authorGregor Kleen <gkleen@yggdrasil.li>2022-11-14 21:00:58 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-11-14 21:00:58 +0100
commite3dfaf8e03382508461d20b2b720f31f2164111d (patch)
tree611a89698968a8fc4acd2505feb9b19f02a953eb
parent9b114bb28935398d718be2e89b900e5a7cf31757 (diff)
ca: ...
-rw-r--r--tools/ca/ca/__main__.py12
1 files changed, 7 insertions, 5 deletions
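--- a/tools/ca/ca/__main__.py
+++ b/tools/ca/ca/__main__.py
@@ -469,7 +469,7 @@ def new_client(ca_cert, ca_key, key_type, clock_skew, validity, subject, alterna
             ).public_bytes(serialization.Encoding.PEM)
         )
 
-def to_pkcs12(random_password, filename, output):
+def to_pkcs12(random_password, random_password_length, weak_encryption, filename, output):
     key_file = filename.with_suffix('.key')
     cert_file = filename.with_suffix('.crt')
 
@@ -503,17 +503,17 @@ def to_pkcs12(random_password, filename, output):
     else:
         from xkcdpass import xkcd_password as xp
         ws = xp.generate_wordlist(wordfile=xp.locate_wordfile())
-        pw = xp.generate_xkcdpassword(ws, numwords=12)
+        pw = xp.generate_xkcdpassword(ws, numwords=random_password_length)
         print(f'Password: {pw}', file=sys.stderr)
 
     encryption = None
     if pw:
         encryption = PrivateFormat.PKCS12.encryption_builder().kdf_rounds(
-            500000
+            500000 if not weak_encryption else 50000
         ).key_cert_algorithm(
-            pkcs12.PBES.PBESv2SHA256AndAES256CBC
+            pkcs12.PBES.PBESv2SHA256AndAES256CBC if not weak_encryption else pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC
         ).hmac_hash(
-            hashes.SHA256()
+            hashes.SHA256() if not weak_encryption else hashes.SHA1()
         ).build(bytes(pw, 'utf-8'))
         fh.write(pkcs12.serialize_key_and_certificates(
             bytes(subject, 'utf-8'),
@@ -589,6 +589,8 @@ def main():
 
     subparser = subparsers.add_parser('pkcs12', aliases=['p12', 'pfx'], formatter_class=argparse.ArgumentDefaultsHelpFormatter)
     subparser.add_argument('--random-password', '--no-random-password', action=BooleanAction, default=True)
+    subparser.add_argument('--random-password-length', type=int, default=12)
+    subparser.add_argument('--weak-encryption', '--no-weak-encryption', action=BooleanAction, default=False)
     subparser.add_argument('--output', type=Path)
     subparser.add_argument('filename', metavar='BASENAME', type=Path)
     subparser.set_defaults(cmd=to_pkcs12)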
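Review bot: The `weak_encryption` branch in the second hunk (the `kdf_rounds`, `key_cert_algorithm` and `hmac_hash` lines) downgrades the bundle to PBESv1 3DES with SHA-1 and a tenth of the KDF rounds without telling the operator at run time, and the three `X if not weak_encryption else Y` selectors repeat the same decision; pick the parameter set once, emit a stderr notice when the legacy set is chosen, and state the reason for the option (presumably compatibility with older PKCS#12 consumers, which is not visible here) in the `--weak-encryption` `help=` text of the third hunk. `--random-password-length` is passed straight to `numwords` with no lower bound, so `0` or a negative int reaches xkcdpass, whose behaviour for that is not visible here; a guard such as `if random_password and random_password_length < 1: raise SystemExit('--random-password-length must be >= 1')` before the wordlist call keeps the failure explicit. to_pkcs12's body continues beyond the hunk.
```python
    encryption = None
    if pw:
        if weak_encryption:
            # Legacy PBESv1 parameters; reason not recorded here — presumably older PKCS#12 consumers, confirm
            print('Warning: PKCS#12 written with legacy PBESv1/3DES/SHA1 parameters', file=sys.stderr)
            kdf_rounds, key_cert_algorithm, mac_hash = 50000, pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC, hashes.SHA1()
        else:
            kdf_rounds, key_cert_algorithm, mac_hash = 500000, pkcs12.PBES.PBESv2SHA256AndAES256CBC, hashes.SHA256()
        encryption = PrivateFormat.PKCS12.encryption_builder().kdf_rounds(
            kdf_rounds
        ).key_cert_algorithm(
            key_cert_algorithm
        ).hmac_hash(
            mac_hash
        ).build(bytes(pw, 'utf-8'))
        # … unchanged: fh.write(pkcs12.serialize_key_and_certificates(...)) …
```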