def get_node_tls_cert_pem(
key: ec.EllipticCurvePrivateKeyWithSerialization) -> str:
b = x509.CertificateBuilder()
b = b.serial_number(x509.random_serial_number())
b = b.public_key(key.public_key())
node_id_raw = get_node_id_raw(key)
cn = get_node_tls_cn(node_id_raw)
x509_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
b = b.subject_name(x509_name)
b = b.issuer_name(x509_name)
now = datetime.now()
b = b.not_valid_before(now - timedelta(days=1))
b = b.not_valid_after(now + timedelta(days=365 * 10))
cert = b.sign(private_key=key,
algorithm=hashes.SHA256(),
backend=default_backend())
cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM)
return cert_pem.decode('ascii')
def generate_certificate(key: EllipticCurvePrivateKeyWithSerialization):
hostname = 'localhost'
subject = issuer = x509.Name(
[x509.NameAttribute(x509.NameOID.COMMON_NAME, hostname)])
cert: Certificate = x509.CertificateBuilder().subject_name(
subject).issuer_name(issuer).public_key(
key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
utcnow() - datetime.timedelta(seconds=60)).not_valid_after(
utcnow() + datetime.timedelta(days=1)).add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True).add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=True,
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
decipher_only=False,
),
critical=True,
).add_extension(x509.ExtendedKeyUsage([
x509.ExtendedKeyUsageOID.SERVER_AUTH,
x509.ExtendedKeyUsageOID.CLIENT_AUTH,
]),
critical=False).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(hostname),
]),
critical=False).sign(
key, hashes.SHA256(),
default_backend())
return cert
def get_node_id_raw(key: ec.EllipticCurvePrivateKeyWithSerialization) -> bytes:
W = key.public_key().public_numbers()
pk_bytes = W.x.to_bytes(32, 'big') + W.y.to_bytes(32, 'big')
return keccak(pk_bytes)[12:]