
Add x509 extensions for dnsName and nsComment.

Many utilities that could use certmaster certs follow rules laid
out in RFC3280. At the moment I'm working on integrating rsyslog
TLS with mutual authentication. Certmaster certs currently only
work in "anon" mode where encryption is achieved, but no
authentication is performed.

To that end, this patch implements a function _build_extension_list(),
now used by both create_ca() and create_slave_certificate(), that
attempts to add the extensions to the cert before signing.

subjectKeyIdentifier will be explored in a subsequent patch.

Signed-off-by: Al Tobey <tobert@gmail.com>
1 parent c11b1ba commit 21b55436bc7e9f154c637a4213266e67aa0b6577 @tobert committed Mar 25, 2011
Showing with 26 additions and 10 deletions.
  1. +1 −1 certmaster/certmaster.py
  2. +25 −9 certmaster/certs.py
@@ -72,7 +72,7 @@ def __init__(self, conf_file=CERTMASTER_CONFIG):
if not os.path.exists(self.cfg.cadir):
os.makedirs(self.cfg.cadir)
if not os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
- certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file)
+ certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file, dnsname=usename)
except (IOError, OSError), e:
print 'Cannot make certmaster certificate authority keys/certs, aborting: %s' % e
sys.exit(1)
@@ -88,8 +88,30 @@ def retrieve_cert_from_file(certfile):
cert = crypto.load_certificate(crypto.FILETYPE_PEM, buf)
return cert
+def _build_extension_list(cert, dnsname=None, ca_enabled=False):
+ subject = cert.get_subject()
+ extensions = []
-def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_file=None):
+ if ca_enabled is True:
+ extensions.append(crypto.X509Extension('basicConstraints', 1,'CA:TRUE'))
+ else:
+ extensions.append(crypto.X509Extension('basicConstraints', 1,'CA:FALSE'))
+
+ if dnsname is None:
+ dnsname = subject.CN
+
+ # modeled after StoneVPN/app.py
+ try:
+ extensions.append(crypto.X509Extension('nsComment', 0, "Created by certmaster."))
+ # set dnsName to commonName, which certmaster sets to the hostname
+ extensions.append(crypto.X509Extension('subjectAltName', 0, "DNS:%s" % dnsname))
+ # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+ except ValueError:
+ print "Your version of pyOpenSSL does not support x509Extension properly. Try >= 0.9."
+
+ return extensions
+
+def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_file=None, dnsname=None):
cakey = make_keypair(dest=ca_key_file)
careq = make_csr(cakey, cn=CN)
cacert = crypto.X509()
@@ -100,16 +122,13 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f
cacert.set_subject(careq.get_subject())
cacert.set_pubkey(careq.get_pubkey())
cacert.set_version(2)
- xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
- # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
- cacert.add_extensions((xt,))
+ cacert.add_extensions(_build_extension_list(cert=cacert, dnsname=dnsname, ca_enabled=True))
cacert.sign(cakey, 'sha1')
if ca_cert_file:
destfo = open(ca_cert_file, 'w')
destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
destfo.close()
-
def _get_serial_number(cadir):
serial = '%s/serial.txt' % cadir
i = 1
@@ -132,7 +151,6 @@ def _set_serial_number(cadir, last):
f.write(str(last) + '\n')
f.close()
-
def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
cert = crypto.X509()
cert.set_serial_number(_get_serial_number(cadir))
@@ -142,9 +160,7 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
cert.set_subject(csr.get_subject())
cert.set_pubkey(csr.get_pubkey())
cert.set_version(2)
- xt = crypto.X509Extension('basicConstraints', False ,'CA:FALSE')
- # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
- cert.add_extensions((xt,))
+ cert.add_extensions(_build_extension_list(cert=cert))
cert.sign(cakey, 'sha1')
if slave_cert_file:
destfo = open(slave_cert_file, 'w')
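Review bot: In _build_extension_list (first hunk of this section) the `except ValueError:` branch prints to stdout and then returns the partial list, so create_ca and create_slave_certificate go on to sign a certificate that silently lacks subjectAltName and nsComment, and the same branch also masks a ValueError raised for a malformed dnsname rather than only an old pyOpenSSL. Re-raise instead of printing, e.g. `except ValueError, e:` / `raise ValueError("cannot build x509 extensions (pyOpenSSL >= 0.9 needed?): %s" % e)`, so no caller ends up with a cert that cannot serve the mutual authentication the commit message is after. The fallback `dnsname = subject.CN` also applies to the CA: create_ca defaults CN to "Certmaster Certificate Authority" and dnsname to None, which yields `DNS:Certmaster Certificate Authority`, not a hostname (OpenSSL does not appear to validate DNS-name syntax here, so it would be written into the cert as-is); only add subjectAltName when a dnsname is explicitly given, or document that CN is expected to be a hostname. Minor style: `if ca_enabled is True:` reads better as `if ca_enabled:`, and the helper deserves a docstring stating that the returned list is meant for X509.add_extensions() before sign() and that basicConstraints is now marked critical for slave certs too (the removed line used False). For the rsyslog use case nothing here sets keyUsage or extendedKeyUsage, which some TLS stacks check for client/server authentication; worth noting in the existing FIXME.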
