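def make_ca(subject_name, valid_days, *, key_size=2048):
    """
    Create a self-signed CA root certificate together with its private key.

    The root issues itself: a CSR is signed with the freshly generated key
    and then passed to a ``CASigner`` whose issuer name is the CSR's own
    subject, so issuer == subject and the Authority Key Identifier is derived
    from the same key as the Subject Key Identifier.

    Args:
        subject_name: ``x509.Name`` used as both subject and issuer.
        valid_days: Validity period handed straight to ``CASigner.sign``;
            it is not validated here.
        key_size: RSA modulus size in bits (keyword-only). Defaults to 2048,
            the value that used to be hard-coded; long-lived roots are
            commonly issued at 3072 or 4096.

    Returns:
        ``(private_key, cert)``. The private key is the CA signing key and is
        returned unencrypted — the caller is responsible for protecting it.

    Raises:
        ValueError: ``key_size`` is below 2048 bits.
    """
    # Refuse to mint a CA on a key weaker than the previous fixed default.
    if key_size < 2048:
        raise ValueError("CA key_size must be at least 2048 bits")

    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=key_size,
        backend=default_backend(),
    )
    public_key = private_key.public_key()

    # RFC 5280 §4.2.1.3: keyCertSign and cRLSign are what a CA needs;
    # digitalSignature is kept as before and every encipherment/agreement
    # bit is cleared. KeyUsage and BasicConstraints are marked critical so a
    # relying party that cannot process them rejects the certificate.
    key_usage = x509.KeyUsage(
        digital_signature=True,
        content_commitment=False,
        key_encipherment=False,
        data_encipherment=False,
        key_agreement=False,
        key_cert_sign=True,
        crl_sign=True,
        encipher_only=False,
        decipher_only=False,
    )
    extensions = [
        Extension(ExtensionOID.KEY_USAGE, True, key_usage),
        # path_length=None: no limit on the depth of subordinate CAs.
        Extension(
            ExtensionOID.BASIC_CONSTRAINTS,
            True,
            x509.BasicConstraints(ca=True, path_length=None),
        ),
        # SKI/AKI are non-critical per RFC 5280; both derive from the same
        # public key because the root signs itself.
        Extension(
            ExtensionOID.SUBJECT_KEY_IDENTIFIER,
            False,
            x509.SubjectKeyIdentifier.from_public_key(public_key),
        ),
        Extension(
            ExtensionOID.AUTHORITY_KEY_IDENTIFIER,
            False,
            x509.AuthorityKeyIdentifier.from_issuer_public_key(public_key),
        ),
    ]

    csr_builder = x509.CertificateSigningRequestBuilder(
        subject_name,
        extensions,
    )
    csr = csr_builder.sign(
        private_key=private_key,
        algorithm=hashes.SHA256(),
        backend=default_backend(),
    )
    # Issuer name == CSR subject: this is what makes the result self-signed.
    signer = CASigner(private_key, csr.subject)
    cert = signer.sign(csr, valid_days)
    return private_key, cert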
def generate_android_extensions(data: bytes) -> List[Extension]:
    """
    Build a synthetic Android key-attestation extension carrying ``data``.

    OID 1.3.6.1.4.1.11129.2.1.17 is the Android key attestation extension.
    Every version and security-level field is set to 0, ``uniqueId`` is a
    fixed placeholder, and both authorization lists claim a generated,
    sign-only key. This is a fixture for exercising parsers, not a statement
    produced by a device: a verifier must not treat it as evidence of a
    hardware-backed key (0 appears to be the lowest / software level in the
    KeyDescription schema — confirm against the ASN.1 definition).

    Args:
        data: Bytes placed verbatim in ``attestationChallenge``.

    Returns:
        A one-element list holding the non-critical extension whose value is
        the DER-encoded ``KeyDescription`` wrapped as ``UnrecognizedExtension``.
    """
    oid = ObjectIdentifier('1.3.6.1.4.1.11129.2.1.17')

    def _generated_signing_key():
        # Software- and TEE-enforced lists assert exactly the same thing.
        auth_list = AuthorizationList()
        auth_list['origin'] = KM_ORIGIN_GENERATED
        auth_list['purpose'].append(KM_PURPOSE_SIGN)
        return auth_list

    description = KeyDescription()
    for field in ('attestationVersion', 'attestationSecurityLevel',
                  'keymasterVersion', 'keymasterSecurityLevel'):
        description[field] = 0
    description['attestationChallenge'] = data
    description['uniqueId'] = b'unique'
    description['softwareEnforced'] = _generated_signing_key()
    description['teeEnforced'] = _generated_signing_key()

    der = encode(description)
    return [Extension(oid, False, UnrecognizedExtension(oid, der))]
    def add_extension(self, extval: ExtensionType, critical: bool):
        """
        Return a copy of this builder with one more CRL-entry extension.

        The builder is immutable: ``self`` is left untouched and a new
        ``RevokedCertificateBuilder`` carrying the extra extension is returned.

        Args:
            extval: The extension value; its ``oid`` becomes the extension OID.
            critical: Criticality flag. RFC 5280 makes a relying party reject
                an entry whose critical extension it cannot process, so only
                set it when that is the intent.

        Raises:
            TypeError: ``extval`` is not an ``ExtensionType``.
            Whatever ``_reject_duplicate_extension`` raises when an extension
            with the same OID is already present (RFC 5280 §4.2 allows at most
            one instance of each extension) — presumably ``ValueError``;
            confirm against that helper.
        """
        if not isinstance(extval, ExtensionType):
            raise TypeError("extension must be an ExtensionType")

        new_ext = Extension(extval.oid, critical, extval)
        _reject_duplicate_extension(new_ext, self._extensions)
        return RevokedCertificateBuilder(
            self._serial_number,
            self._revocation_date,
            [*self._extensions, new_ext],
        )
    def add_extension(self, extension, critical):
        """
        Return a copy of this CSR builder with one more request extension.

        ``self`` is not modified; a new ``CertificateSigningRequestBuilder``
        with the same subject and the extended extension list is returned.

        Args:
            extension: An ``ExtensionType`` value; its ``oid`` identifies the
                extension.
            critical: Criticality flag recorded in the request. Note that the
                issuing CA decides what ends up in the certificate; the flag
                is a request, not a guarantee.

        Raises:
            TypeError: ``extension`` is not an ``ExtensionType``.
            Whatever ``_reject_duplicate_extension`` raises for a duplicate OID
            (RFC 5280 §4.2 permits a single instance per extension) —
            presumably ``ValueError``; confirm against that helper.
        """
        if not isinstance(extension, ExtensionType):
            raise TypeError("extension must be an ExtensionType")

        new_ext = Extension(extension.oid, critical, extension)
        _reject_duplicate_extension(new_ext, self._extensions)

        return CertificateSigningRequestBuilder(
            self._subject_name,
            [*self._extensions, new_ext],
        )
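def my_fix_add_extension_cryptography(builder, extension, critical):
    """
    Drop-in replacement for ``x509.CertificateBuilder.add_extension``.

    Wraps ``extension`` in an ``Extension`` with the given criticality and
    returns a new ``x509.CertificateBuilder`` carrying it, leaving ``builder``
    untouched. The previous version of this helper skipped the duplicate-OID
    check the library method performs, so a certificate could be built with
    two extensions of the same type; RFC 5280 §4.2 forbids that, and the
    check is restored here.

    Args:
        builder: An ``x509.CertificateBuilder`` whose private fields are
            copied. This depends on the private attribute layout
            (``_issuer_name`` … ``_extensions``) and may break across
            cryptography releases.
        extension: The ``ExtensionType`` value to add.
        critical: Criticality flag recorded in the extension.

    Returns:
        A new ``x509.CertificateBuilder`` with the extension appended.

    Raises:
        TypeError: ``extension`` is not an ``ExtensionType``.
        ValueError: an extension with the same OID is already set.
    """
    from cryptography.x509.extensions import Extension, ExtensionType

    if not isinstance(extension, ExtensionType):
        raise TypeError("extension must be an ExtensionType")

    ext = Extension(extension.oid, critical, extension)
    # Mirror the library's duplicate rejection so this monkeypatch cannot
    # produce a certificate with two extensions sharing one OID.
    if any(existing.oid == ext.oid for existing in builder._extensions):
        raise ValueError('This extension has already been set.')

    return x509.CertificateBuilder(builder._issuer_name, builder._subject_name,
                                   builder._public_key, builder._serial_number,
                                   builder._not_valid_before,
                                   builder._not_valid_after,
                                   builder._extensions + [ext])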
    def add_extension(self, extension, critical):
        """
        Return a copy of this builder with one more CRL-entry extension.

        ``self`` is not modified; a new ``RevokedCertificateBuilder`` with the
        same serial number and revocation date is returned.

        Args:
            extension: An ``ExtensionType`` value; its ``oid`` identifies the
                extension.
            critical: Criticality flag. A relying party must reject an entry
                whose critical extension it cannot process (RFC 5280), so set
                it deliberately.

        Raises:
            TypeError: ``extension`` is not an ``ExtensionType``.
            ValueError: an extension with the same OID is already present
                (RFC 5280 §4.2: at most one instance of each extension).
        """
        if not isinstance(extension, ExtensionType):
            raise TypeError("extension must be an ExtensionType")

        new_ext = Extension(extension.oid, critical, extension)

        # Linear scan per call (quadratic over a whole build); extension
        # counts are tiny, so this is not worth a set.
        if any(existing.oid == new_ext.oid for existing in self._extensions):
            raise ValueError('This extension has already been set.')
        return RevokedCertificateBuilder(
            self._serial_number,
            self._revocation_date,
            [*self._extensions, new_ext],
        )
    def add_extension(self, extension, critical):
        """
        Return a copy of this CRL builder with one more CRL-level extension.

        ``self`` is not modified; a new ``CertificateRevocationListBuilder``
        with the same issuer, update times and revoked entries is returned.

        Args:
            extension: An ``ExtensionType`` value; its ``oid`` identifies the
                extension.
            critical: Criticality flag. RFC 5280 requires a relying party to
                reject a CRL carrying an unrecognised critical extension, so
                only set it when that is intended.

        Raises:
            TypeError: ``extension`` is not an ``ExtensionType``.
            Whatever ``_reject_duplicate_extension`` raises for a duplicate OID
            (RFC 5280 §4.2 permits one instance per extension) — presumably
            ``ValueError``; confirm against that helper.
        """
        if not isinstance(extension, ExtensionType):
            raise TypeError("extension must be an ExtensionType")

        new_ext = Extension(extension.oid, critical, extension)
        _reject_duplicate_extension(new_ext, self._extensions)
        return CertificateRevocationListBuilder(
            self._issuer_name,
            self._last_update,
            self._next_update,
            [*self._extensions, new_ext],
            self._revoked_certificates,
        )
    def add_extension(self, extension, critical):
        """
        Return a copy of this CSR builder with one more request extension.

        ``self`` is not modified; a new ``CertificateSigningRequestBuilder``
        with the same subject and the extended extension list is returned.

        Args:
            extension: An ``ExtensionType`` value; its ``oid`` identifies the
                extension.
            critical: Criticality flag recorded in the request. The issuing CA
                decides what is copied into the certificate; this is a request,
                not a guarantee.

        Raises:
            TypeError: ``extension`` is not an ``ExtensionType``.
            ValueError: an extension with the same OID is already present
                (RFC 5280 §4.2: at most one instance of each extension).
        """
        if not isinstance(extension, ExtensionType):
            raise TypeError("extension must be an ExtensionType")

        new_ext = Extension(extension.oid, critical, extension)

        # Linear scan per call (quadratic over a whole build); extension
        # counts are tiny, so this is not worth a set.
        if any(existing.oid == new_ext.oid for existing in self._extensions):
            raise ValueError('This extension has already been set.')
        return CertificateSigningRequestBuilder(
            self._subject_name,
            [*self._extensions, new_ext],
        )
    def add_extension(self, extension, critical):
        """
        Return a copy of this certificate builder with one more extension.

        ``self`` is not modified; a new ``CertificateBuilder`` with the same
        names, key, serial and validity window is returned.

        Args:
            extension: An ``ExtensionType`` value; its ``oid`` identifies the
                extension.
            critical: Criticality flag. RFC 5280 requires a relying party to
                reject a certificate carrying an unrecognised critical
                extension, so set it deliberately.

        Raises:
            TypeError: ``extension`` is not an ``ExtensionType``.
            Whatever ``_reject_duplicate_extension`` raises for a duplicate OID
            (RFC 5280 §4.2 permits one instance per extension) — presumably
            ``ValueError``; confirm against that helper.
        """
        if not isinstance(extension, ExtensionType):
            raise TypeError("extension must be an ExtensionType")

        new_ext = Extension(extension.oid, critical, extension)
        _reject_duplicate_extension(new_ext, self._extensions)

        return CertificateBuilder(
            self._issuer_name,
            self._subject_name,
            self._public_key,
            self._serial_number,
            self._not_valid_before,
            self._not_valid_after,
            [*self._extensions, new_ext],
        )
def generate_elliptic_curve_x509_certificate_android_raw(
        curve: EllipticCurve,
        data: bytes) -> Tuple[x509.Certificate, EC2PrivateKey, EC2PublicKey]:
    """
    Issue an EC certificate carrying ``data`` as a raw Android attestation extension.

    ``data`` is embedded verbatim, non-critical, under OID
    1.3.6.1.4.1.11129.2.1.17 (Android key attestation) with no DER
    validation. That lets callers produce deliberately malformed attestation
    blobs for negative tests; nothing here guarantees the bytes parse as a
    ``KeyDescription``, and a verifier must never accept such a certificate
    as a genuine device attestation.

    Args:
        curve: Curve for the freshly generated key pair.
        data: Raw extension value bytes.

    Returns:
        ``(certificate, private_key, public_key)`` — the SHA-256-signed
        certificate from ``generate_x509_certificate`` plus the key pair.
    """
    oid = ObjectIdentifier('1.3.6.1.4.1.11129.2.1.17')
    raw_attestation = [Extension(oid, False, UnrecognizedExtension(oid, data))]

    priv = generate_private_key(curve, default_backend())
    pub = priv.public_key()
    cert = generate_x509_certificate(pub, priv, hashes.SHA256(),
                                     extensions=raw_attestation)
    return cert, priv, pub
    def add_extension(self, extension, critical):
        """
        Return a copy of this CRL builder with one more CRL-level extension.

        ``self`` is not modified; a new ``CertificateRevocationListBuilder``
        with the same issuer, update times and revoked entries is returned.

        Args:
            extension: An ``ExtensionType`` value; its ``oid`` identifies the
                extension.
            critical: Criticality flag. RFC 5280 requires a relying party to
                reject a CRL carrying an unrecognised critical extension, so
                only set it when that is intended.

        Raises:
            TypeError: ``extension`` is not an ``ExtensionType``.
            ValueError: an extension with the same OID is already present
                (RFC 5280 §4.2: at most one instance of each extension).
        """
        if not isinstance(extension, ExtensionType):
            raise TypeError("extension must be an ExtensionType")

        new_ext = Extension(extension.oid, critical, extension)

        # Linear scan per call (quadratic over a whole build); extension
        # counts are tiny, so this is not worth a set.
        if any(existing.oid == new_ext.oid for existing in self._extensions):
            raise ValueError('This extension has already been set.')
        return CertificateRevocationListBuilder(
            self._issuer_name,
            self._last_update,
            self._next_update,
            [*self._extensions, new_ext],
            self._revoked_certificates,
        )
    def add_extension(self, extension, critical):
        """
        Return a copy of this certificate builder with one more extension.

        ``self`` is not modified; a new ``CertificateBuilder`` with the same
        names, key, serial and validity window is returned.

        Args:
            extension: An ``ExtensionType`` value; its ``oid`` identifies the
                extension.
            critical: Criticality flag. RFC 5280 requires a relying party to
                reject a certificate carrying an unrecognised critical
                extension, so set it deliberately.

        Raises:
            TypeError: ``extension`` is not an ``ExtensionType``.
            ValueError: an extension with the same OID is already present
                (RFC 5280 §4.2: at most one instance of each extension).
        """
        if not isinstance(extension, ExtensionType):
            raise TypeError("extension must be an ExtensionType")

        new_ext = Extension(extension.oid, critical, extension)

        # Linear scan per call (quadratic over a whole build); extension
        # counts are tiny, so this is not worth a set.
        if any(existing.oid == new_ext.oid for existing in self._extensions):
            raise ValueError('This extension has already been set.')

        return CertificateBuilder(
            self._issuer_name,
            self._subject_name,
            self._public_key,
            self._serial_number,
            self._not_valid_before,
            self._not_valid_after,
            [*self._extensions, new_ext],
        )
def get_extension_keyusage(ext_attr):
    """
    Build a critical KeyUsage extension from a collection of usage names.

    Each RFC 5280 KeyUsage bit is set to whether its snake_case name
    (``"digital_signature"``, ``"key_cert_sign"``, ...) is contained in
    ``ext_attr``; unlisted bits are cleared. Entries of ``ext_attr`` that match
    no known bit are silently ignored, so a misspelled name yields a different
    KeyUsage instead of an error — validate names before calling if that
    matters.

    Args:
        ext_attr: A container of usage names tested with ``in``. NOTE: a plain
            ``str`` is accepted syntactically but then does substring matching;
            pass a list, tuple or set.

    Returns:
        ``Extension(ExtensionOID.KEY_USAGE, True, x509.KeyUsage(...))``. The
        extension is marked critical, as RFC 5280 §4.2.1.3 recommends.

    Raises:
        Presumably ``ValueError`` from ``x509.KeyUsage`` when ``encipher_only``
        or ``decipher_only`` is requested without ``key_agreement`` — confirm
        against the library.
    """
    bit_names = (
        "digital_signature",
        "content_commitment",
        "key_encipherment",
        "data_encipherment",
        "key_agreement",
        "key_cert_sign",
        "crl_sign",
        "encipher_only",
        "decipher_only",
    )
    flags = {name: name in ext_attr for name in bit_names}
    return Extension(ExtensionOID.KEY_USAGE, True, x509.KeyUsage(**flags))