From 51c85082c6f03cabe5a492bc89ac5edbde348719 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 15 Nov 2023 16:49:37 +0100 Subject: x509: add internal ca for chaos-at-home --- roles/x509/ownca/contrib/gen-ca.py | 72 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100755 roles/x509/ownca/contrib/gen-ca.py (limited to 'roles/x509/ownca/contrib/gen-ca.py') diff --git a/roles/x509/ownca/contrib/gen-ca.py b/roles/x509/ownca/contrib/gen-ca.py new file mode 100755 index 00000000..f5bc1fe7 --- /dev/null +++ b/roles/x509/ownca/contrib/gen-ca.py @@ -0,0 +1,72 @@ +#!/usr/bin/env python3 + +from cryptography import x509 +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives.asymmetric import rsa +from cryptography.x509.oid import NameOID +import datetime +import argparse + +parser = argparse.ArgumentParser("spreadspace ansible CA-generator") +parser.add_argument("-n", "--varaiable-name", dest='varname', help="ansible variable name to be used", type=str, required=True) +parser.add_argument("-CN", "--common-name", dest='CN', help="Common Name field of the CA's subject", type=str, required=True) +parser.add_argument("-O", "--organization-name", dest='O', help="Organization Name field of the CA's subject", type=str) +parser.add_argument("-OU", "--organizational-unit", dest='OU', help="Organizational Unit field of the CA's subject", type=str) +parser.add_argument("-C", "--country-name", dest='C', help="Country Name field of the CA's subject", type=str) +parser.add_argument("-ST", "--state-or-provice", dest='ST', help="State-or-Province field of the CA's subject", type=str) +parser.add_argument("-L", "--locality", dest='L', help="Locality Name field of the CA's subject", type=str) +args = parser.parse_args() + +subject_fields = [] +if args.CN: + subject_fields.append(x509.NameAttribute(NameOID.COMMON_NAME, args.CN)) +if args.O: + subject_fields.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, args.O)) +if args.OU: + subject_fields.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, args.OU)) +if args.C: + subject_fields.append(x509.NameAttribute(NameOID.COUNTRY_NAME, args.C)) +if args.ST: + subject_fields.append(x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, args.ST)) +if args.L: + subject_fields.append(x509.NameAttribute(NameOID.LOCALITY_NAME, args.L)) + +subject = issuer = x509.Name(subject_fields) +private_key = rsa.generate_private_key( + public_exponent=65537, + key_size=4096, +) +public_key = private_key.public_key() + +builder = x509.CertificateBuilder() +builder = builder.subject_name(subject) +builder = builder.issuer_name(issuer) +builder = builder.not_valid_before(datetime.datetime.today() - datetime.timedelta(days=1)) +builder = builder.not_valid_after(datetime.datetime.today() + datetime.timedelta(weeks=2080)) # about 20years +builder = builder.serial_number(x509.random_serial_number()) +builder = builder.public_key(public_key) +builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=1), critical=True) +certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256()) + + +private_key_pem = private_key.private_bytes(encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) +certificate_pem = certificate.public_bytes(serialization.Encoding.PEM) + + +print("## Add this to vault file") +print("") +print("vault_%s_key: |" % (args.varname)) +for line in private_key_pem.splitlines(): + print(" {}".format(line.decode('utf-8'))) + +print("") +print("") +print("") +print("") +print("## Add this to vars file") +print("") +print("%s_key: \"{{ vault_%s_key }}\"" % (args.varname, args.varname)) +print("%s_cert: |" % (args.varname)) +for line in certificate_pem.splitlines(): + print(" {}".format(line.decode('utf-8'))) -- cgit v1.2.3