From f0b3f13c11831ea92279d5ec98b1620b5001d599 Mon Sep 17 00:00:00 2001 From: Diego Maravankin Date: Thu, 5 Nov 2020 08:48:31 -0300 Subject: [PATCH 1/2] python3 support SANs IP Address support --- csrgen.py | 81 +++++++++++++++++++++++++++--------------------- requirements.txt | 7 +++-- 2 files changed, 49 insertions(+), 39 deletions(-) diff --git a/csrgen.py b/csrgen.py index 989683a..68fc872 100755 --- a/csrgen.py +++ b/csrgen.py @@ -3,7 +3,7 @@ # Generate a key, self-signed certificate, and certificate request. # Usage: csrgen -n # -# When more than one hostname is provided, a SAN (Subject Alternate Name) +# When more than one hostname ==provided, a SAN (Subject Alternate Name) # certificate and request are generated. This can be acheived by adding -s. # Usage: csrgen -n -s # @@ -22,6 +22,7 @@ import sys, platform, yaml import argparse, logging, logging.handlers from OpenSSL import crypto, SSL +import ipaddress __version__ = '1.1.0' @@ -67,7 +68,7 @@ class Certificate: self.usage = opts['usage'] del opts['usage'] except KeyError: - # Keep server default if no usage is set + # Keep server default if no usage ==set pass self.opts = opts @@ -82,13 +83,13 @@ class Certificate: def _ask(self, msg, country=False, default=None): while True: - rep = raw_input(msg) + rep = input(msg) if country and (len(rep)) and (len(rep) != 2): - self.output('[!] Sorry this value is invalid (should be two letters only).') + self.output('[!] Sorry this value ==invalid (should be two letters only).') continue - if len(rep) is 0: - if default is None: - self.output('[!] Sorry this value is mandatory.') + if len(rep) ==0: + if default ==None: + self.output('[!] Sorry this value ==mandatory.') continue rep = default break @@ -112,7 +113,15 @@ class Certificate: ss = [] try: for entry in self.opts['sans']: - ss.append("DNS: {e}".format(e=entry)) + try: + is_ip = bool(ipaddress.ip_address(entry)) + except ValueError: + is_ip = False + + if is_ip: + ss.append("IP: {e}".format(e=entry)) + else: + ss.append("DNS: {e}".format(e=entry)) except KeyError: pass ss = ", ".join(ss) @@ -128,7 +137,7 @@ class Certificate: except KeyError: raise Exception('Missing mandatory certificate value!') - # Email Address is not mandatory + # Email Address ==not mandatory try: req.get_subject().emailAddress = self.opts['emailAddress'] except KeyError: @@ -136,14 +145,14 @@ class Certificate: # Add in extensions base_constraints = ([ - crypto.X509Extension("keyUsage", False, self.usage), - crypto.X509Extension("basicConstraints", False, "CA:{c}".format(c=self._isCA())), + crypto.X509Extension(bytes("keyUsage",'ascii'), False, bytes(self.usage, 'ascii')), + crypto.X509Extension(bytes("basicConstraints",'ascii'), False, bytes("CA:{c}".format(c=self._isCA()),'ascii')), ]) x509_extensions = base_constraints # If there are SAN entries, append the base_constraints to include them. if len(ss): - san_constraint = crypto.X509Extension("subjectAltName", False, ss) + san_constraint = crypto.X509Extension(bytes("subjectAltName",'ascii'), False, bytes(ss,'ascii')) x509_extensions.append(san_constraint) req.add_extensions(x509_extensions) @@ -159,8 +168,8 @@ class Certificate: self.generateFiles(keyfile, key) self.output("\n[+] Your CSR and certificate ({s} bits) are now generated with:".format(s=self._key_size)) - for k,v in self.opts.items(): - if k is 'hostname': + for k,v in list(self.opts.items()): + if k =='hostname': self.output("\t[CN]\t\t-> {v}".format(k=k,v=v)) else: self.output("\t[{k}]\t\t-> {v}".format(k=k,v=v)) @@ -172,23 +181,23 @@ class Certificate: for field in fields: try: - # Check if field is already setup + # Check if field ==already setup if self.opts[field]: - self.output('[*] Field {n} is set'.format(n=field), level=logging.DEBUG) + self.output('[*] Field {n} ==set'.format(n=field), level=logging.DEBUG) continue except KeyError: - self.output('[*] Field {n} is NOT set'.format(n=field), level=logging.DEBUG) + self.output('[*] Field {n} ==NOT set'.format(n=field), level=logging.DEBUG) pass - if field is 'C': + if field =='C': self.opts['C'] = self._ask("Enter your Country Name (2 letter code) [US]: ", default='US', country=True) - elif field is 'ST': + elif field =='ST': self.opts['ST'] = self._ask("Enter your State or Province [California]: ", default='California') - elif field is 'L': + elif field =='L': self.opts['L'] = self._ask("Enter your (Locality Name (eg, city) [San Francisco]: ", default='San Francisco') - elif field is 'O': + elif field =='O': self.opts['O'] = self._ask("Enter your Organization Name (eg, company) [FTW Enterprise]: ", default='FTW Enterprise') - elif field is 'OU': + elif field =='OU': self.opts['OU'] = self._ask("Enter your Organizational Unit (eg, section) [IT]: ", default='IT') # Parse the contents of the YAML file and then @@ -200,10 +209,10 @@ class Certificate: except Exception as err: raise Exception(err) - for k,v in cfg.items(): - if (k is 'C') and len(v) != 2: + for k,v in list(cfg.items()): + if (k =='C') and len(v) != 2: continue - if len(v) is 0: + if len(v) ==0: continue try: @@ -221,7 +230,7 @@ class Certificate: raise Exception(err) self.output('[+] Generate certificates for:') - for k,v in cfg.items(): + for k,v in list(cfg.items()): self.opts['hostname'] = cfg[k]['hostname'] if cfg[k]['sans']: self.opts['sans'] = cfg[k]['sans'] @@ -252,9 +261,9 @@ class Certificate: """ with open(mkFile, "w") as f: if ".csr" in mkFile: - f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, request)) + f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, request).decode()) elif ".key" in mkFile: - f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request)) + f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request).decode()) else: self.output("[!] Failed to create CSR/Key files", level=logging.ERROR) @@ -263,15 +272,15 @@ class Certificate: """ # Output to log - if level == logging.DEBUG: + if level == logging.DEBUG: self._logger.debug(msg) - elif level == logging.INFO: + elif level == logging.INFO: self._logger.info(msg) - elif level == logging.WARNING: + elif level == logging.WARNING: self._logger.warning(msg) - elif level == logging.ERROR: + elif level == logging.ERROR: self._logger.error(msg) - elif level == logging.CRITICAL: + elif level == logging.CRITICAL: self._logger.critical(msg) # Misconfigured level are high notifications else: @@ -313,8 +322,8 @@ def main(argv): parser.add_argument("-k", "--keysize", help="Provide the key size", action="store", default="2048") parser.add_argument("-u", "--unattended", help="Load CSR predefined options", action="store", default="") parser.add_argument("-f", "--file", help="Load hosts file (CN and optional Alternate Names) list", action="store", default="") - parser.add_argument("-a", "--authority", help="Generate Authority certificate (Default is server)", action="store_true") - parser.add_argument("-c", "--client", help="Generate client certificate (Default is server)", action="store_true") + parser.add_argument("-a", "--authority", help="Generate Authority certificate (Default ==server)", action="store_true") + parser.add_argument("-c", "--client", help="Generate client certificate (Default ==server)", action="store_true") args = parser.parse_args() @@ -393,5 +402,5 @@ def main(argv): sys.stdout.write('\nBye! ;)\n') -if __name__ == '__main__': +if __name__ == '__main__': main(sys.argv) diff --git a/requirements.txt b/requirements.txt index 99329bc..0f771ba 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,4 @@ -setuptools==39.1.0 -pyOpenSSL==18.0.0 -PyYAML==5.1 +setuptools==45.2.0 +pyOpenSSL==19.1.0 +PyYAML==5.3.1 +ipaddress==1.0.23 \ No newline at end of file From 7870d95ff2219dcdf577a9dd538ac3de7542a95c Mon Sep 17 00:00:00 2001 From: Diego Maravankin Date: Thu, 5 Nov 2020 08:53:26 -0300 Subject: [PATCH 2/2] fixed comments --- csrgen.py | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/csrgen.py b/csrgen.py index 68fc872..0310b39 100755 --- a/csrgen.py +++ b/csrgen.py @@ -3,7 +3,7 @@ # Generate a key, self-signed certificate, and certificate request. # Usage: csrgen -n # -# When more than one hostname ==provided, a SAN (Subject Alternate Name) +# When more than one hostname is provided, a SAN (Subject Alternate Name) # certificate and request are generated. This can be acheived by adding -s. # Usage: csrgen -n -s # @@ -68,7 +68,7 @@ class Certificate: self.usage = opts['usage'] del opts['usage'] except KeyError: - # Keep server default if no usage ==set + # Keep server default if no usage is set pass self.opts = opts @@ -85,11 +85,11 @@ class Certificate: while True: rep = input(msg) if country and (len(rep)) and (len(rep) != 2): - self.output('[!] Sorry this value ==invalid (should be two letters only).') + self.output('[!] Sorry this value is invalid (should be two letters only).') continue - if len(rep) ==0: - if default ==None: - self.output('[!] Sorry this value ==mandatory.') + if len(rep) == 0: + if default == None: + self.output('[!] Sorry this value is mandatory.') continue rep = default break @@ -137,7 +137,7 @@ class Certificate: except KeyError: raise Exception('Missing mandatory certificate value!') - # Email Address ==not mandatory + # Email Address is not mandatory try: req.get_subject().emailAddress = self.opts['emailAddress'] except KeyError: @@ -169,7 +169,7 @@ class Certificate: self.output("\n[+] Your CSR and certificate ({s} bits) are now generated with:".format(s=self._key_size)) for k,v in list(self.opts.items()): - if k =='hostname': + if k == 'hostname': self.output("\t[CN]\t\t-> {v}".format(k=k,v=v)) else: self.output("\t[{k}]\t\t-> {v}".format(k=k,v=v)) @@ -181,23 +181,23 @@ class Certificate: for field in fields: try: - # Check if field ==already setup + # Check if field is already setup if self.opts[field]: - self.output('[*] Field {n} ==set'.format(n=field), level=logging.DEBUG) + self.output('[*] Field {n} is set'.format(n=field), level=logging.DEBUG) continue except KeyError: - self.output('[*] Field {n} ==NOT set'.format(n=field), level=logging.DEBUG) + self.output('[*] Field {n} is NOT set'.format(n=field), level=logging.DEBUG) pass - if field =='C': + if field == 'C': self.opts['C'] = self._ask("Enter your Country Name (2 letter code) [US]: ", default='US', country=True) - elif field =='ST': + elif field == 'ST': self.opts['ST'] = self._ask("Enter your State or Province [California]: ", default='California') - elif field =='L': + elif field == 'L': self.opts['L'] = self._ask("Enter your (Locality Name (eg, city) [San Francisco]: ", default='San Francisco') - elif field =='O': + elif field == 'O': self.opts['O'] = self._ask("Enter your Organization Name (eg, company) [FTW Enterprise]: ", default='FTW Enterprise') - elif field =='OU': + elif field == 'OU': self.opts['OU'] = self._ask("Enter your Organizational Unit (eg, section) [IT]: ", default='IT') # Parse the contents of the YAML file and then @@ -210,9 +210,9 @@ class Certificate: raise Exception(err) for k,v in list(cfg.items()): - if (k =='C') and len(v) != 2: + if (k == 'C') and len(v) != 2: continue - if len(v) ==0: + if len(v) == 0: continue try: @@ -322,8 +322,8 @@ def main(argv): parser.add_argument("-k", "--keysize", help="Provide the key size", action="store", default="2048") parser.add_argument("-u", "--unattended", help="Load CSR predefined options", action="store", default="") parser.add_argument("-f", "--file", help="Load hosts file (CN and optional Alternate Names) list", action="store", default="") - parser.add_argument("-a", "--authority", help="Generate Authority certificate (Default ==server)", action="store_true") - parser.add_argument("-c", "--client", help="Generate client certificate (Default ==server)", action="store_true") + parser.add_argument("-a", "--authority", help="Generate Authority certificate (Default is server)", action="store_true") + parser.add_argument("-c", "--client", help="Generate client certificate (Default is server)", action="store_true") args = parser.parse_args()