From tribaal at gmail.com Tue Nov 20 17:12:25 2007
From: tribaal at gmail.com (Tribaal)
Date: Tue, 20 Nov 2007 17:12:25 +0100
Subject: [pyOpenSSL] CA signing question
Message-ID: <47430769.8020002@gmail.com>

Hi List

I'm trying to use your pyOpenSSL python wrapper to sign a .csr with a CA
certificate, however I don't understand how your code works (most
documentation seems to be written with a client-server perspective of
encrypting communication).

I could find the

> static PyObject *
> crypto_X509_sign(crypto_X509Obj *self, PyObject *args)

function (which seems to be what I'm looking for), but I do not
understand how to instantiate an X509 object - the
load_certificate(type, buffer) method seems to be relevant, but I fail
to supply it with the correct arguments...

Could you please give me a quick pointer? I'll try to gather my experience
in a python script and will send it back to you to use it as an example in
case somebody else needs to sign a certificate with a CA.

Thank you very much for your help - I really appreciate it.

- Trib'

From arnaud.desmons at free.fr Tue Nov 20 19:34:07 2007
From: arnaud.desmons at free.fr (Arnaud Desmons)
Date: Tue, 20 Nov 2007 19:34:07 +0100
Subject: [pyOpenSSL] CA signing question
In-Reply-To: <47430769.8020002@gmail.com>
References: <47430769.8020002@gmail.com>
Message-ID: <20071120183406.GA18263@sd-4748.dedibox.fr>

> I'm trying to use your pyOpenSSL python wrapper to sign a .csr with a CA
> certificate, however I don't understand how your code works (most
> documentation seems to be written with a client-server perspective of
> encrypting communication).
>
> I could find the
> > static PyObject *
> > crypto_X509_sign(crypto_X509Obj *self, PyObject *args)
> function (which seems to be what I'm looking for), but I do not
> understand how to instantiate an X509 object - the
> load_certificate(type, buffer) method seems to be relevant, but I fail
> to supply it with the correct arguments...

Hi,

Here is the code I use in vulture-pki to sign a certificate. This is a
certificate object's method (nothing to do with pyOpenSSL).

    from OpenSSL import crypto

    # Method of vulture-pki's certificate object: self.cn, self.mail, self.st,
    # self.organisation, self.country, self.id, self.date, self.valid_until and
    # self.profile (key_type, key_size, ca_cert, ca_key, digest) belong to it.
    def sign(self):
        # Build the request: subject fields plus a freshly generated key pair.
        req = crypto.X509Req()
        subj = req.get_subject()
        setattr(subj, 'CN', self.cn)
        setattr(subj, 'emailAddress', self.mail)
        setattr(subj, 'ST', self.st)
        setattr(subj, 'O', self.organisation)
        setattr(subj, 'C', self.country)
        pkey = crypto.PKey()
        pkey.generate_key(self.profile.key_type, self.profile.key_size)
        req.set_pubkey(pkey)
        # Self-sign the request with the new private key (MD5 as in the
        # original; it is an obsolete digest, SHA-2 is the norm today).
        req.sign(pkey, 'md5')
        self.pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)

        # Build the certificate from the request's subject and public key...
        x509 = crypto.X509()
        x509.set_subject(req.get_subject())
        x509.set_pubkey(req.get_pubkey())
        # ...and issue it under the CA: load the CA certificate and key (PEM).
        cacert = crypto.load_certificate(crypto.FILETYPE_PEM, self.profile.ca_cert)
        cakey = crypto.load_privatekey(crypto.FILETYPE_PEM, self.profile.ca_key)
        x509.set_issuer(cacert.get_subject())
        x509.set_serial_number(self.id)
        # Valid from now until self.valid_until (gmtime_adj_* take seconds).
        x509.gmtime_adj_notBefore(0)
        delta = self.valid_until.date() - self.date.date()
        x509.gmtime_adj_notAfter(delta.days * 60 * 60 * 24)
        # Sign with the CA's private key using the profile's digest.
        x509.sign(cakey, self.profile.digest)
        self.x509 = crypto.dump_certificate(crypto.FILETYPE_PEM, x509)

Hope it will help.

Regards,
-- 
Arnaud
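The CA-signing flow the thread describes (load the CSR, take only its subject and public key, set issuer, serial and validity, sign with the CA key), as an added example that is not part of the thread or of vulture-pki. It signs an existing CSR, which is what the question asked, and adds two checks the reply's snippet does not show: verifying the CSR's own signature before issuing, and verifying the issued certificate against the CA with X509Store. The make_demo_material() helper, the CA name and www.example.test are constructed so the module runs stand-alone with pyOpenSSL installed.

```python
from OpenSSL import crypto
PEM = crypto.FILETYPE_PEM

def sign_csr(csr_pem, ca_cert_pem, ca_key_pem, serial, valid_days, digest="sha256"):
    """Issue a cert for a PEM CSR: subject and key from the request, the rest from the CA."""
    req = crypto.load_certificate_request(PEM, csr_pem)
    # CSR self-signature check: proves the requester holds the key, rejects tampering.
    req.verify(req.get_pubkey())
    ca_cert = crypto.load_certificate(PEM, ca_cert_pem)
    ca_key = crypto.load_privatekey(PEM, ca_key_pem)
    cert = crypto.X509()
    cert.set_subject(req.get_subject())
    cert.set_pubkey(req.get_pubkey())
    cert.set_issuer(ca_cert.get_subject())
    cert.set_serial_number(serial)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(valid_days * 24 * 60 * 60)
    cert.sign(ca_key, digest)
    return crypto.dump_certificate(PEM, cert)

def chains_to(cert_pem, ca_cert_pem):
    """True if cert_pem verifies with ca_cert_pem as the only trust anchor."""
    store = crypto.X509Store()
    store.add_cert(crypto.load_certificate(PEM, ca_cert_pem))
    ctx = crypto.X509StoreContext(store, crypto.load_certificate(PEM, cert_pem))
    try:
        ctx.verify_certificate()
        return True
    except crypto.X509StoreContextError:
        return False

def make_demo_material():  # constructed test CA and CSR, not real PKI material
    ca_key = crypto.PKey()
    ca_key.generate_key(crypto.TYPE_RSA, 2048)
    ca = crypto.X509()
    ca.get_subject().CN = "Example Test CA"
    ca.set_issuer(ca.get_subject())
    ca.set_pubkey(ca_key)
    ca.set_serial_number(1)
    ca.gmtime_adj_notBefore(0)
    ca.gmtime_adj_notAfter(365 * 24 * 60 * 60)
    ca.sign(ca_key, "sha256")
    req_key = crypto.PKey()
    req_key.generate_key(crypto.TYPE_RSA, 2048)
    req = crypto.X509Req()
    req.get_subject().CN = "www.example.test"
    req.set_pubkey(req_key)
    req.sign(req_key, "sha256")
    return (crypto.dump_certificate(PEM, ca), crypto.dump_privatekey(PEM, ca_key),
            crypto.dump_certificate_request(PEM, req))
```

A certificate signed this way verifies against the issuing CA but not against another CA with the same subject name and a different key, which is what chains_to() is meant to catch.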