This is a pre-production deployment of Warehouse, however changes made here WILL affect the production instance of PyPI.
Latest Version Dependencies status unknown Test status unknown Test coverage unknown
Project Description

Introduction

This library provides some utility classes and functions for deailing with X509 certificates. Most of the tasks performed by these classes are trivial but they require use of the M2Crypto classes which can be a pain. The problem isn’t that the M2Crypto classes are complex, it just that when doing GSI tasks i find myself repeating work in different projects.

>>> import arcs.gsi.certificate
>>> r = arcs.gsi.certificate.CertificateRequest()
>>> r.set_dn("DC=au,DC=org,DC=arcs,DC=test,O=VPAC,CN=Russell Sim")
>>> r.sign()
>>> print r.get_cert_req().as_text()
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=au, DC=org, DC=arcs, DC=test, O=VPAC, CN=Russell Sim
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        ...
<BLANKLINE>

Generating a request with a 1024 bit key for compatablity with older applications.

>>> r = arcs.gsi.certificate.CertificateRequest(dn="DC=au,DC=org,DC=arcs,DC=test,O=VPAC,CN=Russell Sim", keySize=1024)
>>> r.sign()
>>> print r
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=au, DC=org, DC=arcs, DC=test, O=VPAC, CN=Russell Sim
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        ...
<BLANKLINE>

It’s easier to access a certificate without needing to introspect M2Crypto to figure out the calls.

>>> r
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
<BLANKLINE>
>>> r = arcs.gsi.certificate.CertificateRequest(dn="DC=au,DC=org,DC=arcs,DC=test,O=VPAC,CN=Russell Sim", keySize=1024)

Extensions are passed in as a list of dictionarys.

>>> r.add_extensions([{'critical': False, 'name': 'ExtendedKeyUsage', 'value': 'clientAuth'}, {'critical': True, 'name': 'KeyUsage', 'value': 'Digital Signature, Key Encipherment'}, {'critical': False, 'name': 'CertificatePolicies', 'value': '1.3.6.1.4.1.31863.1.0.1'}, {'critical': False, 'name': 'SubjectAltName', 'value': 'email:russell@vpac.org'}])
>>> r.sign()
>>> print r
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=au, DC=org, DC=arcs, DC=test, O=VPAC, CN=Russell Sim
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.31863.1.0.1
<BLANKLINE>
            X509v3 Subject Alternative Name:
                email:russell@vpac.org
    Signature Algorithm: sha1WithRSAEncryption
    ...
<BLANKLINE>

Creating certificates

Creating a certificate, currently this can’t be done from a request because there are no methods to extract the extensions from a request.

>>> c = arcs.gsi.certificate.Certificate()
>>> c.set_dn("DC=au,DC=org,DC=arcs,DC=test,O=VPAC,CN=Russell Sim")
>>> c.add_extensions([{'critical': False, 'name': 'ExtendedKeyUsage', 'value': 'clientAuth'}, {'critical': True, 'name': 'KeyUsage', 'value': 'Digital Signature, Key Encipherment'}, {'critical': False, 'name': 'CertificatePolicies', 'value': '1.3.6.1.4.1.31863.1.0.1'}, {'critical': False, 'name': 'SubjectAltName', 'value': 'email:russell@vpac.org'}])
>>> c.set_version(2)
>>> c.set_serial_number()
>>> c.set_times()
>>> c.set_issuer_name(c.get_subject())
>>> k = arcs.gsi.key.Key()
>>> c.sign(k)

Creating a proxy certificate

>>> p = arcs.gsi.proxy.ProxyCertificate(c)
>>> p.sign()
>>> print p
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ... (0x...)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=au, DC=org, DC=arcs, DC=test, O=VPAC, CN=Russell Sim
        Validity
            Not Before: ...
            Not After : ...
        Subject: DC=au, DC=org, DC=arcs, DC=test, O=VPAC, CN=Russell Sim, CN=...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            Proxy Certificate Information: critical
                Path Length Constraint: infinite
                Policy Language: Inherit all
<BLANKLINE>
    Signature Algorithm: sha1WithRSAEncryption
        ...
<BLANKLINE>

Changelog

1.2 - Unreleased

  • Key class now accepts PEM formated keys [Russell]
  • Python 2.6 compatability, removed dependency on xpath [Russell]
  • Now using nose testing [Russell]

1.1 - (2009-10-29)

  • updated documentation, including addition of sphinx [Russell]
  • Jython hack added to support webstart [Markus]
  • Jython example code added [Markus]
  • added slcs support functions [Russell]
  • Centos ignores M2Crypto requirement [Russell]
  • New certificates now have a start time of -5min [Sam]
  • Updated proxy name generation to avoid encoding errors [Russell]

1.0 (2009-07-08)

  • Initial release
  • Certificate Classes added
  • Proxy Classes added
  • Key Classes added
Release History

Release History

1.2

This version

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

1.2dev-20091120

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

1.0

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting