我们从Python开源项目中,提取了以下50个代码示例,用于说明如何使用OpenSSL.crypto.TYPE_RSA。
def generateCertificateObjects(organization, organizationalUnit): pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 512) req = crypto.X509Req() subject = req.get_subject() subject.O = organization subject.OU = organizationalUnit req.set_pubkey(pkey) req.sign(pkey, "md5") # Here comes the actual certificate cert = crypto.X509() cert.set_serial_number(1) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60) # Testing certificates need not be long lived cert.set_issuer(req.get_subject()) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(pkey, "md5") return pkey, req, cert
def create_ca(): pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) ca = crypto.X509() ca.set_version(2) ca.set_serial_number(0) subject = ca.get_subject() subject.countryName = 'CN' subject.stateOrProvinceName = 'Internet' subject.localityName = 'Cernet' subject.organizationName = ca_vendor subject.organizationalUnitName = '%s Root' % ca_vendor subject.commonName = '%s CA' % ca_vendor #???????????????????? ca.gmtime_adj_notBefore(ca_time_b) ca.gmtime_adj_notAfter(ca_time_a) ca.set_issuer(subject) ca.set_pubkey(pkey) ca.add_extensions([ crypto.X509Extension(b'basicConstraints', True, b'CA:TRUE, pathlen:0'), crypto.X509Extension(b'extendedKeyUsage', True, b'serverAuth,emailProtection,timeStamping'), crypto.X509Extension(b'keyUsage', False, b'keyCertSign, cRLSign'), crypto.X509Extension(b'subjectKeyIdentifier', False, b'hash', subject=ca), ]) ca.sign(pkey, ca_digest) return pkey, ca
def setUp(self): """ Create a new private key and start a certificate request (for a test method to finish in one way or another). """ # Basic setup stuff to generate a certificate self.pkey = PKey() self.pkey.generate_key(TYPE_RSA, 384) self.req = X509Req() self.req.set_pubkey(self.pkey) # Authority good you have. self.req.get_subject().commonName = "Yoda root CA" self.x509 = X509() self.subject = self.x509.get_subject() self.subject.commonName = self.req.get_subject().commonName self.x509.set_issuer(self.subject) self.x509.set_pubkey(self.pkey) now = datetime.now().strftime("%Y%m%d%H%M%SZ") expire = (datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ") self.x509.set_notBefore(now) self.x509.set_notAfter(expire)
def test_set_passwd_cb(self): """ L{Context.set_passwd_cb} accepts a callable which will be invoked when a private key is loaded from an encrypted PEM. """ key = PKey() key.generate_key(TYPE_RSA, 128) pemFile = self.mktemp() fObj = file(pemFile, 'w') passphrase = "foobar" fObj.write(dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)) fObj.close() calledWith = [] def passphraseCallback(maxlen, verify, extra): calledWith.append((maxlen, verify, extra)) return passphrase context = Context(TLSv1_METHOD) context.set_passwd_cb(passphraseCallback) context.use_privatekey_file(pemFile) self.assertTrue(len(calledWith), 1) self.assertTrue(isinstance(calledWith[0][0], int)) self.assertTrue(isinstance(calledWith[0][1], int)) self.assertEqual(calledWith[0][2], None)
def makeCertificate(**kw): keypair = PKey() keypair.generate_key(TYPE_RSA, 1024) certificate = X509() certificate.gmtime_adj_notBefore(0) certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year for xname in certificate.get_issuer(), certificate.get_subject(): for (k, v) in kw.items(): setattr(xname, k, v) certificate.set_serial_number(counter()) certificate.set_pubkey(keypair) certificate.sign(keypair, "md5") return keypair, certificate
def x509_data(): """ Create a new private key and start a certificate request (for a test to finish in one way or another). """ # Basic setup stuff to generate a certificate pkey = PKey() pkey.generate_key(TYPE_RSA, 384) req = X509Req() req.set_pubkey(pkey) # Authority good you have. req.get_subject().commonName = "Yoda root CA" x509 = X509() subject = x509.get_subject() subject.commonName = req.get_subject().commonName x509.set_issuer(subject) x509.set_pubkey(pkey) now = datetime.now() expire = datetime.now() + timedelta(days=100) x509.set_notBefore(now.strftime("%Y%m%d%H%M%SZ").encode()) x509.set_notAfter(expire.strftime("%Y%m%d%H%M%SZ").encode()) yield pkey, x509
def test_sign(self): """ `X509Req.sign` succeeds when passed a private key object and a valid digest function. `X509Req.verify` can be used to check the signature. """ request = self.signable() key = PKey() key.generate_key(TYPE_RSA, 512) request.set_pubkey(key) request.sign(key, GOOD_DIGEST) # If the type has a verify method, cover that too. if getattr(request, 'verify', None) is not None: pub = request.get_pubkey() assert request.verify(pub) # Make another key that won't verify. key = PKey() key.generate_key(TYPE_RSA, 512) with pytest.raises(Error): request.verify(key)
def generate(self, passphrase: str = None, common_name=None, days=DEFAULT_CERT_VALIDITY, is_server=False): k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, self.key_length) cert = crypto.X509() # cert.get_subject().CN = common_name cert.get_subject().commonName = common_name cert.set_serial_number(random.randint(990000, 999999999999999999999999999)) cert.gmtime_adj_notBefore(-600) cert.gmtime_adj_notAfter(int(datetime.timedelta(days=days).total_seconds())) cert.set_issuer(self.ca_cert.get_subject()) cert.set_pubkey(k) cert = self._add_extensions(cert, is_server) cert.sign(self.ca_key, self.digest) self.certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) if passphrase: self.private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k, cipher="DES-EDE3-CBC", passphrase=passphrase.encode()) else: self.private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k) return self
def setUp(self): """ Create a new private key and start a certificate request (for a test method to finish in one way or another). """ super(X509ExtTests, self).setUp() # Basic setup stuff to generate a certificate self.pkey = PKey() self.pkey.generate_key(TYPE_RSA, 384) self.req = X509Req() self.req.set_pubkey(self.pkey) # Authority good you have. self.req.get_subject().commonName = "Yoda root CA" self.x509 = X509() self.subject = self.x509.get_subject() self.subject.commonName = self.req.get_subject().commonName self.x509.set_issuer(self.subject) self.x509.set_pubkey(self.pkey) now = b(datetime.now().strftime("%Y%m%d%H%M%SZ")) expire = b((datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ")) self.x509.set_notBefore(now) self.x509.set_notAfter(expire)
def test_sign(self): """ :py:meth:`X509Req.sign` succeeds when passed a private key object and a valid digest function. :py:meth:`X509Req.verify` can be used to check the signature. """ request = self.signable() key = PKey() key.generate_key(TYPE_RSA, 512) request.set_pubkey(key) request.sign(key, GOOD_DIGEST) # If the type has a verify method, cover that too. if getattr(request, 'verify', None) is not None: pub = request.get_pubkey() self.assertTrue(request.verify(pub)) # Make another key that won't verify. key = PKey() key.generate_key(TYPE_RSA, 512) self.assertRaises(Error, request.verify, key)
def makeCertificate(**kw): keypair = PKey() keypair.generate_key(TYPE_RSA, 768) certificate = X509() certificate.gmtime_adj_notBefore(0) certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year for xname in certificate.get_issuer(), certificate.get_subject(): for (k, v) in kw.items(): setattr(xname, k, nativeString(v)) certificate.set_serial_number(counter()) certificate.set_pubkey(keypair) certificate.sign(keypair, "md5") return keypair, certificate
def setUp(self): """ Create a new private key and start a certificate request (for a test method to finish in one way or another). """ # Basic setup stuff to generate a certificate self.pkey = PKey() self.pkey.generate_key(TYPE_RSA, 384) self.req = X509Req() self.req.set_pubkey(self.pkey) # Authority good you have. self.req.get_subject().commonName = "Yoda root CA" self.x509 = X509() self.subject = self.x509.get_subject() self.subject.commonName = self.req.get_subject().commonName self.x509.set_issuer(self.subject) self.x509.set_pubkey(self.pkey) now = b(datetime.now().strftime("%Y%m%d%H%M%SZ")) expire = b((datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ")) self.x509.set_notBefore(now) self.x509.set_notAfter(expire)
def test_sign(self): """ L{X509Req.sign} succeeds when passed a private key object and a valid digest function. C{X509Req.verify} can be used to check the signature. """ request = self.signable() key = PKey() key.generate_key(TYPE_RSA, 512) request.set_pubkey(key) request.sign(key, 'MD5') # If the type has a verify method, cover that too. if getattr(request, 'verify', None) is not None: pub = request.get_pubkey() self.assertTrue(request.verify(pub)) # Make another key that won't verify. key = PKey() key.generate_key(TYPE_RSA, 512) self.assertRaises(Error, request.verify, key)
def create_group_cert(cli): k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 2048) # generate RSA key-pair cert = crypto.X509() cert.get_subject().countryName = "US" cert.get_subject().stateOrProvinceName = "CA" cert.get_subject().organizationName = "mini-fulfillment" cert.get_subject().organizationalUnitName = "demo" cert.get_subject().commonName = "mini-fulfillment" cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60) # 5 year expiry date cert.set_issuer(cert.get_subject()) # self-sign this certificate cert.set_pubkey(k) san_list = ["IP:{0}".format(cli.ip_address)] extension_list = [ crypto.X509Extension(type_name=b"basicConstraints", critical=False, value=b"CA:false"), crypto.X509Extension(type_name=b"subjectAltName", critical=True, value=", ".join(san_list)), # crypto.X509Extension(type_name=b"subjectKeyIdentifier", # critical=True, value=b"hash") ] cert.add_extensions(extension_list) cert.sign(k, 'sha256') prefix = str(cli.out_dir) + '/' + cli.group_name open("{0}-server.crt".format(prefix), 'wt').write( crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) open("{0}-server-private.key".format(prefix), 'wt').write( crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey=k)) open("{0}-server-public.key".format(prefix), 'wt').write( crypto.dump_publickey(crypto.FILETYPE_PEM, pkey=k))
def generate_temporary_tls_certificate(): """ generate an intentionally weak self-signed certificate :param dst: destination file path for autogenerated server.pem """ from OpenSSL import crypto import tempfile key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, 1024) cert = crypto.X509() cert_subject = cert.get_subject() cert_subject.C = "IO" cert_subject.ST = "Striptls" cert_subject.L = "Striptls" cert_subject.O = "github.com/tintinweb" cert_subject.OU = "github.com/tintinweb" cert_subject.CN = "striptls.localhost.localdomain" cert.set_serial_number(1) cert.gmtime_adj_notBefore(-32 * 24 * 60 * 60) cert.gmtime_adj_notAfter(32 * 24 * 60 * 60) cert.set_issuer(cert_subject) cert.set_pubkey(key) cert.sign(key, 'sha1') tmp_fname = tempfile.mktemp(prefix="striptls-", suffix=".pem") with open(tmp_fname, 'w') as f: f.write('\n'.join([crypto.dump_certificate(crypto.FILETYPE_PEM, cert), crypto.dump_privatekey(crypto.FILETYPE_PEM, key)])) return tmp_fname
def generate_adhoc_ssl_pair(cn=None): from random import random crypto = _get_openssl_crypto_module() # pretty damn sure that this is not actually accepted by anyone if cn is None: cn = '*' cert = crypto.X509() cert.set_serial_number(int(random() * sys.maxsize)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) subject = cert.get_subject() subject.CN = cn subject.O = 'Dummy Certificate' issuer = cert.get_issuer() issuer.CN = 'Untrusted Authority' issuer.O = 'Self-Signed' pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 1024) cert.set_pubkey(pkey) cert.sign(pkey, 'md5') return cert, pkey
def test_failedGeneration(self): """ L{PKeyType.generate_key} takes two arguments, the first giving the key type as one of L{TYPE_RSA} or L{TYPE_DSA} and the second giving the number of bits to generate. If an invalid type is specified or generation fails, L{Error} is raised. If an invalid number of bits is specified, L{ValueError} or L{Error} is raised. """ key = PKey() self.assertRaises(TypeError, key.generate_key) self.assertRaises(TypeError, key.generate_key, 1, 2, 3) self.assertRaises(TypeError, key.generate_key, "foo", "bar") self.assertRaises(Error, key.generate_key, -1, 0) self.assertRaises(ValueError, key.generate_key, TYPE_RSA, -1) self.assertRaises(ValueError, key.generate_key, TYPE_RSA, 0) # XXX RSA generation for small values of bits is fairly buggy in a wide # range of OpenSSL versions. I need to figure out what the safe lower # bound for a reasonable number of OpenSSL versions is and explicitly # check for that in the wrapper. The failure behavior is typically an # infinite loop inside OpenSSL. # self.assertRaises(Error, key.generate_key, TYPE_RSA, 2) # XXX DSA generation seems happy with any number of bits. The DSS # says bits must be between 512 and 1024 inclusive. OpenSSL's DSA # generator doesn't seem to care about the upper limit at all. For # the lower limit, it uses 512 if anything smaller is specified. # So, it doesn't seem possible to make generate_key fail for # TYPE_DSA with a bits argument which is at least an int. # self.assertRaises(Error, key.generate_key, TYPE_DSA, -7)
def test_rsaGeneration(self): """ L{PKeyType.generate_key} generates an RSA key when passed L{TYPE_RSA} as a type and a reasonable number of bits. """ bits = 128 key = PKey() key.generate_key(TYPE_RSA, bits) self.assertEqual(key.type(), TYPE_RSA) self.assertEqual(key.bits(), bits)
def test_regeneration(self): """ L{PKeyType.generate_key} can be called multiple times on the same key to generate new keys. """ key = PKey() for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]: key.generate_key(type, bits) self.assertEqual(key.type(), type) self.assertEqual(key.bits(), bits)
def test_signWithPublicKey(self): """ L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no private part as the signing key. """ request = self.signable() key = PKey() key.generate_key(TYPE_RSA, 512) request.set_pubkey(key) pub = request.get_pubkey() self.assertRaises(ValueError, request.sign, pub, 'MD5')
def inspect(self): t = self.original.type() if t == crypto.TYPE_RSA: ts = 'RSA' elif t == crypto.TYPE_DSA: ts = 'DSA' else: ts = '(Unknown Type!)' L = (self.original.bits(), ts, self.keyHash()) return '%s-bit %s Key Pair with Hash: %s' % L
def generate(Class, kind=crypto.TYPE_RSA, size=1024): pkey = crypto.PKey() pkey.generate_key(kind, size) return Class(pkey)
def generate_adhoc_ssl_pair(cn=None): from random import random crypto = _get_openssl_crypto_module() # pretty damn sure that this is not actually accepted by anyone if cn is None: cn = '*' cert = crypto.X509() cert.set_serial_number(int(random() * sys.maxsize)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) subject = cert.get_subject() subject.CN = cn subject.O = 'Dummy Certificate' issuer = cert.get_issuer() issuer.CN = 'Untrusted Authority' issuer.O = 'Self-Signed' pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) cert.set_pubkey(pkey) cert.sign(pkey, 'sha256') return cert, pkey
def generateSSLCert(): if not os.path.exists(os.path.join(config.DATA_DIR, 'plexivity.key')) or not os.path.exists(os.path.join(config.DATA_DIR, 'plexivity.crt')): logger.warning("plexivity was started with ssl support but no cert was found, trying to generating cert and key now") try: from OpenSSL import crypto, SSL from socket import gethostname # create a key pair k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 1024) # create a self-signed cert cert = crypto.X509() cert.get_subject().C = "US" cert.get_subject().ST = "plex land" cert.get_subject().L = "plex land" cert.get_subject().O = "plexivity" cert.get_subject().OU = "plexivity" cert.get_subject().CN = gethostname() cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10*365*24*60*60) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) cert.sign(k, 'sha1') open(os.path.join(config.DATA_DIR, 'plexivity.crt'), "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) open(os.path.join(config.DATA_DIR, 'plexivity.key'), "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) logger.info("ssl cert and key generated and saved to: %s" % config.DATA_DIR) except: logger.error("unable to generate ssl key and cert")
def create_self_signed_cert(): """ If ssl.cert and ssl.key don't exist in config, create a new self-signed cert and keypair and write them into that directory. """ if not isfile(CERT_FILE) or not isfile(KEY_FILE): # create a key pair k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 4096) # create a self-signed certificate cert = crypto.X509() subj = cert.get_subject() subj.C = "DE" subj.ST = "Hessen" subj.L = "Darmstadt" subj.O = "github.com/BjoernPetersen/MusicBot" cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60) cert.set_issuer(subj) cert.set_pubkey(k) cert.sign(k, "sha256") with open(KEY_FILE, 'wb') as key_file: key_file.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) with open(CERT_FILE, 'wb') as cert_file: cert_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
def generate_adhoc_ssl_pair(cn=None): from random import random from OpenSSL import crypto # pretty damn sure that this is not actually accepted by anyone if cn is None: cn = '*' cert = crypto.X509() cert.set_serial_number(int(random() * sys.maxint)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) subject = cert.get_subject() subject.CN = cn subject.O = 'Dummy Certificate' issuer = cert.get_issuer() issuer.CN = 'Untrusted Authority' issuer.O = 'Self-Signed' pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 768) cert.set_pubkey(pkey) cert.sign(pkey, 'md5') return cert, pkey
def create_key_pair(self, bits=4096, type=crypto.TYPE_RSA): """ Create a key pair for use in PKI Arguments: bits - the number of bits to use in the private key type - the type of key (currently only crypto.TYPE_RSA supported) """ if bits % 1024 != 0 or bits < 2048 != 0: raise ValueError("This implementation requires a key size evenly divisible by 1024 and larger than 2048.") k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, bits) return k
def generate_self_signed_cert_pair(key_size, valid_for_days, signature_alg, subject): """Generate self signed certificate and key pair""" validate_cert_params(key_size, valid_for_days, signature_alg, subject) # generate key pair key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, key_size) # generate certificate cert = crypto.X509() cert.get_subject().C = subject.get(CERT_SUBJECT_COUNTRY, 'US') cert.get_subject().ST = subject.get(CERT_SUBJECT_STATE, 'California') cert.get_subject().O = subject.get(CERT_SUBJECT_ORG, 'MyOrg') cert.get_subject().OU = subject.get(CERT_SUBJECT_UNIT, 'MyUnit') cert.get_subject().CN = subject.get(CERT_SUBJECT_HOST, 'myorg.com') cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(valid_for_days * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) cert.set_pubkey(key) cert.set_serial_number(int(time())) cert.sign(key, signature_alg) return cert, key
def generate_csr_and_key(user='TestUser'): """ TestUser is the user proposed by the documentation, which will be ignored """ key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, 1024) req = crypto.X509Req() req.get_subject().CN = user req.set_pubkey(key) req.sign(key, "sha1") # print("CSR", key, req) return key, req
def certificateUpdate(): print art print "\nCertificate Update Script - Block SSL\n" # create a key pair or use the old one ans = raw_input("Do you have your old keys.key file with your key pair? [Y]es [N]o, default: [Y]\n") if ans == "n" or ans == "N": k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 1024) print "Creating a new key pair:" print "Warning: This is a pseudo-random generation.\n" else: print "Place your keys.key file in the scripts directory.\n" k = crypto.PKey() with open("keys.key", "r") as k: k = crypto.load_privatekey(crypto.FILETYPE_PEM, k.read()) # create a self-signed cert cert = crypto.X509() createCert(k, cert) open("certificate.crt", "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) print "\nCertificate created in file: certificate.crt" if ans == "n" or ans == "N": open("keys.key", "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) print "\nKeys saved in file: keys.key\n" ans2 = raw_input("Do you want to send your certificate to the blockchain? [Y]es [N]o, default: [Y]") if ans2 == "Y" or ans2 == "y" or ans2 == "" or ans2 == " ": i = 2 sendCertificate(i) sys.exit()
def certificateUpdate(): print art print "\nCertificate Update Script - Block SSL\n" # create a key pair or use the old one ans = raw_input("Do you have your old keys.key file with your key pair? [Y]es [N]o, default: [Y]\n") if ans == "n" or ans == "N": k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 4096) print "Creating a new key pair:" print "Warning: This is a pseudo-random generation.\n" else: print "Place your keys.key file in the scripts directory.\n" k = crypto.PKey() with open("keys.key", "r") as k: k = crypto.load_privatekey(crypto.FILETYPE_PEM, k.read()) # create a self-signed cert cert = crypto.X509() createCert(k, cert) open("certificate.crt", "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) print "\nCertificate created in file: certificate.crt" if ans == "n" or ans == "N": open("keys.key", "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) print "\nKeys saved in file: keys.key\n" ans2 = raw_input("Do you want to send your certificate to the blockchain? [Y]es [N]o, default: [Y]") if ans2 == "Y" or ans2 == "y" or ans2 == "" or ans2 == " ": i = 2 sendCertificate(i) sys.exit()
def createKeyPair(type, bits): """ Create a public/private key pair. Arguments: type - Key type, must be one of TYPE_RSA and TYPE_DSA bits - Number of bits to use in the key Returns: The public/private key pair in a PKey object """ pkey = crypto.PKey() pkey.generate_key(type, bits) return pkey
