From e3dfaf8e03382508461d20b2b720f31f2164111d Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Mon, 14 Nov 2022 21:00:58 +0100 Subject: ca: ... --- tools/ca/ca/__main__.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'tools') diff --git a/tools/ca/ca/__main__.py b/tools/ca/ca/__main__.py index 22dcaeed..b89d91ff 100644 --- a/tools/ca/ca/__main__.py +++ b/tools/ca/ca/__main__.py @@ -469,7 +469,7 @@ def new_client(ca_cert, ca_key, key_type, clock_skew, validity, subject, alterna ).public_bytes(serialization.Encoding.PEM) ) -def to_pkcs12(random_password, filename, output): +def to_pkcs12(random_password, random_password_length, weak_encryption, filename, output): key_file = filename.with_suffix('.key') cert_file = filename.with_suffix('.crt') @@ -503,17 +503,17 @@ def to_pkcs12(random_password, filename, output): else: from xkcdpass import xkcd_password as xp ws = xp.generate_wordlist(wordfile=xp.locate_wordfile()) - pw = xp.generate_xkcdpassword(ws, numwords=12) + pw = xp.generate_xkcdpassword(ws, numwords=random_password_length) print(f'Password: {pw}', file=sys.stderr) encryption = None if pw: encryption = PrivateFormat.PKCS12.encryption_builder().kdf_rounds( - 500000 + 500000 if not weak_encryption else 50000 ).key_cert_algorithm( - pkcs12.PBES.PBESv2SHA256AndAES256CBC + pkcs12.PBES.PBESv2SHA256AndAES256CBC if not weak_encryption else pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC ).hmac_hash( - hashes.SHA256() + hashes.SHA256() if not weak_encryption else hashes.SHA1() ).build(bytes(pw, 'utf-8')) fh.write(pkcs12.serialize_key_and_certificates( bytes(subject, 'utf-8'), @@ -589,6 +589,8 @@ def main(): subparser = subparsers.add_parser('pkcs12', aliases=['p12', 'pfx'], formatter_class=argparse.ArgumentDefaultsHelpFormatter) subparser.add_argument('--random-password', '--no-random-password', action=BooleanAction, default=True) + subparser.add_argument('--random-password-length', type=int, default=12) + subparser.add_argument('--weak-encryption', '--no-weak-encryption', action=BooleanAction, default=False) subparser.add_argument('--output', type=Path) subparser.add_argument('filename', metavar='BASENAME', type=Path) subparser.set_defaults(cmd=to_pkcs12) -- cgit v1.2.3