GitLocker: The Coding Marketplace

Description:

picoca 1.0.0

PicoCA is a simple CA intended for use in situations where the CA operator
also operates each host where a certificate will be used. It automatically
generates both a key and a certificate when asked to produce a certificate.
It does not offer OCSP or CRL services. PicoCA is appropriate, for instance,
for generating certificates for RPC systems or microservices.
On first run, PicoCA will generate a keypair and a root certificate in the
certificates subdirectory, and will reuse that same keypair and root
certificate unless they are deleted.
On each further run, PicoCA will generate a keypair and sign an end-entity (leaf)
certificate for that keypair. The certificate will contain a list of DNS names
and/or IP addresses from the command line flags. The key and certificate are
placed in the same directory as the root key and certificate, with a file name
chosen based upon the first domain name or IP address specified on the command
line. It will overwrite existing keys and certificates, e.g. for renewals.
The certificate will have a validity of 366 days, although this can be changed
by using the --lifespan flag. You can also change the directory where the
root and end-entity certificates are stored by using the --cert-path flag.
The code is designed to be simple and easy-to-read, for educational purposes.
If you stumble across a decision that doesn't make sense, please open an
issue so that it may be addressed.
PicoCA should work with Python 2.7, despite the incredible soul-rendering pain
this has caused me.
Installation
$ python setup.py install

$ picoca --help
usage: picoca [-h] [--cert-path path] [--lifespan days] hostname [hostname ...]

positional arguments:
hostname domains and IP addresses to add to certificate

optional arguments:
-h, --help show this help message and exit
--cert-path path Directory to store keys and certificates (default: "./certificates")
--lifespan days Number of days for certificate to be valid (default: 366)

Usage
# Initialize the certificate authority and sign a certificate for "foo.com":
$ picoca foo.com
Successfully initialized PicoCA to: certificates/__root__.key and certificates/__root__.pem
Successfully wrote files to: certificates/foo.com.pem and certificates/foo.com.key

# Generate another certificate using the same certificate authority generated above
$ picoca bar.org baz.net 127.0.0.1 2001:0db8:85a3:0000:0000:8a2e:0370:7334 qux.io
Successfully wrote files to: certificates/bar.org.pem and certificates/bar.org.key

# Store the certs in /etc/picoca instead, for use by multiple applications
$ picoca --cert-path /etc/picoca bar.org baz.net 127.0.0.1 qux.io
Successfully initialized PicoCA to: /etc/picoca/__root__.pem and /etc/picoca/__root__.key
Successfully wrote files to: /etc/picoca/bar.org.pem and /etc/picoca/bar.org.key

Verification
# Verify that a proper certificate was generated
$ openssl verify -x509_strict -purpose sslclient -purpose sslserver -CAfile certificates/__root__.pem certificates/bar.org.pem
certificates/bar.org.pem: OK

# Look at the final generated certificate
$ openssl x509 -in certificates/bar.org.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4d:c5:c9:d7:ca:7e:48:40:85:36:d3:1d:79:69:70:2e
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = PicoCA Root Certificate Authority, OU = PicoCA, O = PicoCA
Validity
Not Before: Jul 30 11:36:31 2020 GMT
Not After : Aug 1 11:36:31 2021 GMT
Subject: CN = bar.org
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:cd:36:8b:e2:10:50:4d:a5:90:d1:e5:9f:43:56:
c2:55:b0:df:55:a5:e1:61:a8:9a:fd:4a:be:f5:9c:
75:dc:b6:8b:98:d0:ed:70:41:ed:1b:9b:8d:cf:85:
6c:e0:fd:78:a9:06:a0:d8:70:00:0b:18:7b:2e:2c:
f4:aa:5d:2d:8b
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
2D:B2:48:97:2E:D7:81:5B:D9:A1:91:C5:79:58:A3:03:2C:68:CF:E2
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:bar.org, DNS:baz.net, DNS:qux.io, IP Address:127.0.0.1, IP Address:2001:DB8:85A3:0:0:8A2E:370:7334
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:48:02:99:16:C6:6E:5B:BA:89:AD:AB:24:14:51:F9:7E:1C:88:8D:5A

Signature Algorithm: ecdsa-with-SHA256
30:64:02:30:30:5a:7b:b8:5c:d5:19:62:90:a6:16:86:c4:5a:
4a:fd:9c:7a:1f:97:56:ea:21:17:50:6c:47:ab:fa:9d:71:38:
ae:b0:fe:f1:8a:ca:75:40:37:02:86:49:0d:f3:c9:d5:02:30:
58:e7:97:e6:c3:95:15:c6:11:94:a2:a2:e2:78:f7:e7:b8:d0:
74:b5:64:47:1b:91:33:a4:99:c6:bc:fe:1b:b3:47:03:af:b4:
95:6e:aa:05:44:b3:d5:84:92:f4:45:46

# And the generated certificate authority, verifying the aKI field matches
$ openssl x509 -in certificates/__root__.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f4:c4:4d:84:5f:b8:42:03:b6:cf:56:ad:ac:09:14:dd
Signature Algorithm: ecdsa-with-SHA384
Issuer: CN = PicoCA Root Certificate Authority, OU = PicoCA, O = PicoCA
Validity
Not Before: Jul 30 11:36:31 2020 GMT
Not After : Jul 30 11:36:31 2040 GMT
Subject: CN = PicoCA Root Certificate Authority, OU = PicoCA, O = PicoCA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:39:e6:3d:66:cd:15:ad:c7:65:38:02:20:71:f8:
8f:11:fa:f2:d6:25:80:05:f4:37:a2:35:84:72:fc:
27:45:f5:f2:3d:5f:8f:23:cc:e3:b0:7c:e9:3a:3f:
f9:a1:b4:b2:22:ba:0f:54:30:b7:52:15:a0:dc:48:
3c:ff:1c:ab:de:2e:4f:98:3e:a9:1e:f7:9c:d8:fc:
2b:cb:00:1f:53:40:bb:5a:9f:3c:05:1f:03:1c:47:
ee:68:df:c1:a4:87:11
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Subject Key Identifier:
48:02:99:16:C6:6E:5B:BA:89:AD:AB:24:14:51:F9:7E:1C:88:8D:5A
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign
Signature Algorithm: ecdsa-with-SHA384
30:64:02:30:5b:fc:75:2b:03:82:30:0b:3e:f8:ec:e5:ee:07:
e8:c1:81:9b:a6:ff:50:49:fb:44:d5:a7:57:0b:55:22:0c:8d:
81:cb:fe:22:af:03:cc:eb:a6:0c:ec:67:1d:58:9f:8e:02:30:
46:fc:e8:1b:1c:dd:00:54:24:03:f5:c4:93:9c:26:8e:a7:ea:
74:ee:7b:17:29:a5:4c:37:91:89:57:1c:10:5a:5f:c1:19:55:
bd:43:23:f7:9f:33:35:51:82:fb:7c:ad

# Verify that TLS works
$ openssl s_server -quiet -www -port 443 -cert certificates/bar.org.pem -key certificates/bar.org.key

# And launching curl in a separate terminal
$ curl --cacert certificates/__root__.pem --output /dev/null "https://127.0.0.1/"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5070 0 5070 0 0 1650k 0 --:--:-- --:--:-- --:--:-- 1650k

Authors
Thus far, April King (april@pokeinthe.io) is the only author.
Credits
PicoCA was directly inspired by Jacob Hoffman-Andrew's
minica, and builds on top of the towering amount
of work done in pyca/cryptography by
Alex Gaynor, Paul Kehrer and
a ton of other heroic volunteers.