Topdog.za.net http://www.topdog.za.net A bored sysadmin Fri, 26 Feb 2016 10:06:56 GMT Blogofile hourly 1 Generating Cryptography Keys in Python http://www.topdog.za.net/2012/03/27/generating-cryptography-keys-in-python Tue, 27 Mar 2012 09:18:00 SAST http://www.topdog.za.net/2012/03/27/generating-cryptography-keys-in-python Generating Cryptography Keys in Python PyOpenSSL may seem like the obvious option when working with cryptography keys in Python but i have found it to have some short coming such as the inability to save both the public and private key in a key pair.

M2Crypto on the other hand allows you to save both keys to either a file or store it in a buffer which is useful if you want to save the keys say to a database.

Examples of M2Crypto usage are hard to come by, hope my few examples will save someone else the effort of searching.

Examples

Generate Key pair in memory

import os

from M2Crypto import Rand, RSA, BIO

KEY_LENGTH = 1024

def blank_callback():
    "Replace the default dashes"
    return

# Random seed
Rand.rand_seed (os.urandom (KEY_LENGTH))
# Generate key pair
key = RSA.gen_key (KEY_LENGTH, 65537, blank_callback)
# Create memory buffers
pri_mem = BIO.MemoryBuffer()
pub_mem = BIO.MemoryBuffer()
# Save keys to buffers
key.save_key_bio(pri_mem, None)
key.save_pub_key_bio(pub_mem)

# Get keys 
public_key = pub_mem.getvalue()
private_key = pri_mem.getvalue()

Generate Key pair to file

from M2Crypto import Rand, RSA

KEY_LENGTH = 1024

def blank_callback():
    "Replace the default dashes"
    return

# Random seed
Rand.rand_seed (os.urandom (KEY_LENGTH))
# Generate key pair
key = RSA.gen_key (KEY_LENGTH, 65537, blank_callback)
# Non encrypted key
key.save_key('user-private.pem', None)
# Use a pass phrase to encrypt key
#key.save_key('user-private.pem')
key.save_pub_key('user-public.pem')

Encrypt a text using a public key

from M2Crypto import RSA

# Load the recipients public key
writer = RSA.load_pub_key('user-public.pem')
# Encrypt the message
cipher = writer.public_encrypt('Secret message', RSA.pkcs1_oaep_padding)
# store the encrypted message
msg = cipher.encode('base64')

Signing a message

from M2Crypto import RSA, EVP

# load private key
mykey = RSA.load_key('user-private.pem')
# generate a digest
thedigest = EVP.MessageDigest('sha1')
# update the cipher text
thedigest.update(cipher)
#sign the message
signature = mykey.sign_rsassa_pss(thedigest.digest())
# display the signature
print signature.encode('base64')

Decrypt a message

from M2Crypto import RSA

mykey = RSA.load_key ('user-private.pem')
plaintext = mykey.private_decrypt(cipher, RSA.pkcs1_oaep_padding)

Verify a message

from M2Crypto import RSA, EVP

senderkey = RSA.load_pub_key('sender-public.pem')
thedigest = EVP.MessageDigest('sha1')
thedigest.update(cipher)
senderkey.verify_rsassa_pss(thedigest.digest(), signature) == 1

References

]]> Creating a Cacert postfix certificate http://www.topdog.za.net/2008/02/03/creating-a-cacert-postfix-certificate Sun, 03 Feb 2008 18:58:00 SAST http://www.topdog.za.net/2008/02/03/creating-a-cacert-postfix-certificate Creating a Cacert postfix certificate Introduction

Cacert is a certification authority that provides free certificates, i guess using them is much better that having your own local CA.

Install root certificate

We need to download the cacert root certificate and install it on the server

Download and install

mkdir /etc/pki/postfix
wget -nv https://www.cacert.org/certs/root.crt --no-check-certificate -O /etc/pki/postfix/root.crt

Verify the certificate

openssl x509 -in /etc/pki/postfix/root.crt -text -noout

The output should look like this

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:ce:22:c0:e2:46:7d:ec:36:28:07:50:96:f2:a0:
                    33:40:8c:4b:f1:3b:66:3f:31:e5:6b:02:36:db:d6:
                    7c:f6:f1:88:8f:4e:77:36:05:41:95:f9:09:f0:12:
                    cf:46:86:73:60:b7:6e:7e:e8:c0:58:64:ae:cd:b0:
                    ad:45:17:0c:63:fa:67:0a:e8:d6:d2:bf:3e:e7:98:
                    c4:f0:4c:fa:e0:03:bb:35:5d:6c:21:de:9e:20:d9:
                    ba:cd:66:32:37:72:fa:f7:08:f5:c7:cd:58:c9:8e:
                    e7:0e:5e:ea:3e:fe:1c:a1:14:0a:15:6c:86:84:5b:
                    64:66:2a:7a:a9:4b:53:79:f5:88:a2:7b:ee:2f:0a:
                    61:2b:8d:b2:7e:4d:56:a5:13:ec:ea:da:92:9e:ac:
                    44:41:1e:58:60:65:05:66:f8:c0:44:bd:cb:94:f7:
                    42:7e:0b:f7:65:68:98:51:05:f0:f3:05:91:04:1d:
                    1b:17:82:ec:c8:57:bb:c3:6b:7a:88:f1:b0:72:cc:
                    25:5b:20:91:ec:16:02:12:8f:32:e9:17:18:48:d0:
                    c7:05:2e:02:30:42:b8:25:9c:05:6b:3f:aa:3a:a7:
                    eb:53:48:f7:e8:d2:b6:07:98:dc:1b:c6:34:7f:7f:
                    c9:1c:82:7a:05:58:2b:08:5b:f3:38:a2:ab:17:5d:
                    66:c9:98:d7:9e:10:8b:a2:d2:dd:74:9a:f7:71:0c:
                    72:60:df:cd:6f:98:33:9d:96:34:76:3e:24:7a:92:
                    b0:0e:95:1e:6f:e6:a0:45:38:47:aa:d7:41:ed:4a:
                    b7:12:f6:d7:1b:83:8a:0f:2e:d8:09:b6:59:d7:aa:
                    04:ff:d2:93:7d:68:2e:dd:8b:4b:ab:58:ba:2f:8d:
                    ea:95:a7:a0:c3:54:89:a5:fb:db:8b:51:22:9d:b2:
                    c3:be:11:be:2c:91:86:8b:96:78:ad:20:d3:8a:2f:
                    1a:3f:c6:d0:51:65:87:21:b1:19:01:65:7f:45:1c:
                    87:f5:7c:d0:41:4c:4f:29:98:21:fd:33:1f:75:0c:
                    04:51:fa:19:77:db:d4:14:1c:ee:81:c3:1d:f5:98:
                    b7:69:06:91:22:dd:00:50:cc:81:31:ac:12:07:7b:
                    38:da:68:5b:e6:2b:d4:7e:c9:5f:ad:e8:eb:72:4c:
                    f3:01:e5:4b:20:bf:9a:a6:57:ca:91:00:01:8b:a1:
                    75:21:37:b5:63:0d:67:3e:46:4f:70:20:67:ce:c5:
                    d6:59:db:02:e0:f0:d2:cb:cd:ba:62:b7:90:41:e8:
                    dd:20:e4:29:bc:64:29:42:c8:22:dc:78:9a:ff:43:
                    ec:98:1b:09:51:4b:5a:5a:c2:71:f1:c4:cb:73:a9:
                    e5:a1:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Authority Key Identifier:
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
                serial:00

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:
                URI:https://www.cacert.org/revoke.crl

            Netscape CA Revocation Url:
                https://www.cacert.org/revoke.crl
            Netscape CA Policy Url:
                http://www.cacert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.cacert.org
    Signature Algorithm: md5WithRSAEncryption
        28:c7:ee:9c:82:02:ba:5c:80:12:ca:35:0a:1d:81:6f:89:6a:
        99:cc:f2:68:0f:7f:a7:e1:8d:58:95:3e:bd:f2:06:c3:90:5a:
        ac:b5:60:f6:99:43:01:a3:88:70:9c:9d:62:9d:a4:87:af:67:
        58:0d:30:36:3b:e6:ad:48:d3:cb:74:02:86:71:3e:e2:2b:03:
        68:f1:34:62:40:46:3b:53:ea:28:f4:ac:fb:66:95:53:8a:4d:
        5d:fd:3b:d9:60:d7:ca:79:69:3b:b1:65:92:a6:c6:81:82:5c:
        9c:cd:eb:4d:01:8a:a5:df:11:55:aa:15:ca:1f:37:c0:82:98:
        70:61:db:6a:7c:96:a3:8e:2e:54:3e:4f:21:a9:90:ef:dc:82:
        bf:dc:e8:45:ad:4d:90:73:08:3c:94:65:b0:04:99:76:7f:e2:
        bc:c2:6a:15:aa:97:04:37:24:d8:1e:94:4e:6d:0e:51:be:d6:
        c4:8f:ca:96:6d:f7:43:df:e8:30:65:27:3b:7b:bb:43:43:63:
        c4:43:f7:b2:ec:68:cc:e1:19:8e:22:fb:98:e1:7b:5a:3e:01:
        37:3b:8b:08:b0:a2:f3:95:4e:1a:cb:9b:cd:9a:b1:db:b2:70:
        f0:2d:4a:db:d8:b0:e3:6f:45:48:33:12:ff:fe:3c:32:2a:54:
        f7:c4:f7:8a:f0:88:23:c2:47:fe:64:7a:71:c0:d1:1e:a6:63:
        b0:07:7e:a4:2f:d3:01:8f:dc:9f:2b:b6:c6:08:a9:0f:93:48:
        25:fc:12:fd:9f:42:dc:f3:c4:3e:f6:57:b0:d7:dd:69:d1:06:
        77:34:0a:4b:d2:ca:a0:ff:1c:c6:8c:c9:16:be:c4:cc:32:37:
        68:73:5f:08:fb:51:f7:49:53:36:05:0a:95:02:4c:f2:79:1a:
        10:f6:d8:3a:75:9c:f3:1d:f1:a2:0d:70:67:86:1b:b3:16:f5:
        2f:e5:a4:eb:79:86:f9:3d:0b:c2:73:0b:a5:99:ac:6f:fc:67:
        b8:e5:2f:0b:a6:18:24:8d:7b:d1:48:35:29:18:40:ac:93:60:
        e1:96:86:50:b4:7a:59:d8:8f:21:0b:9f:cf:82:91:c6:3b:bf:
        6b:dc:07:91:b9:97:56:23:aa:b6:6c:94:c6:48:06:3c:e4:ce:
        4e:aa:e4:f6:2f:09:dc:53:6f:2e:fc:74:eb:3a:63:99:c2:a6:
        ac:89:bc:a7:b2:44:a0:0d:8a:10:e3:6c:f2:24:cb:fa:9b:9f:
        70:47:2e:de:14:8b:d4:b2:20:09:96:a2:64:f1:24:1c:dc:a1:
        35:9c:15:b2:d4:bc:55:2e:7d:06:f5:9c:0e:55:f4:5a:d6:93:
        da:76:ad:25:73:4c:c5:43

Generate signing request

cd /etc/pki/postfix
openssl req -nodes -days 700 -newkey rsa:1024 -keyout key.pem -out req.pem

The signing request is in the file req.pem

Get the signed certificate

Next you need to login in to the cacert.org website and go to "server certificates" then "New" and paste the contents of req.pem in the text box provided then click submit. A certificate will be generated

Install certificate

Copy the certificate and paste into the file /etc/pki/postfix/server.pem

]]>