| 
									
										
										
										
											2010-10-08 23:06:24 +00:00
										 |  |  | """Make the custom certificate and private key files used by test_ssl
 | 
					
						
							|  |  |  | and friends."""
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import os | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  | import shutil | 
					
						
							| 
									
										
										
										
											2010-10-08 23:06:24 +00:00
										 |  |  | import sys | 
					
						
							|  |  |  | import tempfile | 
					
						
							|  |  |  | from subprocess import * | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | req_template = """
 | 
					
						
							|  |  |  |     [req] | 
					
						
							|  |  |  |     distinguished_name     = req_distinguished_name | 
					
						
							|  |  |  |     x509_extensions        = req_x509_extensions | 
					
						
							|  |  |  |     prompt                 = no | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     [req_distinguished_name] | 
					
						
							|  |  |  |     C                      = XY | 
					
						
							|  |  |  |     L                      = Castle Anthrax | 
					
						
							|  |  |  |     O                      = Python Software Foundation | 
					
						
							|  |  |  |     CN                     = {hostname} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     [req_x509_extensions] | 
					
						
							|  |  |  |     subjectAltName         = DNS:{hostname} | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |     [ ca ] | 
					
						
							|  |  |  |     default_ca      = CA_default | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     [ CA_default ] | 
					
						
							|  |  |  |     dir = cadir | 
					
						
							|  |  |  |     database  = $dir/index.txt | 
					
						
							|  |  |  |     default_md = sha1 | 
					
						
							|  |  |  |     default_days = 3600 | 
					
						
							|  |  |  |     certificate = pycacert.pem | 
					
						
							|  |  |  |     private_key = pycakey.pem | 
					
						
							|  |  |  |     serial    = $dir/serial | 
					
						
							|  |  |  |     RANDFILE  = $dir/.rand | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     policy          = policy_match | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     [ policy_match ] | 
					
						
							|  |  |  |     countryName             = match | 
					
						
							|  |  |  |     stateOrProvinceName     = optional | 
					
						
							|  |  |  |     organizationName        = match | 
					
						
							|  |  |  |     organizationalUnitName  = optional | 
					
						
							|  |  |  |     commonName              = supplied | 
					
						
							|  |  |  |     emailAddress            = optional | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     [ policy_anything ] | 
					
						
							|  |  |  |     countryName   = optional | 
					
						
							|  |  |  |     stateOrProvinceName = optional | 
					
						
							|  |  |  |     localityName    = optional | 
					
						
							|  |  |  |     organizationName  = optional | 
					
						
							|  |  |  |     organizationalUnitName  = optional | 
					
						
							|  |  |  |     commonName    = supplied | 
					
						
							|  |  |  |     emailAddress    = optional | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     [ v3_ca ] | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     subjectKeyIdentifier=hash | 
					
						
							|  |  |  |     authorityKeyIdentifier=keyid:always,issuer | 
					
						
							|  |  |  |     basicConstraints = CA:true | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-10-08 23:06:24 +00:00
										 |  |  |     """
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | here = os.path.abspath(os.path.dirname(__file__)) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  | def make_cert_key(hostname, sign=False): | 
					
						
							|  |  |  |     print("creating cert for " + hostname) | 
					
						
							| 
									
										
										
										
											2010-10-08 23:06:24 +00:00
										 |  |  |     tempnames = [] | 
					
						
							|  |  |  |     for i in range(3): | 
					
						
							|  |  |  |         with tempfile.NamedTemporaryFile(delete=False) as f: | 
					
						
							|  |  |  |             tempnames.append(f.name) | 
					
						
							|  |  |  |     req_file, cert_file, key_file = tempnames | 
					
						
							|  |  |  |     try: | 
					
						
							|  |  |  |         with open(req_file, 'w') as f: | 
					
						
							|  |  |  |             f.write(req_template.format(hostname=hostname)) | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  |         args = ['req', '-new', '-days', '3650', '-nodes', | 
					
						
							| 
									
										
										
										
											2010-10-08 23:06:24 +00:00
										 |  |  |                 '-newkey', 'rsa:1024', '-keyout', key_file, | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  |                 '-config', req_file] | 
					
						
							|  |  |  |         if sign: | 
					
						
							|  |  |  |             with tempfile.NamedTemporaryFile(delete=False) as f: | 
					
						
							|  |  |  |                 tempnames.append(f.name) | 
					
						
							|  |  |  |                 reqfile = f.name | 
					
						
							|  |  |  |             args += ['-out', reqfile ] | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         else: | 
					
						
							|  |  |  |             args += ['-x509', '-out', cert_file ] | 
					
						
							| 
									
										
										
										
											2010-10-08 23:06:24 +00:00
										 |  |  |         check_call(['openssl'] + args) | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |         if sign: | 
					
						
							|  |  |  |             args = ['ca', '-config', req_file, '-out', cert_file, '-outdir', 'cadir', | 
					
						
							|  |  |  |                     '-policy', 'policy_anything', '-batch', '-infiles', reqfile ] | 
					
						
							|  |  |  |             check_call(['openssl'] + args) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-10-08 23:06:24 +00:00
										 |  |  |         with open(cert_file, 'r') as f: | 
					
						
							|  |  |  |             cert = f.read() | 
					
						
							|  |  |  |         with open(key_file, 'r') as f: | 
					
						
							|  |  |  |             key = f.read() | 
					
						
							|  |  |  |         return cert, key | 
					
						
							|  |  |  |     finally: | 
					
						
							|  |  |  |         for name in tempnames: | 
					
						
							|  |  |  |             os.remove(name) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  | TMP_CADIR = 'cadir' | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | def unmake_ca(): | 
					
						
							|  |  |  |     shutil.rmtree(TMP_CADIR) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | def make_ca(): | 
					
						
							|  |  |  |     os.mkdir(TMP_CADIR) | 
					
						
							|  |  |  |     with open(os.path.join('cadir','index.txt'),'a+') as f: | 
					
						
							|  |  |  |         pass # empty file | 
					
						
							|  |  |  |     with open(os.path.join('cadir','index.txt.attr'),'w+') as f: | 
					
						
							|  |  |  |         f.write('unique_subject = no') | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     with tempfile.NamedTemporaryFile("w") as t: | 
					
						
							|  |  |  |         t.write(req_template.format(hostname='our-ca-server')) | 
					
						
							|  |  |  |         t.flush() | 
					
						
							|  |  |  |         with tempfile.NamedTemporaryFile() as f: | 
					
						
							|  |  |  |             args = ['req', '-new', '-days', '3650', '-extensions', 'v3_ca', '-nodes', | 
					
						
							|  |  |  |                     '-newkey', 'rsa:2048', '-keyout', 'pycakey.pem', | 
					
						
							|  |  |  |                     '-out', f.name, | 
					
						
							|  |  |  |                     '-subj', '/C=XY/L=Castle Anthrax/O=Python Software Foundation CA/CN=our-ca-server'] | 
					
						
							|  |  |  |             check_call(['openssl'] + args) | 
					
						
							|  |  |  |             args = ['ca', '-config', t.name, '-create_serial', | 
					
						
							|  |  |  |                     '-out', 'pycacert.pem', '-batch', '-outdir', TMP_CADIR, | 
					
						
							|  |  |  |                     '-keyfile', 'pycakey.pem', '-days', '3650', | 
					
						
							|  |  |  |                     '-selfsign', '-extensions', 'v3_ca', '-infiles', f.name ] | 
					
						
							|  |  |  |             check_call(['openssl'] + args) | 
					
						
							| 
									
										
										
										
											2010-10-08 23:06:24 +00:00
										 |  |  | 
 | 
					
						
							|  |  |  | if __name__ == '__main__': | 
					
						
							|  |  |  |     os.chdir(here) | 
					
						
							|  |  |  |     cert, key = make_cert_key('localhost') | 
					
						
							|  |  |  |     with open('ssl_cert.pem', 'w') as f: | 
					
						
							|  |  |  |         f.write(cert) | 
					
						
							|  |  |  |     with open('ssl_key.pem', 'w') as f: | 
					
						
							|  |  |  |         f.write(key) | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  |     print("password protecting ssl_key.pem in ssl_key.passwd.pem") | 
					
						
							|  |  |  |     check_call(['openssl','rsa','-in','ssl_key.pem','-out','ssl_key.passwd.pem','-des3','-passout','pass:somepass']) | 
					
						
							|  |  |  |     check_call(['openssl','rsa','-in','ssl_key.pem','-out','keycert.passwd.pem','-des3','-passout','pass:somepass']) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-10-08 23:06:24 +00:00
										 |  |  |     with open('keycert.pem', 'w') as f: | 
					
						
							|  |  |  |         f.write(key) | 
					
						
							|  |  |  |         f.write(cert) | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |     with open('keycert.passwd.pem', 'a+') as f: | 
					
						
							|  |  |  |         f.write(cert) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-10-13 10:36:15 +00:00
										 |  |  |     # For certificate matching tests | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  |     make_ca() | 
					
						
							| 
									
										
										
										
											2010-10-13 10:36:15 +00:00
										 |  |  |     cert, key = make_cert_key('fakehostname') | 
					
						
							|  |  |  |     with open('keycert2.pem', 'w') as f: | 
					
						
							|  |  |  |         f.write(key) | 
					
						
							|  |  |  |         f.write(cert) | 
					
						
							| 
									
										
										
										
											2013-01-05 21:20:29 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |     cert, key = make_cert_key('localhost', True) | 
					
						
							|  |  |  |     with open('keycert3.pem', 'w') as f: | 
					
						
							|  |  |  |         f.write(key) | 
					
						
							|  |  |  |         f.write(cert) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     cert, key = make_cert_key('fakehostname', True) | 
					
						
							|  |  |  |     with open('keycert4.pem', 'w') as f: | 
					
						
							|  |  |  |         f.write(key) | 
					
						
							|  |  |  |         f.write(cert) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     unmake_ca() | 
					
						
							|  |  |  |     print("\n\nPlease change the values in test_ssl.py, test_parse_cert function related to notAfter,notBefore and serialNumber") | 
					
						
							|  |  |  |     check_call(['openssl','x509','-in','keycert.pem','-dates','-serial','-noout']) |