From f2e2a0de2e67b212ee3c724d1dc732d894ec6dc7 Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Tue, 28 Apr 2015 23:55:08 -0400 Subject: [PATCH 01/12] make certgen.py and mk_cer... example scripts python3-able --- examples/certgen.py | 6 ++++-- examples/mk_simple_certs.py | 12 ++++++++---- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/examples/certgen.py b/examples/certgen.py index f1572357d..d14823e1f 100644 --- a/examples/certgen.py +++ b/examples/certgen.py @@ -45,14 +45,14 @@ def createCertRequest(pkey, digest="md5", **name): req = crypto.X509Req() subj = req.get_subject() - for (key,value) in name.items(): + for (key,value) in list(name.items()): setattr(subj, key, value) req.set_pubkey(pkey) req.sign(pkey, digest) return req -def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter), digest="md5"): +def createCertificate(req, issuerCertKey, serial, validityPeriod, digest="md5"): """ Generate a certificate given a certificate request. @@ -67,6 +67,8 @@ def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter digest - Digest method to use for signing, default is md5 Returns: The signed certificate in an X509 object """ + (issuerCert, issuerKey) = issuerCertKey + (notBefore, notAfter) = validityPeriod cert = crypto.X509() cert.set_serial_number(serial) cert.gmtime_adj_notBefore(notBefore) diff --git a/examples/mk_simple_certs.py b/examples/mk_simple_certs.py index 9dfdd2ed5..a451f9512 100644 --- a/examples/mk_simple_certs.py +++ b/examples/mk_simple_certs.py 
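Review bot: The docstring of createCertificate in the second hunk still documents the old parameters: the signature now takes `issuerCertKey` and `validityPeriod`, yet the Arguments section (visible as context in the later md5->sha256 docstring patch of this series) still lists `notBefore`/`notAfter` as if they were parameters, and presumably `issuerCert`/`issuerKey` as well. Add entries such as `issuerCertKey - Tuple (issuerCert, issuerKey): the issuing certificate and its private key` and `validityPeriod - Tuple (notBefore, notAfter): timestamps relative to now`, nesting the existing per-field descriptions under them. In the first hunk the `list(...)` wrapper around `name.items()` is unnecessary, since the loop only reads the mapping; the body of createCertificate continues past the end of the second hunk.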
@@ -7,11 +7,15 @@ cakey = createKeyPair(TYPE_RSA, 1024) careq = createCertRequest(cakey, CN='Certificate Authority') cacert = createCertificate(careq, (careq, cakey), 0, (0, 60*60*24*365*5)) # five years -open('simple/CA.pkey', 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, cakey)) -open('simple/CA.cert', 'w').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert)) +open('simple/CA.pkey', 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, cakey).decode('utf-8') +) +open('simple/CA.cert', 'w').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert).decode('utf-8') +) for (fname, cname) in [('client', 'Simple Client'), ('server', 'Simple Server')]: pkey = createKeyPair(TYPE_RSA, 1024) req = createCertRequest(pkey, CN=cname) cert = createCertificate(req, (cacert, cakey), 1, (0, 60*60*24*365*5)) # five years - open('simple/%s.pkey' % (fname,), 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)) - open('simple/%s.cert' % (fname,), 'w').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) + open('simple/%s.pkey' % (fname,), 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey).decode('utf-8') +) + open('simple/%s.cert' % (fname,), 'w').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8') +) From 0d4ec3eca43db8b1411f387317dd8db60baa311f Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Tue, 28 Apr 2015 23:56:19 -0400 Subject: [PATCH 02/12] Change md5->sha256 in certgen.py --- examples/certgen.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/certgen.py b/examples/certgen.py index d14823e1f..89c7ca408 100644 --- a/examples/certgen.py +++ b/examples/certgen.py @@ -25,7 +25,7 @@ def createKeyPair(type, bits): pkey.generate_key(type, bits) return pkey -def createCertRequest(pkey, digest="md5", **name): +def createCertRequest(pkey, digest="sha256", **name): """ Create a certificate request. 
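Review bot: The private-key files are created with `open('simple/CA.pkey', 'w')` and `open('simple/%s.pkey' % (fname,), 'w')`, so they receive the process's default umask permissions, which under the common 022 umask leaves the PEM keys readable by every local user; the same applies to the context-manager rewrite of these lines in the later "convert cert and private key creation to use context managers" patch. Creating the key files with a restrictive mode, e.g. `with open(os.open('simple/CA.pkey', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as capkey:` (with `import os`), closes that gap, while the certificate files can stay as they are. Since `dump_privatekey` and `dump_certificate` return bytes, opening the files in `'wb'` mode and dropping the `.decode('utf-8')` calls would also remove the dangling `)` lines this hunk introduces. Unrelated to the port but visible in the context lines, both leaf certificates are issued with serial `1` under the same CA, so serial numbers are not unique per issuer as X.509 requires.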
@@ -52,7 +52,7 @@ def createCertRequest(pkey, digest="md5", **name): req.sign(pkey, digest) return req -def createCertificate(req, issuerCertKey, serial, validityPeriod, digest="md5"): +def createCertificate(req, issuerCertKey, serial, validityPeriod, digest="sha256"): """ Generate a certificate given a certificate request. From 71ad368c4f77ae19e9bc718cc3f60162faeebe29 Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Wed, 29 Apr 2015 00:09:14 -0400 Subject: [PATCH 03/12] update examples/simple/client.py and server.py to work with Python3 --- examples/simple/client.py | 6 +++--- examples/simple/server.py | 24 ++++++++++++------------ 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/examples/simple/client.py b/examples/simple/client.py index 0247c676e..c051bf4a4 100644 --- a/examples/simple/client.py +++ b/examples/simple/client.py @@ -13,11 +13,11 @@ def verify_cb(conn, cert, errnum, depth, ok): # This obviously has to be updated - print 'Got certificate: %s' % cert.get_subject() + print('Got certificate: %s' % cert.get_subject()) return ok if len(sys.argv) < 3: - print 'Usage: python[2] client.py HOST PORT' + print('Usage: python[2] client.py HOST PORT') sys.exit(1) dir = os.path.dirname(sys.argv[0]) @@ -44,7 +44,7 @@ def verify_cb(conn, cert, errnum, depth, ok): sys.stdout.write(sock.recv(1024)) sys.stdout.flush() except SSL.Error: - print 'Connection died unexpectedly' + print('Connection died unexpectedly') break diff --git a/examples/simple/server.py b/examples/simple/server.py index 37e36ddfc..539e773d0 100644 --- a/examples/simple/server.py +++ b/examples/simple/server.py @@ -14,11 +14,11 @@ def verify_cb(conn, cert, errnum, depth, ok): # This obviously has to be updated - print 'Got certificate: %s' % cert.get_subject() + print('Got certificate: %s' % cert.get_subject()) return ok if len(sys.argv) < 2: - print 'Usage: python[2] server.py PORT' + print('Usage: python[2] server.py PORT') sys.exit(1) dir = os.path.dirname(sys.argv[0]) 
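Review bot: The client.py port is incomplete for the bytes/str split on Python 3: `sys.stdout.write(sock.recv(1024))` in the second hunk hands bytes to a text stream, and `sock.send(line)` just above it sends whatever `line` holds, which is str if it comes from stdin (its origin lies outside the hunk). The server.py hunks of this patch have the matching problem, where `writers[cli] = ''` in the `@@ -74,10` hunk is concatenated with the bytes returned by `cli.recv(1024)`. A later patch in the series decodes the received data instead; keeping the data as bytes end to end (`b''` for the buffer, `line.encode('utf-8')` before send, `sys.stdout.buffer.write(...)` on output) is the smaller and safer change for an echo example.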
@@ -44,12 +44,12 @@ def verify_cb(conn, cert, errnum, depth, ok): def dropClient(cli, errors=None): if errors: - print 'Client %s left unexpectedly:' % (clients[cli],) - print ' ', errors + print('Client %s left unexpectedly:' % (clients[cli],)) + print(' ', errors) else: - print 'Client %s left politely' % (clients[cli],) + print('Client %s left politely' % (clients[cli],)) del clients[cli] - if writers.has_key(cli): + if cli in writers: del writers[cli] if not errors: cli.shutdown() @@ -57,14 +57,14 @@ def dropClient(cli, errors=None): while 1: try: - r,w,_ = select.select([server]+clients.keys(), writers.keys(), []) + r,w,_ = select.select([server]+list(clients.keys()), list(writers.keys()), []) except: break for cli in r: if cli == server: cli,addr = server.accept() - print 'Connection from %s' % (addr,) + print('Connection from %s' % (addr,)) clients[cli] = addr else: @@ -74,10 +74,10 @@ def dropClient(cli, errors=None): pass except SSL.ZeroReturnError: dropClient(cli) - except SSL.Error, errors: + except SSL.Error as errors: dropClient(cli, errors) else: - if not writers.has_key(cli): + if cli not in writers: writers[cli] = '' writers[cli] = writers[cli] + ret @@ -88,13 +88,13 @@ def dropClient(cli, errors=None): pass except SSL.ZeroReturnError: dropClient(cli) - except SSL.Error, errors: + except SSL.Error as errors: dropClient(cli, errors) else: writers[cli] = writers[cli][ret:] if writers[cli] == '': del writers[cli] -for cli in clients.keys(): +for cli in list(clients.keys()): cli.close() server.close() From 8a4a7ae68ac54d80ae36fa799010239791ffd934 Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Wed, 29 Apr 2015 01:17:33 -0400 Subject: [PATCH 04/12] no longer requires running with 'python2' --- examples/simple/client.py | 2 +- examples/simple/server.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/simple/client.py b/examples/simple/client.py index c051bf4a4..aa591ca7a 100644 --- a/examples/simple/client.py 
+++ b/examples/simple/client.py @@ -17,7 +17,7 @@ def verify_cb(conn, cert, errnum, depth, ok): return ok if len(sys.argv) < 3: - print('Usage: python[2] client.py HOST PORT') + print('Usage: python client.py HOST PORT') sys.exit(1) dir = os.path.dirname(sys.argv[0]) diff --git a/examples/simple/server.py b/examples/simple/server.py index 539e773d0..22e1b72bd 100644 --- a/examples/simple/server.py +++ b/examples/simple/server.py @@ -18,7 +18,7 @@ def verify_cb(conn, cert, errnum, depth, ok): return ok if len(sys.argv) < 2: - print('Usage: python[2] server.py PORT') + print('Usage: python server.py PORT') sys.exit(1) dir = os.path.dirname(sys.argv[0]) From a6d16be2c4cae7dfabedbe9c7782795713228b17 Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Wed, 29 Apr 2015 01:35:50 -0400 Subject: [PATCH 05/12] md5->sha256 in usage details --- examples/certgen.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/certgen.py b/examples/certgen.py index 89c7ca408..c88ed38c2 100644 --- a/examples/certgen.py +++ b/examples/certgen.py @@ -30,7 +30,7 @@ def createCertRequest(pkey, digest="sha256", **name): Create a certificate request. Arguments: pkey - The key to associate with the request - digest - Digestion method to use for signing, default is md5 + digest - Digestion method to use for signing, default is sha256 **name - The name of the subject of the request, possible arguments are: C - Country name @@ -64,7 +64,7 @@ def createCertificate(req, issuerCertKey, serial, validityPeriod, digest="sha256 starts being valid notAfter - Timestamp (relative to now) when the certificate stops being valid - digest - Digest method to use for signing, default is md5 + digest - Digest method to use for signing, default is sha256 Returns: The signed certificate in an X509 object """ (issuerCert, issuerKey) = issuerCertKey From 473fe6ac0453c5f2f8ade81a8af8b670238c9b86 Mon Sep 17 00:00:00 2001 
From: Jim Shaver Date: Wed, 29 Apr 2015 09:42:39 -0400 Subject: [PATCH 06/12] removed unnecessary brackets and lists --- examples/certgen.py | 6 +++--- examples/simple/server.py | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/certgen.py b/examples/certgen.py index c88ed38c2..bf11c6e99 100644 --- a/examples/certgen.py +++ b/examples/certgen.py @@ -45,7 +45,7 @@ def createCertRequest(pkey, digest="sha256", **name): req = crypto.X509Req() subj = req.get_subject() - for (key,value) in list(name.items()): + for key,value in name.items(): setattr(subj, key, value) req.set_pubkey(pkey) @@ -67,8 +67,8 @@ def createCertificate(req, issuerCertKey, serial, validityPeriod, digest="sha256 digest - Digest method to use for signing, default is sha256 Returns: The signed certificate in an X509 object """ - (issuerCert, issuerKey) = issuerCertKey - (notBefore, notAfter) = validityPeriod + issuerCert, issuerKey = issuerCertKey + notBefore, notAfter = validityPeriod cert = crypto.X509() cert.set_serial_number(serial) cert.gmtime_adj_notBefore(notBefore) diff --git a/examples/simple/server.py b/examples/simple/server.py index 22e1b72bd..30a3cea92 100644 --- a/examples/simple/server.py +++ b/examples/simple/server.py @@ -95,6 +95,6 @@ def dropClient(cli, errors=None): if writers[cli] == '': del writers[cli] -for cli in list(clients.keys()): +for cli in clients.keys(): cli.close() server.close() From aab9dddb60efaeb2c6cc6f20a7e9bda4a393721a Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Wed, 29 Apr 2015 23:11:48 -0400 Subject: [PATCH 07/12] convert cert and private key creation to use context managers --- examples/mk_simple_certs.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/examples/mk_simple_certs.py b/examples/mk_simple_certs.py index 7a24a4ffa..84429f48f 100644 --- a/examples/mk_simple_certs.py +++ b/examples/mk_simple_certs.py 
@@ -9,9 +9,11 @@ cacert = createCertificate(careq, (careq, cakey), 0, (0, 60*60*24*365*5)) # five years print('Creating Certificate Authority private key in "simple/CA.pkey"') -open('simple/CA.pkey', 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, cakey).decode('utf-8')) +with open('simple/CA.pkey', 'w') as capkey: + capkey.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, cakey).decode('utf-8')) print('Creating Certificate Authority certificate in "simple/CA.cert"') -open('simple/CA.cert', 'w').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert).decode('utf-8')) +with open('simple/CA.cert', 'w') as ca: + ca.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert).decode('utf-8')) for (fname, cname) in [('client', 'Simple Client'), ('server', 'Simple Server')]: pkey = createKeyPair(TYPE_RSA, 2048) @@ -19,6 +21,9 @@ cert = createCertificate(req, (cacert, cakey), 1, (0, 60*60*24*365*5)) # five years print('Creating Certificate %s private key in "simple/%s.pkey"' % (fname, fname)) - open('simple/%s.pkey' % (fname,), 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey).decode('utf-8')) + with open('simple/%s.pkey' % (fname,), 'w') as leafpkey: + leafpkey.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey).decode('utf-8')) print('Creating Certificate %s certificate in "simple/%s.cert"' % (fname, fname)) - open('simple/%s.cert' % (fname,), 'w').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8')) + with open('simple/%s.cert' % (fname,), 'w') as leafcert: + leafcert.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8')) + From 4852ef49298dbb4c477b61f2940f497ab34adbe9 Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Wed, 29 Apr 2015 23:15:42 -0400 Subject: [PATCH 08/12] remove last of lists --- examples/simple/server.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/simple/server.py b/examples/simple/server.py index 30a3cea92..97e18a7a0 100644 --- a/examples/simple/server.py 
+++ b/examples/simple/server.py @@ -57,7 +57,7 @@ def dropClient(cli, errors=None): while 1: try: - r,w,_ = select.select([server]+list(clients.keys()), list(writers.keys()), []) + r, w, _ = select.select([server]+clients.keys(), writers.keys(), []) except: break From b2ff5bedccc666469d6456509cd6936e32b3b773 Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Thu, 30 Apr 2015 08:26:29 -0400 Subject: [PATCH 09/12] switched to identifying certificate by CN instead of ugly suject. Minor cleanup --- examples/simple/client.py | 8 +++++--- examples/simple/server.py | 10 ++++++---- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/examples/simple/client.py b/examples/simple/client.py index aa591ca7a..a9a0effec 100644 --- a/examples/simple/client.py +++ b/examples/simple/client.py @@ -8,12 +8,14 @@ Simple SSL client, using blocking I/O """ -from OpenSSL import SSL +from OpenSSL import SSL, crypto import sys, os, select, socket def verify_cb(conn, cert, errnum, depth, ok): # This obviously has to be updated - print('Got certificate: %s' % cert.get_subject()) + certsubject = crypto.X509Name(cert.get_subject()) + commonname = certsubject.commonName + print('Got certificate: ' + commonname) return ok if len(sys.argv) < 3: @@ -41,7 +43,7 @@ def verify_cb(conn, cert, errnum, depth, ok): break try: sock.send(line) - sys.stdout.write(sock.recv(1024)) + sys.stdout.write(sock.recv(1024).decode('utf-8')) sys.stdout.flush() except SSL.Error: print('Connection died unexpectedly') diff --git a/examples/simple/server.py b/examples/simple/server.py index 97e18a7a0..f07cfc209 100644 --- a/examples/simple/server.py +++ b/examples/simple/server.py 
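Review bot: `[server] + clients.keys()` raises TypeError on Python 3, because `dict_keys` does not support `+` with a list, so this patch breaks the server at its first `select` call; the bare `except:` directly below then swallows the error and leaves the loop silently. The `list(...)` wrappers removed here were the necessary ones, as the next patch in the series restores. Keep `list(clients.keys())` / `list(writers.keys())`, or write `[server] + list(clients)`.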
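Review bot: `certsubject.commonName` is None for a certificate whose subject carries no CN, and `'Got certificate: ' + commonname` then raises TypeError inside the verify callback; `print('Got certificate: %s' % commonname)` keeps the callback from failing on such a certificate. `crypto.X509Name(cert.get_subject())` copies an object that is already an X509Name, so the wrapper can be dropped and `cert.get_subject().CN` used directly. `sock.recv(1024).decode('utf-8')` decodes each 1024-byte chunk on its own, so a multi-byte character split across two reads raises UnicodeDecodeError; decoding with `errors='replace'` or writing the bytes to `sys.stdout.buffer` avoids that. The same subject handling and per-chunk decoding appear in the server.py hunks of this patch.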
@@ -8,13 +8,15 @@ Simple echo server, using nonblocking I/O """ -from OpenSSL import SSL +from OpenSSL import SSL, crypto import sys, os, select, socket def verify_cb(conn, cert, errnum, depth, ok): # This obviously has to be updated - print('Got certificate: %s' % cert.get_subject()) + certsubject = crypto.X509Name(cert.get_subject()) + commonname = certsubject.commonName + print(('Got certificate: ' + commonname)) return ok if len(sys.argv) < 2: @@ -57,7 +59,7 @@ def dropClient(cli, errors=None): while 1: try: - r, w, _ = select.select([server]+clients.keys(), writers.keys(), []) + r, w, _ = select.select([server] + list(clients.keys()), list(writers.keys()), []) except: break @@ -69,7 +71,7 @@ def dropClient(cli, errors=None): else: try: - ret = cli.recv(1024) + ret = cli.recv(1024).decode('utf-8') except (SSL.WantReadError, SSL.WantWriteError, SSL.WantX509LookupError): pass except SSL.ZeroReturnError: From 90a3117a251ab1ee22c8997d0f06c71281533c4e Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Thu, 30 Apr 2015 08:32:49 -0400 Subject: [PATCH 10/12] fix spacing in certgen.py --- examples/certgen.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/certgen.py b/examples/certgen.py index bf11c6e99..53c19b1c1 100644 --- a/examples/certgen.py +++ b/examples/certgen.py @@ -45,7 +45,7 @@ def createCertRequest(pkey, digest="sha256", **name): req = crypto.X509Req() subj = req.get_subject() - for key,value in name.items(): + for key, value in name.items(): setattr(subj, key, value) req.set_pubkey(pkey) From 677402f29a3d64cc0f2a7697378ad4a2b9f4ab43 Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Sun, 3 May 2015 09:27:15 -0400 Subject: [PATCH 11/12] Remove vestigial comments. --- examples/mk_simple_certs.py | 1 - examples/simple/client.py | 1 - examples/simple/server.py | 1 - 3 files changed, 3 deletions(-) diff --git a/examples/mk_simple_certs.py b/examples/mk_simple_certs.py index 84429f48f..7129f1349 100644 --- a/examples/mk_simple_certs.py 
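Review bot: `ret = cli.recv(1024).decode('utf-8')` turns `writers[cli]` into a str, but that buffer is later passed to `cli.send` (outside the hunk), which on Python 3 presumably expects bytes just as `recv` returned them, so the echo path still needs another conversion; an echo server has no reason to decode at all, so initialise `writers[cli] = b''` and keep `ret` as bytes. Decoding per chunk also raises UnicodeDecodeError whenever a multi-byte character straddles a 1024-byte read. The doubled parentheses in `print(('Got certificate: ' + commonname))` are a 2to3 artefact and can be reduced to one pair.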
+++ b/examples/mk_simple_certs.py @@ -19,7 +19,6 @@ pkey = createKeyPair(TYPE_RSA, 2048) req = createCertRequest(pkey, CN=cname) cert = createCertificate(req, (cacert, cakey), 1, (0, 60*60*24*365*5)) # five years - print('Creating Certificate %s private key in "simple/%s.pkey"' % (fname, fname)) with open('simple/%s.pkey' % (fname,), 'w') as leafpkey: leafpkey.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey).decode('utf-8')) diff --git a/examples/simple/client.py b/examples/simple/client.py index a9a0effec..36c37cd54 100644 --- a/examples/simple/client.py +++ b/examples/simple/client.py @@ -12,7 +12,6 @@ import sys, os, select, socket def verify_cb(conn, cert, errnum, depth, ok): - # This obviously has to be updated certsubject = crypto.X509Name(cert.get_subject()) commonname = certsubject.commonName print('Got certificate: ' + commonname) diff --git a/examples/simple/server.py b/examples/simple/server.py index f07cfc209..df7c5a4e3 100644 --- a/examples/simple/server.py +++ b/examples/simple/server.py @@ -13,7 +13,6 @@ def verify_cb(conn, cert, errnum, depth, ok): - # This obviously has to be updated certsubject = crypto.X509Name(cert.get_subject()) commonname = certsubject.commonName print(('Got certificate: ' + commonname)) From 75feb89552309fcd3fd5a2a965165b185934b621 Mon Sep 17 00:00:00 2001 From: Jim Shaver Date: Wed, 6 May 2015 09:38:31 -0400 Subject: [PATCH 12/12] add keys and certs made by mk_simple_certs.py to .gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 288f2add3..7b183797f 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,5 @@ __pycache__ doc/_build/ .coverage .eggs +examples/simple/*.cert +examples/simple/*.pkey