Merge remote-tracking branch 'refs/remotes/origin/gh-windows' into gh-windows

purplesyringa · purplesyringa · commit d5380f6061e4 · 2020-03-07T21:45:06.000+03:00
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -77,7 +77,7 @@ jobs:
       run: |
         echo "::set-env name=ZERONET_OPENSSL_BIN::$((Get-Command openssl).definition)"
         openssl version -a
-        openssl rand -hex 256
+        openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -config openssl.cnf -subj "/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon" -keyout cakey-rsa.pem -out cacert-rsa.pem -batch
 
     - name: Test
       run: |
diff --git a/openssl.cnf b/openssl.cnf
@@ -0,0 +1,58 @@
+[ req ]
+default_bits        = 2048
+default_keyfile     = server-key.pem
+distinguished_name  = subject
+req_extensions      = req_ext
+x509_extensions     = x509_ext
+string_mask         = utf8only
+
+# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
+#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
+[ subject ]
+countryName         = US
+stateOrProvinceName = NY
+localityName        = New York
+organizationName    = Example, LLC
+
+# Use a friendly name here because its presented to the user. The server's DNS
+#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
+#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
+#   must include the DNS name in the SAN too (otherwise, Chrome and others that
+#   strictly follow the CA/Browser Baseline Requirements will fail).
+commonName          = Example Company
+
+emailAddress        = test@example.com
+
+# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
+[ x509_ext ]
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer
+
+basicConstraints        = CA:FALSE
+keyUsage                = digitalSignature, keyEncipherment
+extendedKeyUsage        = clientAuth, serverAuth
+subjectAltName          = @alternate_names
+
+# RFC 5280, Section 4.2.1.12 makes EKU optional
+# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
+# extendedKeyUsage  = serverAuth, clientAuth
+
+# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
+[ req_ext ]
+
+subjectKeyIdentifier    = hash
+
+basicConstraints        = CA:FALSE
+keyUsage                = digitalSignature, keyEncipherment
+extendedKeyUsage        = clientAuth, serverAuth
+subjectAltName          = @alternate_names
+
+# RFC 5280, Section 4.2.1.12 makes EKU optional
+# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
+# extendedKeyUsage  = serverAuth, clientAuth
+
+[ alternate_names ]
+
+DNS.1       = python.org
+DNS.2       = www.python.org
diff --git a/src/Crypt/CryptConnection.py b/src/Crypt/CryptConnection.py
@@ -158,8 +158,6 @@ def createSslRsaCert(self):
         proc.wait()
         print(back)
 
-        print(subprocess.run(self.openssl_bin + " rand -hex 65536", shell=True, stdout=subprocess.PIPE).stdout.decode(errors="replace"))
-
         if not (os.path.isfile(self.cacert_pem) and os.path.isfile(self.cakey_pem)):
             self.log.error("RSA ECC SSL CAcert generation failed, CAcert or CAkey files not exist. (%s)" % back)
             return False
