tyler.durden
/
PyKMIP
mirror of https://github.com/OpenKMIP/PyKMIP.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add a certificate creation script 

This change adds a certificate creation script to the library bin,
allowing for easy creation of root CA, server, and various client
certificates. The resulting certificates can be used for testing
and the script itself can be adapted to generate any certificates
needed by users or PyKMIP deployers.
This commit is contained in:
Peter Hamilton 2018-04-02 10:13:29 -04:00
parent 6bda8ec999
commit 0c8f39e069
1 changed files with 203 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

203
bin/create_certificates.py Executable file
View File

@ -0,0 +1,203 @@
#!/usr/bin/env python
from cryptography import x509
from cryptography.hazmat import backends
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
import datetime
def create_rsa_private_key(key_size=2048, public_exponent=65537):
private_key = rsa.generate_private_key(
public_exponent=public_exponent,
key_size=key_size,
backend=backends.default_backend()
)
return private_key
def create_self_signed_certificate(subject_name, private_key, days_valid=365):
subject = x509.Name([
x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Test, Inc."),
x509.NameAttribute(x509.NameOID.COMMON_NAME, subject_name)
])
certificate = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
subject
).public_key(
private_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=days_valid)
).sign(private_key, hashes.SHA256(), backends.default_backend())
return certificate
def create_certificate(subject_name,
private_key,
signing_certificate,
signing_key,
days_valid=365,
client_auth=False):
subject = x509.Name([
x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Test, Inc."),
x509.NameAttribute(x509.NameOID.COMMON_NAME, subject_name)
])
builder = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
signing_certificate.subject
).public_key(
private_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=days_valid)
)
if client_auth:
builder = builder.add_extension(
x509.ExtendedKeyUsage([x509.ExtendedKeyUsageOID.CLIENT_AUTH]),
critical=True
)
certificate = builder.sign(
signing_key,
hashes.SHA256(),
backends.default_backend()
)
return certificate
def main():
root_key = create_rsa_private_key()
root_certificate = create_self_signed_certificate(
u"Root CA",
root_key
)
server_key = create_rsa_private_key()
server_certificate = create_certificate(
u"Server Certificate",
server_key,
root_certificate,
root_key
)
john_doe_client_key = create_rsa_private_key()
john_doe_client_certificate = create_certificate(
u"John Doe",
john_doe_client_key,
root_certificate,
root_key,
client_auth=True
)
jane_doe_client_key = create_rsa_private_key()
jane_doe_client_certificate = create_certificate(
u"Jane Doe",
jane_doe_client_key,
root_certificate,
root_key,
client_auth=True
)
john_smith_client_key = create_rsa_private_key()
john_smith_client_certificate = create_certificate(
u"John Smith",
john_smith_client_key,
root_certificate,
root_key,
client_auth=True
)
jane_smith_client_key = create_rsa_private_key()
jane_smith_client_certificate = create_certificate(
u"Jane Smith",
jane_smith_client_key,
root_certificate,
root_key,
)
with open("root_key.pem", "w") as f:
f.write(root_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
with open("root_certificate.pem", "w") as f:
f.write(
root_certificate.public_bytes(
serialization.Encoding.PEM
)
)
with open("server_key.pem", "w") as f:
f.write(server_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
with open("server_certificate.pem", "w") as f:
f.write(
server_certificate.public_bytes(
serialization.Encoding.PEM
)
)
with open("client_key_john_doe.pem", "w") as f:
f.write(john_doe_client_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
with open("client_certificate_john_doe.pem", "w") as f:
f.write(
john_doe_client_certificate.public_bytes(
serialization.Encoding.PEM
)
)
with open("client_key_jane_doe.pem", "w") as f:
f.write(jane_doe_client_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
with open("client_certificate_jane_doe.pem", "w") as f:
f.write(
jane_doe_client_certificate.public_bytes(
serialization.Encoding.PEM
)
)
with open("client_key_john_smith.pem", "w") as f:
f.write(john_smith_client_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
with open("client_certificate_john_smith.pem", "w") as f:
f.write(
john_smith_client_certificate.public_bytes(
serialization.Encoding.PEM
)
)
with open("client_key_jane_smith.pem", "w") as f:
f.write(jane_smith_client_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
with open("client_certificate_jane_smith.pem", "w") as f:
f.write(
jane_smith_client_certificate.public_bytes(
serialization.Encoding.PEM
)
)
if __name__ == '__main__':
main()