[pyOpenSSL] CA signing question

Arnaud Desmons arnaud.desmons at free.fr
Tue Nov 20 19:34:07 CET 2007


> I'm trying to use your pyOpenSSL python wrapper to sign a .csr with a CA
> certificate, however I don't understand how your code works (most
> documentation seems to be written with a client-server perspective of
> encrypting communication).
> 
> I could find the
> > static PyObject *
> > crypto_X509_sign(crypto_X509Obj *self, PyObject *args)
> function (which seems to be what I'm looking for), but I do not
> understand how to instantiate an X509 object - the
> load_certificate(type, buffer) method seems to be relevant, but I fail
> to supply it with the correct arguments...

Hi,

Here is the code I use in vulture-pki to sign a certificate.
This is a certificate object's method (nothing to do with pyOpenSSL).

    from OpenSSL import crypto

    def sign(self):
        # Build a request carrying the subject and a freshly generated key
        # (the key pair is created here, not taken from an existing .csr).
        req = crypto.X509Req()
        subj = req.get_subject()
        setattr(subj, 'CN', self.cn)
        setattr(subj, 'emailAddress', self.mail)
        setattr(subj, 'ST', self.st)
        setattr(subj, 'O', self.organisation)
        setattr(subj, 'C', self.country)
        pkey = crypto.PKey()
        pkey.generate_key(self.profile.key_type, self.profile.key_size)
        req.set_pubkey(pkey)
        # Self-signature of the request. 'md5' is an obsolete digest;
        # 'sha256' is the usual choice today.
        req.sign(pkey, 'md5')
        self.pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)
        # Copy subject and public key from the request into a new certificate.
        # No version or extensions are set, so this is an X.509 v1 certificate.
        x509 = crypto.X509()
        x509.set_subject(req.get_subject())
        x509.set_pubkey(req.get_pubkey())
        # The issuer is the CA's subject; the CA's private key signs it.
        cacert = crypto.load_certificate(crypto.FILETYPE_PEM, self.profile.ca_cert)
        cakey = crypto.load_privatekey(crypto.FILETYPE_PEM, self.profile.ca_key)
        x509.set_issuer(cacert.get_subject())
        x509.set_serial_number(self.id)   # must be unique per issuer
        x509.gmtime_adj_notBefore(0)
        delta = self.valid_until.date() - self.date.date()
        x509.gmtime_adj_notAfter(delta.days * 60 * 60 * 24)
        x509.sign(cakey, self.profile.digest)
        self.x509 = crypto.dump_certificate(crypto.FILETYPE_PEM, x509)


Hope it will help.
Regards,

-- 
Arnaud
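The snippet above generates the key and request itself, whereas the question was about signing a .csr that already exists. The following is an added example, not Arnaud's vulture-pki code and not part of pyOpenSSL: it loads a PEM request, checks the request's own signature (proof that the requester holds the private key), issues an end-entity certificate with CA-chosen extensions, and verifies the result against the CA. The CA, the CSR, the name "Example Test CA" and the function names are all constructed for the example.

```python
# Added example (not Arnaud's vulture-pki code and not part of pyOpenSSL):
# sign a CSR that already exists as PEM with a CA certificate and key.
from OpenSSL import crypto

CA_NAME = "Example Test CA"  # assumed name of the constructed test CA


def make_ca():
    """Constructed self-signed CA for the demo (stands in for ca_cert/ca_key)."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.set_version(2)                      # X.509 v3, needed for extensions
    subj = cert.get_subject()
    subj.CN = CA_NAME
    subj.O = "Example"
    cert.set_issuer(subj)                    # self-signed: issuer == subject
    cert.set_pubkey(key)
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
    cert.add_extensions([
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
        crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
    ])
    cert.sign(key, "sha256")
    return cert, key


def make_csr(cn, signing_key=None):
    """Constructed client-side CSR, returned as PEM bytes (what a .csr file holds).
    signing_key lets a caller produce a CSR whose signature does not match the
    public key it carries, i.e. a failed proof of possession."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    req = crypto.X509Req()
    req.get_subject().CN = cn
    req.set_pubkey(key)
    req.sign(signing_key or key, "sha256")
    return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req), key


def sign_csr(csr_pem, cacert, cakey, serial, days):
    """Issue an end-entity certificate for csr_pem, signed by cacert/cakey."""
    req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_pem)
    # Proof of possession: the CSR must be signed by the key it asks to certify.
    try:
        req.verify(req.get_pubkey())
    except crypto.Error as exc:
        raise ValueError("CSR signature does not verify") from exc
    cert = crypto.X509()
    cert.set_version(2)
    cert.set_subject(req.get_subject())      # a real CA validates this first
    cert.set_pubkey(req.get_pubkey())
    cert.set_issuer(cacert.get_subject())
    cert.set_serial_number(serial)           # must be unique per issuer
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(days * 24 * 60 * 60)
    # Extensions are chosen by the CA, not copied from the request, so a
    # requester cannot ask for CA:TRUE or keyCertSign.
    cert.add_extensions([
        crypto.X509Extension(b"basicConstraints", True, b"CA:FALSE"),
        crypto.X509Extension(b"keyUsage", True, b"digitalSignature, keyEncipherment"),
        crypto.X509Extension(b"extendedKeyUsage", False, b"serverAuth, clientAuth"),
    ])
    cert.sign(cakey, "sha256")
    return cert


def chains_to(cert, cacert):
    """True if cert verifies against a trust store holding only cacert."""
    store = crypto.X509Store()
    store.add_cert(cacert)
    try:
        crypto.X509StoreContext(store, cert).verify_certificate()
        return True
    except crypto.X509StoreContextError:
        return False


if __name__ == "__main__":
    ca_cert, ca_key = make_ca()
    csr_pem, _leaf_key = make_csr("www.example.test")
    leaf = sign_csr(csr_pem, ca_cert, ca_key, serial=2, days=365)
    print(crypto.dump_certificate(crypto.FILETYPE_PEM, leaf).decode())
    print("chains to CA:", chains_to(leaf, ca_cert))
```

Two things worth noticing when running it: a second CA built with the same subject name does not verify the leaf, because path validation checks the signature, not just the issuer name; and a CSR signed with a key other than the one it carries is refused before any certificate is built.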



