
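Review bot: The new `hash_function` parameter on `create_ca` is undocumented and nothing states which values are accepted or that the string goes straight to OpenSSL as a digest name. A short docstring under the `def` line would do: `"""Generate a self-signed CA key and certificate. hash_function is the OpenSSL digest name used for the certificate signature (default sha256)."""`. The body of create_ca continues into the next hunk.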
@@ -100,13 +103,13 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f
     xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
     # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
     cacert.add_extensions((xt,))
-    cacert.sign(cakey, 'sha1')
+    cacert.sign(cakey, hash_function)
     if ca_cert_file:
         destfo = open(ca_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
         destfo.close()
-                                           
+
+
 def _get_serial_number(cadir):
     serial = '%s/serial.txt' % cadir
     i = 1
@@ -115,11 +118,11 @@ def _get_serial_number(cadir):
         f = f.replace('\n','')
         try:
             i = int(f)
-            i+=1      
+            i+=1
         except ValueError, e:
             i = 1
-            
-    _set_serial_number(cadir, i)        
+
+    _set_serial_number(cadir, i)
     return i
 
 
@@ -128,9 +131,9 @@ def _set_serial_number(cadir, last):
     f = open(serial, 'w')
     f.write(str(last) + '\n')
     f.close()
-            
-        
-def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
+
+
+def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None, hash_function='sha256'):
     cert = crypto.X509()
     cert.set_serial_number(_get_serial_number(cadir))
     cert.gmtime_adj_notBefore(0)
@@ -139,10 +142,10 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
     cert.set_subject(csr.get_subject())
     cert.set_pubkey(csr.get_pubkey())
     cert.set_version(2)
-    xt = crypto.X509Extension('basicConstraints', False ,'CA:False')
-    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)    
-    cacert.add_extensions((xt,))
-    cert.sign(cakey, 'sha1')
+    xt = crypto.X509Extension('basicConstraints', False ,'CA:FALSE')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+    cert.add_extensions((xt,))
+    cert.sign(cakey, hash_function)
     if slave_cert_file:
         destfo = open(slave_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
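Review bot: `cert.sign(cakey, hash_function)` issues a CA-signed certificate for whatever subject and public key the CSR carries (the `set_subject`/`set_pubkey` context lines above), but nothing in this function verifies the CSR's own signature, so the CA never checks that the requester holds the private key matching the public key it is certifying. Unless the caller already does this, I would add `csr.verify(csr.get_pubkey())` before `cert.set_subject(csr.get_subject())`; pyOpenSSL raises when the CSR signature does not verify, so a forged request fails before a serial number is consumed. Moving basicConstraints onto `cert` instead of `cacert` and the `CA:FALSE` spelling look right. create_slave_certificate starts in the previous hunk and its body continues past the end of this one.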