Mercurial > viff

changeset 821:b767a45cec65

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Generate keys and certificate using PyOpenSSL. This removes the dependency on make and the certtool program from GnuTLS.
author Martin Geisler <mg@daimi.au.dk>
date Sat, 12 Jul 2008 19:44:08 +0200
parents facc9f1f0bb1
children 4caf0ba0f517
files apps/generate-certificates apps/generate-certificates.py
diffstat 2 files changed, 97 insertions(+), 88 deletions(-) [+]
line wrap: on
line diff
--- a/apps/generate-certificates	Sat Jul 12 18:14:38 2008 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,88 +0,0 @@
-#!/usr/bin/make -f
-
-# Copyright 2007, 2008 VIFF Development Team.
-#
-# This file is part of VIFF, the Virtual Ideal Functionality Framework.
-#
-# VIFF is free software: you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License (LGPL) as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# VIFF is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
-# Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with VIFF. If not, see <http://www.gnu.org/licenses/>.
-
-# This file is a Makefile which will generate private keys and TLS
-# certificates for the players. An extra key and certificate is made
-# for signing the other keys.
-#
-# Each player needs three files to create a TLS connection: the
-# certificate (player-X.cert), the private key (player-X.key), and the
-# CA certificate (ca.cert).
-
-# TODO: This should probably be rewritten in Python. The optimal
-# solution would be a rewrite that uses the Python GNUTLS bindings.
-
-# Default number of players. To generate keys and certificates for,
-# say, 5 players, simply add 'N=5' as a command line argument when you
-# run the Makefile.
-N = 3
-
-PLAYERS = $(addprefix player-, $(shell seq $N))
-KEYS = $(addsuffix .key, $(PLAYERS) ca)
-CERTS = $(addsuffix .cert, $(PLAYERS) ca)
-REQUESTS = $(addsuffix .request, $(PLAYERS) ca)
-CFGS = $(addsuffix .cfg, $(PLAYERS) ca)
-
-
-.PHONY: all
-all: $(CERTS)
-
-.PHONY: clean
-clean:
-	rm -f $(CERTS)
-	rm -f $(REQUESTS)
-	rm -f $(CFGS)
-
-.PHONY: distclean
-distclean: clean
-	rm -f $(KEYS)
-
-%.key:
-	certtool --generate-privkey --outfile $@
-
-player-%.cfg:
-	@echo 'cn = "VIFF Player $*"' > $@
-	@echo 'serial = $*' >> $@ # The player number is encoded here.
-	@echo 'expiration_days = 365' >> $@
-	@echo 'signing_key' >> $@
-	@echo 'encryption_key' >> $@
-
-player-%.request: player-%.cfg player-%.key
-	certtool --generate-request --template player-$*.cfg \
-	 --load-privkey player-$*.key --outfile $@
-
-player-%.cert: player-%.request player-%.cfg ca.cert ca.key
-	certtool --generate-certificate --template player-$*.cfg \
-	 --load-request player-$*.request \
-	 --load-ca-certificate ca.cert --load-ca-privkey ca.key \
-	 --outfile $@
-
-ca.cfg:
-	@echo 'cn = "VIFF Certificate Authority"' > $@
-	@echo 'expiration_days = 365' >> $@
-	@echo 'ca' >> $@
-	@echo 'cert_signing_key' >> $@
-
-
-ca.cert: ca.cfg ca.key
-	certtool --generate-self-signed --template ca.cfg \
-	         --load-privkey ca.key --outfile ca.cert
-
-.INTERMEDIATE: ca.cfg
-.PRECIOUS: %.key
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/apps/generate-certificates.py	Sat Jul 12 19:44:08 2008 +0200
@@ -0,0 +1,97 @@
+#!/usr/bin/python
+
+# Copyright 2008 VIFF Development Team.
+#
+# This file is part of VIFF, the Virtual Ideal Functionality Framework.
+#
+# VIFF is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License (LGPL) as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# VIFF is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
+# Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with VIFF. If not, see <http://www.gnu.org/licenses/>.
+
+# This program will generate private keys and SSL/TLS certificates for
+# the players. An extra key and certificate is made for signing the
+# other keys.
+#
+# Each player needs three files to create a SSL/TLS connection: the
+# certificate (player-X.cert), the private key (player-X.key), and the
+# CA certificate (ca.cert).
+
+from OpenSSL import crypto
+from optparse import OptionParser
+
+parser = OptionParser()
+parser.add_option("-p", "--prefix",
+                  help="output filename prefix")
+parser.add_option("-k", "--key-size", type="int",
+                  help="key size")
+parser.add_option("-n", "--players", dest="n", type="int",
+                  help="number of players")
+
+parser.set_defaults(n=3, key_size=1024, prefix='player')
+
+(options, args) = parser.parse_args()
+
+
+def create_key(bits, type=crypto.TYPE_RSA):
+    """Create a public/private key pair."""
+    pk = crypto.PKey()
+    pk.generate_key(type, bits)
+    return pk
+
+def save_key(key, filename):
+    """Save a key as a PEM file."""
+    fp = open(filename, "w")
+    fp.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
+    fp.close()
+
+def create_cert_request(pk, common_name, digest="sha1"):
+    """Create a certificate request."""
+    req = crypto.X509Req()
+    subj = req.get_subject()
+    subj.CN = common_name
+
+    req.set_pubkey(pk)
+    req.sign(pk, digest)
+    return req
+
+def create_cert(req, issuer_cert, issuer_sk, serial, valid=365, digest="sha1"):
+    """Generate a certificate given a certificate request."""
+    cert = crypto.X509()
+    cert.set_serial_number(serial)
+    cert.gmtime_adj_notBefore(0)
+    cert.gmtime_adj_notAfter(valid * 60 * 60 * 24)
+    cert.set_issuer(issuer_cert.get_subject())
+    cert.set_subject(req.get_subject())
+    cert.set_pubkey(req.get_pubkey())
+    cert.sign(issuer_sk, digest)
+    return cert
+
+def save_cert(cert, filename):
+    """Save a certificate as a PEM file."""
+    fp = open(filename, "w")
+    fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
+    fp.close()
+
+ca_key = create_key(options.key_size)
+ca_req = create_cert_request(ca_key, "VIFF Certificate Authority")
+ca_cert = create_cert(ca_req, ca_req, ca_key, 0)
+
+save_key(ca_key, "ca.key")
+save_cert(ca_cert, "ca.cert")
+
+for i in range(1, options.n + 1):
+    key = create_key(options.key_size)
+    req = create_cert_request(key, "VIFF Player %d" % i)
+    cert = create_cert(req, ca_cert, ca_key, i)
+
+    save_key(key, "%s-%d.key" % (options.prefix, i))
+    save_cert(cert, "%s-%d.cert" % (options.prefix, i))