def create_csr(
cls, subject: str
) -> typing.Tuple[PrivateKeyTypes, x509.CertificateSigningRequest]:
"""Generate a CSR with the given subject."""
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=1024,
backend=default_backend())
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(x509_name(subject))
builder = builder.add_extension(x509.BasicConstraints(
ca=False, path_length=None),
critical=True)
request = builder.sign(private_key, hashes.SHA256(), default_backend())
return private_key, request
def _decode_basic_constraints(backend, ext):
bc_st = backend._lib.X509V3_EXT_d2i(ext)
assert bc_st != backend._ffi.NULL
basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(basic_constraints,
backend._lib.BASIC_CONSTRAINTS_free)
# The byte representation of an ASN.1 boolean true is \xff. OpenSSL
# chooses to just map this to its ordinal value, so true is 255 and
# false is 0.
ca = basic_constraints.ca == 255
if basic_constraints.pathlen == backend._ffi.NULL:
path_length = None
else:
path_length = _asn1_integer_to_int(backend, basic_constraints.pathlen)
return x509.BasicConstraints(ca, path_length)
def cert():
one_day = datetime.timedelta(1, 0, 0)
pk = genKeyPair('RSA')[0]
puk = pk.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name((x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'p3g2')])))
builder = builder.issuer_name((x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'p3g2')])))
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime(2018, 8, 2))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(puk)
builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
certificate = builder.sign(private_key=pk, algorithm=hashes.SHA256(), backend=BACKEND)
f = open('server_cert.pem', 'wr+')
f.write(str(certificate.public_bytes(serialization.Encoding.PEM)))
def _build_single_leaf(hostname, certfile, ca_cert, ca_key):
"""
Builds a single leaf certificate, signed by the CA's private key.
"""
if os.path.isfile(certfile):
_LOGGER.info("{hostname} already exists, not regenerating",
hostname=hostname)
return
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, hostname),
]))
builder = builder.issuer_name(ca_cert.subject)
builder = builder.not_valid_before(datetime.datetime.today() - ONE_DAY)
builder = builder.not_valid_after(datetime.datetime.today() + TENISH_YEARS)
builder = builder.serial_number(int(uuid.uuid4()))
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
)
builder = builder.add_extension(
x509.SubjectAlternativeName([x509.DNSName(hostname)]),
critical=True,
)
certificate = builder.sign(private_key=ca_key,
algorithm=hashes.SHA256(),
backend=default_backend())
# Write it out.
with open(certfile, 'wb') as f:
f.write(
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()))
f.write(certificate.public_bytes(serialization.Encoding.PEM))
_LOGGER.info("Built certificate for {hostname}", hostname=hostname)
def _build_ssl():
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
import sys
import socket
import ipaddress
import random
hostname = socket.gethostname()
public_ip = ipaddress.ip_address(socket.gethostbyname(hostname))
key = rsa.generate_private_key(public_exponent=65537, key_size=1024, backend=default_backend())
alt_name_list = [x509.DNSName(hostname), x509.IPAddress(ipaddress.ip_address(public_ip))]
alt_names = x509.SubjectAlternativeName(alt_name_list)
# Basic data
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
basic_contraints = x509.BasicConstraints(ca=True, path_length=0)
now = datetime.datetime.utcnow()
# Build cert
cert = (x509.CertificateBuilder()
.subject_name(name)
.issuer_name(name)
.public_key(key.public_key())
.serial_number(int(random.random() * sys.maxsize))
.not_valid_before(now)
.not_valid_after(now + datetime.timedelta(days=10*365))
.add_extension(basic_contraints, False)
.add_extension(alt_names, False)
.sign(key, hashes.SHA256(), default_backend())) # yapf: disable
# Build and return keys
cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM)
key_pem = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
) # yapf: disable
return cert_pem, key_pem
def certificate_download():
"""Create a new key/certificate to upload to the DEP/ASM/ABM portal.
The private key generated for this certificate will be the key recipient of the DEP S/MIME payload.
"""
try:
certificate_model = db.session.query(
DEPServerTokenCertificate).filter_by(
x509_cn='COMMANDMENT-DEP').one()
except sqlalchemy.orm.exc.NoResultFound:
ca = get_ca()
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
private_key_model = RSAPrivateKey.from_crypto(private_key)
db.session.add(private_key_model)
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, 'COMMANDMENT-DEP'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment')
])
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(name)
builder = builder.add_extension(x509.BasicConstraints(
ca=False, path_length=None),
critical=True)
request = builder.sign(private_key, hashes.SHA256(), default_backend())
request_model = CertificateSigningRequest.from_crypto(request)
request_model.rsa_private_key = private_key_model
db.session.add(request_model)
certificate = ca.sign(request)
certificate_model = DEPServerTokenCertificate.from_crypto(certificate)
certificate_model.rsa_private_key = private_key_model
db.session.add(certificate_model)
db.session.commit()
return certificate_model.pem_data, 200, {
'Content-Type': 'application/x-x509-ca-cert',
'Content-Disposition': 'attachment; filename="commandment-dep.cer"'
}
def main():
one_day = datetime.timedelta(1, 0, 0)
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME,
u'openstack-ansible Test CA'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME,
u'openstack-ansible'),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,
u'Default CA Deployment'),
]))
builder = builder.issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME,
u'openstack-ansible Test CA'),
]))
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime(2028, 8, 2))
builder = builder.serial_number(int(uuid.uuid4()))
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True,
)
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend())
#print(isinstance(certificate, x509.Certificate))
if isinstance(certificate, x509.Certificate) == True:
return True
with open("ca.key", "wb") as f:
f.write(
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(
b"openstack-ansible")))
with open("ca.crt", "wb") as f:
f.write(certificate.public_bytes(
encoding=serialization.Encoding.PEM, ))
def generate_certificate() -> CertificatePrivateKey:
key = typing.cast(
ec.EllipticCurvePrivateKeyWithSerialization,
ec.generate_private_key(curve=ec.SECP521R1(),
backend=default_backend()),
)
subject = issuer = x509.Name([
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME,
"python-terraform-plugin"),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, "localhost"),
])
certificate = (x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=365)).add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=True,
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
decipher_only=False,
),
critical=True,
).add_extension(
x509.ExtendedKeyUsage([
x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH,
x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
]),
critical=True,
).add_extension(x509.BasicConstraints(ca=True,
path_length=None),
critical=True).add_extension(
x509.SubjectAlternativeName(
[x509.DNSName("localhost")]),
critical=False,
).sign(key, hashes.SHA256(),
default_backend()))
return CertificatePrivateKey(certificate=certificate, private_key=key)
def _add_leaf_usages(csr: Any, domains: List[str],
issuer: Credentials) -> Any:
return csr.add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
issuer.certificate.extensions.get_extension_for_class(
x509.SubjectKeyIdentifier).value),
critical=False).add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(domain) for domain in domains]),
critical=True,
).add_extension(x509.ExtendedKeyUsage([
ExtendedKeyUsageOID.SERVER_AUTH,
]),
critical=True)
def generate_cert(hostname, ip_addresses=None, key=None):
"""Generates self signed certificate for a hostname, and optional IP addresses."""
# Generate our key
if key is None:
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
# best practice seem to be to include the hostname in the SAN, which *SHOULD* mean COMMON_NAME is ignored.
alt_names = [x509.DNSName(hostname)]
# allow addressing by IP, for when you don't have real DNS (common in most testing scenarios
if ip_addresses:
for addr in ip_addresses:
# openssl wants DNSnames for ips...
alt_names.append(x509.DNSName(addr))
# ... whereas golang's crypto/tls is stricter, and needs IPAddresses
# note: older versions of cryptography do not understand ip_address objects
alt_names.append(x509.IPAddress(ipaddress.ip_address(addr)))
san = x509.SubjectAlternativeName(alt_names)
# path_len=0 means this cert can only sign itself, not other certs.
basic_contraints = x509.BasicConstraints(ca=True, path_length=0)
now = datetime.utcnow()
cert = (x509.CertificateBuilder(
).subject_name(name).issuer_name(name).public_key(
key.public_key()).serial_number(1000).not_valid_before(now - timedelta(
days=10 *
365)).not_valid_after(now - timedelta(days=9 * 365)).add_extension(
basic_contraints,
False).add_extension(san, False).sign(key, hashes.SHA256(),
default_backend()))
cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM)
key_pem = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
return cert_pem, key_pem
def create_self_signed_certificate(subject_name, private_key, days_valid=365):
subject = x509.Name([
x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Test, Inc."),
x509.NameAttribute(x509.NameOID.COMMON_NAME, subject_name)
])
certificate = x509.CertificateBuilder().subject_name(subject).issuer_name(
subject).public_key(private_key.public_key()).serial_number(
x509.random_serial_number()).add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=days_valid)).sign(
private_key, hashes.SHA256(),
backends.default_backend())
return certificate
def create_client(common_name, ca):
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
issuer_name = x509.Name(
ca.cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME))
now = datetime.utcnow()
cert = (x509.CertificateBuilder().subject_name(name).issuer_name(
issuer_name).public_key(key.public_key()).serial_number(
x509.random_serial_number()).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True).not_valid_before(now).not_valid_after(
now + timedelta(days=60)).sign(ca.key, hashes.SHA256()))
return Identity(key=key, cert=cert)
def generateCertRequest(self):
key = self.generateKey()
# Create a cerificate request
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"TalkyWalky"),
x509.NameAttribute(NameOID.COMMON_NAME,
u"User:"******"./client_csr.pem", "wb") as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
return csr.public_bytes(serialization.Encoding.PEM).decode()
def make_ssl_cert(file_path):
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, 'mdb_autogen'),
x509.NameAttribute(NameOID.COUNTRY_NAME, 'US'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, 'California'),
x509.NameAttribute(NameOID.LOCALITY_NAME, 'Berkeley'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'MindsDB')
])
now = datetime.utcnow()
cert = (
x509.CertificateBuilder()
.subject_name(name)
.issuer_name(name)
.public_key(key.public_key())
.serial_number(1)
.not_valid_before(now)
.not_valid_after(now + timedelta(days=10*365))
.add_extension(
x509.BasicConstraints(ca=True, path_length=0),
False
)
.sign(key, hashes.SHA256(), default_backend())
)
cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM)
key_pem = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
with open(file_path, 'wb') as f:
f.write(key_pem + cert_pem)
def create_csr(country, state, locality, org, cn, key):
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME, country),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state),
x509.NameAttribute(NameOID.LOCALITY_NAME, locality),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
x509.NameAttribute(NameOID.COMMON_NAME, cn),
])).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
# Sign the CSR with our private key.
).sign(key, hashes.SHA256(), default_backend())
# Write our CSR out to disk.
with open("clientcsr.pem", "wb") as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
def create_CA(path,
path_key,
CA_subj_dict,
serialization_format=serialization.Encoding.PEM,
time_begin=datetime.datetime.now(),
time_delta=datetime.timedelta(days=10)):
'''Creating CA
dirpath - path to directory, where CA will be placed
CA_subj_dict - dict, like this CA_subj_dict={'Country':u'PL', ...}'''
private_key_CA = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
public_key_CA = private_key_CA.public_key()
with open(path_key, 'wb') as f:
f.write(
private_key_CA.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(
b"password")))
CA_subject = [
x509.NameAttribute(NameOID.COUNTRY_NAME, CA_subj_dict['Country']),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,
CA_subj_dict['State']),
x509.NameAttribute(NameOID.LOCALITY_NAME, CA_subj_dict['Locality']),
x509.NameAttribute(NameOID.ORGANIZATION_NAME,
CA_subj_dict['Organization']),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,
CA_subj_dict['OU']),
x509.NameAttribute(NameOID.COMMON_NAME, CA_subj_dict['CN'])
]
CA_cert = x509.CertificateBuilder().subject_name(x509.Name(CA_subject))
CA_cert = CA_cert.issuer_name(x509.Name(CA_subject))
CA_cert = CA_cert.public_key(public_key_CA)
CA_cert = CA_cert.serial_number(x509.random_serial_number())
CA_cert = CA_cert.not_valid_before(time_begin)
CA_cert = CA_cert.not_valid_after(datetime.datetime.utcnow() + time_delta)
CA_cert = CA_cert.add_extension(x509.BasicConstraints(ca=True,
path_length=None),
critical=True)
CA_cert = CA_cert.sign(private_key_CA, hashes.SHA256(), default_backend())
with open(path, 'wb') as CAcert:
CAcert.write(CA_cert.public_bytes(serialization_format))
return private_key_CA, CA_subject, CA_cert
def _gen_cryptography():
import datetime
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID
one_day = datetime.timedelta(1, 0, 0)
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(
x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, socket.gethostname())]))
builder = builder.issuer_name(
x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, socket.gethostname())]))
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() +
(one_day * 365 * 5))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
builder = builder.add_extension(x509.SubjectAlternativeName([
x509.DNSName(socket.gethostname()),
x509.DNSName('*.%s' % socket.gethostname()),
x509.DNSName('localhost'),
x509.DNSName('*.localhost'),
]),
critical=False)
builder = builder.add_extension(x509.BasicConstraints(ca=False,
path_length=None),
critical=True)
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend())
return (certificate.public_bytes(serialization.Encoding.PEM),
private_key.private_bytes(serialization.Encoding.PEM,
serialization.PrivateFormat.PKCS8,
serialization.NoEncryption()))
def MakeCACert(private_key,
common_name=u"grr",
issuer_cn=u"grr_test",
issuer_c=u"US"):
"""Generate a CA certificate.
Args:
private_key: The private key to use.
common_name: Name for cert.
issuer_cn: Name for issuer.
issuer_c: Country for issuer.
Returns:
The certificate.
"""
public_key = private_key.GetPublicKey()
builder = x509.CertificateBuilder()
issuer = x509.Name([
x509.NameAttribute(oid.NameOID.COMMON_NAME, issuer_cn),
x509.NameAttribute(oid.NameOID.COUNTRY_NAME, issuer_c)
])
subject = x509.Name(
[x509.NameAttribute(oid.NameOID.COMMON_NAME, common_name)])
builder = builder.subject_name(subject)
builder = builder.issuer_name(issuer)
valid_from = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("1d")
valid_until = rdfvalue.RDFDatetime.Now() + rdfvalue.Duration("3650d")
builder = builder.not_valid_before(valid_from.AsDatetime())
builder = builder.not_valid_after(valid_until.AsDatetime())
builder = builder.serial_number(1)
builder = builder.public_key(public_key.GetRawPublicKey())
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None), critical=True)
builder = builder.add_extension(
x509.SubjectKeyIdentifier.from_public_key(public_key.GetRawPublicKey()),
critical=False)
certificate = builder.sign(
private_key=private_key.GetRawPrivateKey(),
algorithm=hashes.SHA256(),
backend=openssl.backend)
return rdf_crypto.RDFX509Cert(certificate)
def generate_ca_cert_and_key():
"""Creates a CA cert and key for testing.
:returns: The cryptography CA cert and CA key objects.
"""
ca_key = rsa.generate_private_key(
public_exponent=65537, key_size=2048, backend=default_backend())
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Denial"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Corvallis"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"OpenStack"),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"Octavia"),
x509.NameAttribute(NameOID.COMMON_NAME, u"ca_cert.example.com"),
])
ca_cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
ca_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=10)
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"ca_cert.example.com")]),
critical=False,
).add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True,
).add_extension(
# KeyUsage(digital_signature, content_commitment, key_encipherment,
# data_encipherment, key_agreement, key_cert_sign, crl_sign,
# encipher_only, decipher_only)
x509.KeyUsage(True, False, False, False, False,
True, True, False, False),
critical=True,
).sign(ca_key, hashes.SHA256(), default_backend())
return ca_cert, ca_key
def issue_self_signed_certificate(domains, private_key, logger):
# Generates a self-signed certificate.
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.x509.oid import NameOID
from cryptography.x509 import DNSName
import datetime
import uuid
logger("Issuing self-signed certificate.")
import sys
if sys.version_info < (3, ):
# In Py2, pyca requires the CN to be a unicode instance.
domains = [domain.decode("ascii") for domain in domains]
# https://cryptography.io/en/latest/x509/reference/
one_day = datetime.timedelta(days=1)
duration = datetime.timedelta(days=31)
builder = x509.CertificateBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, domains[0]),
]))
builder = builder.issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, domains[0]),
]))
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + duration)
builder = builder.serial_number(int(uuid.uuid4()))
builder = builder.public_key(private_key.public_key())
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
)
if len(domains) > 1:
builder = builder.add_extension(x509.SubjectAlternativeName(
[x509.DNSName(domain) for domain in domains]),
critical=False)
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend())
return (cert_to_pem(certificate), []) # no chain
def _dummy_end_cert(self, ca_key, ca_cert, end_key):
nowtime = datetime.datetime.now(datetime.timezone.utc)
cert = x509.CertificateBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, 'end-entity'),
])).issuer_name(ca_cert.issuer).public_key(
end_key.public_key()).serial_number(x509.random_serial_number(
)).not_valid_before(nowtime).not_valid_after(
nowtime + datetime.timedelta(days=1)).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
).add_extension(
x509.SubjectAlternativeName([
x509.UniformResourceIdentifier(
self._app._config.node_id),
]),
critical=False,
).add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False,
),
critical=False,
).add_extension(
x509.ExtendedKeyUsage([
x509.oid.ObjectIdentifier(
'1.3.6.1.5.5.7.3.35') # id-kp-bundleSecurity
]),
critical=False,
).add_extension(
x509.SubjectKeyIdentifier.from_public_key(
end_key.public_key()),
critical=False,
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(
ca_key.public_key()),
critical=False,
).sign(ca_key, hashes.SHA256(), backend=default_backend())
return cert
def create_ca(
organization: str,
cn: str,
key_size: int,
) -> Tuple[rsa.RSAPrivateKeyWithSerialization, x509.Certificate]:
now = datetime.datetime.now()
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
) # type: ignore
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, cn),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization)
])
builder = x509.CertificateBuilder()
builder = builder.serial_number(x509.random_serial_number())
builder = builder.subject_name(name)
builder = builder.not_valid_before(now - datetime.timedelta(days=2))
builder = builder.not_valid_after(now + CA_EXPIRY)
builder = builder.issuer_name(name)
builder = builder.public_key(private_key.public_key())
builder = builder.add_extension(x509.BasicConstraints(ca=True,
path_length=None),
critical=True)
builder = builder.add_extension(x509.ExtendedKeyUsage(
[ExtendedKeyUsageOID.SERVER_AUTH]),
critical=False)
builder = builder.add_extension(x509.KeyUsage(
digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False,
),
critical=True)
builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(
private_key.public_key()),
critical=False)
cert = builder.sign(private_key=private_key,
algorithm=hashes.SHA256()) # type: ignore
return private_key, cert
def generate_selfsigned_cert(hostname, public_ip, private_ip):
import datetime
import ipaddress
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
# Generate our key
key = rsa.generate_private_key(public_exponent=65537,
key_size=1024,
backend=default_backend())
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
alt_names = x509.SubjectAlternativeName([
# best practice seem to be to include the hostname in the SAN, which *SHOULD* mean COMMON_NAME is ignored.
x509.DNSName(hostname),
# allow addressing by IP, for when you don't have real DNS (common in most testing scenarios)
# openssl wants DNSnames for ips...
x509.DNSName(public_ip),
x509.DNSName(private_ip),
# ... whereas golang's crypto/tls is stricter, and needs IPAddresses
x509.IPAddress(ipaddress.ip_address(public_ip)),
x509.IPAddress(ipaddress.ip_address(private_ip)),
])
# path_len=0 means this cert can only sign itself, not other certs.
basic_constraints = x509.BasicConstraints(ca=True, path_length=0)
now = datetime.datetime.utcnow()
cert = (x509.CertificateBuilder().subject_name(name).issuer_name(
name).public_key(
key.public_key()).serial_number(1000).not_valid_before(now).
not_valid_after(now +
datetime.timedelta(days=100 * 365)).add_extension(
basic_constraints,
False).add_extension(alt_names, False).sign(
key, hashes.SHA256(), default_backend()))
cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM)
key_pem = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
return cert_pem, key_pem
def sign_csr(csr):
csr = x509.load_pem_x509_csr(str(csr), default_backend())
ca_key = serialization.load_pem_private_key(get_ca_key(), None,
default_backend())
if csr.public_key().key_size > 2048:
return {'error': 'key_size'}
if len(csr.subject.public_bytes(default_backend())) > 350:
return {'error': 'subject_size'}
if not csr.is_signature_valid:
return {'error': 'invalid_signature'}
if len(csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)) != 1:
return {'error': 'invalid_name'}
for attr in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
username = attr.value
if username.lower() == 'admin':
return {'error': 'invalid_name'}
builder = x509.CertificateBuilder()
builder = builder.subject_name(csr.subject)
builder = builder.issuer_name(ISSUER)
builder = builder.not_valid_before(datetime.datetime(2018, 1, 1))
builder = builder.not_valid_after(datetime.datetime(2019, 1, 1))
builder = builder.serial_number(gen_serial())
builder = builder.public_key(csr.public_key())
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
)
certificate = builder.sign(private_key=ca_key,
algorithm=hashes.MD5(),
backend=default_backend())
return {
'result': certificate.public_bytes(encoding=serialization.Encoding.PEM)
}
def generate(self, key, profile, digest=hashes.SHA256(), backend=default_backend, name=[], subject_alt_names=[]):
"""Generate a Certificate Signing Request (CSR)
The CSR needs to be signed by a private key using a digest (defaults
to SHA256). The ``name`` argument is a list of dictionaries in the
form of ``{"commonName": "foobar.com"}`` The names get mapped to
X509 OIDS. Short forms are not supported yet.
Args:
key (obj): Private key instance that signs the CSR
profile (dict): profile dictionary defining certificate options
digest (:obj: `digest`, optional): Digest instance used for signing
backend (:obj:`backend`, optional): Specify a backend to use
name (:obj:`list`, optional): list of dict of X509 Subjects
subject_alt_names (:obj:`list`, optional): list of SubjectAlternativeNames
"""
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(x509.Name(list(self._create_subject_name(name))))
if 'extended_key_usage' in profile:
builder = builder.add_extension(
x509.ExtendedKeyUsage([self._get_oid(usage) for usage in profile['extended_key_usage']]), critical=False,
)
if subject_alt_names:
builder = builder.add_extension(
x509.SubjectAlternativeName([self._get_alt_name(alt) for alt in subject_alt_names]), critical=False,
)
constraints = {'ca': False, 'path_length': None}
constraints.update(profile.get('basic_constraints', {}))
builder = builder.add_extension(x509.BasicConstraints(**constraints), critical=True)
usage = [
'digital_signature', 'content_commitment', 'key_encipherment', 'data_encipherment',
'key_agreement', 'key_cert_sign', 'crl_sign', 'encipher_only', 'decipher_only'
]
usage = dict.fromkeys(usage, False)
usage.update(dict.fromkeys(profile.get('key_usage', []), True))
builder = builder.add_extension(x509.KeyUsage(**usage), critical=True)
self.request = builder.sign(
key, digest, backend()
)
def rsa_ca(self, ca_key_name, ca_crt_name, sign_hash_change):
with open(ca_key_name + '.key', 'rb') as key_file:
key = serialization.load_pem_private_key(key_file.read(),
password=None,
backend=default_backend())
if sign_hash_change == 1:
algorithm = hashes.MD5()
elif sign_hash_change == 2:
algorithm = hashes.SHA1()
elif sign_hash_change == 3:
algorithm = hashes.SHA224()
elif sign_hash_change == 4:
algorithm = hashes.SHA256()
elif sign_hash_change == 5:
algorithm = hashes.SHA512()
subject = issuer = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COUNTRY_NAME, u"CN"),
x509.NameAttribute(x509.oid.NameOID.STATE_OR_PROVINCE_NAME,
u"ShaanXi"),
x509.NameAttribute(x509.oid.NameOID.LOCALITY_NAME, u"XiAN"),
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, u"LQtest"),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, u"ca"),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()
).not_valid_before(datetime.datetime.utcnow()).not_valid_after(
#设置证书有效期
datetime.datetime.utcnow() +
datetime.timedelta(days=3650)).add_extension(
extension=x509.SubjectKeyIdentifier.from_public_key(
key.public_key()),
critical=False).add_extension(
extension=x509.AuthorityKeyIdentifier.
from_issuer_public_key(key.public_key()),
critical=False).add_extension(
extension=x509.BasicConstraints(ca=True,
path_length=None),
critical=True).sign(key, algorithm,
default_backend())
with open(ca_crt_name + ".crt", "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
def inicialize(config={}, subject={}, valid_from=None, valid_to=None):
# normalize config
normalizeConfig(config)
normalizeSubject(subject)
if valid_from is None:
valid_from = datetime.datetime.now() - ONE_DAY
if valid_to is None:
valid_to = valid_from + datetime.timedelta(days=3650)
# first create private key
private_key = getKey(config['ca_key_path'])
# get public key
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, 'ca'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, subject['o']),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,
subject['ou']),
])
# fill certificate
builder = builder.subject_name(name)
builder = builder.issuer_name(name)
builder = builder.not_valid_before(valid_from)
builder = builder.not_valid_after(valid_to)
builder = builder.serial_number(int(uuid.uuid4()))
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True,
)
ca = builder.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend())
# save ca cert
savePem(ca, config['ca_cert_path'])
return CA(config=config)
def create_root(root_file, root_key_file):
crypto_be = cryptography.hazmat.backends.default_backend()
# Create or load a root CA key pair
print('\nRoot CA key')
root_ca_priv_key = load_or_create_key(root_key_file, backend=crypto_be)
# Create root CA certificate
print('\nGenerating self-signed root CA certificate')
builder = x509.CertificateBuilder()
builder = builder.serial_number(random_cert_sn(16))
# Please note that the name of the root CA is also part of the signer certificate and thus, it's
# part of certificate definition in the SAMG55 firmware (g_cert_elements_1_signer). If this name is
# changed, it will also need to be changed in the firmware. The cert2certdef.py utility script can
# help with regenerating the cert_def_1_signer.c file after making changes.
o = input("organization name:")
cn = input("common name:")
builder = builder.issuer_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)
]))
builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc))
builder = builder.not_valid_after(
builder._not_valid_before.replace(year=builder._not_valid_before.year +
25))
builder = builder.subject_name(builder._issuer_name)
builder = builder.public_key(root_ca_priv_key.public_key())
builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(
root_ca_priv_key.public_key()),
critical=False)
builder = builder.add_extension(x509.BasicConstraints(ca=True,
path_length=None),
critical=True)
# Self-sign certificate
root_ca_cert = builder.sign(private_key=root_ca_priv_key,
algorithm=hashes.SHA256(),
backend=crypto_be)
# Write root CA certificate to file
with open(root_file, 'wb') as f:
print(' Saving to ' + f.name)
f.write(root_ca_cert.public_bytes(encoding=serialization.Encoding.PEM))
def _extensions(key: rsa.RSAPrivateKey,
cert_opts: Dict) -> List[Tuple[bool, x509.Extension]]: # noqa
sector = cert_opts['sector']
# certificate policies
policies = [
x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16'),
[x509.UserNotice(None, 'AgIDroot')]),
x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.6'),
[x509.UserNotice(None, 'agIDcert')]),
]
if sector == 'private':
policies.append(
x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.4.3.1'),
[x509.UserNotice(None, 'cert_SP_Priv')]))
elif sector == 'public':
policies.append(
x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.4.2.1'),
[x509.UserNotice(None, 'cert_SP_Pub')]))
else:
emsg = 'Invalid value for sector (%s)' % sector
raise Exception(emsg)
# extensions list
return [
# basicCinstraints
(False, x509.BasicConstraints(ca=False, path_length=None)),
# keyUsage
(True,
x509.KeyUsage(
digital_signature=True,
content_commitment=True,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False,
)),
# certifcatePolicies
(False, x509.CertificatePolicies(policies)),
# subjectKeyIdentifier
(False, x509.SubjectKeyIdentifier.from_public_key(key.public_key())),
]
def ca_create(self, key):
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"CA"),
])
return x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
# Our certificate will be valid for 10 years
datetime.datetime.utcnow() +
datetime.timedelta(days=10 * 365)).add_extension(
extension=x509.BasicConstraints(ca=True,
path_length=None),
critical=True).sign(
# Sign our certificate with our private key
key,
hashes.SHA256(),
default_backend())
