Robey
4570e74281
|
11 months ago | |
|---|---|---|
| lib | 11 months ago | |
| stubs | 11 months ago | |
| tests | 11 months ago | |
| .gitignore | 11 months ago | |
| LICENSE.txt | 11 months ago | |
| Makefile | 11 months ago | |
| README.md | 11 months ago | |
| certified.py | 11 months ago | |
| cheat-sheet.md | 11 months ago | |
| echo.py | 11 months ago | |
| mypy.ini | 11 months ago | |
| poetry.lock | 11 months ago | |
| pyproject.toml | 11 months ago | |
README.md
Certified
Certified is a small CLI tool for generating a TLS self-signed ("TOFU") ECC certificate and private key, suitable for using in small distributed networks, like gemini.
Two ECC formats are supported:
- Ed25519 aka Curve25519
- using PyNaCl, recommended and generally (as of 2021) considered the most trustworthy algorithm
- ECDSA using secp256r1 (aka nist256p1 aka prime256v1)
- using the python ecdsa library, subject to side channel attacks, and primarily for toy use
Why?
It's possible to use the openssl toolchain to create self-signed ECC certificates using curve 25519: check out the first reference link for a great explanation and example. But I think these tools are written for people who live, breathe, and swim in the world of X.509 arcana. This app is meant to demonstrate an imagined world where we don't care about hierarchical certificate authorities, or going through a three-step process to request and then confirm a request for a certificate to ourselves from ourselves, when that certificate is little more than a gold filigree doily wrapped around a public key.
You can just run this script, a bit over 500 lines of python, to generate the public/private key pair, and wrap them in the ceremony that makes them palatable to the TLS 1.3 infrastructure. Feel free to copy this code and its ideas for your own projects, subject only to the Apache 2.0 license.
Install
You need a basic python 3 installation, and poetry.
Clone this repository, and then:
poetry install
If you have some other preferred way of dealing with python packages, all of the dependencies are listed in pyproject.toml. They are:
- python 3.7+
- ecdsa
- PyNaCl
Usage
./certified.py --help
# create a new Ed25519 certificate in "myserver-x509-cert.pem" (and its
# private key in "myserver-x509-key.pem") with the CN "myserver", that will
# expire in 365 days:
./certified.py -g myserver-x509 --name myserver --days 365
# show the contents of the certificate:
./certified.py -p myserver-x509-cert.pem
# show the contents of the private key (_including the private key data_):
./certified.py -k myserver-x509-key.pem
# dump out the ASN.1 structure of any random pem file (if you like exploring):
./certified.py --pp myserver-x509-key.pem
Try it out by running the test program echo.py, which will start a snarky echo service over TLS on a local socket and tell you how to connect to it with openssl s_client. Type a line of text through s_client and if it's echoed back to you, congratulations! You have a certificate and key file that can be used in a TLS service!
./echo.py -c myserver-x509
Note that LibreSSL won't work here, because they haven't implemented Ed25519 certificate support yet. If you're on OS X, where LibreSSL is masquerading as openssl, you can install the real openssl via "brew" and run it from /usr/share/opt/openssl/bin/openssl.
References
- Create ED25519 certificates for TLS with OpenSSL
- RFC 5280: X.509 Certificates
- RFC 8410: X.509 Algorithm Identifiers for Ed25519, Ed448, X25519, and X448
- note that several of the examples are invalid (bad signature, incorrect encoding)
- RFC 8032: EdDSA
Authors
- Robey Pointer <robeypointer@gmail.com> https://mastodon.technology/@robey
License
Apache 2.0 license, included in LICENSE.txt.