mkcert: create ecc cert by default

b79fc75a · Nicolas KAROLAK · e11b5e47 · b79fc75a
Commit b79fc75a authored 6 years ago by Nicolas KAROLAK
--- a/utils.py
+++ b/utils.py
@@ -4,6 +4,7 @@

 from collections import OrderedDict
 import os
+from pathlib import Path
 import subprocess
 import sys
 from typing import Any
@@ -346,25 +347,53 @@ subjectKeyIdentifier = hash
 basicConstraints     = CA:FALSE
 keyUsage             = digitalSignature, keyEncipherment
 subjectAltName       = @alternate_names
-nsComment            = "OpenSSL Generated Certificate"

 [ alternate_names ]

 """

-def mkcert(domains: list, keysize: int = 4096, days: int = 1825, config_tpl: str = OPENSSL_CONFIG_TEMPLATE):
+def mkcert(domains: list, ecc: bool = True, days: int = 3650, config_tpl: str = OPENSSL_CONFIG_TEMPLATE):
+    """Generate a self-signed certificate for the domains list.
+
+    :param domains: Domains for which the certificates will be self-signed
+    :type domains: list
+    :param ecc: Wether to use Elliptic Curve cryptography or not, defaults to True, if Fasle RSA is used
+    :param ecc: bool, optional
+    :param days: Validity lifetime of the certificate, defaults to 3650
+    :param days: int, optional
+    :param config_tpl: OpenSSL config file template, defaults to OPENSSL_CONFIG_TEMPLATE
+    :param config_tpl: str, optional
+    """
+
+    # create certs dir
+    cert_dir = "/etc/ssl/envsetup"
+    Path(cert_dir).mkdir(mode=0o755, parents=True, exist_ok=True)
    # populate template with domains
    for i, domain in enumerate(domains, start=1):
        config_tpl = config_tpl + "DNS.{} = {}\n".format(i, domain)
    # write openssl config file
-    with open("/etc/ssl/envsetup.conf", "w") as config_fh:
+    with open(cert_dir + "/conf", "w") as config_fh:
        config_fh.write(config_tpl)
+    # key type: elliptic curve (default) or rsa
+    if ecc:
+        subprocess.check_call([
+            "openssl", "ecparam",
+            "-name", "secp384r1",
+            "-out", cert_dir + "/ecparam"
+        ])
+        keytype = "ec:" + cert_dir +  "/ecparam"
+    else:
+        keytype = "rsa"
    # execute openssl to generate keypair
    subprocess.check_call([
        "openssl", "req",
-        "-config", "/etc/ssl/envsetup.conf",
-        "-new", "-x509", "-sha256", "-newkey", "rsa:{}".format(str(keysize)), "-nodes",
-        "-keyout", "/etc/ssl/private/envsetup.key.pem",
+        "-config", cert_dir + "/conf",
+        "-new",
+        "-x509",
+        "-sha256",
+        "-nodes",
+        "-newkey", keytype,
+        "-keyout", cert_dir + "/key.pem",
        "-days", str(days),
-        "-out", "/etc/ssl/certs/envsetup.cert.pem"
+        "-out", cert_dir + "/cert.pem"
    ])