def create_csr( cls, subject: str ) -> typing.Tuple[PrivateKeyTypes, x509.CertificateSigningRequest]: """Generate a CSR with the given subject.""" private_key = rsa.generate_private_key(public_exponent=65537, key_size=1024, backend=default_backend()) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name(x509_name(subject)) builder = builder.add_extension(x509.BasicConstraints( ca=False, path_length=None), critical=True) request = builder.sign(private_key, hashes.SHA256(), default_backend()) return private_key, request
def _decode_basic_constraints(backend, ext): bc_st = backend._lib.X509V3_EXT_d2i(ext) assert bc_st != backend._ffi.NULL basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st) basic_constraints = backend._ffi.gc(basic_constraints, backend._lib.BASIC_CONSTRAINTS_free) # The byte representation of an ASN.1 boolean true is \xff. OpenSSL # chooses to just map this to its ordinal value, so true is 255 and # false is 0. ca = basic_constraints.ca == 255 if basic_constraints.pathlen == backend._ffi.NULL: path_length = None else: path_length = _asn1_integer_to_int(backend, basic_constraints.pathlen) return x509.BasicConstraints(ca, path_length)
def cert(): one_day = datetime.timedelta(1, 0, 0) pk = genKeyPair('RSA')[0] puk = pk.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name((x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'p3g2')]))) builder = builder.issuer_name((x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'p3g2')]))) builder = builder.not_valid_before(datetime.datetime.today() - one_day) builder = builder.not_valid_after(datetime.datetime(2018, 8, 2)) builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(puk) builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True) certificate = builder.sign(private_key=pk, algorithm=hashes.SHA256(), backend=BACKEND) f = open('server_cert.pem', 'wr+') f.write(str(certificate.public_bytes(serialization.Encoding.PEM)))
def _build_single_leaf(hostname, certfile, ca_cert, ca_key): """ Builds a single leaf certificate, signed by the CA's private key. """ if os.path.isfile(certfile): _LOGGER.info("{hostname} already exists, not regenerating", hostname=hostname) return private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) public_key = private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, hostname), ])) builder = builder.issuer_name(ca_cert.subject) builder = builder.not_valid_before(datetime.datetime.today() - ONE_DAY) builder = builder.not_valid_after(datetime.datetime.today() + TENISH_YEARS) builder = builder.serial_number(int(uuid.uuid4())) builder = builder.public_key(public_key) builder = builder.add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ) builder = builder.add_extension( x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=True, ) certificate = builder.sign(private_key=ca_key, algorithm=hashes.SHA256(), backend=default_backend()) # Write it out. with open(certfile, 'wb') as f: f.write( private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption())) f.write(certificate.public_bytes(serialization.Encoding.PEM)) _LOGGER.info("Built certificate for {hostname}", hostname=hostname)
def _build_ssl(): from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.primitives import hashes from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa import sys import socket import ipaddress import random hostname = socket.gethostname() public_ip = ipaddress.ip_address(socket.gethostbyname(hostname)) key = rsa.generate_private_key(public_exponent=65537, key_size=1024, backend=default_backend()) alt_name_list = [x509.DNSName(hostname), x509.IPAddress(ipaddress.ip_address(public_ip))] alt_names = x509.SubjectAlternativeName(alt_name_list) # Basic data name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]) basic_contraints = x509.BasicConstraints(ca=True, path_length=0) now = datetime.datetime.utcnow() # Build cert cert = (x509.CertificateBuilder() .subject_name(name) .issuer_name(name) .public_key(key.public_key()) .serial_number(int(random.random() * sys.maxsize)) .not_valid_before(now) .not_valid_after(now + datetime.timedelta(days=10*365)) .add_extension(basic_contraints, False) .add_extension(alt_names, False) .sign(key, hashes.SHA256(), default_backend())) # yapf: disable # Build and return keys cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM) key_pem = key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) # yapf: disable return cert_pem, key_pem
def certificate_download(): """Create a new key/certificate to upload to the DEP/ASM/ABM portal. The private key generated for this certificate will be the key recipient of the DEP S/MIME payload. """ try: certificate_model = db.session.query( DEPServerTokenCertificate).filter_by( x509_cn='COMMANDMENT-DEP').one() except sqlalchemy.orm.exc.NoResultFound: ca = get_ca() private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend(), ) private_key_model = RSAPrivateKey.from_crypto(private_key) db.session.add(private_key_model) name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, 'COMMANDMENT-DEP'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment') ]) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name(name) builder = builder.add_extension(x509.BasicConstraints( ca=False, path_length=None), critical=True) request = builder.sign(private_key, hashes.SHA256(), default_backend()) request_model = CertificateSigningRequest.from_crypto(request) request_model.rsa_private_key = private_key_model db.session.add(request_model) certificate = ca.sign(request) certificate_model = DEPServerTokenCertificate.from_crypto(certificate) certificate_model.rsa_private_key = private_key_model db.session.add(certificate_model) db.session.commit() return certificate_model.pem_data, 200, { 'Content-Type': 'application/x-x509-ca-cert', 'Content-Disposition': 'attachment; filename="commandment-dep.cer"' }
def main(): one_day = datetime.timedelta(1, 0, 0) private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) public_key = private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'openstack-ansible Test CA'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'openstack-ansible'), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Default CA Deployment'), ])) builder = builder.issuer_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'openstack-ansible Test CA'), ])) builder = builder.not_valid_before(datetime.datetime.today() - one_day) builder = builder.not_valid_after(datetime.datetime(2028, 8, 2)) builder = builder.serial_number(int(uuid.uuid4())) builder = builder.public_key(public_key) builder = builder.add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True, ) certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()) #print(isinstance(certificate, x509.Certificate)) if isinstance(certificate, x509.Certificate) == True: return True with open("ca.key", "wb") as f: f.write( private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.BestAvailableEncryption( b"openstack-ansible"))) with open("ca.crt", "wb") as f: f.write(certificate.public_bytes( encoding=serialization.Encoding.PEM, ))
def generate_certificate() -> CertificatePrivateKey: key = typing.cast( ec.EllipticCurvePrivateKeyWithSerialization, ec.generate_private_key(curve=ec.SECP521R1(), backend=default_backend()), ) subject = issuer = x509.Name([ x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, "python-terraform-plugin"), x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, "localhost"), ]) certificate = (x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=365)).add_extension( x509.KeyUsage( digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=True, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False, ), critical=True, ).add_extension( x509.ExtendedKeyUsage([ x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH, x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, ]), critical=True, ).add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True).add_extension( x509.SubjectAlternativeName( [x509.DNSName("localhost")]), critical=False, ).sign(key, hashes.SHA256(), default_backend())) return CertificatePrivateKey(certificate=certificate, private_key=key)
def _add_leaf_usages(csr: Any, domains: List[str], issuer: Credentials) -> Any: return csr.add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ).add_extension( x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( issuer.certificate.extensions.get_extension_for_class( x509.SubjectKeyIdentifier).value), critical=False).add_extension( x509.SubjectAlternativeName( [x509.DNSName(domain) for domain in domains]), critical=True, ).add_extension(x509.ExtendedKeyUsage([ ExtendedKeyUsageOID.SERVER_AUTH, ]), critical=True)
def generate_cert(hostname, ip_addresses=None, key=None): """Generates self signed certificate for a hostname, and optional IP addresses.""" # Generate our key if key is None: key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend(), ) name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]) # best practice seem to be to include the hostname in the SAN, which *SHOULD* mean COMMON_NAME is ignored. alt_names = [x509.DNSName(hostname)] # allow addressing by IP, for when you don't have real DNS (common in most testing scenarios if ip_addresses: for addr in ip_addresses: # openssl wants DNSnames for ips... alt_names.append(x509.DNSName(addr)) # ... whereas golang's crypto/tls is stricter, and needs IPAddresses # note: older versions of cryptography do not understand ip_address objects alt_names.append(x509.IPAddress(ipaddress.ip_address(addr))) san = x509.SubjectAlternativeName(alt_names) # path_len=0 means this cert can only sign itself, not other certs. basic_contraints = x509.BasicConstraints(ca=True, path_length=0) now = datetime.utcnow() cert = (x509.CertificateBuilder( ).subject_name(name).issuer_name(name).public_key( key.public_key()).serial_number(1000).not_valid_before(now - timedelta( days=10 * 365)).not_valid_after(now - timedelta(days=9 * 365)).add_extension( basic_contraints, False).add_extension(san, False).sign(key, hashes.SHA256(), default_backend())) cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM) key_pem = key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) return cert_pem, key_pem
def create_self_signed_certificate(subject_name, private_key, days_valid=365): subject = x509.Name([ x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Test, Inc."), x509.NameAttribute(x509.NameOID.COMMON_NAME, subject_name) ]) certificate = x509.CertificateBuilder().subject_name(subject).issuer_name( subject).public_key(private_key.public_key()).serial_number( x509.random_serial_number()).add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=days_valid)).sign( private_key, hashes.SHA256(), backends.default_backend()) return certificate
def create_client(common_name, ca): key = rsa.generate_private_key(public_exponent=65537, key_size=2048) name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]) issuer_name = x509.Name( ca.cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)) now = datetime.utcnow() cert = (x509.CertificateBuilder().subject_name(name).issuer_name( issuer_name).public_key(key.public_key()).serial_number( x509.random_serial_number()).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True).not_valid_before(now).not_valid_after( now + timedelta(days=60)).sign(ca.key, hashes.SHA256())) return Identity(key=key, cert=cert)
def generateCertRequest(self): key = self.generateKey() # Create a cerificate request csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"TalkyWalky"), x509.NameAttribute(NameOID.COMMON_NAME, u"User:"******"./client_csr.pem", "wb") as f: f.write(csr.public_bytes(serialization.Encoding.PEM)) return csr.public_bytes(serialization.Encoding.PEM).decode()
def make_ssl_cert(file_path): from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend(), ) name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, 'mdb_autogen'), x509.NameAttribute(NameOID.COUNTRY_NAME, 'US'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, 'California'), x509.NameAttribute(NameOID.LOCALITY_NAME, 'Berkeley'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'MindsDB') ]) now = datetime.utcnow() cert = ( x509.CertificateBuilder() .subject_name(name) .issuer_name(name) .public_key(key.public_key()) .serial_number(1) .not_valid_before(now) .not_valid_after(now + timedelta(days=10*365)) .add_extension( x509.BasicConstraints(ca=True, path_length=0), False ) .sign(key, hashes.SHA256(), default_backend()) ) cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM) key_pem = key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) with open(file_path, 'wb') as f: f.write(key_pem + cert_pem)
def create_csr(country, state, locality, org, cn, key): csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, country), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state), x509.NameAttribute(NameOID.LOCALITY_NAME, locality), x509.NameAttribute(NameOID.ORGANIZATION_NAME, org), x509.NameAttribute(NameOID.COMMON_NAME, cn), ])).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, # Sign the CSR with our private key. ).sign(key, hashes.SHA256(), default_backend()) # Write our CSR out to disk. with open("clientcsr.pem", "wb") as f: f.write(csr.public_bytes(serialization.Encoding.PEM))
def create_CA(path, path_key, CA_subj_dict, serialization_format=serialization.Encoding.PEM, time_begin=datetime.datetime.now(), time_delta=datetime.timedelta(days=10)): '''Creating CA dirpath - path to directory, where CA will be placed CA_subj_dict - dict, like this CA_subj_dict={'Country':u'PL', ...}''' private_key_CA = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) public_key_CA = private_key_CA.public_key() with open(path_key, 'wb') as f: f.write( private_key_CA.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.BestAvailableEncryption( b"password"))) CA_subject = [ x509.NameAttribute(NameOID.COUNTRY_NAME, CA_subj_dict['Country']), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, CA_subj_dict['State']), x509.NameAttribute(NameOID.LOCALITY_NAME, CA_subj_dict['Locality']), x509.NameAttribute(NameOID.ORGANIZATION_NAME, CA_subj_dict['Organization']), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, CA_subj_dict['OU']), x509.NameAttribute(NameOID.COMMON_NAME, CA_subj_dict['CN']) ] CA_cert = x509.CertificateBuilder().subject_name(x509.Name(CA_subject)) CA_cert = CA_cert.issuer_name(x509.Name(CA_subject)) CA_cert = CA_cert.public_key(public_key_CA) CA_cert = CA_cert.serial_number(x509.random_serial_number()) CA_cert = CA_cert.not_valid_before(time_begin) CA_cert = CA_cert.not_valid_after(datetime.datetime.utcnow() + time_delta) CA_cert = CA_cert.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) CA_cert = CA_cert.sign(private_key_CA, hashes.SHA256(), default_backend()) with open(path, 'wb') as CAcert: CAcert.write(CA_cert.public_bytes(serialization_format)) return private_key_CA, CA_subject, CA_cert
def _gen_cryptography(): import datetime from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives import serialization from cryptography.x509.oid import NameOID one_day = datetime.timedelta(1, 0, 0) private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) public_key = private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name( x509.Name( [x509.NameAttribute(NameOID.COMMON_NAME, socket.gethostname())])) builder = builder.issuer_name( x509.Name( [x509.NameAttribute(NameOID.COMMON_NAME, socket.gethostname())])) builder = builder.not_valid_before(datetime.datetime.today() - one_day) builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 365 * 5)) builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(public_key) builder = builder.add_extension(x509.SubjectAlternativeName([ x509.DNSName(socket.gethostname()), x509.DNSName('*.%s' % socket.gethostname()), x509.DNSName('localhost'), x509.DNSName('*.localhost'), ]), critical=False) builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True) certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()) return (certificate.public_bytes(serialization.Encoding.PEM), private_key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
def MakeCACert(private_key, common_name=u"grr", issuer_cn=u"grr_test", issuer_c=u"US"): """Generate a CA certificate. Args: private_key: The private key to use. common_name: Name for cert. issuer_cn: Name for issuer. issuer_c: Country for issuer. Returns: The certificate. """ public_key = private_key.GetPublicKey() builder = x509.CertificateBuilder() issuer = x509.Name([ x509.NameAttribute(oid.NameOID.COMMON_NAME, issuer_cn), x509.NameAttribute(oid.NameOID.COUNTRY_NAME, issuer_c) ]) subject = x509.Name( [x509.NameAttribute(oid.NameOID.COMMON_NAME, common_name)]) builder = builder.subject_name(subject) builder = builder.issuer_name(issuer) valid_from = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("1d") valid_until = rdfvalue.RDFDatetime.Now() + rdfvalue.Duration("3650d") builder = builder.not_valid_before(valid_from.AsDatetime()) builder = builder.not_valid_after(valid_until.AsDatetime()) builder = builder.serial_number(1) builder = builder.public_key(public_key.GetRawPublicKey()) builder = builder.add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True) builder = builder.add_extension( x509.SubjectKeyIdentifier.from_public_key(public_key.GetRawPublicKey()), critical=False) certificate = builder.sign( private_key=private_key.GetRawPrivateKey(), algorithm=hashes.SHA256(), backend=openssl.backend) return rdf_crypto.RDFX509Cert(certificate)
def generate_ca_cert_and_key(): """Creates a CA cert and key for testing. :returns: The cryptography CA cert and CA key objects. """ ca_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend()) subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Denial"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"Corvallis"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"OpenStack"), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"Octavia"), x509.NameAttribute(NameOID.COMMON_NAME, u"ca_cert.example.com"), ]) ca_cert = x509.CertificateBuilder().subject_name( subject ).issuer_name( issuer ).public_key( ca_key.public_key() ).serial_number( x509.random_serial_number() ).not_valid_before( datetime.datetime.utcnow() ).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=10) ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"ca_cert.example.com")]), critical=False, ).add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True, ).add_extension( # KeyUsage(digital_signature, content_commitment, key_encipherment, # data_encipherment, key_agreement, key_cert_sign, crl_sign, # encipher_only, decipher_only) x509.KeyUsage(True, False, False, False, False, True, True, False, False), critical=True, ).sign(ca_key, hashes.SHA256(), default_backend()) return ca_cert, ca_key
def issue_self_signed_certificate(domains, private_key, logger): # Generates a self-signed certificate. from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.x509.oid import NameOID from cryptography.x509 import DNSName import datetime import uuid logger("Issuing self-signed certificate.") import sys if sys.version_info < (3, ): # In Py2, pyca requires the CN to be a unicode instance. domains = [domain.decode("ascii") for domain in domains] # https://cryptography.io/en/latest/x509/reference/ one_day = datetime.timedelta(days=1) duration = datetime.timedelta(days=31) builder = x509.CertificateBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, domains[0]), ])) builder = builder.issuer_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, domains[0]), ])) builder = builder.not_valid_before(datetime.datetime.today() - one_day) builder = builder.not_valid_after(datetime.datetime.today() + duration) builder = builder.serial_number(int(uuid.uuid4())) builder = builder.public_key(private_key.public_key()) builder = builder.add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ) if len(domains) > 1: builder = builder.add_extension(x509.SubjectAlternativeName( [x509.DNSName(domain) for domain in domains]), critical=False) certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()) return (cert_to_pem(certificate), []) # no chain
def _dummy_end_cert(self, ca_key, ca_cert, end_key): nowtime = datetime.datetime.now(datetime.timezone.utc) cert = x509.CertificateBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, 'end-entity'), ])).issuer_name(ca_cert.issuer).public_key( end_key.public_key()).serial_number(x509.random_serial_number( )).not_valid_before(nowtime).not_valid_after( nowtime + datetime.timedelta(days=1)).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ).add_extension( x509.SubjectAlternativeName([ x509.UniformResourceIdentifier( self._app._config.node_id), ]), critical=False, ).add_extension( x509.KeyUsage( digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False, ), critical=False, ).add_extension( x509.ExtendedKeyUsage([ x509.oid.ObjectIdentifier( '1.3.6.1.5.5.7.3.35') # id-kp-bundleSecurity ]), critical=False, ).add_extension( x509.SubjectKeyIdentifier.from_public_key( end_key.public_key()), critical=False, ).add_extension( x509.AuthorityKeyIdentifier.from_issuer_public_key( ca_key.public_key()), critical=False, ).sign(ca_key, hashes.SHA256(), backend=default_backend()) return cert
def create_ca( organization: str, cn: str, key_size: int, ) -> Tuple[rsa.RSAPrivateKeyWithSerialization, x509.Certificate]: now = datetime.datetime.now() private_key = rsa.generate_private_key( public_exponent=65537, key_size=key_size, ) # type: ignore name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, cn), x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization) ]) builder = x509.CertificateBuilder() builder = builder.serial_number(x509.random_serial_number()) builder = builder.subject_name(name) builder = builder.not_valid_before(now - datetime.timedelta(days=2)) builder = builder.not_valid_after(now + CA_EXPIRY) builder = builder.issuer_name(name) builder = builder.public_key(private_key.public_key()) builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) builder = builder.add_extension(x509.ExtendedKeyUsage( [ExtendedKeyUsageOID.SERVER_AUTH]), critical=False) builder = builder.add_extension(x509.KeyUsage( digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False, ), critical=True) builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key( private_key.public_key()), critical=False) cert = builder.sign(private_key=private_key, algorithm=hashes.SHA256()) # type: ignore return private_key, cert
def generate_selfsigned_cert(hostname, public_ip, private_ip): import datetime import ipaddress from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.primitives import hashes from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa # Generate our key key = rsa.generate_private_key(public_exponent=65537, key_size=1024, backend=default_backend()) name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]) alt_names = x509.SubjectAlternativeName([ # best practice seem to be to include the hostname in the SAN, which *SHOULD* mean COMMON_NAME is ignored. x509.DNSName(hostname), # allow addressing by IP, for when you don't have real DNS (common in most testing scenarios) # openssl wants DNSnames for ips... x509.DNSName(public_ip), x509.DNSName(private_ip), # ... whereas golang's crypto/tls is stricter, and needs IPAddresses x509.IPAddress(ipaddress.ip_address(public_ip)), x509.IPAddress(ipaddress.ip_address(private_ip)), ]) # path_len=0 means this cert can only sign itself, not other certs. basic_constraints = x509.BasicConstraints(ca=True, path_length=0) now = datetime.datetime.utcnow() cert = (x509.CertificateBuilder().subject_name(name).issuer_name( name).public_key( key.public_key()).serial_number(1000).not_valid_before(now). not_valid_after(now + datetime.timedelta(days=100 * 365)).add_extension( basic_constraints, False).add_extension(alt_names, False).sign( key, hashes.SHA256(), default_backend())) cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM) key_pem = key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) return cert_pem, key_pem
def sign_csr(csr): csr = x509.load_pem_x509_csr(str(csr), default_backend()) ca_key = serialization.load_pem_private_key(get_ca_key(), None, default_backend()) if csr.public_key().key_size > 2048: return {'error': 'key_size'} if len(csr.subject.public_bytes(default_backend())) > 350: return {'error': 'subject_size'} if not csr.is_signature_valid: return {'error': 'invalid_signature'} if len(csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)) != 1: return {'error': 'invalid_name'} for attr in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME): username = attr.value if username.lower() == 'admin': return {'error': 'invalid_name'} builder = x509.CertificateBuilder() builder = builder.subject_name(csr.subject) builder = builder.issuer_name(ISSUER) builder = builder.not_valid_before(datetime.datetime(2018, 1, 1)) builder = builder.not_valid_after(datetime.datetime(2019, 1, 1)) builder = builder.serial_number(gen_serial()) builder = builder.public_key(csr.public_key()) builder = builder.add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ) certificate = builder.sign(private_key=ca_key, algorithm=hashes.MD5(), backend=default_backend()) return { 'result': certificate.public_bytes(encoding=serialization.Encoding.PEM) }
def generate(self, key, profile, digest=hashes.SHA256(), backend=default_backend, name=[], subject_alt_names=[]): """Generate a Certificate Signing Request (CSR) The CSR needs to be signed by a private key using a digest (defaults to SHA256). The ``name`` argument is a list of dictionaries in the form of ``{"commonName": "foobar.com"}`` The names get mapped to X509 OIDS. Short forms are not supported yet. Args: key (obj): Private key instance that signs the CSR profile (dict): profile dictionary defining certificate options digest (:obj: `digest`, optional): Digest instance used for signing backend (:obj:`backend`, optional): Specify a backend to use name (:obj:`list`, optional): list of dict of X509 Subjects subject_alt_names (:obj:`list`, optional): list of SubjectAlternativeNames """ builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name(x509.Name(list(self._create_subject_name(name)))) if 'extended_key_usage' in profile: builder = builder.add_extension( x509.ExtendedKeyUsage([self._get_oid(usage) for usage in profile['extended_key_usage']]), critical=False, ) if subject_alt_names: builder = builder.add_extension( x509.SubjectAlternativeName([self._get_alt_name(alt) for alt in subject_alt_names]), critical=False, ) constraints = {'ca': False, 'path_length': None} constraints.update(profile.get('basic_constraints', {})) builder = builder.add_extension(x509.BasicConstraints(**constraints), critical=True) usage = [ 'digital_signature', 'content_commitment', 'key_encipherment', 'data_encipherment', 'key_agreement', 'key_cert_sign', 'crl_sign', 'encipher_only', 'decipher_only' ] usage = dict.fromkeys(usage, False) usage.update(dict.fromkeys(profile.get('key_usage', []), True)) builder = builder.add_extension(x509.KeyUsage(**usage), critical=True) self.request = builder.sign( key, digest, backend() )
def rsa_ca(self, ca_key_name, ca_crt_name, sign_hash_change): with open(ca_key_name + '.key', 'rb') as key_file: key = serialization.load_pem_private_key(key_file.read(), password=None, backend=default_backend()) if sign_hash_change == 1: algorithm = hashes.MD5() elif sign_hash_change == 2: algorithm = hashes.SHA1() elif sign_hash_change == 3: algorithm = hashes.SHA224() elif sign_hash_change == 4: algorithm = hashes.SHA256() elif sign_hash_change == 5: algorithm = hashes.SHA512() subject = issuer = x509.Name([ x509.NameAttribute(x509.oid.NameOID.COUNTRY_NAME, u"CN"), x509.NameAttribute(x509.oid.NameOID.STATE_OR_PROVINCE_NAME, u"ShaanXi"), x509.NameAttribute(x509.oid.NameOID.LOCALITY_NAME, u"XiAN"), x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, u"LQtest"), x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, u"ca"), ]) cert = x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(key.public_key()).serial_number( x509.random_serial_number() ).not_valid_before(datetime.datetime.utcnow()).not_valid_after( #设置证书有效期 datetime.datetime.utcnow() + datetime.timedelta(days=3650)).add_extension( extension=x509.SubjectKeyIdentifier.from_public_key( key.public_key()), critical=False).add_extension( extension=x509.AuthorityKeyIdentifier. from_issuer_public_key(key.public_key()), critical=False).add_extension( extension=x509.BasicConstraints(ca=True, path_length=None), critical=True).sign(key, algorithm, default_backend()) with open(ca_crt_name + ".crt", "wb") as f: f.write(cert.public_bytes(serialization.Encoding.PEM))
def inicialize(config={}, subject={}, valid_from=None, valid_to=None): # normalize config normalizeConfig(config) normalizeSubject(subject) if valid_from is None: valid_from = datetime.datetime.now() - ONE_DAY if valid_to is None: valid_to = valid_from + datetime.timedelta(days=3650) # first create private key private_key = getKey(config['ca_key_path']) # get public key public_key = private_key.public_key() builder = x509.CertificateBuilder() name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, 'ca'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, subject['o']), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, subject['ou']), ]) # fill certificate builder = builder.subject_name(name) builder = builder.issuer_name(name) builder = builder.not_valid_before(valid_from) builder = builder.not_valid_after(valid_to) builder = builder.serial_number(int(uuid.uuid4())) builder = builder.public_key(public_key) builder = builder.add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True, ) ca = builder.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()) # save ca cert savePem(ca, config['ca_cert_path']) return CA(config=config)
def create_root(root_file, root_key_file): crypto_be = cryptography.hazmat.backends.default_backend() # Create or load a root CA key pair print('\nRoot CA key') root_ca_priv_key = load_or_create_key(root_key_file, backend=crypto_be) # Create root CA certificate print('\nGenerating self-signed root CA certificate') builder = x509.CertificateBuilder() builder = builder.serial_number(random_cert_sn(16)) # Please note that the name of the root CA is also part of the signer certificate and thus, it's # part of certificate definition in the SAMG55 firmware (g_cert_elements_1_signer). If this name is # changed, it will also need to be changed in the firmware. The cert2certdef.py utility script can # help with regenerating the cert_def_1_signer.c file after making changes. o = input("organization name:") cn = input("common name:") builder = builder.issuer_name( x509.Name([ x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o), x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn) ])) builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc)) builder = builder.not_valid_after( builder._not_valid_before.replace(year=builder._not_valid_before.year + 25)) builder = builder.subject_name(builder._issuer_name) builder = builder.public_key(root_ca_priv_key.public_key()) builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key( root_ca_priv_key.public_key()), critical=False) builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) # Self-sign certificate root_ca_cert = builder.sign(private_key=root_ca_priv_key, algorithm=hashes.SHA256(), backend=crypto_be) # Write root CA certificate to file with open(root_file, 'wb') as f: print(' Saving to ' + f.name) f.write(root_ca_cert.public_bytes(encoding=serialization.Encoding.PEM))
def _extensions(key: rsa.RSAPrivateKey, cert_opts: Dict) -> List[Tuple[bool, x509.Extension]]: # noqa sector = cert_opts['sector'] # certificate policies policies = [ x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16'), [x509.UserNotice(None, 'AgIDroot')]), x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.6'), [x509.UserNotice(None, 'agIDcert')]), ] if sector == 'private': policies.append( x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.4.3.1'), [x509.UserNotice(None, 'cert_SP_Priv')])) elif sector == 'public': policies.append( x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.4.2.1'), [x509.UserNotice(None, 'cert_SP_Pub')])) else: emsg = 'Invalid value for sector (%s)' % sector raise Exception(emsg) # extensions list return [ # basicCinstraints (False, x509.BasicConstraints(ca=False, path_length=None)), # keyUsage (True, x509.KeyUsage( digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False, )), # certifcatePolicies (False, x509.CertificatePolicies(policies)), # subjectKeyIdentifier (False, x509.SubjectKeyIdentifier.from_public_key(key.public_key())), ]
def ca_create(self, key): subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"CA"), ]) return x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.datetime.utcnow()).not_valid_after( # Our certificate will be valid for 10 years datetime.datetime.utcnow() + datetime.timedelta(days=10 * 365)).add_extension( extension=x509.BasicConstraints(ca=True, path_length=None), critical=True).sign( # Sign our certificate with our private key key, hashes.SHA256(), default_backend())