def sign_certificate_request(self, cert_req: X509Req, serial_number: int) -> X509: cert = X509() cert.set_issuer(self.__cert.get_subject()) cert.set_pubkey(cert_req.get_pubkey()) cert.set_subject(cert_req.get_subject()) cert.set_serial_number(serial_number) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(365 * 24 * 60 * 60) cert.sign(self.__pkey, "sha256") return cert
def make_cert(req: X509Req, ca_pkey: PKey) -> X509: cert = X509() cert.set_serial_number(1) cert.set_version(2) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.set_notBefore(x509_time(minutes=-1)) cert.set_notAfter(x509_time(days=30)) # noinspection PyTypeChecker cert.sign(ca_pkey, 'sha1') return cert
def createCSR(cert_name, password, subject_dict, csr_type='usr'): ''' create A Certificate Signing Request for a CA. csr_type should be set to 'ca' if it is a CSR for an intermediate CA. CN MUST be passed. ''' if isinstance(password, str): password = bytes(password, 'utf-8') if csr_type == 'ca': pvt_obj, pvt_bytes = generatePrivate(cert_name, _size=4096, password=password) else: pvt_obj, pvt_bytes = generatePrivate(cert_name, password=password) req = X509Req() subject = req.get_subject() subject = setSubject(subject, subject_dict) req.set_pubkey(pvt_obj) req.sign(pvt_obj, "sha256") if csr_type == 'usr': # If it is a request by user then also create the files in the pwd open(path.abspath(cert_name + '.private.pem'), 'wb').write(pvt_bytes) open(path.abspath(cert_name + '.csr.pem'), 'wb').write(dump_certificate_request(FILETYPE_PEM, req)) return pvt_bytes, dump_certificate_request(FILETYPE_PEM, req)
def create_csr(csr_file_path): private_key_path = re.sub(r".(pem|crt)$", ".key", cert_file_path, flags=re.IGNORECASE) # create public/private key key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = 'localhost' req.get_subject().O = 'XYZ Widgets Inc' req.get_subject().OU = 'IT Department' req.get_subject().L = 'Seattle' req.get_subject().ST = 'Washington' req.get_subject().C = 'US' req.get_subject().emailAddress = '*****@*****.**' req.set_pubkey(key) req.sign(key, 'sha256') with open(csr_file_path, 'wb+') as f: f.write(dump_certificate_request(FILETYPE_PEM, req)) with open(private_key_path, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key))
def __getitem__(self, cn): cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not path.exists(cnp): # Crea Key key = PKey() key.generate_key(TYPE_RSA, 2048) # Crea CSR # revisar : http://stackoverflow.com/questions/24043226/generating-a-csr-with-python-crypto req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Firmar CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) return cnp
def __getitem__(self, cn): ''' Gets the specified Certificate authority file if it already exists, else creates one! ''' cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not path.exists(cnp): # create certificate key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) return cnp
def _sign_ca(self, cn, cnp): # 使用合法的CA证书为代理程序生成服务器证书 # create certificate try: key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha256') # Sign CSR cert = X509() cert.set_version(2) cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) ss = ("DNS:%s" % cn).encode(encoding="utf-8") cert.add_extensions([X509Extension(b"subjectAltName", False, ss)]) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) except Exception as e: raise Exception("generate CA fail:{}".format(str(e)))
def CreateCsr(self, Key): if not self.CsrFile: CertConfig = self.ParseConfig() Csr = X509Req() Csr.get_subject().commonName = CertConfig['CSR'].get('commonName') Csr.get_subject().stateOrProvinceName = CertConfig['CSR'].get( 'stateOrProvinceName') Csr.get_subject().localityName = CertConfig['CSR'].get( 'localityName') Csr.get_subject().organizationName = CertConfig['CSR'].get( 'organizationName') Csr.get_subject().organizationalUnitName = CertConfig['CSR'].get( 'organizationalUnitName') Csr.get_subject().emailAddress = CertConfig['CSR'].get( 'emailAddress') Csr.get_subject().countryName = CertConfig['CSR'].get( 'countryName') Csr.set_pubkey(Key) Csr.sign(Key, self.digestType) else: with open(self.CsrFile) as CsrFile: if self.OldCsrFileType == 'PEM': Csr = load_certificate_request(FILETYPE_PEM, CsrFile.read()) elif self.OldCsrFileType == 'DER': Csr = load_certificate_request(FILETYPE_ASN1, CsrFile.read()) else: raise TypeError("Unknown Certificate Type %s" % (self.OldCsrFileType)) return Csr
def __getitem__(self, cn): cnp = os.path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not os.path.exists(cnp): # create certificate key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha256') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(self.filetype, key)) f.write(dump_certificate(self.filetype, cert)) return cnp
def get_cert_path(self, cn): cnp = os.path.sep.join( [self.cache_dir, '%s-%s.pem' % (self.CERT_PREFIX, cn)]) if os.path.exists(cnp): print("Cert already exists common_name=%s" % cn) else: print("Creating and signing cert common_name=%s" % cn) key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(123) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) print("Created cert common_name=%s location=%s" % (cn, cnp)) return cnp
def create_cert_req(pk, dn): c = X509Req() c.set_pubkey(pk) set_name_from_dict(c.get_subject(), dn) c.get_subject() c.sign(pk, 'SHA256') c.verify(pk) # csr = OpenSSL.crypto.dump_certificate_request(FILETYPE_PEM, c) return c
def make_req(pub_key, cn=None, digest=None) -> X509Req: req = X509Req() req.set_version(2) req.set_pubkey(pub_key) if cn is not None: subject = req.get_subject() subject.CN = cn.encode('utf-8') if digest: req.sign(pub_key, digest) return req
def create_certificate_request(self, common_name, pkey) -> X509Req: cert_req = X509Req() cert_req.set_pubkey(pkey) subject = cert_req.get_subject() subject.countryName = self.__cert.get_subject().countryName subject.stateOrProvinceName = self.__cert.get_subject().stateOrProvinceName subject.localityName = self.__cert.get_subject().localityName subject.organizationName = self.__cert.get_subject().organizationName subject.organizationalUnitName = self.__cert.get_subject().organizationalUnitName subject.emailAddress = self.__cert.get_subject().emailAddress subject.commonName = common_name cert_req.sign(self.__pkey, "sha256") return cert_req
def get_csr(client, key_id, key_version_id, subject_name, domain, kms_algorithm, signature_algorithm): clear_text_public_key_pem = get_public_key(client, key_id, key_version_id) # kms get_public_key pkey = load_publickey(FILETYPE_PEM, clear_text_public_key_pem) req = X509Req() req.set_pubkey(pkey) req.get_subject().CN = subject_name.get('CN') req.get_subject().C = subject_name.get('C') req.get_subject().O = subject_name.get('O') req.set_version(0) # addExtensions req.add_extensions([ X509Extension(b'subjectAltName', False, ','.join(domain).encode('ascii')) ]) result_buffer = _ffi.new('unsigned char**') encode_result = _lib.i2d_re_X509_REQ_tbs(req._req, result_buffer) md_length = _ffi.new("unsigned int *") md = _ffi.new("unsigned char[]", 32) evp_md = _lib.EVP_get_digestbyname(b"sha256") md_ctx = _lib.Cryptography_EVP_MD_CTX_new() md_ctx = _ffi.gc(md_ctx, _lib.Cryptography_EVP_MD_CTX_free) _lib.EVP_DigestInit_ex(md_ctx, evp_md, _ffi.NULL) _lib.EVP_DigestUpdate(md_ctx, result_buffer[0], encode_result) _lib.EVP_DigestFinal_ex(md_ctx, md, md_length) psig = _ffi.new("ASN1_BIT_STRING **") palg = _ffi.new("X509_ALGOR **") _lib.X509_REQ_get0_signature(req._req, psig, palg) # kms_sign sign_data = kms_sign(client, key_id, key_version_id, kms_algorithm, bytes(md)) _lib.ASN1_STRING_set(psig[0], sign_data, len(sign_data)) psig[0].flags &= ~(0x08 | 0x07) psig[0].flags |= 0x08 _lib.OPENSSL_free(result_buffer[0]) palg[0].algorithm = _lib.OBJ_nid2obj(_lib.OBJ_sn2nid(signature_algorithm)) csr_pem_str = dump_certificate_request(FILETYPE_PEM, req) return csr_pem_str
def _make_certificate(self, cn, cnp): """ Generate private key, generate certificate signing request, sign it using our key, and write out to file. Only call this if the file doesn't yet exist. """ key = self._make_private_key() # generate CSR (certificate signing request) req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) # sign CSR (certificate signing request) and get certificate req.sign(key, 'sha1') cert = self._sign_csr(key, req) # dump out key and certificate to file self._write_cert(cnp, key, cert)
def create_csr_key(subject): key = PKey() key.generate_key(TYPE_RSA, 2048) req = X509Req() req.get_subject().CN = subject['CN'] req.get_subject().O = subject['O'] # noqa: E741 req.get_subject().OU = subject['OU'] req.get_subject().L = subject['L'] req.get_subject().ST = subject['ST'] req.get_subject().C = subject['C'] req.set_pubkey(key) req.sign(key, 'sha256') csr = dump_certificate_request(FILETYPE_PEM, req) privatekey = dump_privatekey(FILETYPE_PEM, key).decode('utf-8') return csr, privatekey
def gen_x509_csr(key_pair, csr_fields, csr_sign_bits): """ gen_x509_csr creates a certificate signature request by applying the passed fields to the subject of the request, attaches the public key's fingerprint and signs the request using the private key. csr_fields dictionary and generates a certificate request using the passed keypair. Note that the default digest is sha256. :param key_pair: The key pair that will sign the request :type key_pair: :py:data:`OpenSSL.crypto.PKey` the key must have an attached private component. :param csr_fields: The certifcate issuer's details in X.509 Distinguished Name format. :type csr_fields: :py:data:`dict` C - Country name ST - State or province name L - Locality name O - Organization name OU - Organizational unit name CN - Common name emailAddress - E-mail address :rtype: A `pyopenssl.OpenSSL.crypto.X509Req` """ req = X509Req() subj = req.get_subject() for field, value in csr_fields.iteritems(): setattr(subj, field, value) prv_key = load_privatekey(SSL.FILETYPE_PEM, key_pair) req.set_pubkey(prv_key) req.sign(prv_key, 'sha' + str(csr_sign_bits)) # TODO clean prv_key and str_prv_key from memory pem_csr = dump_certificate_request(SSL.FILETYPE_PEM, req) # TODO clean req from memory return pem_csr
def otherMakeCertificate(**kw): keypair = PKey() keypair.generate_key(TYPE_RSA, 1024) req = X509Req() subj = req.get_subject() for (k, v) in kw.items(): setattr(subj, k, v) req.set_pubkey(keypair) req.sign(keypair, "md5") cert = X509() cert.set_serial_number(counter()) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year cert.set_issuer(req.get_subject()) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(keypair, "md5") return keypair, cert
ca.add_extensions([ X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca) ]) f = open("CA.cert", "w") f.write(dump_certificate(FILETYPE_PEM, ca)) f.close() host_key = PKey() host_key.generate_key(TYPE_RSA, 2048) f = open("HOST.key", "w") f.write(dump_privatekey(FILETYPE_PEM, host_key)) f.close() host_req = X509Req() host_req.get_subject().commonName = "malware.org" host_req.get_subject().emailAddress = "*****@*****.**" host_req.set_pubkey(host_key) host_req.sign(host_key, "sha1") f = open("HOST.req", "w") f.write(dump_certificate_request(FILETYPE_PEM, host_req)) f.close() host = X509() host.set_subject(host_req.get_subject()) host.set_serial_number(2) host.gmtime_adj_notBefore(0) host.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) host.set_issuer(ca.get_subject())