## https://sploitus.com/exploit?id=002440C3-543A-52F1-B1BB-6BB29229A17E
# Secure CSR Generator
[Security workflow status](https://github.com/nemekath/csrgenerator-secure/actions/workflows/security.yml) · [Repository](https://github.com/nemekath/csrgenerator-secure)
A Flask-based web application for generating Certificate Signing Requests (CSRs) and verifying CSR/private key pairs. This security-enhanced fork builds on [David Wittman's CSR Generator](https://github.com/DavidWittman/csrgenerator.com), incorporating security fixes, enhanced features, and comprehensive documentation.
> **⚠️ Hobby Project**: This is maintained in spare time with no guaranteed support. See [full disclaimer](HOBBY_PROJECT_DISCLAIMER.md).
## Security Enhancements and New Features
Key improvements over the original:
- **Security Fixes**: Upgraded setuptools past CVE-2024-6345 and GHSA-5rjg-fvgr-3xxf, two advisories in its `package_index` download code (see Security Details below)
- **Dependency Updates**: All packages upgraded to latest secure versions
- **Enhanced Cryptography**: Added ECDSA support (P-256, P-384, P-521) alongside RSA
- **HTTPS Integration**: Automatic self-signed certificate generation
- **Key Verification**: Added CSR/private key pair verification functionality
- **Comprehensive Documentation**: Detailed guides for setup, development, and security
## Quick Start
### Docker (Easiest)
```bash
# Build and run
docker build -t csrgenerator-secure:latest .
docker run -d -p 5555:5555 --name csrgenerator-secure csrgenerator-secure:latest
# Access at https://localhost:5555
# The browser warning is expected: the certificate is self-signed and generated at
# start-up. Accepting it is fine on your own machine; for anything reachable from
# other hosts, check the certificate fingerprint first or replace it with a CA-issued one.
```
### Local Development
```bash
# Clone and install
git clone https://github.com/nemekath/csrgenerator-secure.git
cd csrgenerator-secure
pip install -r requirements.txt
# Run the app
python start_server.py
# Access at https://localhost:5555
```
## Key Features
### Core Functionality
- **CSR Generation**: Create secure certificate signing requests
- **Key Pair Verification**: Verify CSRs match with private keys
- **RSA and ECDSA Support**: Work with RSA (2048/4096-bit) and ECDSA (P-256, P-384, P-521) keys
- **HTTPS by Default**: A self-signed certificate is generated automatically, so CSRs and private keys are not sent to the browser in clear text; it does not authenticate the server to other hosts, so use a CA-issued certificate (or terminate TLS at a reverse proxy) before exposing the tool beyond localhost
- **Multidomain Support**: Generate certificates with Subject Alternative Names (SANs)
### User Experience
- **Responsive Design**: Works on desktops, tablets, and phones
- **Interactive Controls**: Dynamic switching between RSA and ECDSA inputs
- **Ease of Use**: Clear copying options for generated CSRs and keys
- **Validation Feedback**: Client and server-side validation for inputs
### Technical Details
- **Framework**: Built with Python and Flask
- **Deployment Options**: Run locally or via Docker container
- **Testing**: Comprehensive automated test suite included
- **Documentation**: Guides available for setup, development, and usage
- **Security**: Strong cryptographic defaults enforced
## Configuration
### Environment Variables
- `PORT` - Port to run the application (default: 5555)
- `SECRET_KEY` - Flask secret key used to sign session cookies; set it to a long random value (at least 32 bytes from a CSPRNG) and make sure every Gunicorn worker receives the same value, otherwise a session signed by one worker is rejected by another
- `WORKERS` - Number of Gunicorn workers (auto-calculated by default)
### Supported Cryptography
#### RSA Key Sizes
- **2048-bit**: Default; roughly 112-bit security (NIST SP 800-57) and broadly compatible
- **4096-bit**: Above the 128-bit level, at the cost of noticeably slower key generation and larger CSRs, keys, and signatures
#### ECDSA Curves
- **P-256 (secp256r1)**: 128-bit security; fastest and most widely supported
- **P-384 (secp384r1)**: 192-bit security with only a modest performance cost
- **P-521 (secp521r1)**: 256-bit security; the largest keys and signatures of the three, and some CAs (Let's Encrypt, for one) will not sign P-521 requests
*Note: 1024-bit RSA (about 80-bit security, disallowed for new signatures by NIST SP 800-131A since 2013) is not supported.*
### Operation Modes
- **Development**: Single-process using Flask (`python start_server.py`)
- **Docker**: Multi-process with Gunicorn
- **Advanced**: Start manually with Gunicorn (`gunicorn --config gunicorn.conf.py app:app`)
## Documentation
Comprehensive documentation is available covering various aspects:
- **[Documentation Index](docs/README.md)** - Central hub for all guides
- **[System Architecture](docs/ARCHITECTURE.md)** - Design principles and component structure
- **[Code Structure](docs/CODE_STRUCTURE.md)** - File-by-file analysis and walkthroughs
- **[Cryptography Guide](docs/CRYPTOGRAPHY_GUIDE.md)** - Security implementation and concepts
- **[Development Guide](docs/DEVELOPMENT_GUIDE.md)** - Setup, testing, and deployment instructions
- **[Validation Details](VALIDATION_VERIFICATION.md)** - RFC-compliant domain validation specifics
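The README describes RFC-compliant domain validation for SAN input (and the client/server-side input validation listed above) without showing the rules. The following is an added, stand-alone illustration written for this page, not the project's `app.py` validation code, of what a server-side SAN validator for a CSR generator has to do before any name reaches the CSR builder: separate IP literals from DNS names, normalise internationalised names to A-labels, and enforce the RFC 1035/1123 label grammar. The wildcard rule (at least two labels to the right of `*`) is a policy assumption, not something the README states.

```python
"""Added example: server-side validation of Subject Alternative Name entries.

Not the project's code.  Uses only the standard library so it can be run and
adapted independently of the Flask app.
"""
import ipaddress
import re
from typing import List, Tuple

# RFC 1035 §2.3.1 / RFC 1123 §2.1 hostname label: letters, digits and hyphen,
# no leading or trailing hyphen, 1..63 octets.  A full name may not exceed 253
# characters once the trailing dot is removed.  Underscore labels (_dmarc etc.)
# are deliberately rejected: this validates hostnames, not arbitrary DNS names.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_NAME_LEN = 253


def classify_san(entry: str) -> Tuple[str, str]:
    """Return ("ip", canonical_ip) or ("dns", lowercase_a_label_name).

    Raises ValueError with a user-facing reason, so the caller can reject the
    whole request before generating any key material.
    """
    value = entry.strip()
    if not value:
        raise ValueError("empty SAN entry")
    # Reject whitespace and control characters outright; they cannot be part of
    # any SAN and are the usual carriers of injected content in form fields.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        raise ValueError(f"SAN contains whitespace or control characters: {entry!r}")

    # IP literals become iPAddress SAN values, never dNSName.
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass

    # IDNA-encode so later checks (and the CSR) only see ASCII LDH labels.
    # Python's codec also rejects empty labels ("a..b") and labels over 63 octets.
    try:
        name = value.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise ValueError(f"invalid hostname (IDNA/label-length check failed): {entry!r}") from exc

    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"hostname longer than {MAX_NAME_LEN} characters")

    labels = name.split(".")
    if labels[0] == "*":
        # Policy assumption mirroring CA/Browser Forum practice: the wildcard
        # must be the entire leftmost label and leave at least two labels to
        # its right, so "*.example.com" passes and "*.com" fails.
        labels = labels[1:]
        if len(labels) < 2:
            raise ValueError(f"wildcard too broad: {entry!r}")
    for label in labels:
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {entry!r}")
    if labels[-1].isdigit():
        raise ValueError(f"top-level label cannot be all digits: {entry!r}")
    return "dns", name


def is_valid_san(entry: str) -> bool:
    """Boolean form of classify_san for quick checks and tests."""
    try:
        classify_san(entry)
        return True
    except ValueError:
        return False


def validate_sans(entries: List[str]) -> List[Tuple[str, str]]:
    """Validate every entry and drop duplicates while preserving order."""
    seen, out = set(), []
    for entry in entries:
        item = classify_san(entry)
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


if __name__ == "__main__":
    # Constructed sample input, including a few entries that must be refused.
    for candidate in ["Example.COM.", "bücher.example", "*.example.com", "192.0.2.10",
                      "*.com", "-bad.example.com", "exa mple.com", "1.2.3"]:
        print(f"{candidate!r:24} -> {classify_san(candidate) if is_valid_san(candidate) else 'rejected'}")
```

Running the module prints each constructed candidate with its classification or `rejected`; in the application the same function would run before key generation so that a rejected name costs no CPU and leaves no key material behind.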
## Security Details
### Dependency Versions
| Package | Version | Status (as of the 2025-06-30 release) |
|---------|---------|----------------|
| pyOpenSSL | 25.1.0 | Current |
| cryptography | 45.0.4 | Current |
| setuptools | ≥80.9.0 | Current; past CVE-2024-6345 (fixed in 70.0.0) and GHSA-5rjg-fvgr-3xxf (fixed in 78.1.1) |
| Flask | 3.1.1 | Current |
| Werkzeug | 3.1.3 | Current |
| Gunicorn | 23.0.0 | Current |
| zipp | ≥3.19.1 | Current; past CVE-2024-5569 |

Both setuptools advisories are in the legacy `package_index` module (remote code execution through its download functions, and a path traversal in `PackageIndex.download`), which is only exercised when setuptools itself fetches packages; a running Flask app never calls it, so the upgrade closes a build-time/supply-chain exposure rather than a flaw in CSR generation. The zipp issue is a denial-of-service loop on malformed zip paths (CVE-2023-45853, sometimes confused with it, is a zlib MiniZip overflow, not a Python package issue). "Current" is a statement about June 2025; re-run `pip-audit` before deploying.
### Security Measures
- Container runs as non-root user
- No 1024-bit RSA key generation (deprecated)
- SHA-256 hashing for signatures
- Dependencies updated for known vulnerabilities
- Basic vulnerability scanning in CI/CD
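How the pieces above fit together in code: this added example (not the project's own implementation) uses the `cryptography` library the project depends on to generate an RSA or ECDSA key under the stated policy (no 1024-bit RSA, only P-256/P-384/P-521, SHA-256 signatures), build a CSR carrying a Subject Alternative Name extension, and then perform the CSR/private-key match check that the verification feature offers. Function names, the subject layout and the sample hostnames are assumptions for illustration.

```python
"""Added example: CSR generation under the README's key policy, plus
CSR/private-key verification.  Not the project's code."""
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

# Policy taken from the README: 1024-bit RSA is refused, only the three NIST
# prime curves are offered, and every CSR is signed with SHA-256.
ALLOWED_RSA_BITS = {2048, 4096}
CURVES = {"P-256": ec.SECP256R1, "P-384": ec.SECP384R1, "P-521": ec.SECP521R1}


def policy_allows(key_type: str, rsa_bits: int = 2048, curve: str = "P-256") -> bool:
    """True if the requested key type/size/curve is permitted."""
    if key_type == "RSA":
        return rsa_bits in ALLOWED_RSA_BITS
    if key_type == "ECDSA":
        return curve in CURVES
    return False


def generate_private_key(key_type: str, rsa_bits: int = 2048, curve: str = "P-256"):
    """Generate a key, enforcing the policy before any CPU is spent."""
    if not policy_allows(key_type, rsa_bits, curve):
        raise ValueError(f"refused by policy: {key_type} rsa_bits={rsa_bits} curve={curve}")
    if key_type == "RSA":
        return rsa.generate_private_key(public_exponent=65537, key_size=rsa_bits)
    return ec.generate_private_key(CURVES[curve]())


def build_csr(private_key, common_name: str, sans: list) -> bytes:
    """Return a PEM CSR with CN=common_name and a SAN extension.

    Entries that parse as IP addresses become iPAddress values; everything
    else is assumed to be an already-validated hostname and becomes dNSName.
    """
    san_values = []
    for entry in sans:
        try:
            san_values.append(x509.IPAddress(ipaddress.ip_address(entry)))
        except ValueError:
            san_values.append(x509.DNSName(entry))
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(x509.SubjectAlternativeName(san_values), critical=False)
    )
    return builder.sign(private_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def private_key_pem(private_key) -> bytes:
    """Unencrypted PKCS#8 PEM, the form a user would paste into /verify."""
    return private_key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()
    )


def _spki_der(public_key) -> bytes:
    # SubjectPublicKeyInfo DER is a uniform comparison key for RSA and EC alike.
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def verify_csr_key_match(csr_pem: bytes, key_pem: bytes) -> dict:
    """Does key_pem hold the private half of the public key inside csr_pem?

    Two independent checks: the CSR's public key must equal the public key
    derived from the private key, and the CSR's self-signature must verify,
    which catches a CSR whose body was edited after it was signed.
    """
    try:
        csr = x509.load_pem_x509_csr(csr_pem)
        key = serialization.load_pem_private_key(key_pem, password=None)
    except (ValueError, TypeError) as exc:
        return {"match": False, "signature_valid": False, "reason": f"unparseable input: {exc}"}
    match = _spki_der(csr.public_key()) == _spki_der(key.public_key())
    signature_valid = csr.is_signature_valid
    if match and signature_valid:
        reason = "private key matches the CSR and the CSR signature is valid"
    elif not match:
        reason = "public key in the CSR does not correspond to this private key"
    else:
        reason = "CSR signature is invalid (CSR modified after signing?)"
    return {"match": match, "signature_valid": signature_valid, "reason": reason}


def demo(key_type: str = "ECDSA") -> dict:
    """Generate a key and CSR (constructed sample names), then verify against
    the right key and against an unrelated one."""
    key = generate_private_key(key_type)
    csr = build_csr(key, "www.example.com", ["www.example.com", "example.com", "192.0.2.10"])
    other = generate_private_key(key_type)
    san = x509.load_pem_x509_csr(csr).extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "good": verify_csr_key_match(csr, private_key_pem(key)),
        "wrong_key": verify_csr_key_match(csr, private_key_pem(other)),
        "dns_sans": san.get_values_for_type(x509.DNSName),
        "ip_sans": [str(ip) for ip in san.get_values_for_type(x509.IPAddress)],
    }


if __name__ == "__main__":
    for key_type in ("ECDSA", "RSA"):
        result = demo(key_type)
        print(key_type, result["good"]["reason"], "|", result["wrong_key"]["reason"])
```

Comparing SubjectPublicKeyInfo bytes rather than individual key parameters means one verifier handles both key types; checking `is_signature_valid` as well means a CSR that was hand-edited after signing (for example to add a SAN) is reported even when the key does match.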
## Testing
```bash
# Run tests
python3 -m pytest tests.py
# Run linting
python3 -m flake8 --max-line-length=120 .
# Install the development dependencies, then run the suite verbosely
pip install -r requirements-dev.txt
python3 -m pytest tests.py -v
```
## Deployment Options
### WSGI Server with Gunicorn
For better performance than Flask's development server:
- **Multi-worker processing** for handling concurrent requests
- **Worker management** and automatic restart on failures
- **Improved performance** compared to single-threaded Flask dev server
- **Basic health monitoring** capabilities
*Note: This is suitable for small-scale use. For larger deployments, consider additional infrastructure.*
### Development vs Production Setup
| Feature | Development | Production Setup |
|---------|-------------|------------------|
| Server | Flask dev server | Gunicorn WSGI |
| Workers | 1 (single-threaded) | Multiple workers |
| Performance | Basic | Improved |
| Concurrent Requests | Limited | Better handling |
| Suitable For | Development/Testing | Small to medium usage |
### Manual Setup
```bash
# Install dependencies
pip install -r requirements.txt
# Run with Gunicorn
gunicorn --config gunicorn.conf.py app:app
# Or with custom settings. Binding to 0.0.0.0 listens on every interface, and
# without --certfile/--keyfile Gunicorn serves plain HTTP, so generated private
# keys would cross the network unencrypted: add those flags or keep the service
# behind a TLS-terminating reverse proxy.
gunicorn --bind 0.0.0.0:5555 --workers 4 app:app
```
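The README refers to `gunicorn.conf.py` without showing it, and says `WORKERS` is auto-calculated and `PORT` defaults to 5555. The configuration below is an added illustration for this page, not the project's own file: it derives the bind address and worker count from those environment variables, listens on loopback unless told otherwise, and enables TLS only when the certificate and key files are present, so a plain-HTTP fallback is visible rather than silent. The `BIND_HOST` variable, the `certs/cert.pem` and `certs/key.pem` paths, and the worker cap are assumptions.

```python
"""Added example gunicorn.conf.py (illustrative, not the project's own).

Gunicorn reads module-level names such as bind, workers, certfile and keyfile
from this file when started with: gunicorn --config gunicorn.conf.py app:app
"""
import multiprocessing
import os
from typing import Mapping, Optional, Tuple


def worker_count(env: Mapping[str, str] = os.environ, cpus: Optional[int] = None) -> int:
    """WORKERS from the environment if set, else Gunicorn's customary 2*CPU+1,
    capped (assumed cap of 8) so a small CSR tool does not fork dozens of processes."""
    explicit = env.get("WORKERS")
    if explicit:
        return max(1, int(explicit))
    cpus = cpus or multiprocessing.cpu_count()
    return min(2 * cpus + 1, 8)


def bind_address(env: Mapping[str, str] = os.environ) -> str:
    """PORT defaults to 5555 (as in the README); the host defaults to loopback
    because responses carry private keys, so exposing the service to other
    hosts should be a deliberate choice (BIND_HOST is an assumed variable)."""
    return f"{env.get('BIND_HOST', '127.0.0.1')}:{env.get('PORT', '5555')}"


def tls_files(cert: str = "certs/cert.pem", key: str = "certs/key.pem") -> Tuple[Optional[str], Optional[str]]:
    """Return (certfile, keyfile) when both exist, otherwise (None, None).

    With None Gunicorn serves plain HTTP; the startup log then shows http://
    instead of https://, which is the cue that TLS is not on."""
    if os.path.exists(cert) and os.path.exists(key):
        return cert, key
    return None, None


# Gunicorn settings (all real option names).
bind = bind_address()
workers = worker_count()
certfile, keyfile = tls_files()
timeout = 30            # 4096-bit RSA generation can take a few seconds; keep headroom
accesslog = "-"         # stdout; access logs never contain request or response bodies
errorlog = "-"
loglevel = "info"
```

Because `certfile`/`keyfile` default to `None`, the same file works for a local HTTP test and for a TLS deployment; what changes is only whether the two files exist at start-up.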
## Docker Commands
```bash
# Build image
docker build -t csrgenerator-secure:latest .
# Run container
docker run -d -p 5555:5555 --name csrgenerator-secure csrgenerator-secure:latest
# View logs
docker logs csrgenerator-secure
# Stop container
docker stop csrgenerator-secure
# Remove container
docker rm csrgenerator-secure
```
## Contributing
Contributions are welcome! Please follow these steps:
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
### Development Guidelines
- Follow PEP 8 style guidelines
- Add tests for new features
- Update documentation as needed
- Run security checks before submitting
## License
This project is licensed under the GNU General Public License v3.0 - see the [LICENSE](LICENSE) file for details.
## Acknowledgments
### Original Project
This project is a security-enhanced fork of the excellent work by **David Wittman**:
- **Original Repository**: [csrgenerator.com](https://github.com/DavidWittman/csrgenerator.com)
- **Original Author**: [David Wittman](https://github.com/DavidWittman)
- **Original License**: GNU General Public License v3.0
**Thank you to David Wittman** for creating this valuable tool and making it available as open source. This fork builds upon his solid foundation to provide comprehensive security, UI/UX, and infrastructure enhancements while preserving the original CSR generation core.
### What This Fork Adds
**Security Fixes:**
- Fixed CVE-2024-6345 and GHSA-5rjg-fvgr-3xxf
- Updated dependencies to newer versions
- Added HTTPS support (self-signed certificates)
- Container runs as non-root user
**Features Added:**
- ECDSA key support (P-256, P-384, P-521)
- CSR/private key verification
- Better web interface
- JSON API responses
- Automated tests
**Documentation:**
- Added setup and development guides
- Explained how the crypto works
- Added troubleshooting info
### About This Fork
This is an enhanced version that:
- Keeps full credit to the original author
- Uses the same GPL v3.0 license
- Adds security fixes and new features
- Maintains the core CSR generation functionality
**Please also check out:**
- The [original repository](https://github.com/DavidWittman/csrgenerator.com)
- David Wittman's other projects
### Community
- Special thanks to the open source community
- Security researchers who identified the vulnerabilities
- Contributors to all the underlying libraries (Flask, pyOpenSSL, cryptography)
## Support
**⚠️ Hobby Project Disclaimer**: This is a personal project maintained in spare time. **[Read Full Disclaimer](HOBBY_PROJECT_DISCLAIMER.md)** for complete details.
- **No SLA**: No guaranteed response times or support commitments
- **Best Effort**: Issues will be addressed when time permits
- **Community Driven**: Feel free to fork if you need faster fixes or features
- **Use at Your Own Risk**: Provided as-is without warranties
If you encounter any issues or have questions:
1. Check the [Issues](https://github.com/nemekath/csrgenerator-secure/issues) page
2. Create a new issue with detailed information
3. Include system information and error logs
4. Consider contributing fixes via pull requests
## Latest Release (v2.3.2) - 2025-06-30
### Security Monitoring
- **Dependency Scanning**: GitHub Dependabot configured for weekly dependency updates
- **Vulnerability Scanning**: Automated scans using Safety, pip-audit, Trivy, and CodeQL
- **Security Dashboard**: Basic security monitoring via GitHub Security tab
- **Vulnerability Reporting**: Security policy for responsible disclosure via GitHub
- **Basic Validation**: Automated checks for secure cryptographic configuration
### Documentation & Transparency
- **Project Scope Clarity**: Added disclaimer explaining hobby project limitations
- **Honest Documentation**: Adjusted claims to reflect actual capabilities
- **Documentation Consistency**: Fixed inconsistencies across guide files
- **Validation Documentation**: Aligned RFC compliance docs with implementation
- **Architecture Documentation**: Updated docs to match actual codebase structure
### Code Quality Improvements
- **Missing Dependencies**: Fixed ipaddress import in app.py
- **Server Startup**: Corrected documentation to recommend start_server.py over app.py
- **zipp Pin**: Pinned zipp >= 3.19.1 to pick up the fix for CVE-2024-5569 (denial of service through an infinite loop on malformed zip paths)
- **Function Documentation**: Ensured all validation function names match actual implementation
## Previous Major Updates
### Version 2.3.1 (Documentation & Infrastructure)
- **Documentation Accuracy**: Fixed version mismatches and build instructions
- **Build System**: Enhanced Makefile and consistent Docker commands
- **Test Verification**: Confirmed all 69 tests pass and are documented correctly
### Version 2.3.0 (HTTPS & UI Enhancements)
- **HTTPS by Default**: Auto-generates self-signed certificates
- **Enhanced Interface**: Separate areas for CSR and private key with copy buttons
- **JSON API**: Modern structured API responses
- **Gunicorn Integration**: Better performance with multi-worker setup
## Changelog
### v2.3.1 (Documentation & Infrastructure Release) - 2025-06-30
- **Infrastructure**: Enhanced Makefile with modern workflow targets (docker, test, lint, check)
- **Build System**: Fixed all Docker commands to use consistent naming (csrgenerator:latest)
- **Dependencies**: Added gunicorn to requirements.txt for local production setup
- **Command Consistency**: Standardized all commands to use `python3 -m` syntax for reliability
- **README Accuracy**: Updated to reflect extensive enhancements as "extensively enhanced fork"
- **Attribution Clarity**: Properly acknowledged significant additions while honoring original work
- **Version Alignment**: Resolved all version mismatches across documentation and dependencies
- **Python Support**: Updated badges and docs to reflect actual support (Python 3.9+)
- **Requirements Sync**: Ensured requirements.txt and requirements-dev.txt are fully consistent
- **Build Instructions**: Updated all build, test, and deployment instructions to current working state
- **Code Structure**: Fixed CODE_STRUCTURE.md to reflect actual project layout and test classes
- **Quality Assurance**: Comprehensive documentation audit ensuring all docs align with implementation
- **Test Accuracy**: Accurate reporting of 69 tests across 9 test classes
- **Version Labels**: Dockerfile and all version references updated to v2.3.1
### v2.3.0 (Security & Functional Release) - 2025-06-30
- **HTTPS by Default**: Automatic SSL certificate generation and secure connections
- **JSON API**: Modernized `/generate` endpoint to return structured JSON responses
- **Enhanced UI**: Perfect field alignment, resizable text areas, and professional styling
- **Gunicorn Integration**: Production WSGI server configured and integrated
- **Structural Documentation**: Comprehensive guides for HTTPS setup and certificate management
- **Security Headers**: HSTS, X-Frame-Options, and enhanced security policies
- **Separate Output Fields**: CSR and private key in distinct, copyable areas with copy buttons
- **Docker Enhancements**: Updated container configuration for HTTPS support and health checks
### v2.2.0 (Verification Feature & Documentation Release) - 2025-06-30
- **MAJOR NEW FEATURE**: CSR and Private Key verification functionality
- **Dual-Mode Interface**: Toggle between "Generate CSR" and "Verify CSR/Key Match" modes
- **Real-Time Verification**: Instant feedback with detailed success/error messaging
- **Universal Support**: Works with both RSA and ECDSA key pairs
- **New `/verify` Endpoint**: Dedicated API for CSR/private key verification
- **Enhanced UI**: Mode switching buttons and dynamic form display
- **Toast Notifications**: User-friendly verification result messages
- **Comprehensive Testing**: Complete test suite for verification scenarios
- **NEW**: Comprehensive documentation suite covering architecture, code structure, cryptography, and development
- **NEW**: Architecture documentation with layered design patterns
- **NEW**: Complete code structure analysis with file-by-file walkthroughs
- **NEW**: In-depth cryptography guide explaining security measures and implementation
- **NEW**: Development guide with setup, testing, deployment, and troubleshooting
- **NEW**: Documentation index for easy navigation by different audiences
### v2.1.0 (ECDSA Support Release) - 2025-06-30
- **NEW**: Added ECDSA key support with P-256, P-384, and P-521 curves
- **NEW**: Dynamic UI with key type selection (RSA/ECDSA)
- **NEW**: Interactive form fields that adapt based on key type
- **Enhanced**: Comprehensive test suite covering ECDSA generation
- **Improved**: Enhanced error handling for ECDSA-specific errors
- **Updated**: Documentation with ECDSA feature details
- **UI**: Added JavaScript toggle between RSA and ECDSA options
- **Security**: Maintained secure curve selection (no weak curves)
### v2.0.1 (Security Update)
- Updated setuptools to 80.9.0 (latest secure version)
- Updated Python version support to 3.11 in Pipfile
- Added Gunicorn to dependency documentation
- Refreshed Pipfile.lock with latest dependencies
- Enhanced production deployment documentation
### v2.0.0 (Security Release)
- Fixed CVE-2024-6345 (setuptools `package_index` remote code execution)
- Fixed GHSA-5rjg-fvgr-3xxf (setuptools `PackageIndex.download` path traversal)
- Updated all dependencies to latest secure versions
- Removed 1024-bit RSA key support
- Enhanced Docker security
- Improved documentation