Merge pull request #32 from CasperLabs/dev

Merging Dev to Master for Publishing 0.20.2

README.md

@@ -98,7 +98,7 @@ C:\Users\alice>python -m pip install casperlabs-client
 The package `casperlabs-client` includes command line interface (CLI)
 script called `casperlabs_client`.
 
-Type `casperlabs-client --help` to see short synopsis with a list of
+Type `casperlabs_client --help` to see short synopsis with a list of
 available commands
 
 ```
@@ -168,7 +168,7 @@ casperlabs_client --host deploy.casperlabs.io vdag --depth 10 --out dag.png
 will produce an image file similar to the one below:
 
 
-![DAG visualization example](https://raw.githubusercontent.com/CasperLabs/CasperLabs/dev/integration-testing/client/CasperLabsClient/example_vdag_output.png)
+![DAG visualization example](https://raw.githubusercontent.com/CasperLabs/client-py/dev/example_vdag_output.png)
 
 Small boxes represent blocks, labeled with short prefixes of their block hashes.
 Blocks are aligned in "lanes" representing validators that created them.

casperlabs_client/VERSION

@@ -1 +1 @@
-0.20.1
+0.20.2

casperlabs_client/casperlabs_client.py

@@ -939,10 +939,10 @@ def validator_keygen(directory: Union[Path, str]) -> None:
         key_pair.save_hex_base64_files(directory, consts.VALIDATOR_FILENAME_PREFIX)
 
         private_key, public_key = crypto.generate_secp256r1_key_pair()
-        node_cert, key_pem = crypto.generate_node_certificates(private_key, public_key)
+        cert_pem, key_pem = crypto.generate_node_certificates(private_key, public_key)
 
         io.write_binary_file(node_private_path, key_pem)
-        io.write_binary_file(node_cert_path, node_cert)
+        io.write_binary_file(node_cert_path, cert_pem)
         io.write_file(node_id_path, crypto.node_public_address(public_key))
 
     @api

casperlabs_client/crypto.py

@@ -11,7 +11,6 @@
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes
-from cryptography.x509.oid import NameOID
 from Crypto.Hash import keccak
 from pyblake2 import blake2b
 
@@ -46,24 +45,35 @@ def int_to_32_bytes(x):
 def generate_node_certificates(private_key, public_key):
     today = datetime.datetime.today()
     one_day = datetime.timedelta(1, 0, 0)
-    address = node_public_address(
-        public_key
-    )  # .map(Base16.to_protobuf).getOrElse("local")
-    owner = f"CN={address}"
-
+    address = node_public_address(public_key)
     builder = x509.CertificateBuilder()
     builder = builder.not_valid_before(today)
 
     # TODO: Where's documentation of the decision to make keys valid for 1 year only?
     builder = builder.not_valid_after(today + 365 * one_day)
-    builder = builder.subject_name(
-        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, owner)])
-    )
-    builder = builder.issuer_name(
-        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, owner)])
+    issuer = x509.Name(
+        [
+            x509.NameAttribute(x509.NameOID.COUNTRY_NAME, "US"),
+            x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, "CA"),
+            x509.NameAttribute(x509.NameOID.LOCALITY_NAME, "San-Diego"),
+            x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, "CasperLabs, LLC"),
+            x509.NameAttribute(x509.NameOID.ORGANIZATIONAL_UNIT_NAME, "IT Department"),
+            x509.NameAttribute(x509.NameOID.COMMON_NAME, address),
+        ]
     )
+    builder = builder.issuer_name(issuer)
+    builder = builder.subject_name(issuer)
     builder = builder.public_key(public_key)
     builder = builder.serial_number(x509.random_serial_number())
+    ski = x509.SubjectKeyIdentifier.from_public_key(public_key)
+    builder = builder.add_extension(ski, critical=False)
+    builder = builder.add_extension(
+        x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski),
+        critical=False,
+    )
+    builder = builder.add_extension(
+        x509.BasicConstraints(ca=True, path_length=None), critical=True
+    )
     certificate = builder.sign(
         private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()
     )