
changeset 821:b767a45cec65

Generate keys and certificate using PyOpenSSL. This removes the dependency on make and the certtool program from GnuTLS.
author Martin Geisler <mg@daimi.au.dk>
date Sat, 12 Jul 2008 19:44:08 +0200
parents facc9f1f0bb1
children 4caf0ba0f517
files apps/generate-certificates apps/generate-certificates.py
diffstat 2 files changed, 97 insertions(+), 88 deletions(-) [+]
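--- a/apps/generate-certificates
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/usr/bin/make -f
-
-# Copyright 2007, 2008 VIFF Development Team.
-#
-# This file is part of VIFF, the Virtual Ideal Functionality Framework.
-#
-# VIFF is free software: you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License (LGPL) as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# VIFF is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
-# Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with VIFF. If not, see <http://www.gnu.org/licenses/>.
-
-# This file is a Makefile which will generate private keys and TLS
-# certificates for the players. An extra key and certificate is made
-# for signing the other keys.
-#
-# Each player needs three files to create a TLS connection: the
-# certificate (player-X.cert), the private key (player-X.key), and the
-# CA certificate (ca.cert).
-
-# TODO: This should probably be rewritten in Python. The optimal
-# solution would be a rewrite that uses the Python GNUTLS bindings.
-
-# Default number of players. To generate keys and certificates for,
-# say, 5 players, simply add 'N=5' as a command line argument when you
-# run the Makefile.
-N = 3
-
-PLAYERS = $(addprefix player-, $(shell seq $N))
-KEYS = $(addsuffix .key, $(PLAYERS) ca)
-CERTS = $(addsuffix .cert, $(PLAYERS) ca)
-REQUESTS = $(addsuffix .request, $(PLAYERS) ca)
-CFGS = $(addsuffix .cfg, $(PLAYERS) ca)
-
-
-.PHONY: all
-all: $(CERTS)
-
-.PHONY: clean
-clean:
-	rm -f $(CERTS)
-	rm -f $(REQUESTS)
-	rm -f $(CFGS)
-
-.PHONY: distclean
-distclean: clean
-	rm -f $(KEYS)
-
-%.key:
-	certtool --generate-privkey --outfile $@
-
-player-%.cfg:
-	@echo 'cn = "VIFF Player $*"' > $@
-	@echo 'serial = $*' >> $@ # The player number is encoded here.
-	@echo 'expiration_days = 365' >> $@
-	@echo 'signing_key' >> $@
-	@echo 'encryption_key' >> $@
-
-player-%.request: player-%.cfg player-%.key
-	certtool --generate-request --template player-$*.cfg \
-	 --load-privkey player-$*.key --outfile $@
-
-player-%.cert: player-%.request player-%.cfg ca.cert ca.key
-	certtool --generate-certificate --template player-$*.cfg \
-	 --load-request player-$*.request \
-	 --load-ca-certificate ca.cert --load-ca-privkey ca.key \
-	 --outfile $@
-
-ca.cfg:
-	@echo 'cn = "VIFF Certificate Authority"' > $@
-	@echo 'expiration_days = 365' >> $@
-	@echo 'ca' >> $@
-	@echo 'cert_signing_key' >> $@
-
-
-ca.cert: ca.cfg ca.key
-	certtool --generate-self-signed --template ca.cfg \
-	         --load-privkey ca.key --outfile ca.cert
-
-.INTERMEDIATE: ca.cfg
-.PRECIOUS: %.key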
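--- /dev/null
+++ b/apps/generate-certificates.py
@@ -0,0 +1,97 @@
+#!/usr/bin/python
+
+# Copyright 2008 VIFF Development Team.
+#
+# This file is part of VIFF, the Virtual Ideal Functionality Framework.
+#
+# VIFF is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License (LGPL) as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# VIFF is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
+# Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with VIFF. If not, see <http://www.gnu.org/licenses/>.
+
+# This program will generate private keys and SSL/TLS certificates for
+# the players. An extra key and certificate is made for signing the
+# other keys.
+#
+# Each player needs three files to create a SSL/TLS connection: the
+# certificate (player-X.cert), the private key (player-X.key), and the
+# CA certificate (ca.cert).
+
+from OpenSSL import crypto
+from optparse import OptionParser
+
+parser = OptionParser()
+parser.add_option("-p", "--prefix",
+                  help="output filename prefix")
+parser.add_option("-k", "--key-size", type="int",
+                  help="key size")
+parser.add_option("-n", "--players", dest="n", type="int",
+                  help="number of players")
+
+parser.set_defaults(n=3, key_size=1024, prefix='player')
+
+(options, args) = parser.parse_args()
+
+
+def create_key(bits, type=crypto.TYPE_RSA):
+    """Create a public/private key pair."""
+    pk = crypto.PKey()
+    pk.generate_key(type, bits)
+    return pk
+
+def save_key(key, filename):
+    """Save a key as a PEM file."""
+    fp = open(filename, "w")
+    fp.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
+    fp.close()
+
+def create_cert_request(pk, common_name, digest="sha1"):
+    """Create a certificate request."""
+    req = crypto.X509Req()
+    subj = req.get_subject()
+    subj.CN = common_name
+
+    req.set_pubkey(pk)
+    req.sign(pk, digest)
+    return req
+
+def create_cert(req, issuer_cert, issuer_sk, serial, valid=365, digest="sha1"):
+    """Generate a certificate given a certificate request."""
+    cert = crypto.X509()
+    cert.set_serial_number(serial)
+    cert.gmtime_adj_notBefore(0)
+    cert.gmtime_adj_notAfter(valid * 60 * 60 * 24)
+    cert.set_issuer(issuer_cert.get_subject())
+    cert.set_subject(req.get_subject())
+    cert.set_pubkey(req.get_pubkey())
+    cert.sign(issuer_sk, digest)
+    return cert
+
+def save_cert(cert, filename):
+    """Save a certificate as a PEM file."""
+    fp = open(filename, "w")
+    fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
+    fp.close()
+
+ca_key = create_key(options.key_size)
+ca_req = create_cert_request(ca_key, "VIFF Certificate Authority")
+ca_cert = create_cert(ca_req, ca_req, ca_key, 0)
+
+save_key(ca_key, "ca.key")
+save_cert(ca_cert, "ca.cert")
+
+for i in range(1, options.n + 1):
+    key = create_key(options.key_size)
+    req = create_cert_request(key, "VIFF Player %d" % i)
+    cert = create_cert(req, ca_cert, ca_key, i)
+
+    save_key(key, "%s-%d.key" % (options.prefix, i))
+    save_cert(cert, "%s-%d.cert" % (options.prefix, i))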
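Review bot: save_key writes each private key with a plain `open(filename, "w")`, so ca.key and every player key are created with the process umask's default mode (commonly world-readable) and any local user can copy them; create the file with a restrictive mode instead, e.g. `fp = os.fdopen(os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600), "w")` with `import os` added to the imports. The certificate profile is also narrower than the Makefile this replaces: ca.cfg set `ca` and `cert_signing_key`, but create_cert adds no extensions, so ca.cert carries no basicConstraints CA:TRUE and verifiers that enforce it will not accept it as an issuer; a `ca=False` keyword on create_cert that calls `cert.add_extensions([crypto.X509Extension("basicConstraints", True, "CA:TRUE")])` when set would restore that. The CA certificate is issued with serial 0 in `create_cert(ca_req, ca_req, ca_key, 0)`, whereas X.509 requires a positive integer serial and some implementations reject zero; numbering the CA 1 and the players from 2, or drawing serials from one counter, avoids this. Finally, `type` in create_key's signature shadows the builtin; `key_type` reads more clearly.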