Bases: object
Generate files for PKI signing using OpenSSL.
Signed tokens require a private key and a signing certificate, which must
itself be signed by a CA. This class generates these files with workable
defaults if they are not already present.
-
build_ca_cert()
-
build_private_key()
-
build_signing_cert()
-
build_ssl_config_file()
-
exec_command(command)
-
run()
-
# OpenSSL configuration template used for the generated PKI files. It carries
# %-style named placeholders: conf_dir, ca_cert, ca_private_key and ca_cert_cn
# (presumably filled in by build_ssl_config_file() -- confirm against the source).
#
# NOTE(review): the template's cryptographic defaults are weak and should not be
# relied on outside a throwaway test setup:
#   * default_md = md5 appears in both [ CA_default ] and [ req ]. MD5 is not
#     collision-resistant, so certificates signed with it give no real assurance;
#     a SHA-2 digest such as sha256 is the usual replacement.
#   * default_bits = 1024 in [ req ] is below the 2048-bit minimum commonly
#     required for RSA keys today.
#   * Current OpenSSL builds may refuse MD5-signed certificates or 1024-bit keys
#     depending on the configured security level, so verification can fail too.
# Whether the build_* methods override the digest or key size on the openssl
# command line is not visible here -- check before assuming these values apply.
# default_days = 365 means certificates issued via [ CA_default ] expire after a
# year; plan for renewal.
sslconfig = '\n# OpenSSL configuration file.\n#\n\n# Establish working directory.\n\ndir = %(conf_dir)s\n[ ca ]\ndefault_ca = CA_default\n\n[ CA_default ]\nnew_certs_dir = $dir\nserial = $dir/serial\ndatabase = $dir/index.txt\ncertificate = %(ca_cert)s\nprivate_key = %(ca_private_key)s\ndefault_days = 365\ndefault_md = md5\npreserve = no\nemail_in_dn = no\nnameopt = default_ca\ncertopt = default_ca\npolicy = policy_match\n[ policy_match ]\ncountryName = match\nstateOrProvinceName = match\norganizationName = match\norganizationalUnitName = optional\ncommonName = supplied\nemailAddress = optional\n\n[ req ]\ndefault_bits = 1024 # Size of keys\ndefault_keyfile = key.pem # name of generated keys\ndefault_md = md5 # message digest algorithm\nstring_mask = nombstr # permitted characters\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n\n[ req_distinguished_name ]\n0.organizationName = Organization Name (company)\norganizationalUnitName = Organizational Unit Name (department, division)\nemailAddress = Email Address\nemailAddress_max = 40\nlocalityName = Locality Name (city, district)\nstateOrProvinceName = State or Province Name (full name)\ncountryName = Country Name (2 letter code)\ncountryName_min = 2\ncountryName_max = 2\ncommonName = Common Name (hostname, IP, or your name)\ncommonName_max = 64\n# Default values for the above, for consistency and less typing.\n0.organizationName_default = Openstack, Inc\nlocalityName_default = Undefined\nstateOrProvinceName_default = Undefined\ncountryName_default = US\ncommonName_default = %(ca_cert_cn)s\n\n[ v3_ca ]\nbasicConstraints = CA:TRUE\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always,issuer:always\n\n[ v3_req ]\nbasicConstraints = CA:FALSE\nsubjectKeyIdentifier = hash'