211 lines
8.7 KiB
Python
211 lines
8.7 KiB
Python
# Python imports
|
|
import threading, subprocess, os
|
|
|
|
# Gtk imports
|
|
|
|
# Application imports
|
|
|
|
|
|
class CAGenerator:
|
|
"""Empty docstring for CAGenerator"""
|
|
ca_settings = """# ----------------------------- NOTE
|
|
# Remember to disable very bottom when generating first ca key and pem.
|
|
# Check notes at [ CA_default ] section as well!
|
|
# ----------------------------- NOTE
|
|
|
|
HOME = {}
|
|
RANDFILE = $ENV::HOME/.rnd
|
|
|
|
####################################################################
|
|
[ ca ]
|
|
default_ca = CA_default # The default ca section
|
|
|
|
[ CA_default ]
|
|
default_days = 3000 # How long to certify for
|
|
default_crl_days = 3000 # How long before next CRL
|
|
default_md = sha256 # Use public key default MD
|
|
preserve = no # Keep passed DN ordering
|
|
x509_extensions = ca_extensions # The extensions to add to the cert
|
|
email_in_dn = no # Don't concat the email in the DN
|
|
copy_extensions = copy # Required to copy SANs from CSR to cert
|
|
|
|
# ca_default_additional_block_marker
|
|
|
|
####################################################################
|
|
[ req ]
|
|
default_bits = 4096
|
|
default_keyfile = cakey.pem
|
|
distinguished_name = ca_distinguished_name
|
|
x509_extensions = ca_extensions
|
|
string_mask = utf8only
|
|
|
|
|
|
####################################################################
|
|
[ ca_distinguished_name ]
|
|
countryName = Country Name (2 letter code)
|
|
countryName_default = {}
|
|
stateOrProvinceName = State or Province Name (full name eg, 'North Carolina')
|
|
stateOrProvinceName_default = {}
|
|
localityName = Locality/City Name (full name eg, 'Durham')
|
|
localityName_default = {}
|
|
organizationName = Organization Name (eg, company 'Microsoft')
|
|
organizationName_default = {}
|
|
organizationalUnitName = Organizational Unit (eg, division)
|
|
organizationalUnitName_default = {}
|
|
commonName = Common Name (e.g. server FQDN or YOUR name)
|
|
commonName_default = {}
|
|
emailAddress = Email Address (eg, 'no-reply@microsoft.com')
|
|
emailAddress_default = {}
|
|
|
|
|
|
####################################################################
|
|
[ ca_extensions ]
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always, issuer
|
|
basicConstraints = critical, CA:true
|
|
keyUsage = keyCertSign, cRLSign
|
|
|
|
# Extensions for a typical CA
|
|
# PKIX recommendation.
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always,issuer
|
|
basicConstraints = critical,CA:true
|
|
|
|
# Key usage: This is typical for a CA certificate. However since it will prevent
|
|
# it being used as an test self-signed certificate it is best left out by default.
|
|
# keyUsage = cRLSign, keyCertSign
|
|
|
|
# Some might want this also...
|
|
# nsCertType = sslCA, emailCA
|
|
|
|
# subjectAltName=email:copy # Include email address in subject alt name: another PKIX recommendation
|
|
# issuerAltName=issuer:copy # Copy issuer details
|
|
|
|
# DER hex encoding of an extension: Beware experts only!
|
|
# obj=DER:02:03 # Where 'obj' is a standard or added object
|
|
# basicConstraints= critical, DER:30:03:01:01:FF # You can even override a supported extension.
|
|
|
|
|
|
####################################################################
|
|
[ crl_ext ]
|
|
# CRL extensions. Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
|
# issuerAltName = issuer:copy
|
|
authorityKeyIdentifier = keyid:always
|
|
|
|
|
|
####################################################################
|
|
[ proxy_cert_ext ]
|
|
# These extensions should be added when creating a proxy certificate
|
|
# This goes against PKIX guidelines but some CAs do it and some software
|
|
# requires this to avoid interpreting an end user certificate as a CA.
|
|
basicConstraints=CA:FALSE
|
|
|
|
# Here are some examples of the usage of nsCertType. If it is omitted
|
|
# the certificate can be used for anything *except* object signing.
|
|
# nsCertType = server # This is OK for an SSL server.
|
|
# nsCertType = objsign # For an object signing certificate this would be used.
|
|
# nsCertType = client, email # For normal client using this is typical.
|
|
# nsCertType = client, email, objsign # For everything including object signing.
|
|
|
|
# This is typical in keyUsage for a client certificate.
|
|
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
|
|
# This will be displayed in Netscape's comment listbox.
|
|
nsComment = 'OpenSSL Generated Certificate'
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid,issuer
|
|
|
|
# This stuff is for subjectAltName and issuerAltname.
|
|
# subjectAltName = email:copy # Import the email address.
|
|
# subjectAltName = email:move # An alternative to produce certificates that aren't deprecated according to PKIX.
|
|
# issuerAltName = issuer:copy # Copy subject details
|
|
|
|
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
|
#nsBaseUrl
|
|
#nsRevocationUrl
|
|
#nsRenewalUrl
|
|
#nsCaPolicyUrl
|
|
#nsSslServerName
|
|
|
|
# This really needs to be in place for it to be a proxy certificate.
|
|
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
|
|
|
|
|
####################################################################
|
|
[ tsa ]
|
|
default_tsa = tsa_config1 # The default TSA section (Which is set below...)
|
|
|
|
[ tsa_config1 ]
|
|
# These are used by the TSA reply generation only.
|
|
dir = /etc/ssl # TSA root directory
|
|
serial = $dir/tsaserial # The current serial number
|
|
crypto_device = builtin # OpenSSL engine to use for signing
|
|
signer_cert = $dir/tsacert.pem # The TSA signing certificate (optional)
|
|
certs = $dir/cacert.pem # Certificate chain to include in reply (optional)
|
|
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
|
|
signer_digest = sha256 # Signing digest to use. (optional)
|
|
default_policy = tsa_policy1 # Policy if request did not specify it (optional)
|
|
other_policies = tsa_policy2, tsa_policy3 # Acceptable policies (optional)
|
|
digests = sha1, sha256, sha384, sha512 # Acceptable message digests
|
|
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
|
|
clock_precision_digits = 0 # Number of digits after dot. (optional)
|
|
ordering = yes # Is ordering defined for timestamps? (optional, default: no)
|
|
tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no)
|
|
ess_cert_id_chain = no # Must the ESS cert id chain be included? (optional, default: no)
|
|
ess_cert_id_alg = sha1 # Algorithm to compute certificate identifier (optional, default: sha1)
|
|
|
|
# ca_signing_block_marker
|
|
"""
|
|
|
|
ca_default_additional_block = """base_dir = {}
|
|
certificate = $base_dir/cacert.pem # The CA certifcate
|
|
private_key = $base_dir/cakey.pem # The CA private key
|
|
new_certs_dir = $base_dir/signed_certs/ # Location for new certs after signing
|
|
database = $base_dir/index.txt # Database index file
|
|
serial = $base_dir/serial.txt # The current serial number
|
|
unique_subject = no # Set to 'no' to allow creation of several certificates with same subject.
|
|
"""
|
|
|
|
ca_signing_block = """####################################################################
|
|
[ signing_policy ]
|
|
countryName = optional
|
|
stateOrProvinceName = optional
|
|
localityName = optional
|
|
organizationName = optional
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
[ signing_req ]
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid,issuer
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = digitalSignature, keyEncipherment
|
|
"""
|
|
|
|
|
|
def step_1_create_ca_settings(self, path, data):
|
|
print("Step 1: Creating CA Settings...")
|
|
all_data = [path] + data
|
|
fpath = path + "/openssl-ca-settings.cnf"
|
|
output_str = self.ca_settings.format(*all_data)
|
|
|
|
with open(fpath, "w") as f:
|
|
f.write(output_str)
|
|
|
|
|
|
def step_2_create_signing_ca_settings(self, path, data):
|
|
print("Step 2: Creating Signing CA Settings...")
|
|
all_data = [path] + data
|
|
fpath = path + "/openssl-signing-ca-settings.cnf"
|
|
output_str = self.ca_settings.format(*all_data)
|
|
ca_block = self.ca_default_additional_block.format(path)
|
|
|
|
output_str = output_str.replace("# ca_default_additional_block_marker", ca_block)
|
|
output_str = output_str.replace("# ca_signing_block_marker", self.ca_signing_block)
|
|
|
|
with open(fpath, "w") as f:
|
|
f.write(output_str)
|