def test_key_agreement_false_encipher_decipher_true(self):
with pytest.raises(ValueError):
x509.KeyUsage(digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=True,
decipher_only=False)
with pytest.raises(ValueError):
x509.KeyUsage(digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=True,
decipher_only=True)
with pytest.raises(ValueError):
x509.KeyUsage(digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=True)
def new_certificate_signing_request(
template: Template,
rsa_key: rsa.RSAPrivateKey) -> x509.CertificateSigningRequest:
csr = x509.CertificateSigningRequestBuilder(subject_name=x509.Name(
tuple(
x509.NameAttribute(SubjectAttributeOID[k].value, v)
for k, v in template.subject))).add_extension(
x509.BasicConstraints(
ca=template.basic_constraints.ca,
path_length=template.basic_constraints.path_length),
critical=True)
if template.subject_alt_names:
csr = csr.add_extension(x509.SubjectAlternativeName(
tuple(x509.DNSName(s) for s in template.subject_alt_names)),
critical=False)
if template.key_usage:
csr = csr.add_extension(x509.KeyUsage(
digital_signature=template.key_usage.digital_signature,
content_commitment=template.key_usage.content_commitment,
key_encipherment=template.key_usage.key_encipherment,
data_encipherment=template.key_usage.data_encipherment,
key_agreement=template.key_usage.key_agreement,
key_cert_sign=template.key_usage.key_cert_sign,
crl_sign=template.key_usage.crl_sign,
encipher_only=template.key_usage.encipher_only,
decipher_only=template.key_usage.decipher_only),
critical=True)
csr = csr.sign(rsa_key,
getattr(hashes, template.hash_algorithm)(), backend)
csr_errors = check_csr(csr=csr, template=template)
assert csr_errors == '', csr_errors
return csr
def santest_csr(request, santest_host_1, santest_host_2):
backend = default_backend()
pkey = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=backend)
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, santest_host_1.fqdn),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, api.env.realm)
])).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(santest_host_1.name),
x509.DNSName(santest_host_2.name)
]), False).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
True).add_extension(
x509.KeyUsage(digital_signature=True,
content_commitment=True,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
False).sign(pkey, hashes.SHA256(), backend).public_bytes(
serialization.Encoding.PEM)
return csr.decode('ascii')
def create_client_cert(result_dir, client_name):
# If the key exists, we assume there is a valid keypair and certificate.
if os.path.isfile("{}/client-configs/{}.key".format(
result_dir, client_name)):
logging.info("Client key already exists, not creating a new one..")
return
key = create_RSA_keypair("{}/client-configs/{}.key".format(
result_dir, client_name))
with open("{}/ca.crt".format(result_dir), "rb") as f:
data = f.read()
ca_cert = x509.load_pem_x509_certificate(data, default_backend())
with open("{}/ca.key".format(result_dir), "rb") as f:
data = f.read()
ca_key = load_pem_private_key(data, None, default_backend())
subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"BE"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"East Flanders"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Ghent"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Easy OpenVPN Server"),
x509.NameAttribute(NameOID.COMMON_NAME, client_name),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
ca_cert.issuer
).public_key(key.public_key()).serial_number(x509.random_serial_number(
)).not_valid_before(datetime.datetime.utcnow()).not_valid_after(
# This certificate will be valid for about 100 years
datetime.datetime.utcnow() + datetime.timedelta(days=36500)
).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=False,
).add_extension(
# Make sure this key can only be used for clients
# This is to prevent man-in-the-middle attack
# with client certificate.
# More info:
# - https://openvpn.net/community-resources/how-to
# - https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False,
),
critical=True,
).add_extension(
x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]),
critical=True,
# Sign the certificate with ca key
).sign(ca_key, hashes.SHA256(), default_backend())
# Write the certificate out to disk.
with open("{}/client-configs/{}.crt".format(result_dir, client_name),
"wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
def _decode_key_usage(backend, ext):
bit_string = backend._lib.X509V3_EXT_d2i(ext)
assert bit_string != backend._ffi.NULL
bit_string = backend._ffi.cast("ASN1_BIT_STRING *", bit_string)
bit_string = backend._ffi.gc(
bit_string, backend._lib.ASN1_BIT_STRING_free
)
get_bit = backend._lib.ASN1_BIT_STRING_get_bit
digital_signature = get_bit(bit_string, 0) == 1
content_commitment = get_bit(bit_string, 1) == 1
key_encipherment = get_bit(bit_string, 2) == 1
data_encipherment = get_bit(bit_string, 3) == 1
key_agreement = get_bit(bit_string, 4) == 1
key_cert_sign = get_bit(bit_string, 5) == 1
crl_sign = get_bit(bit_string, 6) == 1
encipher_only = get_bit(bit_string, 7) == 1
decipher_only = get_bit(bit_string, 8) == 1
return x509.KeyUsage(
digital_signature,
content_commitment,
key_encipherment,
data_encipherment,
key_agreement,
key_cert_sign,
crl_sign,
encipher_only,
decipher_only
)
def ensure_end_entity_cert(output_dir,
names,
ca_private_key,
ca_cert,
end_entity_public_key,
is_server=True):
name = names[0]
end_entity_cert_filename = os.path.join(
output_dir,
safe_filename(name) + '.' + CERT_EXT)
if os.path.exists(end_entity_cert_filename):
return
ca_public_key = ca_private_key.public_key()
end_entity_cert_builder = x509.CertificateBuilder().\
subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, name),
])).\
issuer_name(ca_cert.subject).\
not_valid_before(datetime.datetime.today() - DAY).\
not_valid_after(datetime.datetime.today() + 3650 * DAY).\
serial_number(x509.random_serial_number()).\
public_key(end_entity_public_key).\
add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True).\
add_extension(
x509.KeyUsage(digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=True).\
add_extension(
x509.ExtendedKeyUsage([
ExtendedKeyUsageOID.SERVER_AUTH if is_server else ExtendedKeyUsageOID.CLIENT_AUTH,
]), critical=False).\
add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_public_key),
critical=False).\
add_extension(
x509.SubjectKeyIdentifier.from_public_key(end_entity_public_key),
critical=False)
if is_server:
end_entity_cert_builder.add_extension(x509.SubjectAlternativeName(
[x509.DNSName(name) for name in names]),
critical=False)
end_entity_cert = end_entity_cert_builder.\
sign(
private_key=ca_private_key,
algorithm=hashes.SHA256(),
backend=default_backend()
)
with open(end_entity_cert_filename, "wb") as end_entity_cert_file:
end_entity_cert_file.write(
end_entity_cert.public_bytes(encoding=serialization.Encoding.PEM))
return end_entity_cert
def csr_sign(self, csr):
return x509.CertificateBuilder().subject_name(
csr.subject
).issuer_name(
self.ca_cert.subject
).public_key(
csr.public_key()
).serial_number(
uuid.uuid4().int # pylint: disable=no-member
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=365)
).add_extension(
extension=x509.KeyUsage(
digital_signature=True, key_encipherment=True, content_commitment=True,
data_encipherment=False, key_agreement=False, encipher_only=False, decipher_only=False,
key_cert_sign=False, crl_sign=False
),
critical=True
).add_extension(
extension=x509.BasicConstraints(ca=False, path_length=None),
critical=True
).add_extension(
extension=x509.AuthorityKeyIdentifier.from_issuer_public_key(self.ca_pk.public_key()),
critical=False
).sign(
private_key=self.ca_pk,
algorithm=hashes.SHA256(),
backend=default_backend()
)
def prepare_certificate(hostname):
# Mostly from:
# https://www.programcreek.com/python/example/102792/
# cryptography.x509.CertificateBuilder
return CertificateBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, hostname)
])).add_extension(
extension=x509.SubjectAlternativeName([x509.DNSName(hostname)
]),
critical=False).add_extension(
extension=x509.KeyUsage(digital_signature=True,
key_encipherment=True,
content_commitment=True,
data_encipherment=False,
key_agreement=False,
encipher_only=False,
decipher_only=False,
key_cert_sign=False,
crl_sign=False),
critical=True).add_extension(
extension=x509.BasicConstraints(ca=False,
path_length=None),
critical=True).serial_number(
uuid4().int).not_valid_before(
datetime.utcnow()).not_valid_after(
datetime.utcnow() +
timedelta(days=365 * 10))
def mkcert():
"""
Make a self-signed X.509 certificate.
Make a self-signed X.509 certificate for signing new blocks.
Returns
-------
cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey
The private key of the certificate
cryptography.x509.Certificate
The X.509 certificate
string
Fingerprint of the certificate in hex
"""
private_key = rsa.generate_private_key(public_exponent=65537, key_size = KEYSIZE,backend = default_backend())
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, NODE_NAME),]))
builder = builder.issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, NODE_NAME),]))
builder = builder.not_valid_before(datetime.datetime.today())
builder = builder.not_valid_after(datetime.datetime(MAX_YEAR, 1, 1))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(NODE_NAME)]), critical = False)
builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical = True)
builder = builder.add_extension(x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment = False, data_encipherment = False, key_agreement = False, key_cert_sign = False, crl_sign = False, encipher_only=False, decipher_only = False), critical = True)
certificate = builder.sign(private_key = private_key, algorithm = hashes.SHA256(), backend = default_backend())
return private_key, certificate
def _build_extensions_as(subject_key: ec.EllipticCurvePrivateKey,
issuer_key: ec.EllipticCurvePrivateKey) -> Extensions:
"""
Returns a list of Extension with the extension and its criticality
"""
return [
Extension(x509.KeyUsage(digital_signature=True,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=True),
Extension(x509.SubjectKeyIdentifier.from_public_key(
subject_key.public_key()),
critical=False),
Extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
issuer_key.public_key()),
critical=False),
Extension(x509.ExtendedKeyUsage([
x509.ExtendedKeyUsageOID.SERVER_AUTH,
x509.ExtendedKeyUsageOID.CLIENT_AUTH,
x509.ExtendedKeyUsageOID.TIME_STAMPING
]),
critical=False)
]
def _build_extensions_ca(subject_key: ec.EllipticCurvePrivateKey,
issuer_key: ec.EllipticCurvePrivateKey) -> Extensions:
"""
Returns a list of Extension with the extension and its criticality
"""
return [
Extension(x509.BasicConstraints(ca=True, path_length=0),
critical=True),
Extension(x509.KeyUsage(digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False),
critical=True),
Extension(x509.SubjectKeyIdentifier.from_public_key(
subject_key.public_key()),
critical=False),
Extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
issuer_key.public_key()),
critical=False)
]
def generate_ca_cert(self, cn, ou, o, expire_period=None, password=None):
"""CA 인증서 생성
Peer 인증서 발급 전용 인증서(ECC Key)
:param cn: 주체 CommonName
:param ou: 주체 OrganizationalUnitName
:param o: 주체 OrganizationName
:param expire_period: 인증서 유효기간(year)
:param password: 개인키 암호화 비밀번호(8자리 이상)
"""
sign_pri_key = ec.generate_private_key(ec.SECP256K1(),
default_backend())
sign_pub_key = sign_pri_key.public_key()
subject_name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, cn),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, o),
x509.NameAttribute(NameOID.COUNTRY_NAME, "kr")
])
serial_number = self.__LAST_CA_INDEX + 1
key_usage = x509.KeyUsage(digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
decipher_only=False)
if expire_period is None:
expire_period = self.__ca_expired
new_cert = self.__generate_cert(pub_key=sign_pub_key,
subject_name=subject_name,
issuer_name=subject_name,
serial_number=serial_number,
expire_period=expire_period,
key_usage=key_usage,
issuer_priv=sign_pri_key)
cert_pem = new_cert.public_bytes(encoding=serialization.Encoding.PEM)
if password is None:
pri_pem = sign_pri_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption())
else:
pri_pem = sign_pri_key.private_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.BestAvailableEncryption(
password=password))
self.__save(self.__CA_PATH, cert_pem, pri_pem)
self.__LAST_CA_INDEX += 1
self.__show_certificate(new_cert)
def make(pkey_pem, emails, usage):
private_key = serialization.load_pem_private_key(pkey_pem, password=None)
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, emails[0]),
x509.NameAttribute(NameOID.EMAIL_ADDRESS, emails[0]),
])).add_extension(
x509.SubjectAlternativeName([x509.RFC822Name(e) for e in emails] +
[x509.DNSName(e) for e in emails]),
critical=False,
)
if (usage):
data_encipherment, key_cert_sign, crl_sign, encipher_only, decipher_only = (
False, ) * 5
digital_signature = 'digitalSignature' in usage
content_commitment = 'contentCommitment' in usage
key_encipherment = 'keyEncipherment' in usage
key_agreement = 'keyAgreement' in usage
csr = csr.add_extension(
x509.KeyUsage(
digital_signature=digital_signature,
content_commitment=content_commitment,
key_encipherment=key_encipherment,
data_encipherment=data_encipherment,
key_agreement=key_agreement,
key_cert_sign=key_cert_sign,
crl_sign=crl_sign,
encipher_only=encipher_only,
decipher_only=decipher_only,
),
critical=True,
)
csr_pem = csr.sign(private_key, hashes.SHA256()).public_bytes(
serialization.Encoding.PEM)
return csr_pem
def _make_cert(subject_name, subject_key, issuer_name, issuer_key,
extended_key_usage_oid):
return x509.CertificateBuilder().subject_name(
_make_name(subject_name)).issuer_name(issuer_name).public_key(
subject_key.public_key()).serial_number(x509.random_serial_number(
)).not_valid_before(datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(
days=settings.VPN_KEYGEN_CONFIG.KEY_EXPIRE)).add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(subject_name)]),
critical=False,
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(
issuer_key.public_key()),
critical=False,
).add_extension(
x509.SubjectKeyIdentifier.from_public_key(
subject_key.public_key()),
critical=False,
).add_extension(
# digital_signature
x509.KeyUsage(True, False, False, False, False, False,
False, False, False),
critical=True,
).add_extension(
x509.ExtendedKeyUsage([extended_key_usage_oid]),
critical=True,
).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
).sign(issuer_key, hashes.SHA256(), default_backend())
def csr(pk):
private_key = load_pem_private_key(pk,
password=None,
backend=default_backend())
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'PELO_MENOS_ISTO'),
]))
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
)
ext = x509.KeyUsage(digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False)
# ku_args['digital_signature'] = True
# ku_args['key_encipherment'] = True
# ext = make_key_usage(**ku_args)
builder = builder.add_extension(ext, critical=True)
request = builder.sign(private_key, hashes.SHA256(), default_backend())
if (isinstance(request, x509.CertificateSigningRequest)):
return request
def _create_ocsp_certificate(self, cert: CertificateType, private_key: Key,
issuer_key: Key) -> x509.Certificate:
Certificate._check_issuer_provided(cert)
Certificate._check_policies(cert)
self._builder = x509.CertificateBuilder()
self._set_basic(cert, private_key, issuer_key)
self._builder = self._builder.add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False,
),
critical=True,
)
self._builder = self._builder.add_extension(
x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]),
critical=True,
)
return self._sign_certificate(issuer_key)
def sign_csr(ca_cert, ca_key, csr):
if not csr.is_signature_valid:
raise ValueError("CSR has an invalid signature, not signing!")
if len(csr.extensions) > 0:
raise ValueError("CSR has extensions, we forbid this for simplicity")
cb = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(
ca_cert.subject).not_valid_before(datetime.datetime.today() -
datetime.timedelta(days=1)).
not_valid_after(datetime.datetime.today() +
datetime.timedelta(days=365)).serial_number(
x509.random_serial_number()).public_key(
csr.public_key()).add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False,
),
critical=True,
).add_extension(
x509.ExtendedKeyUsage(
[ExtendedKeyUsageOID.CLIENT_AUTH]),
critical=True,
))
# for extension in csr.extensions:
# cb = cb.add_extension(extension.value, critical=extension.critical)
certificate = cb.sign(private_key=ca_key,
algorithm=hashes.SHA256(),
backend=default_backend())
return certificate
def create_certificate_authority(common_name='xun-private-ca'):
ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
xun_name = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
now = datetime.utcnow()
ca_cert = (x509.CertificateBuilder().subject_name(xun_name).issuer_name(
xun_name).public_key(ca_key.public_key()).serial_number(
x509.random_serial_number()).add_extension(
x509.SubjectAlternativeName([x509.DNSName(common_name)]),
critical=False).add_extension(
x509.BasicConstraints(ca=True, path_length=0),
critical=True).add_extension(
x509.KeyUsage(digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False),
critical=True).not_valid_before(now).not_valid_after(
now + timedelta(days=60)).sign(
ca_key, hashes.SHA256()))
return Identity(key=ca_key, cert=ca_cert)
def create_cert_builder(key, subject, issuer, serial_number, is_cacert = False):
now = datetime.utcnow()
return (
x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(issuer)
.public_key(key.public_key())
.serial_number(serial_number)
.not_valid_before(now)
.not_valid_after(now + timedelta(days=365))
.add_extension(
x509.BasicConstraints(is_cacert, None),
critical=True)
.add_extension(
x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
critical=False)
.add_extension(
x509.KeyUsage(
digital_signature=not is_cacert,
content_commitment=not is_cacert,
key_encipherment=not is_cacert,
data_encipherment=not is_cacert,
key_agreement=not is_cacert,
key_cert_sign=is_cacert,
crl_sign=is_cacert,
encipher_only=False,
decipher_only=False),
critical=True)
)
def signer_csr(self, nom_fichier_csr, nom_signataire):
with open('%s.key.pem' % nom_signataire, 'rb') as fichier:
private_bytes = fichier.read()
signing_key = serialization.load_pem_private_key(
private_bytes, password=None, backend=default_backend())
with open('%s.cert.pem' % nom_signataire, 'rb') as fichier:
public_bytes = fichier.read()
signing_cert = x509.load_pem_x509_certificate(
public_bytes, backend=default_backend())
with open('%s.csr.pem' % nom_fichier_csr, 'rb') as fichier:
public_bytes = fichier.read()
fichier_csr = x509.load_pem_x509_csr(public_bytes,
backend=default_backend())
one_day = datetime.timedelta(1, 0, 0)
builder = x509.CertificateBuilder()
builder = builder.subject_name(fichier_csr.subject)
builder = builder.issuer_name(signing_cert.subject)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() +
self.__duree_cert_noeud)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(fichier_csr.public_key())
builder = builder.add_extension(x509.SubjectAlternativeName(
[x509.DNSName(u'mon_serveur.ca')]),
critical=False)
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
)
builder = builder.add_extension(
x509.SubjectKeyIdentifier.from_public_key(
fichier_csr.public_key()),
critical=False)
ski = signing_cert.extensions.get_extension_for_oid(
x509.oid.ExtensionOID.SUBJECT_KEY_IDENTIFIER)
builder = builder.add_extension(x509.AuthorityKeyIdentifier(
ski.value.digest, None, None),
critical=False)
builder = builder.add_extension(x509.KeyUsage(digital_signature=True,
content_commitment=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=False)
certificate = builder.sign(private_key=signing_key,
algorithm=hashes.SHA512(),
backend=default_backend())
with open('%s.cert.pem' % nom_fichier_csr, 'wb') as fichier:
fichier.write(certificate.public_bytes(serialization.Encoding.PEM))
def profile_ca(builder, ca_nick, ca):
now = datetime.datetime.utcnow()
builder = builder.not_valid_before(now)
builder = builder.not_valid_after(now + 10 * YEAR)
crl_uri = 'file://{}.crl'.format(os.path.join(DIR, ca_nick))
builder = builder.add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=True,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False,
),
critical=True,
)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True,
)
builder = builder.add_extension(
x509.CRLDistributionPoints([
x509.DistributionPoint(
full_name=[x509.UniformResourceIdentifier(crl_uri)],
relative_name=None,
crl_issuer=None,
reasons=None,
),
]),
critical=False,
)
public_key = builder._public_key
builder = builder.add_extension(
x509.SubjectKeyIdentifier.from_public_key(public_key),
critical=False,
)
if not ca:
builder = builder.add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(public_key),
critical=False,
)
# here we get "ca" object only for "ca1/subca"
else:
ski = ca.cert.extensions.get_extension_for_class(
x509.SubjectKeyIdentifier)
builder = builder.add_extension(
x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
ski),
critical=False,
)
return builder
def certify_p10(request):
# Load CA certificate and private key
key = load_pem_private_key(ca_private.encode('ascii'), ca_password.encode('ascii'), default_backend())
cacert = x509.load_pem_x509_certificate(ca_cert.encode('ascii'), default_backend())
# Load Request
x509req = x509.load_pem_x509_csr(request, default_backend())
# Create certificate for it
sernum = x509.random_serial_number()
cert = x509.CertificateBuilder()\
.issuer_name(cacert.subject)\
.subject_name(x509req.subject)\
.public_key(x509req.public_key())\
.serial_number(sernum)\
.not_valid_before(datetime.now())\
.not_valid_after(datetime.now() + timedelta(days=366))\
.add_extension(x509.KeyUsage(digital_signature=True
, content_commitment=True
, key_encipherment=False
, data_encipherment=False
, key_agreement=False
, key_cert_sign=False
, crl_sign=False
, encipher_only=False
, decipher_only = False), critical=True)\
.sign(key, hashes.SHA256(), default_backend())
pemCert = cert.public_bytes(serialization.Encoding.PEM).decode('ascii')
return pemCert
def _create_self_signed_certificate(self, private_key, common_name):
issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
])
cert_builder = x509.CertificateBuilder(
issuer_name=issuer,
subject_name=issuer,
public_key=private_key.public_key(),
serial_number=x509.random_serial_number(),
not_valid_before=datetime.utcnow(),
not_valid_after=datetime.utcnow() +
timedelta(days=10)).add_extension(
x509.BasicConstraints(ca=True, path_length=1),
critical=True).add_extension(x509.KeyUsage(
digital_signature=True,
content_commitment=True,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=False)
cert = cert_builder.sign(private_key, hashes.SHA256(),
default_backend())
return cert
def sign_csr(csr, ca_crt, ca_pkey):
crt = x509.CertificateBuilder().subject_name(csr.subject).issuer_name(
ca_crt.subject).public_key(csr.public_key()).serial_number(
uuid.uuid4().int).not_valid_before(
datetime.utcnow()).not_valid_after(
datetime.utcnow() +
timedelta(days=365 * 10)).add_extension(
extension=x509.KeyUsage(digital_signature=True,
key_encipherment=True,
content_commitment=True,
data_encipherment=True,
key_agreement=False,
encipher_only=False,
decipher_only=False,
key_cert_sign=False,
crl_sign=False),
critical=True).add_extension(
extension=x509.BasicConstraints(ca=False,
path_length=None),
critical=True).add_extension(
extension=x509.AuthorityKeyIdentifier.
from_issuer_public_key(ca_pkey.public_key()),
critical=False).sign(private_key=ca_pkey,
algorithm=hashes.SHA256(),
backend=default_backend())
fingerprint = binascii.hexlify(crt.fingerprint(hashes.SHA1())).decode()
return fingerprint, crt.public_bytes(
encoding=serialization.Encoding.PEM).decode('ascii')
def generate_selfsigned_cert(cert_file: str, key_file: str,
config: Config) -> None:
"""Generate self signed certificate compatible with Philips HUE."""
dec_serial = int(config.bridge_id, 16)
root_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"NL"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Philips Hue"),
x509.NameAttribute(NameOID.COMMON_NAME, config.bridge_id),
])
root_cert = (x509.CertificateBuilder(
).subject_name(subject).issuer_name(issuer).public_key(
root_key.public_key()).serial_number(dec_serial).not_valid_before(
datetime.utcnow()).not_valid_after(datetime.utcnow() + timedelta(
days=3650)).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True).add_extension(
x509.SubjectKeyIdentifier(b"hash").from_public_key(
root_key.public_key()),
critical=False,
).add_extension(
x509.AuthorityKeyIdentifier(
key_identifier=b"keyid,issuer",
authority_cert_issuer=None,
authority_cert_serial_number=None,
).from_issuer_public_key(root_key.public_key()),
critical=False,
).add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False,
),
critical=True,
).add_extension(
x509.ExtendedKeyUsage([x509.OID_SERVER_AUTH]),
critical=False).sign(root_key, hashes.SHA256(),
default_backend()))
cert_pem = root_cert.public_bytes(encoding=serialization.Encoding.PEM)
key_pem = root_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
with open(cert_file, "w") as fileobj:
fileobj.write(cert_pem.decode("utf-8"))
with open(key_file, "w") as fileobj:
fileobj.write(key_pem.decode("utf-8"))
LOGGER.debug("Certificate generated")
def sign_csr(self, ipa_csr):
"""Sign certificate CSR.
:param ipa_csr: CSR in PEM format.
:type ipa_csr: bytes.
:returns: bytes -- Signed CA in PEM format.
"""
csr_tbs = x509.load_pem_x509_csr(ipa_csr, default_backend())
csr_public_key = csr_tbs.public_key()
csr_subject = csr_tbs.subject
builder = x509.CertificateBuilder()
builder = builder.public_key(csr_public_key)
builder = builder.subject_name(csr_subject)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.issuer_name(self.issuer)
builder = builder.not_valid_before(datetime.datetime.utcnow())
builder = builder.not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=365))
builder = builder.add_extension(
x509.KeyUsage(
digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False,
),
critical=True,
)
builder = builder.add_extension(
x509.SubjectKeyIdentifier.from_public_key(csr_public_key),
critical=False,
)
builder = builder.add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(
self.ca_public_key
),
critical=False,
)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=1),
critical=True,
)
cert = builder.sign(
private_key=self.ca_key,
algorithm=hashes.SHA256(),
backend=default_backend(),
)
return cert.public_bytes(serialization.Encoding.PEM)
def cert_key_usage(**kwargs):
"""
Helper to create x509.KeyUsage object. Function provide defaults (False)
for unspecified KeyUsage arguments.
Args:
x509.KeyUsage keys. If not provided False is used for each arg.
Return:
x509.KeyUsage
"""
required = [
'digital_signature',
'content_commitment',
'key_encipherment',
'data_encipherment',
'key_agreement',
'key_cert_sign',
'crl_sign',
'encipher_only',
'decipher_only',
]
for name in required:
kwargs.setdefault(name, False)
return x509.KeyUsage(**kwargs)
def _generate_csr(cls, cn, private_key, passphrase=None):
pk = serialization.load_pem_private_key(
data=private_key,
password=passphrase,
backend=backends.default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn),
]))
csr = csr.add_extension(x509.BasicConstraints(ca=False,
path_length=None),
critical=True)
csr = csr.add_extension(x509.KeyUsage(digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=True)
csr = csr.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)
]),
critical=False)
signed_csr = csr.sign(
pk,
getattr(hashes, CONF.certificates.signing_digest.upper())(),
backends.default_backend())
return signed_csr.public_bytes(serialization.Encoding.PEM)
def bootstrap_ca(
days_valid: int = 3650,
common_name: str = "Resoto Root CA",
organization_name: str = "Some Engineering Inc.",
path_length: int = 2,
) -> Tuple[RSAPrivateKey, Certificate]:
ca_key = gen_rsa_key()
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name),
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
])
ca_cert = (
x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(ca_key.public_key()).serial_number(
x509.random_serial_number()).
not_valid_before(datetime.now(tz=timezone.utc)).not_valid_after(
datetime.now(tz=timezone.utc) +
timedelta(days=days_valid)).add_extension(
x509.BasicConstraints(ca=True, path_length=path_length),
critical=True).add_extension(
x509.KeyUsage(
digital_signature=False,
key_encipherment=False,
key_cert_sign=
True, # CA Cert is only allowed to sign other certs
key_agreement=False,
content_commitment=False,
data_encipherment=False,
crl_sign=True, # and cert revocation lists
encipher_only=False,
decipher_only=False,
),
critical=True, # KeyUsage extension is critical to support
).sign(ca_key, hashes.SHA256(), default_backend()))
return ca_key, ca_cert
def create_root_ca_cert(path, key, name):
print("... Creating Root CA Certificate")
subject = issuer = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, name),
])
cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=3650)).add_extension(
x509.BasicConstraints(ca=True, path_length=0),
critical=True).add_extension(
x509.KeyUsage(digital_signature=True,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=True).add_extension(
x509.ExtendedKeyUsage([
x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH
]),
critical=True).sign(key, hashes.SHA256(),
default_backend()))
with open(path, "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
return cert
