def generateCertificateObjects(organization, organizationalUnit):
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 512)
req = crypto.X509Req()
subject = req.get_subject()
subject.O = organization
subject.OU = organizationalUnit
req.set_pubkey(pkey)
req.sign(pkey, "md5")
# Here comes the actual certificate
cert = crypto.X509()
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60) # Testing certificates need not be long lived
cert.set_issuer(req.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(pkey, "md5")
return pkey, req, cert
python类TYPE_RSA的实例源码
def create_ca():
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 2048)
ca = crypto.X509()
ca.set_version(2)
ca.set_serial_number(0)
subject = ca.get_subject()
subject.countryName = 'CN'
subject.stateOrProvinceName = 'Internet'
subject.localityName = 'Cernet'
subject.organizationName = ca_vendor
subject.organizationalUnitName = '%s Root' % ca_vendor
subject.commonName = '%s CA' % ca_vendor
#????????????????????
ca.gmtime_adj_notBefore(ca_time_b)
ca.gmtime_adj_notAfter(ca_time_a)
ca.set_issuer(subject)
ca.set_pubkey(pkey)
ca.add_extensions([
crypto.X509Extension(b'basicConstraints', True, b'CA:TRUE, pathlen:0'),
crypto.X509Extension(b'extendedKeyUsage', True, b'serverAuth,emailProtection,timeStamping'),
crypto.X509Extension(b'keyUsage', False, b'keyCertSign, cRLSign'),
crypto.X509Extension(b'subjectKeyIdentifier', False, b'hash', subject=ca), ])
ca.sign(pkey, ca_digest)
return pkey, ca
def setUp(self):
"""
Create a new private key and start a certificate request (for a test
method to finish in one way or another).
"""
# Basic setup stuff to generate a certificate
self.pkey = PKey()
self.pkey.generate_key(TYPE_RSA, 384)
self.req = X509Req()
self.req.set_pubkey(self.pkey)
# Authority good you have.
self.req.get_subject().commonName = "Yoda root CA"
self.x509 = X509()
self.subject = self.x509.get_subject()
self.subject.commonName = self.req.get_subject().commonName
self.x509.set_issuer(self.subject)
self.x509.set_pubkey(self.pkey)
now = datetime.now().strftime("%Y%m%d%H%M%SZ")
expire = (datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ")
self.x509.set_notBefore(now)
self.x509.set_notAfter(expire)
def test_set_passwd_cb(self):
"""
L{Context.set_passwd_cb} accepts a callable which will be invoked when
a private key is loaded from an encrypted PEM.
"""
key = PKey()
key.generate_key(TYPE_RSA, 128)
pemFile = self.mktemp()
fObj = file(pemFile, 'w')
passphrase = "foobar"
fObj.write(dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase))
fObj.close()
calledWith = []
def passphraseCallback(maxlen, verify, extra):
calledWith.append((maxlen, verify, extra))
return passphrase
context = Context(TLSv1_METHOD)
context.set_passwd_cb(passphraseCallback)
context.use_privatekey_file(pemFile)
self.assertTrue(len(calledWith), 1)
self.assertTrue(isinstance(calledWith[0][0], int))
self.assertTrue(isinstance(calledWith[0][1], int))
self.assertEqual(calledWith[0][2], None)
def makeCertificate(**kw):
keypair = PKey()
keypair.generate_key(TYPE_RSA, 1024)
certificate = X509()
certificate.gmtime_adj_notBefore(0)
certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year
for xname in certificate.get_issuer(), certificate.get_subject():
for (k, v) in kw.items():
setattr(xname, k, v)
certificate.set_serial_number(counter())
certificate.set_pubkey(keypair)
certificate.sign(keypair, "md5")
return keypair, certificate
def x509_data():
"""
Create a new private key and start a certificate request (for a test
to finish in one way or another).
"""
# Basic setup stuff to generate a certificate
pkey = PKey()
pkey.generate_key(TYPE_RSA, 384)
req = X509Req()
req.set_pubkey(pkey)
# Authority good you have.
req.get_subject().commonName = "Yoda root CA"
x509 = X509()
subject = x509.get_subject()
subject.commonName = req.get_subject().commonName
x509.set_issuer(subject)
x509.set_pubkey(pkey)
now = datetime.now()
expire = datetime.now() + timedelta(days=100)
x509.set_notBefore(now.strftime("%Y%m%d%H%M%SZ").encode())
x509.set_notAfter(expire.strftime("%Y%m%d%H%M%SZ").encode())
yield pkey, x509
def test_sign(self):
"""
`X509Req.sign` succeeds when passed a private key object and a
valid digest function. `X509Req.verify` can be used to check
the signature.
"""
request = self.signable()
key = PKey()
key.generate_key(TYPE_RSA, 512)
request.set_pubkey(key)
request.sign(key, GOOD_DIGEST)
# If the type has a verify method, cover that too.
if getattr(request, 'verify', None) is not None:
pub = request.get_pubkey()
assert request.verify(pub)
# Make another key that won't verify.
key = PKey()
key.generate_key(TYPE_RSA, 512)
with pytest.raises(Error):
request.verify(key)
def generate(self, passphrase: str = None, common_name=None, days=DEFAULT_CERT_VALIDITY, is_server=False):
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, self.key_length)
cert = crypto.X509()
# cert.get_subject().CN = common_name
cert.get_subject().commonName = common_name
cert.set_serial_number(random.randint(990000, 999999999999999999999999999))
cert.gmtime_adj_notBefore(-600)
cert.gmtime_adj_notAfter(int(datetime.timedelta(days=days).total_seconds()))
cert.set_issuer(self.ca_cert.get_subject())
cert.set_pubkey(k)
cert = self._add_extensions(cert, is_server)
cert.sign(self.ca_key, self.digest)
self.certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
if passphrase:
self.private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k, cipher="DES-EDE3-CBC", passphrase=passphrase.encode())
else:
self.private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k)
return self
def setUp(self):
"""
Create a new private key and start a certificate request (for a test
method to finish in one way or another).
"""
# Basic setup stuff to generate a certificate
self.pkey = PKey()
self.pkey.generate_key(TYPE_RSA, 384)
self.req = X509Req()
self.req.set_pubkey(self.pkey)
# Authority good you have.
self.req.get_subject().commonName = "Yoda root CA"
self.x509 = X509()
self.subject = self.x509.get_subject()
self.subject.commonName = self.req.get_subject().commonName
self.x509.set_issuer(self.subject)
self.x509.set_pubkey(self.pkey)
now = datetime.now().strftime("%Y%m%d%H%M%SZ")
expire = (datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ")
self.x509.set_notBefore(now)
self.x509.set_notAfter(expire)
def test_set_passwd_cb(self):
"""
L{Context.set_passwd_cb} accepts a callable which will be invoked when
a private key is loaded from an encrypted PEM.
"""
key = PKey()
key.generate_key(TYPE_RSA, 128)
pemFile = self.mktemp()
fObj = file(pemFile, 'w')
passphrase = "foobar"
fObj.write(dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase))
fObj.close()
calledWith = []
def passphraseCallback(maxlen, verify, extra):
calledWith.append((maxlen, verify, extra))
return passphrase
context = Context(TLSv1_METHOD)
context.set_passwd_cb(passphraseCallback)
context.use_privatekey_file(pemFile)
self.assertTrue(len(calledWith), 1)
self.assertTrue(isinstance(calledWith[0][0], int))
self.assertTrue(isinstance(calledWith[0][1], int))
self.assertEqual(calledWith[0][2], None)
def makeCertificate(**kw):
keypair = PKey()
keypair.generate_key(TYPE_RSA, 1024)
certificate = X509()
certificate.gmtime_adj_notBefore(0)
certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year
for xname in certificate.get_issuer(), certificate.get_subject():
for (k, v) in kw.items():
setattr(xname, k, v)
certificate.set_serial_number(counter())
certificate.set_pubkey(keypair)
certificate.sign(keypair, "md5")
return keypair, certificate
def setUp(self):
"""
Create a new private key and start a certificate request (for a test
method to finish in one way or another).
"""
super(X509ExtTests, self).setUp()
# Basic setup stuff to generate a certificate
self.pkey = PKey()
self.pkey.generate_key(TYPE_RSA, 384)
self.req = X509Req()
self.req.set_pubkey(self.pkey)
# Authority good you have.
self.req.get_subject().commonName = "Yoda root CA"
self.x509 = X509()
self.subject = self.x509.get_subject()
self.subject.commonName = self.req.get_subject().commonName
self.x509.set_issuer(self.subject)
self.x509.set_pubkey(self.pkey)
now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
expire = b((datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ"))
self.x509.set_notBefore(now)
self.x509.set_notAfter(expire)
def test_sign(self):
"""
:py:meth:`X509Req.sign` succeeds when passed a private key object and a valid
digest function. :py:meth:`X509Req.verify` can be used to check the signature.
"""
request = self.signable()
key = PKey()
key.generate_key(TYPE_RSA, 512)
request.set_pubkey(key)
request.sign(key, GOOD_DIGEST)
# If the type has a verify method, cover that too.
if getattr(request, 'verify', None) is not None:
pub = request.get_pubkey()
self.assertTrue(request.verify(pub))
# Make another key that won't verify.
key = PKey()
key.generate_key(TYPE_RSA, 512)
self.assertRaises(Error, request.verify, key)
def makeCertificate(**kw):
keypair = PKey()
keypair.generate_key(TYPE_RSA, 768)
certificate = X509()
certificate.gmtime_adj_notBefore(0)
certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year
for xname in certificate.get_issuer(), certificate.get_subject():
for (k, v) in kw.items():
setattr(xname, k, nativeString(v))
certificate.set_serial_number(counter())
certificate.set_pubkey(keypair)
certificate.sign(keypair, "md5")
return keypair, certificate
def setUp(self):
"""
Create a new private key and start a certificate request (for a test
method to finish in one way or another).
"""
super(X509ExtTests, self).setUp()
# Basic setup stuff to generate a certificate
self.pkey = PKey()
self.pkey.generate_key(TYPE_RSA, 384)
self.req = X509Req()
self.req.set_pubkey(self.pkey)
# Authority good you have.
self.req.get_subject().commonName = "Yoda root CA"
self.x509 = X509()
self.subject = self.x509.get_subject()
self.subject.commonName = self.req.get_subject().commonName
self.x509.set_issuer(self.subject)
self.x509.set_pubkey(self.pkey)
now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
expire = b((datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ"))
self.x509.set_notBefore(now)
self.x509.set_notAfter(expire)
def test_sign(self):
"""
:py:meth:`X509Req.sign` succeeds when passed a private key object and a valid
digest function. :py:meth:`X509Req.verify` can be used to check the signature.
"""
request = self.signable()
key = PKey()
key.generate_key(TYPE_RSA, 512)
request.set_pubkey(key)
request.sign(key, GOOD_DIGEST)
# If the type has a verify method, cover that too.
if getattr(request, 'verify', None) is not None:
pub = request.get_pubkey()
self.assertTrue(request.verify(pub))
# Make another key that won't verify.
key = PKey()
key.generate_key(TYPE_RSA, 512)
self.assertRaises(Error, request.verify, key)
def setUp(self):
"""
Create a new private key and start a certificate request (for a test
method to finish in one way or another).
"""
# Basic setup stuff to generate a certificate
self.pkey = PKey()
self.pkey.generate_key(TYPE_RSA, 384)
self.req = X509Req()
self.req.set_pubkey(self.pkey)
# Authority good you have.
self.req.get_subject().commonName = "Yoda root CA"
self.x509 = X509()
self.subject = self.x509.get_subject()
self.subject.commonName = self.req.get_subject().commonName
self.x509.set_issuer(self.subject)
self.x509.set_pubkey(self.pkey)
now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
expire = b((datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ"))
self.x509.set_notBefore(now)
self.x509.set_notAfter(expire)
def test_sign(self):
"""
L{X509Req.sign} succeeds when passed a private key object and a valid
digest function. C{X509Req.verify} can be used to check the signature.
"""
request = self.signable()
key = PKey()
key.generate_key(TYPE_RSA, 512)
request.set_pubkey(key)
request.sign(key, 'MD5')
# If the type has a verify method, cover that too.
if getattr(request, 'verify', None) is not None:
pub = request.get_pubkey()
self.assertTrue(request.verify(pub))
# Make another key that won't verify.
key = PKey()
key.generate_key(TYPE_RSA, 512)
self.assertRaises(Error, request.verify, key)
man_cert_setup.py 文件源码
项目:aws-greengrass-mini-fulfillment
作者: awslabs
项目源码
文件源码
阅读 21
收藏 0
点赞 0
评论 0
def create_group_cert(cli):
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048) # generate RSA key-pair
cert = crypto.X509()
cert.get_subject().countryName = "US"
cert.get_subject().stateOrProvinceName = "CA"
cert.get_subject().organizationName = "mini-fulfillment"
cert.get_subject().organizationalUnitName = "demo"
cert.get_subject().commonName = "mini-fulfillment"
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60) # 5 year expiry date
cert.set_issuer(cert.get_subject()) # self-sign this certificate
cert.set_pubkey(k)
san_list = ["IP:{0}".format(cli.ip_address)]
extension_list = [
crypto.X509Extension(type_name=b"basicConstraints",
critical=False, value=b"CA:false"),
crypto.X509Extension(type_name=b"subjectAltName",
critical=True, value=", ".join(san_list)),
# crypto.X509Extension(type_name=b"subjectKeyIdentifier",
# critical=True, value=b"hash")
]
cert.add_extensions(extension_list)
cert.sign(k, 'sha256')
prefix = str(cli.out_dir) + '/' + cli.group_name
open("{0}-server.crt".format(prefix), 'wt').write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open("{0}-server-private.key".format(prefix), 'wt').write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey=k))
open("{0}-server-public.key".format(prefix), 'wt').write(
crypto.dump_publickey(crypto.FILETYPE_PEM, pkey=k))
def generate_temporary_tls_certificate():
"""
generate an intentionally weak self-signed certificate
:param dst: destination file path for autogenerated server.pem
"""
from OpenSSL import crypto
import tempfile
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 1024)
cert = crypto.X509()
cert_subject = cert.get_subject()
cert_subject.C = "IO"
cert_subject.ST = "Striptls"
cert_subject.L = "Striptls"
cert_subject.O = "github.com/tintinweb"
cert_subject.OU = "github.com/tintinweb"
cert_subject.CN = "striptls.localhost.localdomain"
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(-32 * 24 * 60 * 60)
cert.gmtime_adj_notAfter(32 * 24 * 60 * 60)
cert.set_issuer(cert_subject)
cert.set_pubkey(key)
cert.sign(key, 'sha1')
tmp_fname = tempfile.mktemp(prefix="striptls-", suffix=".pem")
with open(tmp_fname, 'w') as f:
f.write('\n'.join([crypto.dump_certificate(crypto.FILETYPE_PEM, cert),
crypto.dump_privatekey(crypto.FILETYPE_PEM, key)]))
return tmp_fname
def generate_adhoc_ssl_pair(cn=None):
from random import random
crypto = _get_openssl_crypto_module()
# pretty damn sure that this is not actually accepted by anyone
if cn is None:
cn = '*'
cert = crypto.X509()
cert.set_serial_number(int(random() * sys.maxsize))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365)
subject = cert.get_subject()
subject.CN = cn
subject.O = 'Dummy Certificate'
issuer = cert.get_issuer()
issuer.CN = 'Untrusted Authority'
issuer.O = 'Self-Signed'
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 1024)
cert.set_pubkey(pkey)
cert.sign(pkey, 'md5')
return cert, pkey
def generate_adhoc_ssl_pair(cn=None):
from random import random
crypto = _get_openssl_crypto_module()
# pretty damn sure that this is not actually accepted by anyone
if cn is None:
cn = '*'
cert = crypto.X509()
cert.set_serial_number(int(random() * sys.maxsize))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365)
subject = cert.get_subject()
subject.CN = cn
subject.O = 'Dummy Certificate'
issuer = cert.get_issuer()
issuer.CN = 'Untrusted Authority'
issuer.O = 'Self-Signed'
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 1024)
cert.set_pubkey(pkey)
cert.sign(pkey, 'md5')
return cert, pkey
def generate_adhoc_ssl_pair(cn=None):
from random import random
crypto = _get_openssl_crypto_module()
# pretty damn sure that this is not actually accepted by anyone
if cn is None:
cn = '*'
cert = crypto.X509()
cert.set_serial_number(int(random() * sys.maxsize))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365)
subject = cert.get_subject()
subject.CN = cn
subject.O = 'Dummy Certificate'
issuer = cert.get_issuer()
issuer.CN = 'Untrusted Authority'
issuer.O = 'Self-Signed'
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 1024)
cert.set_pubkey(pkey)
cert.sign(pkey, 'md5')
return cert, pkey
def test_failedGeneration(self):
"""
L{PKeyType.generate_key} takes two arguments, the first giving the key
type as one of L{TYPE_RSA} or L{TYPE_DSA} and the second giving the
number of bits to generate. If an invalid type is specified or
generation fails, L{Error} is raised. If an invalid number of bits is
specified, L{ValueError} or L{Error} is raised.
"""
key = PKey()
self.assertRaises(TypeError, key.generate_key)
self.assertRaises(TypeError, key.generate_key, 1, 2, 3)
self.assertRaises(TypeError, key.generate_key, "foo", "bar")
self.assertRaises(Error, key.generate_key, -1, 0)
self.assertRaises(ValueError, key.generate_key, TYPE_RSA, -1)
self.assertRaises(ValueError, key.generate_key, TYPE_RSA, 0)
# XXX RSA generation for small values of bits is fairly buggy in a wide
# range of OpenSSL versions. I need to figure out what the safe lower
# bound for a reasonable number of OpenSSL versions is and explicitly
# check for that in the wrapper. The failure behavior is typically an
# infinite loop inside OpenSSL.
# self.assertRaises(Error, key.generate_key, TYPE_RSA, 2)
# XXX DSA generation seems happy with any number of bits. The DSS
# says bits must be between 512 and 1024 inclusive. OpenSSL's DSA
# generator doesn't seem to care about the upper limit at all. For
# the lower limit, it uses 512 if anything smaller is specified.
# So, it doesn't seem possible to make generate_key fail for
# TYPE_DSA with a bits argument which is at least an int.
# self.assertRaises(Error, key.generate_key, TYPE_DSA, -7)
def test_rsaGeneration(self):
"""
L{PKeyType.generate_key} generates an RSA key when passed
L{TYPE_RSA} as a type and a reasonable number of bits.
"""
bits = 128
key = PKey()
key.generate_key(TYPE_RSA, bits)
self.assertEqual(key.type(), TYPE_RSA)
self.assertEqual(key.bits(), bits)
def test_regeneration(self):
"""
L{PKeyType.generate_key} can be called multiple times on the same
key to generate new keys.
"""
key = PKey()
for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]:
key.generate_key(type, bits)
self.assertEqual(key.type(), type)
self.assertEqual(key.bits(), bits)
def test_signWithPublicKey(self):
"""
L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no
private part as the signing key.
"""
request = self.signable()
key = PKey()
key.generate_key(TYPE_RSA, 512)
request.set_pubkey(key)
pub = request.get_pubkey()
self.assertRaises(ValueError, request.sign, pub, 'MD5')
def inspect(self):
t = self.original.type()
if t == crypto.TYPE_RSA:
ts = 'RSA'
elif t == crypto.TYPE_DSA:
ts = 'DSA'
else:
ts = '(Unknown Type!)'
L = (self.original.bits(), ts, self.keyHash())
return '%s-bit %s Key Pair with Hash: %s' % L
def generate(Class, kind=crypto.TYPE_RSA, size=1024):
pkey = crypto.PKey()
pkey.generate_key(kind, size)
return Class(pkey)
def generateCertificateObjects(organization, organizationalUnit):
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 512)
req = crypto.X509Req()
subject = req.get_subject()
subject.O = organization
subject.OU = organizationalUnit
req.set_pubkey(pkey)
req.sign(pkey, "md5")
# Here comes the actual certificate
cert = crypto.X509()
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60) # Testing certificates need not be long lived
cert.set_issuer(req.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(pkey, "md5")
return pkey, req, cert
