From 35165bd58b1e3c851473371aa58d51aa5fe26199 Mon Sep 17 00:00:00 2001 From: wzj <244142824@qq.com> Date: Sun, 15 Jun 2025 06:51:55 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E6=A0=B9=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E4=BF=A1=E4=BB=BB=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app.py | 90 ++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 66 insertions(+), 24 deletions(-) diff --git a/app.py b/app.py index 1d525d7..7b57660 100644 --- a/app.py +++ b/app.py @@ -300,16 +300,43 @@ def create_ca(ca_name, common_name, organization, organizational_unit, country, key_path = os.path.join(ca_dir, f"{common_name}.key") cert_path = os.path.join(ca_dir, f"{common_name}.crt") + # 创建OpenSSL配置文件 + openssl_cnf = f""" + [ req ] + default_bits = {key_size} + distinguished_name = req_distinguished_name + x509_extensions = v3_ca + prompt = no + + [ req_distinguished_name ] + C = {country} + ST = {state} + L = {locality} + O = {organization} + OU = {organizational_unit} + CN = {common_name} + + [ v3_ca ] + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer:always + basicConstraints = CA:TRUE + keyUsage = digitalSignature, keyCertSign, cRLSign + """ + + config_path = os.path.join(ca_dir, 'openssl.cnf') + with open(config_path, 'w') as f: + f.write(openssl_cnf.strip()) + # 生成CA私钥 subprocess.run([ 'openssl', 'genrsa', '-out', key_path, str(key_size) ], check=True) - # 生成CA自签名证书 + # 生成CA自签名证书(使用配置文件) subprocess.run([ 'openssl', 'req', '-new', '-x509', '-days', str(days_valid), '-key', key_path, '-out', cert_path, - '-subj', f'/CN={common_name}/O={organization}/OU={organizational_unit}/C={country}/ST={state}/L={locality}' + '-config', config_path ], check=True) # 保存到数据库 @@ -362,14 +389,8 @@ default_bits = {key_size} prompt = no default_md = sha256 distinguished_name = dn -""" +req_extensions = req_ext - # 只有在有SAN时才添加扩展部分 - has_san = bool(san_dns or san_ip) - if has_san: - csr_config += "req_extensions = req_ext\n" - - csr_config += f""" [dn] CN = {common_name} O = {organization} @@ -377,26 +398,25 @@ OU = {organizational_unit} C = {country} ST = {state} L = {locality} -""" - if has_san: - csr_config += """ [req_ext] +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment subjectAltName = @alt_names +extendedKeyUsage = serverAuth, clientAuth [alt_names]""" - # 添加DNS SAN条目 - if san_dns: - dns_entries = [dns.strip() for dns in san_dns.split(',') if dns.strip()] - for i, dns in enumerate(dns_entries, 1): - csr_config += f"\nDNS.{i} = {dns}" + # 添加SAN条目 + if san_dns: + dns_entries = [dns.strip() for dns in san_dns.split(',') if dns.strip()] + for i, dns in enumerate(dns_entries, 1): + csr_config += f"\nDNS.{i} = {dns}" - # 添加IP SAN条目 - if san_ip: - ip_entries = [ip.strip() for ip in san_ip.split(',') if ip.strip()] - for i, ip in enumerate(ip_entries, 1): - csr_config += f"\nIP.{i} = {ip}" + if san_ip: + ip_entries = [ip.strip() for ip in san_ip.split(',') if ip.strip()] + for i, ip in enumerate(ip_entries, 1): + csr_config += f"\nIP.{i} = {ip}" # 确保配置文件不以空行结尾 csr_config = csr_config.strip() @@ -417,12 +437,34 @@ subjectAltName = @alt_names print(csr_config) return None - # 使用CA签名证书 + # 使用CA签名证书(添加-extfile参数) try: + # 创建扩展配置文件 + ext_config = f""" + authorityKeyIdentifier=keyid,issuer + basicConstraints=CA:FALSE + keyUsage=digitalSignature, keyEncipherment + extendedKeyUsage=serverAuth, clientAuth + subjectAltName=@alt_names + + [alt_names]""" + + if san_dns: + for i, dns in enumerate(dns_entries, 1): + ext_config += f"\nDNS.{i} = {dns}" + + if san_ip: + for i, ip in enumerate(ip_entries, 1): + ext_config += f"\nIP.{i} = {ip}" + + ext_path = os.path.join(cert_dir, 'ext.cnf') + with open(ext_path, 'w') as f: + f.write(ext_config.strip()) + subprocess.run([ 'openssl', 'x509', '-req', '-in', csr_path, '-CA', ca['cert_path'], '-CAkey', ca['key_path'], '-CAcreateserial', '-out', cert_path, - '-days', str(days_valid), '-sha256' + '-days', str(days_valid), '-sha256', '-extfile', ext_path ], check=True) except subprocess.CalledProcessError as e: print(f"签名证书错误: {e}")