openmedialibrary/oml/node/cert.py

# -*- coding: utf-8 -*-

import hashlib
import os

import OpenSSL

import settings

def get_fingerprint():
    with open(settings.ssl_cert_path) as fd:
        data = fd.read()
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, data)
    return hashlib.sha256(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)).hexdigest()

def generate_ssl():
    key = OpenSSL.crypto.PKey()
    key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)
    with open(settings.ssl_key_path, 'wb') as fd:
        os.chmod(settings.ssl_key_path, 0o600)
        fd.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
        os.chmod(settings.ssl_key_path, 0o400)

    ca = OpenSSL.crypto.X509()
    ca.set_version(2)
    ca.set_serial_number(1)
    ca.get_subject().CN = settings.USER_ID
    ca.gmtime_adj_notBefore(0)
    ca.gmtime_adj_notAfter(24 * 60 * 60)
    ca.set_issuer(ca.get_subject())
    ca.set_pubkey(key)
    ca.add_extensions([
      OpenSSL.crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
      OpenSSL.crypto.X509Extension(b"nsCertType", True, b"sslCA"),
      OpenSSL.crypto.X509Extension(b"extendedKeyUsage", True,
        b"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"),
      OpenSSL.crypto.X509Extension(b"keyUsage", False, b"keyCertSign, cRLSign"),
      OpenSSL.crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),
    ])
    ca.sign(key, "sha1")
    with open(settings.ssl_cert_path, 'wb') as fd:
        fd.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
    return get_fingerprint()
meta 2014-05-14 09:57:11 +00:00			`# -- coding: utf-8 --`

			`import hashlib`
cleanup imports 2014-08-12 08:16:57 +00:00			`import os`

meta 2014-05-14 09:57:11 +00:00			`import OpenSSL`
cleanup imports 2014-08-12 08:16:57 +00:00
meta 2014-05-14 09:57:11 +00:00			`import settings`

			`def get_fingerprint():`
			`with open(settings.ssl_cert_path) as fd:`
			`data = fd.read()`
			`cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, data)`
support longer tls fingerprints 2014-09-05 23:44:17 +00:00			`return hashlib.sha256(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)).hexdigest()`
meta 2014-05-14 09:57:11 +00:00
			`def generate_ssl():`
			`key = OpenSSL.crypto.PKey()`
use tor hidden service instead of ed25515 as peer id 2015-11-26 00:26:10 +00:00			`key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)`
meta 2014-05-14 09:57:11 +00:00			`with open(settings.ssl_key_path, 'wb') as fd:`
port to python3 2014-09-02 22:32:44 +00:00			`os.chmod(settings.ssl_key_path, 0o600)`
meta 2014-05-14 09:57:11 +00:00			`fd.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))`
port to python3 2014-09-02 22:32:44 +00:00			`os.chmod(settings.ssl_key_path, 0o400)`
meta 2014-05-14 09:57:11 +00:00
			`ca = OpenSSL.crypto.X509()`
			`ca.set_version(2)`
			`ca.set_serial_number(1)`
			`ca.get_subject().CN = settings.USER_ID`
			`ca.gmtime_adj_notBefore(0)`
			`ca.gmtime_adj_notAfter(24 * 60 * 60)`
			`ca.set_issuer(ca.get_subject())`
			`ca.set_pubkey(key)`
			`ca.add_extensions([`
more python3 fixes 2014-10-31 17:47:48 +00:00			`OpenSSL.crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),`
			`OpenSSL.crypto.X509Extension(b"nsCertType", True, b"sslCA"),`
			`OpenSSL.crypto.X509Extension(b"extendedKeyUsage", True,`
			`b"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"),`
			`OpenSSL.crypto.X509Extension(b"keyUsage", False, b"keyCertSign, cRLSign"),`
			`OpenSSL.crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),`
meta 2014-05-14 09:57:11 +00:00			`])`
			`ca.sign(key, "sha1")`
			`with open(settings.ssl_cert_path, 'wb') as fd:`
			`fd.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))`
			`return get_fingerprint()`