def test_generate_wrong_types(self, backend):
cert, key = _load_ca(backend)
cert2 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem"))
encryption = serialization.NoEncryption()
with pytest.raises(TypeError) as exc:
serialize_key_and_certificates(b"name", cert, cert, None,
encryption)
assert (str(
exc.value) == "Key must be RSA, DSA, or EllipticCurve private key."
)
with pytest.raises(TypeError) as exc:
serialize_key_and_certificates(b"name", key, key, None, encryption)
assert str(exc.value) == "cert must be a certificate"
with pytest.raises(TypeError) as exc:
serialize_key_and_certificates(b"name", key, cert, None, key)
assert str(exc.value) == ("Key encryption algorithm must be a "
"KeySerializationEncryption instance")
with pytest.raises(TypeError) as exc:
serialize_key_and_certificates(None, key, cert, cert2, encryption)
with pytest.raises(TypeError) as exc:
serialize_key_and_certificates(None, key, cert, [key], encryption)
assert str(exc.value) == "all values in cas must be certificates"
def test_must_supply_something(self):
with pytest.raises(ValueError) as exc:
serialize_key_and_certificates(
None, None, None, None, serialization.NoEncryption()
)
assert str(exc.value) == (
"You must supply at least one of key, cert, or cas"
)
def test_generate_unsupported_encryption_type(self, backend):
cert, key = _load_ca(backend)
with pytest.raises(ValueError) as exc:
serialize_key_and_certificates(
None,
key,
cert,
None,
DummyKeySerializationEncryption(),
)
assert str(exc.value) == "Unsupported key encryption type"
def create_store(path: Path,
basename: str,
key_size: int,
organization=None,
cn=None) -> None:
path.mkdir(parents=True, exist_ok=True)
organization = organization or basename
cn = cn or basename
key: rsa.RSAPrivateKeyWithSerialization
ca: x509.Certificate
key, ca = create_ca(organization=organization,
cn=cn,
key_size=key_size)
# Dump the CA plus private key.
with CertStore.umask_secret():
# PEM format
(path / f"{basename}-ca.pem").write_bytes(
key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
) + ca.public_bytes(serialization.Encoding.PEM))
# PKCS12 format for Windows devices
(path / f"{basename}-ca.p12").write_bytes(
pkcs12.serialize_key_and_certificates( # type: ignore
name=basename.encode(),
key=key,
cert=ca,
cas=None,
encryption_algorithm=serialization.NoEncryption(),
))
# Dump the certificate in PEM format
pem_cert = ca.public_bytes(serialization.Encoding.PEM)
(path / f"{basename}-ca-cert.pem").write_bytes(pem_cert)
# Create a .cer file with the same contents for Android
(path / f"{basename}-ca-cert.cer").write_bytes(pem_cert)
# Dump the certificate in PKCS12 format for Windows devices
(path / f"{basename}-ca-cert.p12").write_bytes(
pkcs12.serialize_key_and_certificates(
name=basename.encode(),
key=None, # type: ignore
cert=ca,
cas=None,
encryption_algorithm=serialization.NoEncryption(),
))
(path / f"{basename}-dhparam.pem").write_bytes(DEFAULT_DHPARAM)
def generate_client_cert(name, passphrase):
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
)
cert = base_cert(name, key).add_extension(
x509.ExtendedKeyUsage([
ExtendedKeyUsageOID.CLIENT_AUTH,
]),
critical=True,
).sign(key, hashes.SHA256())
p12 = serialize_key_and_certificates(
b'client',
key,
cert,
None,
encryption_algorithm=serialization.BestAvailableEncryption(
passphrase.encode('utf-8')))
return (
cert.public_bytes(serialization.Encoding.PEM),
p12,
)
def test_generate_each_supported_keytype(self, backend, kgenerator, ktype,
kparam, name, algorithm,
password):
if ktype == ec.EllipticCurvePrivateKey:
_skip_curve_unsupported(backend, *kparam)
key = kgenerator(*kparam)
assert isinstance(key, ktype)
cacert, cakey = _load_ca(backend)
now = datetime.utcnow()
cert = (x509.CertificateBuilder().subject_name(
cacert.subject).issuer_name(cacert.subject).public_key(
key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
now).not_valid_after(now).sign(cakey, hashes.SHA256()))
assert isinstance(cert, x509.Certificate)
p12 = serialize_key_and_certificates(name, key, cert, [cacert],
algorithm)
parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates(
p12, password, backend)
assert parsed_cert == cert
assert isinstance(parsed_key, ktype)
assert parsed_key.public_key().public_bytes(
Encoding.PEM, PublicFormat.SubjectPublicKeyInfo) == key.public_key(
).public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo)
assert parsed_more_certs == [cacert]
def generate_bytes(self, module):
"""Generate PKCS#12 file archive."""
pkey = None
if self.privatekey_path:
try:
pkey = load_privatekey(self.privatekey_path, self.privatekey_passphrase, backend=self.backend)
except OpenSSLBadPassphraseError as exc:
raise PkcsError(exc)
cert = None
if self.certificate_path:
cert = load_certificate(self.certificate_path, backend=self.backend)
friendly_name = to_bytes(self.friendly_name) if self.friendly_name is not None else None
# Store fake object which can be used to retrieve the components back
self.pkcs12 = (pkey, cert, self.other_certificates, friendly_name)
return serialize_key_and_certificates(
friendly_name,
pkey,
cert,
self.other_certificates,
serialization.BestAvailableEncryption(to_bytes(self.passphrase))
if self.passphrase else serialization.NoEncryption(),
)
def cryptography_create_pkcs12_bundle(self,
keystore_p12_path,
key_format='PEM',
cert_format='PEM'):
if key_format == 'PEM':
key_loader = load_pem_private_key
else:
key_loader = load_der_private_key
if cert_format == 'PEM':
cert_loader = load_pem_x509_certificate
else:
cert_loader = load_der_x509_certificate
try:
with open(self.private_key_path, 'rb') as key_file:
private_key = key_loader(key_file.read(),
password=to_bytes(self.keypass),
backend=backend)
except TypeError:
# Re-attempt with no password to match existing behavior
try:
with open(self.private_key_path, 'rb') as key_file:
private_key = key_loader(key_file.read(),
password=None,
backend=backend)
except (OSError, TypeError, ValueError, UnsupportedAlgorithm) as e:
self.module.fail_json(
msg=
"The following error occurred while loading the provided private_key: %s"
% to_native(e))
except (OSError, ValueError, UnsupportedAlgorithm) as e:
self.module.fail_json(
msg=
"The following error occurred while loading the provided private_key: %s"
% to_native(e))
try:
with open(self.certificate_path, 'rb') as cert_file:
cert = cert_loader(cert_file.read(), backend=backend)
except (OSError, ValueError, UnsupportedAlgorithm) as e:
self.module.fail_json(
msg=
"The following error occurred while loading the provided certificate: %s"
% to_native(e))
if self.password:
encryption = BestAvailableEncryption(to_bytes(self.password))
else:
encryption = NoEncryption()
pkcs12_bundle = serialize_key_and_certificates(
name=to_bytes(self.name),
key=private_key,
cert=cert,
cas=None,
encryption_algorithm=encryption)
with open(keystore_p12_path, 'wb') as p12_file:
p12_file.write(pkcs12_bundle)
def test_generate_no_cert(self, backend):
_, key = _load_ca(backend)
p12 = serialize_key_and_certificates(None, key, None, None,
serialization.NoEncryption())
parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates(
p12, None, backend)
assert parsed_cert is None
assert parsed_key.private_numbers() == key.private_numbers()
assert parsed_more_certs == []
def test_generate_cas_only(self, encryption_algorithm, password, backend):
cert, _ = _load_ca(backend)
p12 = serialize_key_and_certificates(None, None, None, [cert],
encryption_algorithm)
parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates(
p12, password, backend)
assert parsed_cert is None
assert parsed_key is None
assert parsed_more_certs == [cert]
def test_generate(self, backend, name, encryption_algorithm, password):
cert, key = _load_ca(backend)
p12 = serialize_key_and_certificates(name, key, cert, None,
encryption_algorithm)
parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates(
p12, password, backend)
assert parsed_cert == cert
assert parsed_key.private_numbers() == key.private_numbers()
assert parsed_more_certs == []
def create_pkcs12(username, key, crt):
cert = x509.load_pem_x509_certificate(crt.encode())
pem_pkcs12 = urlsafe_b64encode(
serialize_key_and_certificates(
name=username.encode('utf-8'),
key=key,
cert=cert,
cas=None,
encryption_algorithm=serialization.BestAvailableEncryption(
pkcs_12_password.encode()))).decode('utf-8')
return pem_pkcs12
def export_pfx_key(issuer, serialnr, password):
fname = "/tmp/" + create_filename(issuer.encode("utf-8")) + '_' + str(
int(serialnr, 0)) + '.p12'
f = open(fname, "rb")
p12_data = f.read()
f.close()
(priv, cert, cas) = load_key_and_certificates(p12_data, b'mypassword')
cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
return serialize_key_and_certificates(
cn[0].value.encode(), priv, cert, cas,
serialization.BestAvailableEncryption(b'mypassword'))
def test_pkcs12_ordering():
"""
In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we
accidentally thought it was **encoding** that did it, leading to bug
https://github.com/pyca/cryptography/issues/5872
This test ensures our ordering is correct going forward.
"""
def make_cert(name):
key = ec.generate_private_key(ec.SECP256R1())
subject = x509.Name(
[
x509.NameAttribute(x509.NameOID.COMMON_NAME, name),
]
)
now = datetime.utcnow()
cert = (
x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(subject)
.public_key(key.public_key())
.serial_number(x509.random_serial_number())
.not_valid_before(now)
.not_valid_after(now)
.sign(key, hashes.SHA256())
)
return (key, cert)
# Make some certificates with distinct names.
a_name = "A" * 20
b_name = "B" * 20
c_name = "C" * 20
a_key, a_cert = make_cert(a_name)
_, b_cert = make_cert(b_name)
_, c_cert = make_cert(c_name)
# Bundle them in a PKCS#12 file in order A, B, C.
p12 = serialize_key_and_certificates(
b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption()
)
# Parse them out. The API should report them in the same order.
(key, cert, certs) = load_key_and_certificates(p12, None)
assert cert == a_cert
assert certs == [b_cert, c_cert]
# The ordering in the PKCS#12 file itself should also match.
a_idx = p12.index(a_name.encode("utf-8"))
b_idx = p12.index(b_name.encode("utf-8"))
c_idx = p12.index(c_name.encode("utf-8"))
assert a_idx < b_idx < c_idx
def import_pfx_key(pkcs12, password):
(priv, cert, cas) = load_key_and_certificates(pkcs12, password.encode())
cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
p12_data = serialize_key_and_certificates(
cn[0].value.encode(), priv, cert, cas,
serialization.BestAvailableEncryption(b'mypassword'))
issuer = ",".join(attr.rfc4514_string() for attr in cert.issuer)
fname = "/tmp/" + create_filename(issuer.encode()) + '_' + str(
cert.serial_number) + '.p12'
f = open(fname, "wb+")
f.write(p12_data)
f.close()
return
def test_generate_cert_only(self, encryption_algorithm, password, backend):
# This test is a bit weird, but when passing *just* a cert
# with no corresponding key it will be encoded in the cas
# list. We have external consumers relying on this behavior
# (and the underlying structure makes no real distinction
# anyway) so this test ensures we don't break them.
cert, _ = _load_ca(backend)
p12 = serialize_key_and_certificates(None, None, cert, [],
encryption_algorithm)
parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates(
p12, password, backend)
assert parsed_cert is None
assert parsed_key is None
assert parsed_more_certs == [cert]
def test_generate_with_cert_key_ca(self, backend):
cert, key = _load_ca(backend)
cert2 = _load_cert(
backend, os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"))
cert3 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem"))
encryption = serialization.NoEncryption()
p12 = serialize_key_and_certificates(None, key, cert, [cert2, cert3],
encryption)
parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates(
p12, None, backend)
assert parsed_cert == cert
assert parsed_key.private_numbers() == key.private_numbers()
assert parsed_more_certs == [cert2, cert3]
def deploy_cert(self,
domain,
cert_path,
key_path,
chain_path=None,
fullchain_path=None):
if not fullchain_path:
raise errors.PluginError(
"CASTLE Installer plugin requires --fullchain-path to generate a PKCS12 container."
)
logger.info("Generating PKCS12 container")
logger.debug('Loading cert ')
cert = x509.load_pem_x509_certificate(open(cert_path, 'rb').read())
logger.debug('Loading key ')
privkey = serialization.load_pem_private_key(open(key_path,
'rb').read(),
password=None)
logger.debug('Loading chain ')
chain = x509.load_pem_x509_certificate(open(chain_path, 'rb').read())
passphrase = None
if (not self.conf('no-passphrase')):
if (self.conf('passphrase')):
passphrase = self.conf('passphrase').encode('utf-8')
else:
text = 'A passphrase is needed for protecting the PKCS12 container. '
display_util.notification(text, pause=False)
pf = getpass.getpass('Enter passphrase: ')
vpf = getpass.getpass('Re-enter passphrase: ')
while (pf != vpf):
display_util.notify('Passphrases do not match.')
vpf = getpass.getpass('Re-enter passphrase: ')
passphrase = pf.encode('utf-8')
algo = serialization.BestAvailableEncryption(
passphrase) if passphrase else serialization.NoEncryption()
pfxdata = pkcs12.serialize_key_and_certificates(
name=domain.encode('utf-8'),
key=privkey,
cert=cert,
cas=[chain],
encryption_algorithm=algo)
path, _ = os.path.split(cert_path)
pfx_f, pfx_filename = util.unique_file(os.path.join(path, 'cert.pfx'),
0o600, "wb")
with pfx_f:
pfx_f.write(pfxdata)
display_util.notification('PKCS12 container generated at ' +
pfx_filename,
pause=False)
def import_certificate(pemCertificate):
cert = x509.load_pem_x509_certificate(pemCertificate, default_backend())
cas = []
priv_filename = "/tmp/" + create_privkey_filename(cert) + ".key"
priv = load_private_key(cert)
cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
p12_data = serialize_key_and_certificates(
cn[0].value.encode(), priv, cert, cas,
serialization.BestAvailableEncryption(b'mypassword'))
issuer = ",".join(attr.rfc4514_string() for attr in cert.issuer)
fname = "/tmp/" + create_filename(issuer.encode()) + '_' + str(
cert.serial_number) + '.p12'
f = open(fname, "wb+")
f.write(p12_data)
f.close()
return
def main():
username = sys.argv[1]
[private_key, csr] = create_CSR(username)
res = session.post("https://ca_server:10443/certs",
cert=('/etc/Flask/certs/core_cert.pem',
'/etc/Flask/private/core_key.pem'),
data={'csr': csr})
if res.status_code != 200:
print("error")
else:
raw_cert = urlsafe_b64decode(res.text.encode('utf-8'))
cert = x509.load_pem_x509_certificate(raw_cert)
# print(cert.public_bytes(serialization.Encoding.PEM).decode())
pem_pkcs12 = urlsafe_b64encode(
serialize_key_and_certificates(
name=username.encode('utf-8'),
key=private_key,
cert=cert,
cas=None,
encryption_algorithm=serialization.NoEncryption())).decode(
'utf-8')
f = open("/home/ubuntu/example.p12", "wb")
f.write(urlsafe_b64decode(pem_pkcs12.encode()))
f.close()
f = open("/home/ubuntu/example.pem", "w")
f.write(cert.public_bytes(serialization.Encoding.PEM).decode())
f.close()
raw_cert = urlsafe_b64encode(raw_cert).decode()
res = session.post("https://ca_server:10443/certs/check",
cert=('/etc/Flask/certs/core_cert.pem',
'/etc/Flask/private/core_key.pem'),
data={'crt': raw_cert})
# print(res.text)
res = session.delete("https://ca_server:10443/certs",
cert=('/etc/Flask/certs/core_cert.pem',
'/etc/Flask/private/core_key.pem'),
data={'crt': raw_cert})
# print(res.text)
res = session.post("https://ca_server:10443/certs/check",
cert=('/etc/Flask/certs/core_cert.pem',
'/etc/Flask/private/core_key.pem'),
data={'crt': raw_cert})
# print(res.text)
res = session.get("https://ca_server:10443/certs/serial",
cert=('/etc/Flask/certs/core_cert.pem',
'/etc/Flask/private/core_key.pem'))
def test_generate_cas_friendly_names(self, backend):
cert, key = _load_ca(backend)
cert2 = _load_cert(
backend, os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"))
cert3 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem"))
encryption = serialization.NoEncryption()
p12 = serialize_key_and_certificates(
b"test",
key,
cert,
[
PKCS12Certificate(cert2, b"cert2"),
PKCS12Certificate(cert3, None),
],
encryption,
)
p12_cert = load_pkcs12(p12, None, backend)
cas = p12_cert.additional_certs
assert cas[0].friendly_name == b"cert2"
assert cas[1].friendly_name is None
def as_pkcs12(self, passphrase=None):
"""
:param str passphrase:
:rtype: str
"""
if not self.cert or not self.key:
get_logger().error(
"PKCS12 output: Certificate or Private Key is None.")
raise VenafiError(
"Certificate and Private Key are required for PKCS12 output.")
certificate = x509.load_pem_x509_certificate(self.cert.encode(),
default_backend())
cas = []
if self.chain:
for x in self.chain:
chain_x509 = x509.load_pem_x509_certificate(
x.encode(), default_backend())
cas.append(chain_x509)
if passphrase:
b_pass = passphrase.encode()
encryption = serialization.BestAvailableEncryption(b_pass)
else:
encryption = serialization.NoEncryption()
b_pass = None
try:
p_key = serialization.load_pem_private_key(
data=self.key.encode(),
password=b_pass,
backend=default_backend())
except Exception as e:
get_logger().error(msg=f"Error parsing Private Key: {e.message}")
return
name = random_word(10).encode()
output = pkcs12.serialize_key_and_certificates(name, p_key,
certificate, cas,
encryption)
return output
def setUpClass(cls):
super().setUpClass()
cls.certificate_password = b"794613"
private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
cls.certificate_name = "Test Certificate"
one_day = timedelta(1, 0, 0)
builder = (
builder.subject_name(
x509.Name(
[x509.NameAttribute(oid.NameOID.COMMON_NAME, cls.certificate_name)]
)
)
.issuer_name(
x509.Name(
[
x509.NameAttribute(oid.NameOID.COMMON_NAME, "cryptography.io"),
]
)
)
.not_valid_before(datetime.today() - one_day)
.not_valid_after(datetime.today() + (one_day * 30))
.serial_number(x509.random_serial_number())
.public_key(public_key)
)
certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256())
content = pkcs12.serialize_key_and_certificates(
None,
private_key,
certificate,
None,
BestAvailableEncryption(cls.certificate_password),
)
cls.sii_cert = cls.env["l10n.es.aeat.certificate"].create(
{
"folder": "Test folder",
"file": base64.b64encode(content),
}
)
def generate_p12(common_name, organization_name, country, password):
# Load CA certificate and private key
cakey = load_pem_private_key(ca_private.encode('ascii'), ca_password.encode('ascii'), default_backend())
cacert = x509.load_pem_x509_certificate(ca_cert.encode('ascii'), default_backend())
subject = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name),
x509.NameAttribute(NameOID.COUNTRY_NAME, country),])
sernum = x509.random_serial_number()
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
cert = x509.CertificateBuilder().subject_name(subject) \
.issuer_name(cacert.subject) \
.serial_number(sernum) \
.public_key(key.public_key()) \
.not_valid_before(datetime.now())\
.not_valid_after(datetime.now() + timedelta(days=366))\
.add_extension(x509.KeyUsage(digital_signature=False
, content_commitment=False
, key_encipherment=True
, data_encipherment=True
, key_agreement=False
, key_cert_sign=False
, crl_sign=False
, encipher_only=False
, decipher_only = False), critical=True)\
.sign(cakey, hashes.SHA256(), default_backend())
cas = [cacert]
p12 = pkcs12.serialize_key_and_certificates(common_name.encode('utf-8'),
key,
cert,
cas,
serialization.BestAvailableEncryption(password.encode('ascii')))
return p12
def test_generate_rsa(self, backend):
cert = _load_cert(
backend, os.path.join("x509", "custom", "ca", "rsa_ca.pem")
)
key = load_vectors_from_file(
os.path.join("x509", "custom", "ca", "rsa_key.pem"),
lambda pemfile: load_pem_private_key(
pemfile.read(), None, backend
),
mode="rb",
)
assert isinstance(key, rsa.RSAPrivateKey)
p12 = serialize_key_and_certificates(
None, key, cert, None, serialization.NoEncryption()
)
parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates(
p12, None, backend
)
assert parsed_cert == cert
assert isinstance(parsed_key, rsa.RSAPrivateKey)
assert parsed_key.private_numbers() == key.private_numbers()
assert parsed_more_certs == []
def generate_X509(workspace_contract, password, mode):
did = helpers.ethereum_pvk_to_DID(session['private_key_value'],
session['method'])
talao_issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, "FR"),
x509.NameAttribute(NameOID.LOCALITY_NAME, "Paris"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Talao"),
x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "talao.io"),
#x509.NameAttribute(NameOID.POSTAL_ADDRESS, "16 rue de wattignies, 75012 Paris"),
x509.NameAttribute(NameOID.COMMON_NAME, "talao"),
x509.NameAttribute(NameOID.USER_ID, did),
])
# upload the Talao private rsa key
talao_rsa_private_key = privatekey.get_key(mode.owner_talao, 'rsa_key',
mode)
if type(talao_rsa_private_key) == bytes:
talao_rsa_key = serialization.load_pem_private_key(
talao_rsa_private_key,
password=None,
)
else:
talao_rsa_key = serialization.load_pem_private_key(
bytes(talao_rsa_private_key, 'utf-8'),
password=None,
)
# get identity data
address = contractsToOwners(workspace_contract, mode)
rsa_privatekey = privatekey.get_key(address, 'rsa_key', mode)
if type(rsa_privatekey) == bytes:
subject_key = serialization.load_pem_private_key(
rsa_privatekey,
password=None,
)
else:
subject_key = serialization.load_pem_private_key(
bytes(rsa_privatekey, 'utf-8'),
password=None,
)
#profil = read_profil(workspace_contract, mode, 'full')[0]
#name = profil['firstname'] + ' ' + profil['lastname']
username = ns.get_username_from_resolver(workspace_contract, mode)
email = ns.get_data_from_username(username, mode)['email']
subject = x509.Name([
#x509.NameAttribute(NameOID.COUNTRY_NAME, "FR"),
#x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, ""),
#x509.NameAttribute(NameOID.LOCALITY_NAME, "Paris"),
#x509.NameAttribute(NameOID.ORGANIZATION_NAME, ""),
x509.NameAttribute(NameOID.COMMON_NAME, session['name']),
x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
x509.NameAttribute(NameOID.USER_ID, did),
])
cert = x509.CertificateBuilder()
cert = cert.subject_name(subject)
# talao as CA
cert = cert.issuer_name(talao_issuer)
cert = cert.public_key(subject_key.public_key())
cert = cert.serial_number(x509.random_serial_number())
cert = cert.not_valid_before(datetime.datetime.utcnow() -
datetime.timedelta(days=1))
cert = cert.not_valid_after(datetime.datetime.utcnow() +
datetime.timedelta(days=3650))
cert = cert.add_extension(x509.BasicConstraints(ca=False,
path_length=None),
critical=True)
cert = cert.add_extension(x509.ExtendedKeyUsage([
x509.oid.ExtendedKeyUsageOID.EMAIL_PROTECTION,
x509.oid.ExtendedKeyUsageOID.CODE_SIGNING,
x509.oid.ExtendedKeyUsageOID.TIME_STAMPING
]),
critical=True)
#cert=cert.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email), x509.OtherName(NameOID.COMMON_NAME, bytes(did, 'utf-8'))]),critical=True,)
#cert=cert.add_extension(x509.SubjectAlternativeName([x509.OtherName(NameOID.COMMON_NAME, bytes(did, 'utf-8'))]),critical=True,)
cert = cert.add_extension(x509.KeyUsage(digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=True)
cert = cert.sign(talao_rsa_key, hashes.SHA256())
# Write our certificate out to disk.
filename = mode.uploads_path + workspace_contract + ".pem"
with open(filename, "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
certificate = pkcs12.serialize_key_and_certificates(
bytes(did, 'utf-8'), subject_key, cert, None,
serialization.BestAvailableEncryption(bytes(password, 'utf-8')))
filename = mode.uploads_path + workspace_contract + ".p12"
with open(filename, "wb") as f:
f.write(certificate)
return True
def signPDF(docdata, page, email, name, shape, style, font, region, x1,y1,x2,y2):
try:
res = getHankoImage(name, shape, style, font)
if "Message" in res[0]:
return res
else:
_fr, fname = tempfile.mkstemp(".pdf")
one_day = datetime.timedelta(1, 0, 0)
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, name),
]))
builder = builder.issuer_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'inkantan'),
]))
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 365))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.SubjectAlternativeName(
[x509.DNSName("@inkantan")]
),
critical=False
)
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
)
certificate = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(),
backend=default_backend()
)
p12 = pkcs12.serialize_key_and_certificates(b'test', private_key, certificate, [certificate], serialization.BestAvailableEncryption(b'1234'))
y = pkcs12.load_key_and_certificates(p12, b'1234', default_backend())
date = datetime.datetime.utcnow() - datetime.timedelta(hours=12)
date = date.strftime("D:%Y%m%d%H%M%S+00'00'")
dct = {
"aligned": 0,
"sigflags": 1,
"sigflagsft": 132,
"sigpage": int(page)-1,
"sigbutton": True,
"sigfield": "Signature1",
"sigandcertify": True,
"signaturebox": (0,0,0,0), #(x1, y1, x2, y2),
"signature": "Contract with Hanko seal applied",
"contact": email,
"location": region,
"signingdate": date,
"reason": "To execute/formalize/affirm the contract", #目的:契約書に署名する
"password": "******",
}
with open(fname, 'wb') as fx:
fx.write(docdata)
img_rect = fitz.Rect(min(x1,x2), min(y1,y2), max(x1,x2), max(y1,y2))
document = fitz.open(fname)
pg = document[int(page)-1]
pg.insertImage(img_rect, filename=res[0])
if document.can_save_incrementally():
document.save(fname, garbage=0, deflate=True, incremental=True, encryption=0)
document.close()
else:
os.close(res[1])
os.remove(res[0])
os.close(_fr)
os.remove(fname)
return ["Fitz Issue: Cannot incrementally save document", "Continuing may lead to loss of data"]
datau = open(fname, "rb").read()
try:
datas = cms.sign(datau, dct, y[0], y[1], y[2], "sha256")
except Exception as x:
return errHandler(x, [res[0], fname], [res[1], _fr])
with open(fname, "wb") as fp:
fp.write(datau)
fp.write(datas)
os.close(res[1])
os.remove(res[0])
os.close(_fr)
return fname
except Exception as e:
return errHandler(e, [res[0], fname], [res[1], _fr])
def lambda_handler(event, context):
now = datetime.datetime.now()
expire_date = now + datetime.timedelta(days=3650)
# PARAMETER
ssm = boto3.client('ssm', region_name=os.environ['REGION'])
nifi_secret = ssm.get_parameter(
Name=os.environ['PREFIX']+'-nifi-secret-'+os.environ['SUFFIX'],
WithDecryption=True
)
s3 = boto3.resource('s3')
s3_object = list(s3.Bucket(os.environ['BUCKET']).objects.filter(Prefix='nifi/certificates/'))
if len(s3_object) == 5:
print('Certificates found, skipping.')
else:
print('Certificates not found, generating.')
# Valid dates
now = datetime.datetime.now()
expire_date = now + datetime.timedelta(days=3650)
# CA
ca_private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=backends.default_backend()
)
ca_public_key = ca_private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"NIFICA"),
]))
builder = builder.issuer_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"NIFICA"),
]))
builder = builder.not_valid_before(now)
builder = builder.not_valid_after(expire_date)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(ca_public_key)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True)
ca_certificate = builder.sign(
private_key=ca_private_key, algorithm=hashes.SHA256(), backend=backends.default_backend()
)
ca_private_bytes = ca_private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(str.encode(nifi_secret['Parameter']['Value'])))
ca_public_bytes = ca_certificate.public_bytes(
encoding=serialization.Encoding.PEM)
# ADMIN
admin_private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=backends.default_backend()
)
admin_public_key = admin_private_key.public_key()
builder2 = x509.CertificateBuilder()
builder2 = builder2.subject_name(x509.Name([
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"NIFI"),
x509.NameAttribute(NameOID.COMMON_NAME, u"admin")
]))
builder2 = builder2.issuer_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"NIFICA"),
]))
builder2 = builder2.not_valid_before(now)
builder2 = builder2.not_valid_after(expire_date)
builder2 = builder2.serial_number(x509.random_serial_number())
builder2 = builder2.public_key(admin_public_key)
builder2 = builder2.add_extension(
x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=True, key_agreement=True, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False),
critical=True)
builder2 = builder2.add_extension(
x509.ExtendedKeyUsage([x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]),
critical=True)
admin_certificate = builder2.sign(
private_key=ca_private_key, algorithm=hashes.SHA256(), backend=backends.default_backend()
)
admin_private_bytes = admin_private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(str.encode(nifi_secret['Parameter']['Value'])))
admin_public_bytes = admin_certificate.public_bytes(
encoding=serialization.Encoding.PEM)
# ADMIN PKCS12
admin_p12 = pkcs12.serialize_key_and_certificates(
b"admin",
admin_private_key,
admin_certificate,
None,
serialization.BestAvailableEncryption(str.encode(nifi_secret['Parameter']['Value']))
)
# UPLOAD
files = {
'nifi/certificates/ca/ca.pem': io.BytesIO(ca_public_bytes),
'nifi/certificates/ca/ca.key': io.BytesIO(ca_private_bytes),
'nifi/certificates/admin/admin_cert.pem': io.BytesIO(admin_public_bytes),
'nifi/certificates/admin/private_key.key': io.BytesIO(admin_private_bytes),
'nifi/certificates/admin/keystore.p12': io.BytesIO(admin_p12)
}
for key in files:
s3.meta.client.upload_fileobj(
files[key],
os.environ['BUCKET'],
key,
ExtraArgs={'ServerSideEncryption':'aws:kms','SSEKMSKeyId':os.environ['KEY']})
print(key + ' put to s3.')
return {
'statusCode': 200,
'body': json.dumps('Complete')
}
async def amain(url, service, template, altname, onbehalf, cn = None, pfx_file = None, pfx_password = None, enroll_cert = None, enroll_password = None):
try:
if pfx_file is None:
pfx_file = 'cert_%s.pfx' % os.urandom(4).hex()
if pfx_password is None:
pfx_password = '******'
print('[+] Parsing connection parameters...')
su = SMBConnectionURL(url)
ip = su.get_target().get_hostname_or_ip()
if cn is None:
cn = '%s@%s' % (su.username, su.domain)
print('[*] Using CN: %s' % cn)
print('[+] Generating RSA privat key...')
key = rsa.generate_private_key(0x10001, 2048)
print('[+] Building certificate request...')
attributes = {
"CertificateTemplate": template,
}
csr = x509.CertificateSigningRequestBuilder()
csr = csr.subject_name(
x509.Name(
[
x509.NameAttribute(NameOID.COMMON_NAME, cn),
]
)
)
if altname:
altname = core.UTF8String(altname).dump()
csr = csr.add_extension(
x509.SubjectAlternativeName(
[
x509.OtherName(PRINCIPAL_NAME, altname),
]
),
critical=False,
)
csr = csr.sign(key, hashes.SHA256())
if onbehalf is not None:
agent_key = None
agent_cert = None
with open(enroll_cert, 'rb') as f:
agent_key, agent_cert, _ = pkcs12.load_key_and_certificates(f.read(), enroll_password)
pkcs7builder = pkcs7.PKCS7SignatureBuilder().set_data(csr).add_signer(agent_key, agent_cert, hashes.SHA1())
csr = pkcs7builder.sign(Encoding.DER, options=[pkcs7.PKCS7Options.Binary])
else:
csr = csr.public_bytes(Encoding.DER)
print('[+] Connecting to EPM...')
target, err = await EPM.create_target(ip, ICPRRPC().service_uuid, dc_ip = su.get_target().dc_ip, domain = su.get_target().domain)
if err is not None:
raise err
print('[+] Connecting to ICRPR service...')
gssapi = AuthenticatorBuilder.to_spnego_cred(su.get_credential(), target)
auth = DCERPCAuth.from_smb_gssapi(gssapi)
connection = DCERPC5Connection(auth, target)
rpc, err = await ICPRRPC.from_rpcconnection(connection, perform_dummy=True)
if err is not None:
raise err
logger.debug('DCE Connected!')
print('[+] Requesting certificate from the service...')
res, err = await rpc.request_certificate(service, csr, attributes)
if err is not None:
print('[-] Request failed!')
raise err
if res['encodedcert'] in [None, b'']:
raise Exception('No certificate was returned from server!. Full message: %s' % res)
print('[+] Got certificate!')
cert = x509.load_der_x509_certificate(res['encodedcert'])
print("[*] Cert subject: {}".format(cert.subject.rfc4514_string()))
print("[*] Cert issuer: {}".format(cert.issuer.rfc4514_string()))
print("[*] Cert Serial: {:X}".format(cert.serial_number))
try:
ext = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE)
for oid in ext.value:
print("[*] Cert Extended Key Usage: {}".format(EKUS_NAMES.get(oid.dotted_string, oid.dotted_string)))
except:
print('[-] Could not verify extended key usage')
try:
ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
for name in ext.value.get_values_for_type(x509.OtherName):
if name.type_id == x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3"):
print('[*] Certificate ALT NAME: %s' % core.UTF8String.load(name.value).native)
break
else:
print('[-] Certificate doesnt have ALT NAME')
except:
print('[-] Certificate doesnt have ALT NAME')
print('[+] Writing certificate to disk (file:"%s" pass: "******")...' % (pfx_file, pfx_password))
# Still waiting for the day oscrypto will have a pfx serializer :(
# Until that we'd need to use cryptography
with open(pfx_file, 'wb') as f:
data = pkcs12.serialize_key_and_certificates(
name=b"",
key=key,
cert=cert,
cas=None,
encryption_algorithm=BestAvailableEncryption(pfx_password.encode())
)
f.write(data)
print('[+] Finished!')
return True, None
except Exception as e:
traceback.print_exc()
return False, e
def convert_cert_to_p12(cert, root_cert_key, password="******"):
return serialize_key_and_certificates(b'cert', root_cert_key, cert, None,
serialization.BestAvailableEncryption(bytes(password, "utf-8")))
