EzyCA/src/signal_classes/mixins/CAGenerator.py


# Python imports
import threading, subprocess, os
# Gtk imports
# Application imports
class CAGenerator:
"""Empty docstring for CAGenerator"""
ca_settings = """# ----------------------------- NOTE
# Remember to disable very bottom when generating first ca key and pem.
# Check notes at [ CA_default ] section as well!
# ----------------------------- NOTE
HOME = {}
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 3000 # How long to certify for
default_crl_days = 3000 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
# ca_default_additional_block_marker
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = {}
stateOrProvinceName = State or Province Name (full name eg, 'North Carolina')
stateOrProvinceName_default = {}
localityName = Locality/City Name (full name eg, 'Durham')
localityName_default = {}
organizationName = Organization Name (eg, company 'Microsoft')
organizationName_default = {}
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = {}
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = {}
emailAddress = Email Address (eg, 'no-reply@microsoft.com')
emailAddress_default = {}
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
# Key usage: This is typical for a CA certificate. However since it will prevent
# it being used as an test self-signed certificate it is best left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also...
# nsCertType = sslCA, emailCA
# subjectAltName=email:copy # Include email address in subject alt name: another PKIX recommendation
# issuerAltName=issuer:copy # Copy issuer details
# DER hex encoding of an extension: Beware experts only!
# obj=DER:02:03 # Where 'obj' is a standard or added object
# basicConstraints= critical, DER:30:03:01:01:FF # You can even override a supported extension.
####################################################################
[ crl_ext ]
# CRL extensions. Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always
####################################################################
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# nsCertType = server # This is OK for an SSL server.
# nsCertType = objsign # For an object signing certificate this would be used.
# nsCertType = client, email # For normal client using this is typical.
# nsCertType = client, email, objsign # For everything including object signing.
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = 'OpenSSL Generated Certificate'
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# subjectAltName = email:copy # Import the email address.
# subjectAltName = email:move # An alternative to produce certificates that aren't deprecated according to PKIX.
# issuerAltName = issuer:copy # Copy subject details
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # The default TSA section (Which is set below...)
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = /etc/ssl # TSA root directory
serial = $dir/tsaserial # The current serial number
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (optional)
default_policy = tsa_policy1 # Policy if request did not specify it (optional)
other_policies = tsa_policy2, tsa_policy3 # Acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # Number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps? (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_alg = sha1 # Algorithm to compute certificate identifier (optional, default: sha1)
# ca_signing_block_marker
"""
ca_default_additional_block = """base_dir = {}
certificate = $base_dir/cacert.pem # The CA certifcate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir/signed_certs/ # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of several certificates with same subject.
"""
ca_signing_block = """####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
"""
def step_1_create_ca_settings(self, path, data):
print("Step 1: Creating CA Settings...")
all_data = [path] + data
fpath = path + "/openssl-ca-settings.cnf"
output_str = self.ca_settings.format(*all_data)
with open(fpath, "w") as f:
f.write(output_str)
def step_2_create_signing_ca_settings(self, path, data):
print("Step 2: Creating Signing CA Settings...")
all_data = [path] + data
fpath = path + "/openssl-signing-ca-settings.cnf"
output_str = self.ca_settings.format(*all_data)
ca_block = self.ca_default_additional_block.format(path)
output_str = output_str.replace("# ca_default_additional_block_marker", ca_block)
output_str = output_str.replace("# ca_signing_block_marker", self.ca_signing_block)
with open(fpath, "w") as f:
f.write(output_str)