Synnefo » snf-ganeti

# For RSA keys more bits are better, but they also make operations more

# expensive. NIST SP 800-131 recommends a minimum of 2048 bits from the year

# 2010 on.

RSA_KEY_BITS = 2048

# Digest used to sign certificates ("openssl x509" uses SHA1 by default)

X509_CERT_SIGN_DIGEST = "SHA1"

import OpenSSL

def GetClosedTempfile(*args, **kwargs):

  """Creates a temporary file and returns its path.

  """

  (fd, path) = tempfile.mkstemp(*args, **kwargs)

  _CloseFDNoErr(fd)

  return path

def GenerateSelfSignedX509Cert(common_name, validity):

  """Generates a self-signed X509 certificate.

  @type common_name: string

  @param common_name: commonName value

  @param validity: Validity for certificate in seconds

  # Create private and public key

  key = OpenSSL.crypto.PKey()

  key.generate_key(OpenSSL.crypto.TYPE_RSA, constants.RSA_KEY_BITS)

  # Create self-signed certificate

  cert = OpenSSL.crypto.X509()

  if common_name:

    cert.get_subject().CN = common_name

  cert.set_serial_number(1)

  cert.gmtime_adj_notBefore(0)

  cert.gmtime_adj_notAfter(validity)

  cert.set_issuer(cert.get_subject())

  cert.set_pubkey(key)

  cert.sign(key, constants.X509_CERT_SIGN_DIGEST)

  key_pem = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)

  cert_pem = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)

  return (key_pem, cert_pem)

def GenerateSelfSignedSslCert(filename, validity=(5 * 365)):

  """Legacy function to generate self-signed X509 certificate.

  """

  (key_pem, cert_pem) = GenerateSelfSignedX509Cert(None,

                                                   validity * 24 * 60 * 60)

  WriteFile(filename, mode=0400, data=key_pem + cert_pem)

import OpenSSL

class TestGenerateSelfSignedX509Cert(unittest.TestCase):

  def _checkRsaPrivateKey(self, key):

    return ("-----BEGIN RSA PRIVATE KEY-----" in lines and

            "-----END RSA PRIVATE KEY-----" in lines)

  def _checkCertificate(self, cert):

    return ("-----BEGIN CERTIFICATE-----" in lines and

            "-----END CERTIFICATE-----" in lines)

  def test(self):

    for common_name in [None, ".", "Ganeti", "node1.example.com"]:

      (key_pem, cert_pem) = utils.GenerateSelfSignedX509Cert(common_name, 300)

      self._checkRsaPrivateKey(key_pem)

      self._checkCertificate(cert_pem)

      key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM,

                                           key_pem)

      self.assert_(key.bits() >= 1024)

      self.assertEqual(key.bits(), constants.RSA_KEY_BITS)

      self.assertEqual(key.type(), OpenSSL.crypto.TYPE_RSA)

      x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,

                                             cert_pem)

      self.failIf(x509.has_expired())

      self.assertEqual(x509.get_issuer().CN, common_name)

      self.assertEqual(x509.get_subject().CN, common_name)

      self.assertEqual(x509.get_pubkey().bits(), constants.RSA_KEY_BITS)

  def testLegacy(self):

    self.assert_(self._checkRsaPrivateKey(cert1))

    self.assert_(self._checkCertificate(cert1))