我们从Python开源项目中,提取了以下50个代码示例,用于说明如何使用OpenSSL.crypto.PKey()。
def setUp(self): """ Create a new private key and start a certificate request (for a test method to finish in one way or another). """ # Basic setup stuff to generate a certificate self.pkey = PKey() self.pkey.generate_key(TYPE_RSA, 384) self.req = X509Req() self.req.set_pubkey(self.pkey) # Authority good you have. self.req.get_subject().commonName = "Yoda root CA" self.x509 = X509() self.subject = self.x509.get_subject() self.subject.commonName = self.req.get_subject().commonName self.x509.set_issuer(self.subject) self.x509.set_pubkey(self.pkey) now = datetime.now().strftime("%Y%m%d%H%M%SZ") expire = (datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ") self.x509.set_notBefore(now) self.x509.set_notAfter(expire)
def test_type_errors(self): """ The L{PKCS12} setter functions (C{set_certificate}, C{set_privatekey}, C{set_ca_certificates}, and C{set_friendlyname}) raise L{TypeError} when passed objects of types other than those expected. """ p12 = PKCS12() self.assertRaises(TypeError, p12.set_certificate, 3) self.assertRaises(TypeError, p12.set_certificate, PKey()) self.assertRaises(TypeError, p12.set_certificate, X509) self.assertRaises(TypeError, p12.set_privatekey, 3) self.assertRaises(TypeError, p12.set_privatekey, 'legbone') self.assertRaises(TypeError, p12.set_privatekey, X509()) self.assertRaises(TypeError, p12.set_ca_certificates, 3) self.assertRaises(TypeError, p12.set_ca_certificates, X509()) self.assertRaises(TypeError, p12.set_ca_certificates, (3, 4)) self.assertRaises(TypeError, p12.set_ca_certificates, ( PKey(), )) self.assertRaises(TypeError, p12.set_friendlyname, 6) self.assertRaises(TypeError, p12.set_friendlyname, ('foo', 'bar'))
def test_set_passwd_cb(self): """ L{Context.set_passwd_cb} accepts a callable which will be invoked when a private key is loaded from an encrypted PEM. """ key = PKey() key.generate_key(TYPE_RSA, 128) pemFile = self.mktemp() fObj = file(pemFile, 'w') passphrase = "foobar" fObj.write(dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)) fObj.close() calledWith = [] def passphraseCallback(maxlen, verify, extra): calledWith.append((maxlen, verify, extra)) return passphrase context = Context(TLSv1_METHOD) context.set_passwd_cb(passphraseCallback) context.use_privatekey_file(pemFile) self.assertTrue(len(calledWith), 1) self.assertTrue(isinstance(calledWith[0][0], int)) self.assertTrue(isinstance(calledWith[0][1], int)) self.assertEqual(calledWith[0][2], None)
def makeCertificate(**kw): keypair = PKey() keypair.generate_key(TYPE_RSA, 1024) certificate = X509() certificate.gmtime_adj_notBefore(0) certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year for xname in certificate.get_issuer(), certificate.get_subject(): for (k, v) in kw.items(): setattr(xname, k, v) certificate.set_serial_number(counter()) certificate.set_pubkey(keypair) certificate.sign(keypair, "md5") return keypair, certificate
def otherMakeCertificate(**kw): keypair = PKey() keypair.generate_key(TYPE_RSA, 1024) req = X509Req() subj = req.get_subject() for (k, v) in kw.items(): setattr(subj, k, v) req.set_pubkey(keypair) req.sign(keypair, "md5") cert = X509() cert.set_serial_number(counter()) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year cert.set_issuer(req.get_subject()) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(keypair, "md5") return keypair, cert
def generate(self, passphrase: str = None, common_name=None, days=DEFAULT_CERT_VALIDITY, is_server=False): k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, self.key_length) cert = crypto.X509() # cert.get_subject().CN = common_name cert.get_subject().commonName = common_name cert.set_serial_number(random.randint(990000, 999999999999999999999999999)) cert.gmtime_adj_notBefore(-600) cert.gmtime_adj_notAfter(int(datetime.timedelta(days=days).total_seconds())) cert.set_issuer(self.ca_cert.get_subject()) cert.set_pubkey(k) cert = self._add_extensions(cert, is_server) cert.sign(self.ca_key, self.digest) self.certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) if passphrase: self.private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k, cipher="DES-EDE3-CBC", passphrase=passphrase.encode()) else: self.private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k) return self
def setUp(self): """ Create a new private key and start a certificate request (for a test method to finish in one way or another). """ super(X509ExtTests, self).setUp() # Basic setup stuff to generate a certificate self.pkey = PKey() self.pkey.generate_key(TYPE_RSA, 384) self.req = X509Req() self.req.set_pubkey(self.pkey) # Authority good you have. self.req.get_subject().commonName = "Yoda root CA" self.x509 = X509() self.subject = self.x509.get_subject() self.subject.commonName = self.req.get_subject().commonName self.x509.set_issuer(self.subject) self.x509.set_pubkey(self.pkey) now = b(datetime.now().strftime("%Y%m%d%H%M%SZ")) expire = b((datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ")) self.x509.set_notBefore(now) self.x509.set_notAfter(expire)
def test_sign(self): """ :py:meth:`X509Req.sign` succeeds when passed a private key object and a valid digest function. :py:meth:`X509Req.verify` can be used to check the signature. """ request = self.signable() key = PKey() key.generate_key(TYPE_RSA, 512) request.set_pubkey(key) request.sign(key, GOOD_DIGEST) # If the type has a verify method, cover that too. if getattr(request, 'verify', None) is not None: pub = request.get_pubkey() self.assertTrue(request.verify(pub)) # Make another key that won't verify. key = PKey() key.generate_key(TYPE_RSA, 512) self.assertRaises(Error, request.verify, key)
def test_type_errors(self): """ The :py:obj:`PKCS12` setter functions (:py:obj:`set_certificate`, :py:obj:`set_privatekey`, :py:obj:`set_ca_certificates`, and :py:obj:`set_friendlyname`) raise :py:obj:`TypeError` when passed objects of types other than those expected. """ p12 = PKCS12() self.assertRaises(TypeError, p12.set_certificate, 3) self.assertRaises(TypeError, p12.set_certificate, PKey()) self.assertRaises(TypeError, p12.set_certificate, X509) self.assertRaises(TypeError, p12.set_privatekey, 3) self.assertRaises(TypeError, p12.set_privatekey, 'legbone') self.assertRaises(TypeError, p12.set_privatekey, X509()) self.assertRaises(TypeError, p12.set_ca_certificates, 3) self.assertRaises(TypeError, p12.set_ca_certificates, X509()) self.assertRaises(TypeError, p12.set_ca_certificates, (3, 4)) self.assertRaises(TypeError, p12.set_ca_certificates, ( PKey(), )) self.assertRaises(TypeError, p12.set_friendlyname, 6) self.assertRaises(TypeError, p12.set_friendlyname, ('foo', 'bar'))
def test_key_only(self): """ A :py:obj:`PKCS12` with only a private key can be exported using :py:obj:`PKCS12.export` and loaded again using :py:obj:`load_pkcs12`. """ passwd = b"blah" p12 = PKCS12() pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) p12.set_privatekey(pkey) self.assertEqual(None, p12.get_certificate()) self.assertEqual(pkey, p12.get_privatekey()) try: dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3) except Error: # Some versions of OpenSSL will throw an exception # for this nearly useless PKCS12 we tried to generate: # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')] return p12 = load_pkcs12(dumped_p12, passwd) self.assertEqual(None, p12.get_ca_certificates()) self.assertEqual(None, p12.get_certificate()) # OpenSSL fails to bring the key back to us. So sad. Perhaps in the # future this will be improved. self.assertTrue(isinstance(p12.get_privatekey(), (PKey, type(None))))
def keyHash(self): """ Compute a hash of the underlying PKey object. The purpose of this method is to allow you to determine if two certificates share the same public key; it is not really useful for anything else. In versions of Twisted prior to 15.0, C{keyHash} used a technique involving certificate requests for computing the hash that was not stable in the face of changes to the underlying OpenSSL library. @return: Return a 32-character hexadecimal string uniquely identifying this public key, I{for this version of Twisted}. @rtype: native L{str} """ raw = crypto.dump_publickey(crypto.FILETYPE_ASN1, self.original) h = md5() h.update(raw) return h.hexdigest()
def makeCertificate(**kw): keypair = PKey() keypair.generate_key(TYPE_RSA, 768) certificate = X509() certificate.gmtime_adj_notBefore(0) certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year for xname in certificate.get_issuer(), certificate.get_subject(): for (k, v) in kw.items(): setattr(xname, k, nativeString(v)) certificate.set_serial_number(counter()) certificate.set_pubkey(keypair) certificate.sign(keypair, "md5") return keypair, certificate
def setUp(self): """ Create a new private key and start a certificate request (for a test method to finish in one way or another). """ # Basic setup stuff to generate a certificate self.pkey = PKey() self.pkey.generate_key(TYPE_RSA, 384) self.req = X509Req() self.req.set_pubkey(self.pkey) # Authority good you have. self.req.get_subject().commonName = "Yoda root CA" self.x509 = X509() self.subject = self.x509.get_subject() self.subject.commonName = self.req.get_subject().commonName self.x509.set_issuer(self.subject) self.x509.set_pubkey(self.pkey) now = b(datetime.now().strftime("%Y%m%d%H%M%SZ")) expire = b((datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ")) self.x509.set_notBefore(now) self.x509.set_notAfter(expire)
def create_group_cert(cli): k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 2048) # generate RSA key-pair cert = crypto.X509() cert.get_subject().countryName = "US" cert.get_subject().stateOrProvinceName = "CA" cert.get_subject().organizationName = "mini-fulfillment" cert.get_subject().organizationalUnitName = "demo" cert.get_subject().commonName = "mini-fulfillment" cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60) # 5 year expiry date cert.set_issuer(cert.get_subject()) # self-sign this certificate cert.set_pubkey(k) san_list = ["IP:{0}".format(cli.ip_address)] extension_list = [ crypto.X509Extension(type_name=b"basicConstraints", critical=False, value=b"CA:false"), crypto.X509Extension(type_name=b"subjectAltName", critical=True, value=", ".join(san_list)), # crypto.X509Extension(type_name=b"subjectKeyIdentifier", # critical=True, value=b"hash") ] cert.add_extensions(extension_list) cert.sign(k, 'sha256') prefix = str(cli.out_dir) + '/' + cli.group_name open("{0}-server.crt".format(prefix), 'wt').write( crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) open("{0}-server-private.key".format(prefix), 'wt').write( crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey=k)) open("{0}-server-public.key".format(prefix), 'wt').write( crypto.dump_publickey(crypto.FILETYPE_PEM, pkey=k))
def generate_temporary_tls_certificate(): """ generate an intentionally weak self-signed certificate :param dst: destination file path for autogenerated server.pem """ from OpenSSL import crypto import tempfile key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, 1024) cert = crypto.X509() cert_subject = cert.get_subject() cert_subject.C = "IO" cert_subject.ST = "Striptls" cert_subject.L = "Striptls" cert_subject.O = "github.com/tintinweb" cert_subject.OU = "github.com/tintinweb" cert_subject.CN = "striptls.localhost.localdomain" cert.set_serial_number(1) cert.gmtime_adj_notBefore(-32 * 24 * 60 * 60) cert.gmtime_adj_notAfter(32 * 24 * 60 * 60) cert.set_issuer(cert_subject) cert.set_pubkey(key) cert.sign(key, 'sha1') tmp_fname = tempfile.mktemp(prefix="striptls-", suffix=".pem") with open(tmp_fname, 'w') as f: f.write('\n'.join([crypto.dump_certificate(crypto.FILETYPE_PEM, cert), crypto.dump_privatekey(crypto.FILETYPE_PEM, key)])) return tmp_fname
def generate_adhoc_ssl_pair(cn=None): from random import random crypto = _get_openssl_crypto_module() # pretty damn sure that this is not actually accepted by anyone if cn is None: cn = '*' cert = crypto.X509() cert.set_serial_number(int(random() * sys.maxsize)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) subject = cert.get_subject() subject.CN = cn subject.O = 'Dummy Certificate' issuer = cert.get_issuer() issuer.CN = 'Untrusted Authority' issuer.O = 'Self-Signed' pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 1024) cert.set_pubkey(pkey) cert.sign(pkey, 'md5') return cert, pkey
def test_type(self): """ L{PKey} and L{PKeyType} refer to the same type object and can be used to create instances of that type. """ self.assertIdentical(PKey, PKeyType) self.assertConsistentType(PKey, 'PKey')
def test_construction(self): """ L{PKey} takes no arguments and returns a new L{PKey} instance. """ self.assertRaises(TypeError, PKey, None) key = PKey() self.assertTrue( isinstance(key, PKeyType), "%r is of type %r, should be %r" % (key, type(key), PKeyType))
def test_pregeneration(self): """ L{PKeyType.bits} and L{PKeyType.type} return C{0} before the key is generated. """ key = PKey() self.assertEqual(key.type(), 0) self.assertEqual(key.bits(), 0)
def test_failedGeneration(self): """ L{PKeyType.generate_key} takes two arguments, the first giving the key type as one of L{TYPE_RSA} or L{TYPE_DSA} and the second giving the number of bits to generate. If an invalid type is specified or generation fails, L{Error} is raised. If an invalid number of bits is specified, L{ValueError} or L{Error} is raised. """ key = PKey() self.assertRaises(TypeError, key.generate_key) self.assertRaises(TypeError, key.generate_key, 1, 2, 3) self.assertRaises(TypeError, key.generate_key, "foo", "bar") self.assertRaises(Error, key.generate_key, -1, 0) self.assertRaises(ValueError, key.generate_key, TYPE_RSA, -1) self.assertRaises(ValueError, key.generate_key, TYPE_RSA, 0) # XXX RSA generation for small values of bits is fairly buggy in a wide # range of OpenSSL versions. I need to figure out what the safe lower # bound for a reasonable number of OpenSSL versions is and explicitly # check for that in the wrapper. The failure behavior is typically an # infinite loop inside OpenSSL. # self.assertRaises(Error, key.generate_key, TYPE_RSA, 2) # XXX DSA generation seems happy with any number of bits. The DSS # says bits must be between 512 and 1024 inclusive. OpenSSL's DSA # generator doesn't seem to care about the upper limit at all. For # the lower limit, it uses 512 if anything smaller is specified. # So, it doesn't seem possible to make generate_key fail for # TYPE_DSA with a bits argument which is at least an int. # self.assertRaises(Error, key.generate_key, TYPE_DSA, -7)
def test_dsaGeneration(self): """ L{PKeyType.generate_key} generates a DSA key when passed L{TYPE_DSA} as a type and a reasonable number of bits. """ # 512 is a magic number. The DSS (Digital Signature Standard) # allows a minimum of 512 bits for DSA. DSA_generate_parameters # will silently promote any value below 512 to 512. bits = 512 key = PKey() key.generate_key(TYPE_DSA, bits) self.assertEqual(key.type(), TYPE_DSA) self.assertEqual(key.bits(), bits)
def test_regeneration(self): """ L{PKeyType.generate_key} can be called multiple times on the same key to generate new keys. """ key = PKey() for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]: key.generate_key(type, bits) self.assertEqual(key.type(), type) self.assertEqual(key.bits(), bits)
def test_signWithUngenerated(self): """ L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no parts. """ request = self.signable() key = PKey() self.assertRaises(ValueError, request.sign, key, 'MD5')
def test_signWithPublicKey(self): """ L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no private part as the signing key. """ request = self.signable() key = PKey() key.generate_key(TYPE_RSA, 512) request.set_pubkey(key) pub = request.get_pubkey() self.assertRaises(ValueError, request.sign, pub, 'MD5')
def test_load_privatekey_passphrase(self): """ L{load_privatekey} can create a L{PKey} object from an encrypted PEM string if given the passphrase. """ key = load_privatekey( FILETYPE_PEM, encryptedPrivateKeyPEM, encryptedPrivateKeyPEMPassphrase) self.assertTrue(isinstance(key, PKeyType))
def test_load_privatekey_passphraseCallback(self): """ L{load_privatekey} can create a L{PKey} object from an encrypted PEM string if given a passphrase callback which returns the correct password. """ called = [] def cb(writing): called.append(writing) return encryptedPrivateKeyPEMPassphrase key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb) self.assertTrue(isinstance(key, PKeyType)) self.assertEqual(called, [False])
def test_use_privatekey(self): """ L{Context.use_privatekey} takes an L{OpenSSL.crypto.PKey} instance. """ key = PKey() key.generate_key(TYPE_RSA, 128) ctx = Context(TLSv1_METHOD) ctx.use_privatekey(key) self.assertRaises(TypeError, ctx.use_privatekey, "")
def generate(Class, kind=crypto.TYPE_RSA, size=1024): pkey = crypto.PKey() pkey.generate_key(kind, size) return Class(pkey)
def generate_adhoc_ssl_pair(cn=None): from random import random crypto = _get_openssl_crypto_module() # pretty damn sure that this is not actually accepted by anyone if cn is None: cn = '*' cert = crypto.X509() cert.set_serial_number(int(random() * sys.maxsize)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) subject = cert.get_subject() subject.CN = cn subject.O = 'Dummy Certificate' issuer = cert.get_issuer() issuer.CN = 'Untrusted Authority' issuer.O = 'Self-Signed' pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) cert.set_pubkey(pkey) cert.sign(pkey, 'sha256') return cert, pkey
def generateSSLCert(): if not os.path.exists(os.path.join(config.DATA_DIR, 'plexivity.key')) or not os.path.exists(os.path.join(config.DATA_DIR, 'plexivity.crt')): logger.warning("plexivity was started with ssl support but no cert was found, trying to generating cert and key now") try: from OpenSSL import crypto, SSL from socket import gethostname # create a key pair k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 1024) # create a self-signed cert cert = crypto.X509() cert.get_subject().C = "US" cert.get_subject().ST = "plex land" cert.get_subject().L = "plex land" cert.get_subject().O = "plexivity" cert.get_subject().OU = "plexivity" cert.get_subject().CN = gethostname() cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10*365*24*60*60) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) cert.sign(k, 'sha1') open(os.path.join(config.DATA_DIR, 'plexivity.crt'), "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) open(os.path.join(config.DATA_DIR, 'plexivity.key'), "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) logger.info("ssl cert and key generated and saved to: %s" % config.DATA_DIR) except: logger.error("unable to generate ssl key and cert")
def create_self_signed_cert(): """ If ssl.cert and ssl.key don't exist in config, create a new self-signed cert and keypair and write them into that directory. """ if not isfile(CERT_FILE) or not isfile(KEY_FILE): # create a key pair k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 4096) # create a self-signed certificate cert = crypto.X509() subj = cert.get_subject() subj.C = "DE" subj.ST = "Hessen" subj.L = "Darmstadt" subj.O = "github.com/BjoernPetersen/MusicBot" cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60) cert.set_issuer(subj) cert.set_pubkey(k) cert.sign(k, "sha256") with open(KEY_FILE, 'wb') as key_file: key_file.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) with open(CERT_FILE, 'wb') as cert_file: cert_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
def generate_adhoc_ssl_pair(cn=None): from random import random from OpenSSL import crypto # pretty damn sure that this is not actually accepted by anyone if cn is None: cn = '*' cert = crypto.X509() cert.set_serial_number(int(random() * sys.maxint)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) subject = cert.get_subject() subject.CN = cn subject.O = 'Dummy Certificate' issuer = cert.get_issuer() issuer.CN = 'Untrusted Authority' issuer.O = 'Self-Signed' pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 768) cert.set_pubkey(pkey) cert.sign(pkey, 'md5') return cert, pkey
def create_key_pair(self, bits=4096, type=crypto.TYPE_RSA): """ Create a key pair for use in PKI Arguments: bits - the number of bits to use in the private key type - the type of key (currently only crypto.TYPE_RSA supported) """ if bits % 1024 != 0 or bits < 2048 != 0: raise ValueError("This implementation requires a key size evenly divisible by 1024 and larger than 2048.") k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, bits) return k
