kiwi-vpn/api/kiwi_vpn_api/easyrsa.py

119 lines
3 KiB
Python
Raw Permalink Normal View History

2022-03-22 00:34:06 +00:00
import subprocess
from datetime import datetime
from pathlib import Path
from OpenSSL import crypto
from passlib import pwd
class EasyRSA:
__directory: Path | None
__ca_password: str | None
def __init__(self, directory: Path) -> None:
self.__directory = directory
def set_ca_password(self, password: str | None = None) -> None:
if password is None:
password = pwd.genword(length=32, charset="ascii_62")
self.__ca_password = password
print(self.__ca_password)
def __easyrsa(
self,
*easyrsa_args: str,
) -> subprocess.CompletedProcess:
return subprocess.run(
[
"easyrsa", "--batch",
f"--pki-dir={self.__directory}",
*easyrsa_args,
],
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
check=True,
)
def __build_cert(
self,
cert_filename: Path,
*easyrsa_args: str,
) -> crypto.X509:
self.__easyrsa(*easyrsa_args)
with open(
self.__directory.joinpath(cert_filename), "r"
) as cert_file:
return crypto.load_certificate(
crypto.FILETYPE_PEM, cert_file.read()
)
def init_pki(self) -> bool:
self.__easyrsa("init-pki")
def build_ca(
self,
days: int = 365 * 50,
2022-03-22 00:57:09 +00:00
cn: str = "kiwi-vpn-ca"
2022-03-22 00:34:06 +00:00
) -> crypto.X509:
2022-03-24 23:27:35 +00:00
cert = self.__build_cert(
2022-03-22 00:34:06 +00:00
Path("ca.crt"),
f"--passout=pass:{self.__ca_password}",
f"--passin=pass:{self.__ca_password}",
# "--dn-mode=org",
# "--req-c=EX",
# "--req-st=EXAMPLE",
# "--req-city=EXAMPLE",
# "--req-org=EXAMPLE",
# "--req-ou=EXAMPLE",
# "--req-email=EXAMPLE",
f"--req-cn={cn}",
f"--days={days}",
2022-03-22 00:57:09 +00:00
# "--use-algo=ed",
# "--curve=ed25519",
2022-03-22 00:34:06 +00:00
"build-ca",
)
2022-03-24 23:27:35 +00:00
self.__easyrsa("gen-dh")
return cert
2022-03-22 00:34:06 +00:00
def issue(
self,
days: int = 365 * 50,
2022-03-22 00:57:09 +00:00
cn: str = "kiwi-vpn-client",
2022-03-22 00:34:06 +00:00
cert_type: str = "client"
) -> crypto.X509:
return self.__build_cert(
Path(f"issued/{cn}.crt"),
f"--passin=pass:{self.__ca_password}",
f"--days={days}",
f"build-{cert_type}-full",
cn,
"nopass",
)
if __name__ == "__main__":
2022-03-22 00:57:09 +00:00
easy_rsa = EasyRSA(Path("tmp/easyrsa"))
easy_rsa.init_pki()
easy_rsa.set_ca_password()
2022-03-22 00:34:06 +00:00
2022-03-22 00:57:09 +00:00
ca = easy_rsa.build_ca(cn="kiwi-vpn-ca")
server = easy_rsa.issue(cert_type="server", cn="kiwi-vpn-server")
client = easy_rsa.issue(cert_type="client", cn="kiwi-vpn-client")
2022-03-22 00:34:06 +00:00
date_format, encoding = "%Y%m%d%H%M%SZ", "ascii"
2022-03-22 00:57:09 +00:00
for cert in [ca, server, client]:
print(cert.get_subject().CN)
print(cert.get_signature_algorithm().decode(encoding))
print(datetime.strptime(
cert.get_notAfter().decode(encoding), date_format))