PATCH: Add x509Extensions to cacert and slave certs

https://github.com/tobert/certmaster/commit/21b55436bc7e9f154c637a4213266e67aa0b6577

This patch adds x509 extensions for dnsName and nsComment to certmaster. I've only done light testing at this point, but it seems to work on my Fedora 14 machine. The try/catch should allow things to keep working on older distros with broken x509Extension support in pyOpenSSL. I'll be testing on CentOS 5.3 soon, since that's my target platform.

My goal is to get full mutual authentication working with rsyslog 4.2.2 TLS (4.2.2 is shipped with EL6).

From openssl x509 -in /etc/pki/certmaster/xxxxxx.cert -text
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:FALSE
      Netscape Comment:
        Created by certmaster.
      X509v3 Subject Alternative Name:
        DNS:xxxxxx

And openssl x509 -in /etc/pki/certmaster/ca.cert -text
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:TRUE
      Netscape Comment:
        Created by certmaster.
      X509v3 Subject Alternative Name:
        DNS:xxxxxx

Thanks,
-Al Tobey

commit 21b55436bc7e9f154c637a4213266e67aa0b6577
Author: Al Tobey <tobert@xxxxxxxxx>
Date:   Fri Mar 25 14:14:57 2011 -0700

  Add x509 extensions for dnsName and nsComment.

  Many utilities that could use certmaster certs follow rules laid
  out in RFC3280. At the moment I'm working on integrating rsyslog
  TLS with mutual authentication. Certmaster certs currently only
  work in "anon" mode where encryption is achieved, but no
  authentication is performed.

  To that end, a function _build_extension_list() is implemented in
  this patch that is now used by both create_ca() and
  create_slave_certificate() that attempts to add the extensions to
  the cert before signing.

  subjectKeyIdentifier will be explored in a subsequent patch.


From 21b55436bc7e9f154c637a4213266e67aa0b6577 Mon Sep 17 00:00:00 2001
From: Al Tobey <tobert@xxxxxxxxx>
Date: Fri, 25 Mar 2011 14:14:57 -0700
Subject: [PATCH] Add x509 extensions for dnsName and nsComment.

Many utilities that could use certmaster certs follow rules laid
out in RFC3280. At the moment I'm working on integrating rsyslog
TLS with mutual authentication. Certmaster certs currently only
work in "anon" mode where encryption is achieved, but no
authentication is performed.

To that end, a function _build_extension_list() is implemented in
this patch that is now used by both create_ca() and
create_slave_certificate() that attempts to add the extensions to
the cert before signing.

subjectKeyIdentifier will be explored in a subsequent patch.

Signed-off-by: Al Tobey <tobert@xxxxxxxxx>
---
 certmaster/certmaster.py |    2 +-
 certmaster/certs.py      |   34 +++++++++++++++++++++++++---------
 2 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/certmaster/certmaster.py b/certmaster/certmaster.py
index 7b133df..2171ef8 100644
--- a/certmaster/certmaster.py
+++ b/certmaster/certmaster.py
@@ -72,7 +72,7 @@ class CertMaster(object):
             if not os.path.exists(self.cfg.cadir):
                 os.makedirs(self.cfg.cadir)
             if not os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
-                certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file)
+                certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file, dnsname=usename)
         except (IOError, OSError), e:
             print 'Cannot make certmaster certificate authority keys/certs, aborting: %s' % e
             sys.exit(1)
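Review bot: `dnsname=usename` is passed into create_ca() here, but nothing in this hunk shows where `usename` comes from or that it is a non-empty, validated DNS name; since the value lands verbatim in the CA certificate's subjectAltName, a one-line comment on its origin (or an explicit check that it is set before this call) would make the intent reviewable. Note also that the surrounding `except (IOError, OSError)` will not catch errors raised by the extension code, so any failure there surfaces as a traceback instead of the friendly abort message below it.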
diff --git a/certmaster/certs.py b/certmaster/certs.py
index d6f8b14..9e417ed 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -88,8 +88,30 @@ def retrieve_cert_from_file(certfile):
     cert = crypto.load_certificate(crypto.FILETYPE_PEM, buf)
     return cert
 
+def _build_extension_list(cert, dnsname=None, ca_enabled=False):
+    subject = cert.get_subject()
+    extensions = []
 
-def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_file=None):
+    if ca_enabled is True:
+        extensions.append(crypto.X509Extension('basicConstraints', 1,'CA:TRUE'))
+    else:
+        extensions.append(crypto.X509Extension('basicConstraints', 1,'CA:FALSE'))
+
+    if dnsname is None:
+        dnsname = subject.CN
+
+    # modeled after StoneVPN/app.py
+    try:
+        extensions.append(crypto.X509Extension('nsComment', 0, "Created by certmaster."))
+        # set dnsName to commonName, which certmaster sets to the hostname
+        extensions.append(crypto.X509Extension('subjectAltName', 0, "DNS:%s" % dnsname))
+        # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+    except ValueError:
+        print "Your version of pyOpenSSL does not support x509Extension properly. Try >= 0.9."
+
+    return extensions
+
+def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_file=None, dnsname=None):
     cakey = make_keypair(dest=ca_key_file)
     careq = make_csr(cakey, cn=CN)
     cacert = crypto.X509()
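Review bot: the `except ValueError` in _build_extension_list() turns a failure into a silent downgrade: it prints to stdout and still returns a list containing basicConstraints, so the caller signs and writes a certificate with no subjectAltName and no way to tell that anything went wrong. Since the whole point of the patch is mutual authentication that hinges on the dNSName, consider re-raising (or logging through the module's logger and returning None so the caller can decide) rather than printing; at minimum the message should say which certificate was affected. Two smaller points in the same hunk: `subject.CN` can be None for a CSR without a commonName, which would produce `DNS:None`, and the copied FIXME comment still has an unbalanced trailing `)`.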
@@ -100,16 +122,13 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f
     cacert.set_subject(careq.get_subject())
     cacert.set_pubkey(careq.get_pubkey())
     cacert.set_version(2)
-    xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
-    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
-    cacert.add_extensions((xt,))
+    cacert.add_extensions(_build_extension_list(cert=cacert, dnsname=dnsname, ca_enabled=True))
     cacert.sign(cakey, 'sha1')
     if ca_cert_file:
         destfo = open(ca_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
         destfo.close()
 
-
 def _get_serial_number(cadir):
     serial = '%s/serial.txt' % cadir
     i = 1
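Review bot: with `ca_enabled=True` the CA certificate gets `CA:TRUE` but no `pathlen` and no keyUsage extension (keyCertSign, cRLSign), which is what RFC 3280 path validation, the target named in the commit message, uses to tell an issuer certificate apart from an end-entity one; consider adding a critical keyUsage in the helper when ca_enabled is set. The CA also now carries a subjectAltName, which is harmless but unnecessary for an issuer. The unchanged context line `cacert.sign(cakey, 'sha1')` is worth a follow-up to move to sha256.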
@@ -132,7 +151,6 @@ def _set_serial_number(cadir, last):
     f.write(str(last) + '\n')
     f.close()
 
-
 def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
     cert = crypto.X509()
     cert.set_serial_number(_get_serial_number(cadir))
@@ -142,9 +160,7 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
     cert.set_subject(csr.get_subject())
     cert.set_pubkey(csr.get_pubkey())
     cert.set_version(2)
-    xt = crypto.X509Extension('basicConstraints', False ,'CA:FALSE')
-    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
-    cert.add_extensions((xt,))
+    cert.add_extensions(_build_extension_list(cert=cert))
     cert.sign(cakey, 'sha1')
     if slave_cert_file:
         destfo = open(slave_cert_file, 'w')
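Review bot: create_slave_certificate() calls the helper with no `dnsname`, so the SAN is whatever commonName the client placed in its CSR; the CA is asserting a hostname without any check that the requester is entitled to it. Either document that certmaster's enrolment flow already ties the CSR to the requesting host, or pass the name the master knows for the slave explicitly. Separately, this hunk changes the slave's basicConstraints from non-critical (`False` in the removed line) to critical (`1` in the helper); that is fine for RFC 3280 but is a behaviour change worth a line in the commit message.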
-- 
1.7.4
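As an added illustration, not code from the patch or from the certmaster project, the following Python encodes the same three extensions the patch appends (basicConstraints, nsComment, subjectAltName) by hand as DER, parses them back, and runs the check a defender would want after reading the cover letter: does an issued certificate actually carry its dNSName, or did the pyOpenSSL fallback path print a warning and sign without it? The `critical` argument of pyOpenSSL's X509Extension (the `1`/`0` in the patch) is shown for what it is on the wire. All function names, the `include_san` switch and the example hostnames are assumptions made for this example.

```python
# Added example, not certmaster code: hand-encode the three X.509v3 extensions
# the patch appends (basicConstraints, nsComment, subjectAltName) as DER, parse
# them back, and flag a certificate that lost its SAN because the pyOpenSSL
# fallback path only printed a warning. Helper names and hostnames are assumed.

OIDS = {"basicConstraints": "2.5.29.19", "subjectAltName": "2.5.29.17",
        "nsComment": "2.16.840.1.113730.1.13"}

def der_len(n):
    # short form below 128, else 0x80 | number of length bytes, then the bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:                    # base-128, high bit set on all but last
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

NAME_BY_OID = {encode_oid(dotted): name for name, dotted in OIDS.items()}

def extension(name, critical, value):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue
    # OCTET STRING }; the 1/0 second argument to pyOpenSSL's X509Extension is
    # this BOOLEAN, and DER omits it when it equals the DEFAULT
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(OIDS[name]) + flag + tlv(0x04, value))

def basic_constraints(ca):
    # cA BOOLEAN DEFAULT FALSE, so "CA:FALSE" is just an empty SEQUENCE (30 00)
    return tlv(0x30, tlv(0x01, b"\xff") if ca else b"")

def subject_alt_name(dnsnames):
    # GeneralName dNSName is [2] IMPLICIT IA5String, tag byte 0x82
    return tlv(0x30, b"".join(tlv(0x82, n.encode("ascii")) for n in dnsnames))

def build_extension_list(dnsname, ca_enabled=False, include_san=True):
    # include_san=False models what the patch's except-ValueError branch issues
    exts = [extension("basicConstraints", True, basic_constraints(ca_enabled)),
            extension("nsComment", False, tlv(0x16, b"Created by certmaster."))]
    if include_san:
        exts.append(extension("subjectAltName", False, subject_alt_name([dnsname])))
    return tlv(0x30, b"".join(exts))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extensions(der):
    # {extension name or raw OID hex: (critical, extnValue bytes)}
    _, seq, _ = read_tlv(der)
    result, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(ext)
        tag, body, p = read_tlv(ext, p)
        critical = tag == 0x01 and body == b"\xff"
        if tag == 0x01:                     # optional critical flag was present
            tag, body, p = read_tlv(ext, p)
        result[NAME_BY_OID.get(tlv(0x06, oid), oid.hex())] = (critical, body)
    return result

def san_dnsnames(exts):
    names, pos = [], 0
    _, seq, _ = read_tlv(exts.get("subjectAltName", (False, b"\x30\x00"))[1])
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag == 0x82:
            names.append(body.decode("ascii"))
    return names

def is_ca(exts):
    critical, body = exts.get("basicConstraints", (False, b"\x30\x00"))
    return critical and read_tlv(body)[1][:3] == b"\x01\x01\xff"

def check_slave_cert(exts, expected_host):
    # what a verifier doing rsyslog-style mutual authentication would trip over
    problems = []
    if is_ca(exts):
        problems.append("end-entity certificate carries CA:TRUE")
    names = san_dnsnames(exts)
    if not names:
        problems.append("no subjectAltName: the pyOpenSSL fallback branch likely ran")
    elif expected_host not in names:
        problems.append("subjectAltName %r does not cover %s" % (names, expected_host))
    return problems
```

The `build_extension_list` call with `include_san=False` reproduces the silent-downgrade case: the certificate still parses, basicConstraints is still critical, and only a check like `check_slave_cert` (or `openssl x509 -text` as in the cover letter) reveals that the dNSName the mutual-authentication setup depends on is missing.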

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
