tools/sslkeygen.py - cassandra-dtest - Git at Google

 import os
 import os.path
 import tempfile
 import subprocess


 def generate_credentials(ip, cakeystore=None, cacert=None):

     tmpdir = tempfile.mkdtemp()

     if not cakeystore:
         cakeystore = generate_cakeypair(tmpdir, 'ca')
     if not cacert:
         cacert = generate_cert(tmpdir, "ca", cakeystore)

     # create keystore with new private key
     name = "ip" + ip
     jkeystore = generate_ipkeypair(tmpdir, name, ip)

     # create signed cert
     csr = generate_sign_request(tmpdir, name, jkeystore, ['-ext', 'san=ip:' + ip])
     cert = sign_request(tmpdir, "ca", cakeystore, csr, ['-ext', 'san=ip:' + ip])

     # import cert chain into keystore
     import_cert(tmpdir, "ca", cacert, jkeystore)
     import_cert(tmpdir, name, cert, jkeystore)

     return SecurityCredentials(jkeystore, cert, cakeystore, cacert)


 def generate_cakeypair(dir, name):
     return generate_keypair(dir, name, name, ['-ext', 'bc:c'])


 def generate_ipkeypair(dir, name, ip):
     return generate_keypair(dir, name, ip, ['-ext', 'san=ip:' + ip])


 def generate_dnskeypair(dir, name, hostname):
     return generate_keypair(dir, name, hostname, ['-ext', 'san=dns:' + hostname])


 def generate_keypair(dir, name, cn, opts):
     kspath = os.path.join(dir, name + '.keystore')
     return _exec_keytool(dir, kspath, ['-alias', name, '-genkeypair', '-keyalg', 'RSA', '-dname',
                                        "cn={}, ou=cassandra, o=apache.org, c=US".format(cn), '-keypass', 'cassandra'] + opts)


 def generate_cert(dir, name, keystore, opts=[]):
     fn = os.path.join(dir, name + '.pem')
     _exec_keytool(dir, keystore, ['-alias', name, '-exportcert', '-rfc', '-file', fn] + opts)
     return fn


 def generate_sign_request(dir, name, keystore, opts=[]):
     fn = os.path.join(dir, name + '.csr')
     _exec_keytool(dir, keystore, ['-alias', name, '-keypass', 'cassandra', '-certreq', '-file', fn] + opts)
     return fn


 def sign_request(dir, name, keystore, csr, opts=[]):
     fnout = os.path.splitext(csr)[0] + '.pem'
     _exec_keytool(dir, keystore, ['-alias', name, '-keypass', 'cassandra', '-gencert',
                                   '-rfc', '-infile', csr, '-outfile', fnout] + opts)
     return fnout


 def import_cert(dir, name, cert, keystore, opts=[]):
     _exec_keytool(dir, keystore, ['-alias', name, '-keypass', 'cassandra', '-importcert', '-noprompt', '-file', cert] + opts)
     return cert


 def _exec_keytool(dir, keystore, opts):
     args = ['keytool', '-keystore', keystore, '-storepass', 'cassandra', '-deststoretype', 'pkcs12'] + opts
     subprocess.check_call(args)
     return keystore


 class SecurityCredentials():

     def __init__(self, keystore, cert, cakeystore, cacert):
         self.keystore = keystore
         self.cert = cert
         self.cakeystore = cakeystore
         self.cacert = cacert
         self.basedir = os.path.dirname(self.keystore)

     def __str__(self):
         return "keystore: {}, cert: {}, cakeystore: {}, cacert: {}".format(
                self.keystore, self.cert, self.cakeystore, self.cacert)
	import os
	import os.path
	import tempfile
	import subprocess


	def generate_credentials(ip, cakeystore=None, cacert=None):

	tmpdir = tempfile.mkdtemp()

	if not cakeystore:
	cakeystore = generate_cakeypair(tmpdir, 'ca')
	if not cacert:
	cacert = generate_cert(tmpdir, "ca", cakeystore)

	# create keystore with new private key
	name = "ip" + ip
	jkeystore = generate_ipkeypair(tmpdir, name, ip)

	# create signed cert
	csr = generate_sign_request(tmpdir, name, jkeystore, ['-ext', 'san=ip:' + ip])
	cert = sign_request(tmpdir, "ca", cakeystore, csr, ['-ext', 'san=ip:' + ip])

	# import cert chain into keystore
	import_cert(tmpdir, "ca", cacert, jkeystore)
	import_cert(tmpdir, name, cert, jkeystore)

	return SecurityCredentials(jkeystore, cert, cakeystore, cacert)


	def generate_cakeypair(dir, name):
	return generate_keypair(dir, name, name, ['-ext', 'bc:c'])


	def generate_ipkeypair(dir, name, ip):
	return generate_keypair(dir, name, ip, ['-ext', 'san=ip:' + ip])


	def generate_dnskeypair(dir, name, hostname):
	return generate_keypair(dir, name, hostname, ['-ext', 'san=dns:' + hostname])


	def generate_keypair(dir, name, cn, opts):
	kspath = os.path.join(dir, name + '.keystore')
	return _exec_keytool(dir, kspath, ['-alias', name, '-genkeypair', '-keyalg', 'RSA', '-dname',
	"cn={}, ou=cassandra, o=apache.org, c=US".format(cn), '-keypass', 'cassandra'] + opts)


	def generate_cert(dir, name, keystore, opts=[]):
	fn = os.path.join(dir, name + '.pem')
	_exec_keytool(dir, keystore, ['-alias', name, '-exportcert', '-rfc', '-file', fn] + opts)
	return fn


	def generate_sign_request(dir, name, keystore, opts=[]):
	fn = os.path.join(dir, name + '.csr')
	_exec_keytool(dir, keystore, ['-alias', name, '-keypass', 'cassandra', '-certreq', '-file', fn] + opts)
	return fn


	def sign_request(dir, name, keystore, csr, opts=[]):
	fnout = os.path.splitext(csr)[0] + '.pem'
	_exec_keytool(dir, keystore, ['-alias', name, '-keypass', 'cassandra', '-gencert',
	'-rfc', '-infile', csr, '-outfile', fnout] + opts)
	return fnout


	def import_cert(dir, name, cert, keystore, opts=[]):
	_exec_keytool(dir, keystore, ['-alias', name, '-keypass', 'cassandra', '-importcert', '-noprompt', '-file', cert] + opts)
	return cert


	def _exec_keytool(dir, keystore, opts):
	args = ['keytool', '-keystore', keystore, '-storepass', 'cassandra', '-deststoretype', 'pkcs12'] + opts
	subprocess.check_call(args)
	return keystore


	class SecurityCredentials():

	def __init__(self, keystore, cert, cakeystore, cacert):
	self.keystore = keystore
	self.cert = cert
	self.cakeystore = cakeystore
	self.cacert = cacert
	self.basedir = os.path.dirname(self.keystore)

	def __str__(self):
	return "keystore: {}, cert: {}, cakeystore: {}, cacert: {}".format(
	self.keystore, self.cert, self.cakeystore, self.cacert)