## https://sploitus.com/exploit?id=002440C3-543A-52F1-B1BB-6BB29229A17E
# Secure CSR Generator 🔐

[![Security Monitoring](https://github.com/nemekath/csrgenerator-secure/actions/workflows/security.yml/badge.svg)](https://github.com/nemekath/csrgenerator-secure/actions/workflows/security.yml)
[![Docker](https://img.shields.io/badge/Docker-Ready-blue.svg)](https://github.com/nemekath/csrgenerator-secure)
[![Python](https://img.shields.io/badge/Python-3.9+-blue.svg)](https://github.com/nemekath/csrgenerator-secure)

A Flask-based web application for generating Certificate Signing Requests (CSRs) and verifying CSR/private key pairs. This security-enhanced fork builds on [David Wittman's CSR Generator](https://github.com/DavidWittman/csrgenerator.com), incorporating security fixes, enhanced features, and comprehensive documentation.

> **⚠️ Hobby Project**: This is maintained in spare time with no guaranteed support. See [full disclaimer](HOBBY_PROJECT_DISCLAIMER.md).

## 🛡️ Security Enhancements and New Features

Key improvements over the original:

- **Security Fixes**: Upgraded past two setuptools vulnerabilities shipped by the original dependency set (CVE-2024-6345, GHSA-5rjg-fvgr-3xxf)
- **Dependency Updates**: All packages pinned to patched versions (see the table under Security Details)
- **Enhanced Cryptography**: Added ECDSA support (P-256, P-384, P-521) alongside RSA
- **HTTPS Integration**: Automatic self-signed certificate generation
- **Key Verification**: Added CSR/private key pair verification functionality
- **Comprehensive Documentation**: Detailed guides for setup, development, and security

## 🚀 Quick Start

### Docker (Easiest)

```bash
# Build and run
docker build -t csrgenerator-secure:latest .
docker run -d -p 5555:5555 --name csrgenerator-secure csrgenerator-secure:latest

# Access at https://localhost:5555
# (Expect a browser warning: the certificate is self-signed. That is fine on
#  localhost; on any other host, inspect the certificate before trusting it.)
```

### Local Development

```bash
# Clone and install
git clone https://github.com/nemekath/csrgenerator-secure.git
cd csrgenerator-secure
pip install -r requirements.txt

# Run the app
python start_server.py

# Access at https://localhost:5555
```

## 📋 Key Features

### Core Functionality
- **CSR Generation**: Create secure certificate signing requests
- **Key Pair Verification**: Verify CSRs match with private keys
- **RSA and ECDSA Support**: Work with RSA (2048/4096-bit) and ECDSA (P-256, P-384, P-521) keys
- **Secure HTTPS**: Self-signed certificates provided for HTTPS
- **Multidomain Support**: Generate certificates with Subject Alternative Names (SANs)

### User Experience
- **Responsive Design**: Works on desktops, tablets, and phones
- **Interactive Controls**: Dynamic switching between RSA and ECDSA inputs
- **Ease of Use**: Clear copying options for generated CSRs and keys
- **Validation Feedback**: Client and server-side validation for inputs

### Technical Details
- **Framework**: Built with Python and Flask
- **Deployment Options**: Run locally or via Docker container
- **Testing**: Comprehensive automated test suite included
- **Documentation**: Guides available for setup, development, and usage
- **Security**: Strong cryptographic defaults enforced

## 🔧 Configuration

### Environment Variables

- `PORT` - Port to run the application (default: 5555)
- `SECRET_KEY` - Flask secret key used to sign session cookies. Set it to a long random value; when running several Gunicorn workers every worker must see the same value, otherwise a session signed by one worker is rejected by another
- `WORKERS` - Number of Gunicorn workers (auto-calculated by default)

### Supported Cryptography

#### RSA Key Sizes
- **2048-bit**: Default; broadly compatible and adequate for current use (roughly 112-bit security)
- **4096-bit**: Larger security margin, at the cost of slower key generation and bigger keys, CSRs and signatures

#### ECDSA Curves
- **P-256 (secp256r1)**: Roughly 128-bit security; the fastest of the three and the most widely supported
- **P-384 (secp384r1)**: Roughly 192-bit security for a modest performance cost
- **P-521 (secp521r1)**: Roughly 256-bit security; the largest keys and signatures, and the least widely supported

*Note: 1024-bit RSA keys are deprecated and not supported.*
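The two operations the application exposes, building a CSR from one of the key types above and checking that a CSR and a private key belong together, look like this when written directly against the `cryptography` package. This is an added example, not the project's own generator or `/verify` code; the function names, the SAN validation rules and the minimum-key-size policy are assumptions made for the example. It goes slightly beyond the page by accepting IP-address SANs alongside DNS names and by reporting what a verification endpoint would typically return.

```python
"""Generate an RSA or ECDSA CSR with SANs, and check that a CSR and a private key belong together.

Added example written against the `cryptography` package; not the project's own
generator or /verify code. Function names and the SAN rules are assumptions.
"""
import ipaddress
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

ALLOWED_RSA_SIZES = {2048, 4096}   # 1024-bit RSA is deprecated and refused outright
CURVES = {"P-256": ec.SECP256R1, "P-384": ec.SECP384R1, "P-521": ec.SECP521R1}
# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def generate_key(key_type="RSA", rsa_bits=2048, curve="P-256"):
    """Return a new private key, rejecting weak RSA sizes and unknown curves."""
    if key_type == "RSA":
        if rsa_bits not in ALLOWED_RSA_SIZES:
            raise ValueError(f"unsupported RSA size {rsa_bits}; allowed: {sorted(ALLOWED_RSA_SIZES)}")
        return rsa.generate_private_key(public_exponent=65537, key_size=rsa_bits)
    if key_type == "ECDSA":
        if curve not in CURVES:
            raise ValueError(f"unsupported curve {curve!r}; allowed: {sorted(CURVES)}")
        return ec.generate_private_key(CURVES[curve]())
    raise ValueError(f"unknown key type {key_type!r}")


def parse_san(value):
    """Turn user input into a GeneralName: an IP literal becomes IPAddress, anything else must be a valid hostname."""
    try:
        return x509.IPAddress(ipaddress.ip_address(value))
    except ValueError:
        pass                                                    # not an IP literal, validate as DNS name
    host = value[2:] if value.startswith("*.") else value       # one leading wildcard label is allowed
    if not host or len(host) > 253 or not all(_LABEL.match(label) for label in host.split(".")):
        raise ValueError(f"invalid SAN entry {value!r}")
    return x509.DNSName(value)


def build_csr(private_key, common_name, sans=(), org=None, country=None):
    """Build a CSR signed with SHA-256. The CN is always repeated in the SAN list, since CAs ignore the CN."""
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if org:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    if country:
        attrs.append(x509.NameAttribute(NameOID.COUNTRY_NAME, country))
    names = [parse_san(common_name)] + [parse_san(s) for s in sans if s != common_name]
    builder = (x509.CertificateSigningRequestBuilder()
               .subject_name(x509.Name(attrs))
               .add_extension(x509.SubjectAlternativeName(names), critical=False))
    return builder.sign(private_key, hashes.SHA256())


def key_to_pem(private_key):
    return private_key.private_bytes(serialization.Encoding.PEM,
                                     serialization.PrivateFormat.PKCS8,
                                     serialization.NoEncryption())


def csr_to_pem(csr):
    return csr.public_bytes(serialization.Encoding.PEM)


def verify_csr_key_pair(csr_pem, key_pem):
    """True only if the CSR carries this key's public key AND the CSR's own signature verifies."""
    csr = x509.load_pem_x509_csr(csr_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    spki = dict(encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo)
    same_key = csr.public_key().public_bytes(**spki) == key.public_key().public_bytes(**spki)
    return same_key and csr.is_signature_valid


def describe_csr(csr_pem):
    """Summary a verification endpoint would return: subject CN, key type, SANs and signature hash."""
    csr = x509.load_pem_x509_csr(csr_pem)
    pub = csr.public_key()
    key_desc = f"RSA-{pub.key_size}" if isinstance(pub, rsa.RSAPublicKey) else f"ECDSA-{pub.curve.name}"
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "common_name": csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "key": key_desc,
        "sans": [str(n.value) for n in san],
        "signature_hash": csr.signature_hash_algorithm.name,
    }


if __name__ == "__main__":
    key = generate_key("ECDSA", curve="P-384")
    csr = build_csr(key, "example.com", sans=["www.example.com", "203.0.113.10"], org="Example Ltd", country="DE")
    print(csr_to_pem(csr).decode())
    print(describe_csr(csr_to_pem(csr)))
    print("key matches CSR:", verify_csr_key_pair(csr_to_pem(csr), key_to_pem(key)))
```

The verification deliberately checks two things: that the SubjectPublicKeyInfo in the CSR is byte-for-byte the private key's public key, and that the CSR's self-signature is valid. The second check catches a CSR whose public key was swapped after signing, which the first check alone would accept.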

### Operation Modes

- **Development**: Single-process using Flask (`python start_server.py`)
- **Docker**: Multi-process with Gunicorn
- **Advanced**: Start manually with Gunicorn (`gunicorn --config gunicorn.conf.py app:app`)

## 📚 Documentation

Comprehensive documentation is available covering various aspects:

- **[📖 Documentation Index](docs/README.md)** - Central hub for all guides
- **[🏗️ System Architecture](docs/ARCHITECTURE.md)** - Design principles and component structure
- **[📁 Code Structure](docs/CODE_STRUCTURE.md)** - File-by-file analysis and walkthroughs
- **[🔐 Cryptography Guide](docs/CRYPTOGRAPHY_GUIDE.md)** - Security implementation and concepts
- **[⚙️ Development Guide](docs/DEVELOPMENT_GUIDE.md)** - Setup, testing, and deployment instructions
- **[🔍 Validation Details](VALIDATION_VERIFICATION.md)** - RFC-compliant domain validation specifics

## 🔍 Security Details

### Dependency Versions

| Package | Version | Security Status |
|---------|---------|----------------|
| pyOpenSSL | 25.1.0 | ✅ Latest |
| cryptography | 45.0.4 | ✅ Latest |
| setuptools | ≥80.9.0 | ✅ Latest (CVE-2024-6345 and GHSA-5rjg-fvgr-3xxf fixed) |
| Flask | 3.1.1 | ✅ Latest |
| Werkzeug | 3.1.3 | ✅ Latest |
| Gunicorn | 23.0.0 | ✅ Latest |
| zipp | ≥3.19.1 | ✅ First release that no longer loops forever on a malformed zip archive |

"Latest" is as of the v2.3.2 release (2025-06-30); run `pip-audit -r requirements.txt` before deploying to catch anything published since.

### Security Measures

- Container runs as non-root user
- No 1024-bit RSA key generation (deprecated)
- SHA-256 hashing for signatures
- Dependencies updated for known vulnerabilities
- Basic vulnerability scanning in CI/CD

## 🧪 Testing

```bash
# Run tests
python3 -m pytest tests.py

# Run linting
python3 -m flake8 --max-line-length=120 .

# Install the development dependencies (test and lint tools) and run the suite verbosely
pip install -r requirements-dev.txt
python3 -m pytest tests.py -v
```

## 🚀 Deployment Options

### WSGI Server with Gunicorn

For better performance than Flask's development server:

- **Multi-worker processing** for handling concurrent requests
- **Worker management** and automatic restart on failures
- **Improved performance** compared to the single-process Flask dev server
- **Basic health monitoring** capabilities

*Note: This is suitable for small-scale use. For larger deployments, consider additional infrastructure.*

### Development vs Production Setup

| Feature | Development | Production Setup |
|---------|-------------|------------------|
| Server | Flask dev server | Gunicorn WSGI |
| Workers | 1 process | Multiple worker processes |
| Performance | Basic | Improved |
| Concurrent Requests | Limited | Better handling |
| Suitable For | Development/Testing | Small to medium usage |

### Manual Setup

```bash
# Install dependencies
pip install -r requirements.txt

# Run with Gunicorn
gunicorn --config gunicorn.conf.py app:app

# Or with custom settings. Gunicorn still loads ./gunicorn.conf.py from the working
# directory, but command-line flags override the matching config values; --bind 0.0.0.0
# exposes the service on every interface, so use 127.0.0.1:5555 behind a reverse proxy
# unless you really want it reachable from the network
gunicorn --bind 0.0.0.0:5555 --workers 4 app:app
```
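The HTTPS mode described above depends on a self-signed certificate that the application generates for itself. The following added example (not the project's own certificate code; the function names and the chosen extensions are assumptions made here) produces an equivalent certificate with `cryptography`, keeps the private key file at mode 0600 from the moment it is created, and prints the SHA-256 fingerprint so the browser warning from the Quick Start can be checked against something rather than clicked through blindly.

```python
"""Create a self-signed certificate for a local HTTPS instance and report its fingerprint.

Added example, not the project's own certificate code; function names and the
chosen extensions are assumptions made for illustration.
"""
import datetime
import ipaddress
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_self_signed_cert(hostnames=("localhost",), ips=("127.0.0.1",), days=30):
    """Return (private_key, certificate): ECDSA P-256, SHA-256, short validity, identity carried in the SAN."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostnames[0])])
    san = [x509.DNSName(h) for h in hostnames] + [x509.IPAddress(ipaddress.ip_address(i)) for i in ips]
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)                                        # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))    # tolerate small clock skew
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName(san), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def is_self_signed(cert):
    """Issuer equals subject and the signature verifies under the certificate's own (EC) public key."""
    if cert.issuer != cert.subject:
        return False
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def san_names(cert):
    """The names the certificate is valid for, as strings, in SAN order."""
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return [str(n.value) for n in ext]


def fingerprint_sha256(cert):
    """Colon-separated SHA-256 fingerprint, the form shown in a browser's certificate viewer."""
    return ":".join(f"{b:02X}" for b in cert.fingerprint(hashes.SHA256()))


def write_pem_files(key, cert, key_path="key.pem", cert_path="cert.pem"):
    """Write the key with mode 0600 from creation onward; the certificate is public and needs no protection."""
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption()))
    with open(cert_path, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))


if __name__ == "__main__":
    key, cert = make_self_signed_cert()
    write_pem_files(key, cert)
    print("SHA-256 fingerprint:", fingerprint_sha256(cert))
    print("valid for:", san_names(cert))
```

With the two files written, `gunicorn --certfile cert.pem --keyfile key.pem --bind 127.0.0.1:5555 app:app` serves the app over TLS, and the fingerprint printed here should match the one the browser shows in its certificate details when it warns about the untrusted issuer.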

## 🐳 Docker Commands

```bash
# Build image
docker build -t csrgenerator-secure:latest .

# Run container
docker run -d -p 5555:5555 --name csrgenerator-secure csrgenerator-secure:latest

# View logs
docker logs csrgenerator-secure

# Stop container
docker stop csrgenerator-secure

# Remove container
docker rm csrgenerator-secure
```

## 🤝 Contributing

Contributions are welcome! Please follow these steps:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

### Development Guidelines

- Follow PEP 8 style guidelines
- Add tests for new features
- Update documentation as needed
- Run security checks before submitting

## 📝 License

This project is licensed under the GNU General Public License v3.0 - see the [LICENSE](LICENSE) file for details.

## 🙏 Acknowledgments

### Original Project

This project is a security-enhanced fork of the excellent work by **David Wittman**:

- **Original Repository**: [csrgenerator.com](https://github.com/DavidWittman/csrgenerator.com)
- **Original Author**: [David Wittman](https://github.com/DavidWittman)
- **Original License**: GNU General Public License v3.0

**Thank you to David Wittman** for creating this valuable tool and making it available as open source. This fork builds upon his solid foundation to provide comprehensive security, UI/UX, and infrastructure enhancements while preserving the original CSR generation core.

### What This Fork Adds

**Security Fixes:**
- Fixed CVE-2024-6345 and GHSA-5rjg-fvgr-3xxf
- Updated dependencies to newer versions
- Added HTTPS support (self-signed certificates)
- Container runs as non-root user

**Features Added:**
- ECDSA key support (P-256, P-384, P-521)
- CSR/private key verification
- Better web interface
- JSON API responses
- Automated tests

**Documentation:**
- Added setup and development guides
- Explained how the crypto works
- Added troubleshooting info

### About This Fork

This is an enhanced version that:
- Keeps full credit to the original author
- Uses the same GPL v3.0 license
- Adds security fixes and new features
- Maintains the core CSR generation functionality

**Please also check out:**
- ⭐ The [original repository](https://github.com/DavidWittman/csrgenerator.com)
- 📖 David Wittman's other projects

### Community

- Special thanks to the open source community
- Security researchers who identified the vulnerabilities
- Contributors to all the underlying libraries (Flask, pyOpenSSL, cryptography)

## 📞 Support

**⚠️ Hobby Project Disclaimer**: This is a personal project maintained in spare time. **[Read Full Disclaimer](HOBBY_PROJECT_DISCLAIMER.md)** for complete details.

- **No SLA**: No guaranteed response times or support commitments
- **Best Effort**: Issues will be addressed when time permits
- **Community Driven**: Feel free to fork if you need faster fixes or features
- **Use at Your Own Risk**: Provided as-is without warranties

If you encounter any issues or have questions:

1. Check the [Issues](https://github.com/nemekath/csrgenerator-secure/issues) page
2. Create a new issue with detailed information
3. Include system information and error logs
4. Consider contributing fixes via pull requests

## ✨ Latest Release (v2.3.2) - 2025-06-30

### 🔒 Security Monitoring
- **Dependency Scanning**: GitHub Dependabot configured for weekly dependency updates
- **Vulnerability Scanning**: Automated scans using Safety, pip-audit, Trivy, and CodeQL
- **Security Dashboard**: Basic security monitoring via GitHub Security tab
- **Vulnerability Reporting**: Security policy for responsible disclosure via GitHub
- **Basic Validation**: Automated checks for secure cryptographic configuration

### 📚 Documentation & Transparency
- **Project Scope Clarity**: Added disclaimer explaining hobby project limitations
- **Honest Documentation**: Adjusted claims to reflect actual capabilities
- **Documentation Consistency**: Fixed inconsistencies across guide files
- **Validation Documentation**: Aligned RFC compliance docs with implementation
- **Architecture Documentation**: Updated docs to match actual codebase structure

### 🔧 Code Quality Improvements
- **Missing Dependencies**: Fixed ipaddress import in app.py
- **Server Startup**: Corrected documentation to recommend start_server.py over app.py
- **zipp**: Pinned zipp >= 3.19.1, the first release that no longer loops forever on a malformed zip archive (a denial-of-service issue in earlier versions)
- **Function Documentation**: Ensured all validation function names match actual implementation

## 🚀 Previous Major Updates

### Version 2.3.1 (Documentation & Infrastructure)
- **Documentation Accuracy**: Fixed version mismatches and build instructions
- **Build System**: Enhanced Makefile and consistent Docker commands
- **Test Verification**: Confirmed all 69 tests pass and are documented correctly

### Version 2.3.0 (HTTPS & UI Enhancements)
- **HTTPS by Default**: Auto-generates self-signed certificates
- **Enhanced Interface**: Separate areas for CSR and private key with copy buttons
- **JSON API**: Modern structured API responses
- **Gunicorn Integration**: Better performance with multi-worker setup

## 🔄 Changelog

### v2.3.1 (Documentation & Infrastructure Release) - 2025-06-30
- 🔧 **Infrastructure**: Enhanced Makefile with modern workflow targets (docker, test, lint, check)
- 🐳 **Build System**: Fixed all Docker commands to use consistent naming (csrgenerator:latest)
- 📦 **Dependencies**: Added gunicorn to requirements.txt for local production setup
- 🔗 **Command Consistency**: Standardized all commands to use `python3 -m` syntax for reliability
- 📚 **README Accuracy**: Updated to reflect extensive enhancements as "extensively enhanced fork"
- 🎯 **Attribution Clarity**: Properly acknowledged significant additions while honoring original work
- 🔍 **Version Alignment**: Resolved all version mismatches across documentation and dependencies
- 🐍 **Python Support**: Updated badges and docs to reflect actual support (Python 3.9+)
- 📋 **Requirements Sync**: Ensured requirements.txt and requirements-dev.txt are fully consistent
- 📖 **Build Instructions**: Updated all build, test, and deployment instructions to current working state
- 🏗️ **Code Structure**: Fixed CODE_STRUCTURE.md to reflect actual project layout and test classes
- ✅ **Quality Assurance**: Comprehensive documentation audit ensuring all docs align with implementation
- 🧪 **Test Accuracy**: Accurate reporting of 69 tests across 9 test classes
- 🏷️ **Version Labels**: Dockerfile and all version references updated to v2.3.1

### v2.3.0 (Security & Functional Release) - 2025-06-30
- 🔒 **HTTPS by Default**: Automatic self-signed TLS certificate generation and encrypted connections out of the box
- 📊 **JSON API**: Modernized `/generate` endpoint to return structured JSON responses
- 🎨 **Enhanced UI**: Consistent field alignment, resizable text areas, and cleaner styling
- 🏗️ **Gunicorn Integration**: Production WSGI server configured and integrated
- 📚 **Structural Documentation**: Comprehensive guides for HTTPS setup and certificate management
- 🛡️ **Security Headers**: HSTS, X-Frame-Options, and enhanced security policies
- 📋 **Separate Output Fields**: CSR and private key in distinct, copyable areas with copy buttons
- 🐳 **Docker Enhancements**: Updated container configuration for HTTPS support and health checks

### v2.2.0 (Verification Feature & Documentation Release) - 2025-06-30
- ✨ **MAJOR NEW FEATURE**: CSR and Private Key verification functionality
- 🔄 **Dual-Mode Interface**: Toggle between "Generate CSR" and "Verify CSR/Key Match" modes
- 🔍 **Real-Time Verification**: Instant feedback with detailed success/error messaging
- 🔒 **Universal Support**: Works with both RSA and ECDSA key pairs
- 🎯 **New `/verify` Endpoint**: Dedicated API for CSR/private key verification
- 🎨 **Enhanced UI**: Mode switching buttons and dynamic form display
- 📱 **Toast Notifications**: User-friendly verification result messages
- 🧪 **Comprehensive Testing**: Complete test suite for verification scenarios
- 📚 **NEW**: Comprehensive documentation suite covering architecture, code structure, cryptography, and development
- 🏗️ **NEW**: Architecture documentation with layered design patterns
- 📁 **NEW**: Complete code structure analysis with file-by-file walkthroughs
- 🔐 **NEW**: In-depth cryptography guide explaining security measures and implementation
- ⚙️ **NEW**: Development guide with setup, testing, deployment, and troubleshooting
- 🎯 **NEW**: Documentation index for easy navigation by different audiences

### v2.1.0 (ECDSA Support Release) - 2025-06-30
- ✨ **NEW**: Added ECDSA key support with P-256, P-384, and P-521 curves
- ✨ **NEW**: Dynamic UI with key type selection (RSA/ECDSA)
- ✨ **NEW**: Interactive form fields that adapt based on key type
- 🧪 **Enhanced**: Comprehensive test suite covering ECDSA generation
- 🔧 **Improved**: Enhanced error handling for ECDSA-specific errors
- 📚 **Updated**: Documentation with ECDSA feature details
- 🎨 **UI**: Added JavaScript toggle between RSA and ECDSA options
- 🔒 **Security**: Maintained secure curve selection (no weak curves)

### v2.0.1 (Security Update)
- Updated setuptools to 80.9.0 (latest secure version)
- Updated Python version support to 3.11 in Pipfile
- Added Gunicorn to dependency documentation
- Refreshed Pipfile.lock with latest dependencies
- Enhanced production deployment documentation

### v2.0.0 (Security Release)
- Fixed CVE-2024-6345 (setuptools vulnerability)
- Fixed GHSA-5rjg-fvgr-3xxf (setuptools vulnerability)
- Updated all dependencies to latest secure versions
- Removed 1024-bit RSA key support
- Enhanced Docker security
- Improved documentation