def create_server(cn, server_file, server_key_file, signer_file, signer_key_file): # Make sure files exist if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file)): raise FileNotFoundError('Failed to find {}, {}, or {}'.format( signer_file, signer_key_file)) # Setup cryptography be = cryptography.hazmat.backends.default_backend() # Create Server cert key pair print('\nServer Cert key') server_priv_key = load_or_create_key(server_key_file, backend=be) print('\nLoad Signer') # Load the Signing key from the file print(' Loading key from %s' % signer_key_file) with open(signer_key_file, 'rb') as f: signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(), password=None, backend=be) # Load the Signing Certificate from the file print(' Loading certificate from %s' % signer_file) with open(signer_file, 'rb') as f: signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be) # Build certificate print('\nCreate Server Certificate template') builder = x509.CertificateBuilder() builder = builder.issuer_name(signer_ca_cert.subject) # Device cert must have minutes and seconds set to 0 builder = builder.not_valid_before( datetime.datetime.now(tz=pytz.utc).replace(minute=0, second=0)) # Should be year 9999, but this doesn't work on windows builder = builder.not_valid_after( datetime.datetime(3000, 12, 31, 23, 59, 59)) builder = builder.subject_name( x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)])) builder = builder.public_key(server_priv_key.public_key()) # Device certificate is generated from certificate dates and public key builder = builder.serial_number(cert_sn(16, builder)) # Sign certificate server_cert = builder.sign(private_key=signer_ca_priv_key, algorithm=hashes.SHA256(), backend=be) # Save certificate for reference print(' Save server Certificate to %s' % server_file) with open(server_file, 'wb') as f: f.write(server_cert.public_bytes(encoding=serialization.Encoding.PEM))
def create_signer(o, cn, signer_file, signer_key_file, root_file, root_key_file): crypto_be = cryptography.hazmat.backends.default_backend() #print('\nLoading root CA key') if not os.path.isfile(root_key_file): raise AWSZTKitError('Failed to find root CA key file, ' + root_key_file + '. Have you run ca_create_root first?') with open(root_key_file, 'rb') as f: #print(' Loading from ' + f.name) root_ca_priv_key = serialization.load_pem_private_key( data=f.read(), password=None, backend=crypto_be) #print('\nLoading root CA certificate') if not os.path.isfile(root_file): raise AWSZTKitError('Failed to find root CA certificate file, ' + root_file + '. Have you run ca_create_root first?') with open(root_file, 'rb') as f: #print(' Loading from ' + f.name) root_ca_cert = x509.load_pem_x509_certificate(f.read(), crypto_be) # Create or load a Signer CA key pair #print('\nSigner CA key') signer_ca_priv_key = load_or_create_key(signer_key_file, backend=crypto_be) # Create signer CA certificate #print('\nGenerating signer CA certificate from CSR') # Please note that the structure of the signer certificate is part of certificate definition in the SAMG55 firmware # (g_cert_elements_1_signer). If any part of it is changed, it will also need to be changed in the firmware. # The cert2certdef.py utility script can help with regenerating the cert_def_1_signer.c file after making changes. builder = x509.CertificateBuilder() builder = builder.serial_number(random_cert_sn(16)) builder = builder.issuer_name(root_ca_cert.subject) builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc)) builder = builder.not_valid_after(builder._not_valid_before.replace(year=builder._not_valid_before.year + 10)) builder = builder.public_key(signer_ca_priv_key.public_key()) builder = builder.subject_name(x509.Name([ x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o ), x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn )])) builder = builder.add_extension( x509.BasicConstraints(ca=True, path_length=0), critical=True) builder = builder.add_extension( x509.KeyUsage( digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False), critical=True) builder = builder.add_extension( x509.SubjectKeyIdentifier.from_public_key(signer_ca_priv_key.public_key()), critical=False) issuer_ski = root_ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier) builder = builder.add_extension( x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski.value), critical=False) # Sign signer certificate with root signer_ca_cert = builder.sign( private_key=root_ca_priv_key, algorithm=hashes.SHA256(), backend=crypto_be) # Write signer CA certificate to file with open(signer_file, 'wb') as f: #print(' Saving to ' + f.name) f.write(signer_ca_cert.public_bytes(encoding=serialization.Encoding.PEM)) print('CAcert create success')
def create_device(o, device_file, device_key_file, signer_file, signer_key_file, root_file, root_key_file): # Make sure files exist if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file) and os.path.isfile(root_file)): raise FileNotFoundError('Failed to find {}, {}, or {}'.format(signer_file, signer_key_file, root_file)) # Setup cryptography be = cryptography.hazmat.backends.default_backend() # Create or load a dummy device key pair #print('\ndummy device key') device_priv_key = load_or_create_key(device_key_file, backend=be) # Convert the key into the cryptography format public_key = device_priv_key.public_key() #print('\nLoad Signer') # Load the Signing key from the file #print(' Loading key from %s' % signer_key_file) with open(signer_key_file, 'rb') as f: signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(), password=None, backend=be) # Load the Signing Certificate from the file #print(' Loading certificate from %s' % signer_file) with open(signer_file, 'rb') as f: signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be) with open(root_file, 'rb') as f: root_ca_cert = x509.load_pem_x509_certificate(f.read(), be) root_public = root_ca_cert.public_key() # Build certificate #print('\nCreate Device Certificate template') builder = x509.CertificateBuilder() builder = builder.issuer_name(signer_ca_cert.subject) # Device cert must have minutes and seconds set to 0 builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc).replace(minute=0,second=0)) # Should be year 9999, but this doesn't work on windows builder = builder.not_valid_after(datetime.datetime(3000, 12, 31, 23, 59, 59)) cn = str('0123xxxxxxxxxxxxee') builder = builder.subject_name(x509.Name([ x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o), x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)])) builder = builder.public_key(public_key) # Device certificate is generated from certificate dates and public key builder = builder.serial_number(device_cert_sn(16, builder)) # Subject Key ID is used as the thing name and MQTT client ID and is required for this demo builder = builder.add_extension( x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False) issuer_ski = signer_ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier) builder = builder.add_extension( x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski.value), critical=False) # Sign certificate with longest R & S pattern while True: device_cert = builder.sign(private_key=signer_ca_priv_key, algorithm=hashes.SHA256(), backend=be) cert = decoder.decode(device_cert.public_bytes(encoding=serialization.Encoding.DER), asn1Spec=rfc2459.Certificate())[0] info = cert_sig_offset_length(cert) if info['length'] == 75: break # Save certificate for reference #print(' Save Device Certificate to %s' % device_file) with open(device_file, 'wb') as f: f.write(device_cert.public_bytes(encoding=serialization.Encoding.PEM)) # Save root public key #print(' Save Root Public Key to %s' % root_key_file) with open(root_key_file, 'wb') as f: f.write(root_public.public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)) print('device cert template create success')
def create_server(o, cn, san1, san2, server_file, server_key_file, signer_file, signer_key_file, root_file): # Make sure files exist if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file) and os.path.isfile(root_file)): raise FileNotFoundError('Failed to find {}, {}, or {}'.format( signer_file, signer_key_file, root_file)) # Setup cryptography be = cryptography.hazmat.backends.default_backend() # Create Server cert key pair #print('\nServer Cert key') server_priv_key = load_or_create_key(server_key_file, backend=be) #print('\nLoad Signer') # Load the Signing key from the file #print(' Loading key from %s' % signer_key_file) with open(signer_key_file, 'rb') as f: signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(), password=None, backend=be) # Load the Signing Certificate from the file #print(' Loading certificate from %s' % signer_file) with open(signer_file, 'rb') as f: signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be) with open(root_file, 'rb') as f: root_ca_cert = x509.load_pem_x509_certificate(f.read(), be) # Build certificate #print('\nCreate Server Certificate template') builder = x509.CertificateBuilder() builder = builder.issuer_name(signer_ca_cert.subject) # Device cert must have minutes and seconds set to 0 builder = builder.not_valid_before( datetime.datetime.now(tz=pytz.utc).replace(minute=0, second=0)) # TLS server certificates must have a validity period of 825 days or fewer # (as expressed in the NotBefore and NotAfter fields of the certificate). # https://support.apple.com/en-us/HT210176 builder = builder.not_valid_after( datetime.datetime.now(tz=pytz.utc).replace(minute=0, second=0) + expire_day) builder = builder.subject_name( x509.Name([ x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o), x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn) ])) builder = builder.public_key(server_priv_key.public_key()) # Device certificate is generated from certificate dates and public key builder = builder.serial_number(cert_sn(16, builder)) # specific for server cert builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=False) builder = builder.add_extension(x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=False) builder = builder.add_extension(x509.ExtendedKeyUsage( [x509.oid.ExtendedKeyUsageOID.SERVER_AUTH]), critical=False) builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key( server_priv_key.public_key()), critical=False) issuer_ski = signer_ca_cert.extensions.get_extension_for_class( x509.SubjectKeyIdentifier) builder = builder.add_extension( x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( issuer_ski.value), critical=False) if (san2 == ''): builder = builder.add_extension(x509.SubjectAlternativeName( [x509.DNSName(san1)]), critical=False) else: builder = builder.add_extension(x509.SubjectAlternativeName( [x509.DNSName(san1), x509.IPAddress(ipaddress.ip_address(san2))]), critical=False) # Sign certificate server_cert = builder.sign(private_key=signer_ca_priv_key, algorithm=hashes.SHA256(), backend=be) # Save certificate for reference #print(' Save server Certificate to %s' % server_file) with open(server_file, 'wb') as f: f.write(server_cert.public_bytes(encoding=serialization.Encoding.PEM)) # Save certificate chain for reference #print(' Save server Certificate chain to %s.chain' % server_file) with open(server_file + ".chain", 'wb') as f: f.write(server_cert.public_bytes(encoding=serialization.Encoding.PEM)) with open(server_file + ".chain", 'ab') as f: f.write( signer_ca_cert.public_bytes(encoding=serialization.Encoding.PEM)) with open(server_file + ".chain", 'ab') as f: f.write(root_ca_cert.public_bytes(encoding=serialization.Encoding.PEM)) print('servercert create success')
def create_rtclient(cn, rtclient_file, rtclient_key_file, signer_file, signer_key_file): # Make sure files exist if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file)): raise FileNotFoundError('Failed to find {}, {}, or {}'.format( signer_file, signer_key_file)) # Setup cryptography be = cryptography.hazmat.backends.default_backend() # Create client cert key pair #print('\nrtclient Cert key') rtclient_priv_key = load_or_create_key(rtclient_key_file, backend=be) #print('\nLoad Signer') # Load the Signing key from the file #print(' Loading key from %s' % signer_key_file) with open(signer_key_file, 'rb') as f: signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(), password=None, backend=be) # Load the Signing Certificate from the file #print(' Loading certificate from %s' % signer_file) with open(signer_file, 'rb') as f: signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be) # Build certificate #print('\nCreate rtclient Certificate') builder = x509.CertificateBuilder() builder = builder.issuer_name(signer_ca_cert.subject) # Device cert must have minutes and seconds set to 0 builder = builder.not_valid_before( datetime.datetime.now(tz=pytz.utc).replace(minute=0, second=0)) # Should be year 9999, but this doesn't work on windows builder = builder.not_valid_after( datetime.datetime(3000, 12, 31, 23, 59, 59)) builder = builder.subject_name( x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)])) builder = builder.public_key(rtclient_priv_key.public_key()) # Device certificate is generated from certificate dates and public key builder = builder.serial_number(cert_sn(16, builder)) # specific for client cert builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=False) builder = builder.add_extension(x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=False) builder = builder.add_extension(x509.ExtendedKeyUsage( [x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False) # Sign certificate rtclient_cert = builder.sign(private_key=signer_ca_priv_key, algorithm=hashes.SHA256(), backend=be) # Save certificate for reference #print(' Save rtclient Certificate to %s' % rtclient_file) with open(rtclient_file, 'wb') as f: f.write( rtclient_cert.public_bytes(encoding=serialization.Encoding.PEM)) print('rtclientcert create success')