author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-11-14 21:00:58 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-11-14 21:00:58 +0100 |
commit | e3dfaf8e03382508461d20b2b720f31f2164111d (patch) | |
tree | 611a89698968a8fc4acd2505feb9b19f02a953eb | |
parent | 9b114bb28935398d718be2e89b900e5a7cf31757 (diff) | |
ca: ...
-rw-r--r-- | tools/ca/ca/__main__.py | 12 |
1 files changed, 7 insertions, 5 deletions
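diff --git a/tools/ca/ca/__main__.py b/tools/ca/ca/__main__.py
index 22dcaeed..b89d91ff 100644
--- a/tools/ca/ca/__main__.py
+++ b/tools/ca/ca/__main__.py
@@ -469,7 +469,7 @@ def new_client(ca_cert, ca_key, key_type, clock_skew, validity, subject, alterna
 ).public_bytes(serialization.Encoding.PEM)
 )
 
-def to_pkcs12(random_password, filename, output):
+def to_pkcs12(random_password, random_password_length, weak_encryption, filename, output):
 key_file = filename.with_suffix('.key')
 cert_file = filename.with_suffix('.crt')
 
@@ -503,17 +503,17 @@ def to_pkcs12(random_password, filename, output):
 else:
 from xkcdpass import xkcd_password as xp
 ws = xp.generate_wordlist(wordfile=xp.locate_wordfile())
-pw = xp.generate_xkcdpassword(ws, numwords=12)
+pw = xp.generate_xkcdpassword(ws, numwords=random_password_length)
 print(f'Password: {pw}', file=sys.stderr)
 
 encryption = None
 if pw:
 encryption = PrivateFormat.PKCS12.encryption_builder().kdf_rounds(
-500000
+500000 if not weak_encryption else 50000
 ).key_cert_algorithm(
-pkcs12.PBES.PBESv2SHA256AndAES256CBC
+pkcs12.PBES.PBESv2SHA256AndAES256CBC if not weak_encryption else pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC
 ).hmac_hash(
-hashes.SHA256()
+hashes.SHA256() if not weak_encryption else hashes.SHA1()
 ).build(bytes(pw, 'utf-8'))
 fh.write(pkcs12.serialize_key_and_certificates(
 bytes(subject, 'utf-8'),
@@ -589,6 +589,8 @@ def main():
 
 subparser = subparsers.add_parser('pkcs12', aliases=['p12', 'pfx'], formatter_class=argparse.ArgumentDefaultsHelpFormatter)
 subparser.add_argument('--random-password', '--no-random-password', action=BooleanAction, default=True)
+subparser.add_argument('--random-password-length', type=int, default=12)
+subparser.add_argument('--weak-encryption', '--no-weak-encryption', action=BooleanAction, default=False)
 subparser.add_argument('--output', type=Path)
 subparser.add_argument('filename', metavar='BASENAME', type=Path)
 subparser.set_defaults(cmd=to_pkcs12)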
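Review bot: The new `--weak-encryption` argument in the third hunk (`main()`) has no `help=` text, so the downgrade it selects in `to_pkcs12` in the second hunk — PBESv1 with SHA-1 and 3-key 3DES, an HMAC over SHA-1, and 50000 instead of 500000 KDF rounds — never shows up in `--help` even though the parser uses ArgumentDefaultsHelpFormatter; suggest `subparser.add_argument('--weak-encryption', '--no-weak-encryption', action=BooleanAction, default=False, help='Protect the PKCS#12 file with legacy PBESv1 (SHA-1, 3DES) and 50000 KDF rounds instead of PBESv2 AES-256/SHA-256 with 500000; the private key is noticeably less protected')`. The same applies to `--random-password-length`, which additionally accepts 0 or negative values that are passed unchecked to `xp.generate_xkcdpassword(ws, numwords=random_password_length)`; a validating `type=` callable or a check in `to_pkcs12` should enforce a positive minimum. In `to_pkcs12` the three `... if not weak_encryption else ...` expressions pick parts of one matched profile, so choosing a `(rounds, algorithm, hmac)` triple once above the builder chain would keep the strong and weak settings from drifting apart independently. Both `to_pkcs12` and `main()` continue outside their hunks.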