diff --git a/peerlink/settings.py b/peerlink/settings.py
index 6e0e677..9791bf7 100644
--- a/peerlink/settings.py
+++ b/peerlink/settings.py
@@ -46,8 +46,8 @@ ENCODING='base64'
 USER_ID = vk.to_ascii(encoding=ENCODING)
 if not os.path.exists(tls_cert_path):
- import utils
- server['cert'] = utils.create_tls_certificate()
+ from tls import create_certificate
+ server['cert'] = create_certificate(tls_key_path, tls_cert_path, USER_ID)
 VERSION="0.0"
 USER_AGENT = 'PeerLink/%s' % VERSION
diff --git a/peerlink/tls.py b/peerlink/tls.py
new file mode 100644
index 0000000..410df9f
--- /dev/null
+++ b/peerlink/tls.py
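Review bot: The guard in the settings.py hunk tests only tls_cert_path, but create_certificate also rewrites tls_key_path and opens it with 'wb' before relaxing the 0400 mode it left behind, so a host with a stale key file and a missing certificate will, for a non-root user, fail with a permission error instead of regenerating. Checking both paths, `if not (os.path.exists(tls_cert_path) and os.path.exists(tls_key_path)):`, makes the intent explicit, and a leftover key should be removed or re-permissioned before the call. It is not visible in this hunk whether server['cert'] is populated from the existing certificate when the guard is false; if it is not, `get_fingerprint(tls_cert_path)` is the value to assign on that path.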
@@ -0,0 +1,39 @@
+import hashlib
+import os
+import OpenSSL
+
+# tls utils
+def get_fingerprint(tls_cert_path):
+ with open(tls_cert_path, 'rb') as fd:
+ data = fd.read()
+ cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, data)
+ return hashlib.sha1(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)).hexdigest()
+
+def create_certificate(tls_key_path, tls_cert_path, USER_ID):
+ key = OpenSSL.crypto.PKey()
+ key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
+ with open(tls_key_path, 'wb') as fd:
+ os.chmod(tls_key_path, 0600)
+ fd.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
+ os.chmod(tls_key_path, 0400)
+
+ ca = OpenSSL.crypto.X509()
+ ca.set_version(2)
+ ca.set_serial_number(1)
+ ca.get_subject().CN = USER_ID
+ ca.gmtime_adj_notBefore(0)
+ ca.gmtime_adj_notAfter(24 * 60 * 60)
+ ca.set_issuer(ca.get_subject())
+ ca.set_pubkey(key)
+ ca.add_extensions([
+ OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
+ OpenSSL.crypto.X509Extension("nsCertType", True, "sslCA"),
+ OpenSSL.crypto.X509Extension("extendedKeyUsage", True,
+ "serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"),
+ OpenSSL.crypto.X509Extension("keyUsage", False, "keyCertSign, cRLSign"),
+ OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
+ ])
+ ca.sign(key, "sha1")
+ with open(tls_cert_path, 'wb') as fd:
+ fd.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
+ return get_fingerprint(tls_cert_path)
diff --git a/peerlink/utils.py b/peerlink/utils.py
index 37f5434..4c3ab35 100644
--- a/peerlink/utils.py
+++ b/peerlink/utils.py
@@ -4,15 +4,12 @@ from __future__ import division
 from functools import wraps
 from threading import Thread
-import hashlib
-import os
 import socket
 import subprocess
 import sys
 from urlparse import urlparse
 import ed25519
-import OpenSSL
 import settings
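Review bot: The private key in create_certificate is created through `open(tls_key_path, 'wb')` under the process umask and only tightened to 0600 by the chmod on the following line, so the file can briefly exist with wider permissions than intended; creating it with `os.open(tls_key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` sets the mode at creation instead. The certificate is also signed with `ca.sign(key, "sha1")`; SHA-1 certificate signatures are rejected by current TLS stacks, and `"sha256"` is a drop-in replacement that does not change the fingerprint format. get_fingerprint hashes the DER with SHA-1 as well, which is presumably the value exchanged with peers, so moving that to SHA-256 is a protocol-compatibility decision rather than a local fix. The `CA:TRUE` basic constraint and the long extendedKeyUsage list are broader than a self-signed peer identity appears to need, but whether anything relies on them is not visible here. Both functions are contained in full in this hunk.
```python
def create_certificate(tls_key_path, tls_cert_path, USER_ID):
    key = OpenSSL.crypto.PKey()
    key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
    # Create the key file with mode 0600 from the start rather than
    # open()-then-chmod(), which leaves a window at the umask default.
    key_fd = os.open(tls_key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
    with os.fdopen(key_fd, 'wb') as fd:
        fd.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
    os.chmod(tls_key_path, 0400)
    # … unchanged: X509 subject, validity and extension setup …
    ca.sign(key, "sha256")
    # … unchanged: write the PEM certificate and return its fingerprint …
```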
@@ -98,38 +95,3 @@ def valid(key, value, sig):
 return False
 return True
-# tls utils
-def get_fingerprint():
- with open(settings.tls_cert_path) as fd:
- data = fd.read()
- cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, data)
- return hashlib.sha1(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)).hexdigest()
-
-def create_tls_certificate():
- key = OpenSSL.crypto.PKey()
- key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
- with open(settings.tls_key_path, 'wb') as fd:
- os.chmod(settings.tls_key_path, 0600)
- fd.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
- os.chmod(settings.tls_key_path, 0400)
-
- ca = OpenSSL.crypto.X509()
- ca.set_version(2)
- ca.set_serial_number(1)
- ca.get_subject().CN = settings.USER_ID
- ca.gmtime_adj_notBefore(0)
- ca.gmtime_adj_notAfter(24 * 60 * 60)
- ca.set_issuer(ca.get_subject())
- ca.set_pubkey(key)
- ca.add_extensions([
- OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
- OpenSSL.crypto.X509Extension("nsCertType", True, "sslCA"),
- OpenSSL.crypto.X509Extension("extendedKeyUsage", True,
- "serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"),
- OpenSSL.crypto.X509Extension("keyUsage", False, "keyCertSign, cRLSign"),
- OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
- ])
- ca.sign(key, "sha1")
- with open(settings.tls_cert_path, 'wb') as fd:
- fd.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
- return get_fingerprint()