def create_csr(self, fully_qualified_identity, remote_instance_name):
"""
Create a csr with name as the common name.
The key that is used to sign the csr is <instance_name>.name.
:param fully_qualified_identity:
:param target_volttron:
:return:
"""
assert fully_qualified_identity
remote_rmq_user = "******".format(remote_instance_name, fully_qualified_identity)
xname = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, six.u(remote_rmq_user)),
])
key = _load_key(self.private_key_file(fully_qualified_identity))
csr = x509.CertificateSigningRequestBuilder().subject_name(
xname).sign(key, hashes.SHA256(), default_backend())
# with open(self.csr_create_file(name, target_volttron), "wb") as fw:
# fw.write(csr.public_bytes(serialization.Encoding.PEM))
return csr.public_bytes(serialization.Encoding.PEM)
def generate_ec_certificate(common_name,
curve=ec.SECP256R1,
alternative_names=[]):
key = ec.generate_private_key(backend=default_backend(), curve=curve)
subject = issuer = x509.Name(
[x509.NameAttribute(x509.NameOID.COMMON_NAME, common_name)])
builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=10)))
if alternative_names:
builder = builder.add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(name) for name in alternative_names]),
critical=False,
)
cert = builder.sign(key, hashes.SHA256(), default_backend())
return cert, key
def create(cls, common_name: str = 'COMMANDMENT-CA', key_size=2048):
ca = cls()
ca.common_name = common_name
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment')
])
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
backend=default_backend(),
)
ca.rsa_private_key = RSAPrivateKey.from_crypto(private_key)
db.session.add(ca.rsa_private_key)
certificate = x509.CertificateBuilder().subject_name(
name
).issuer_name(
name
).public_key(
private_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=365)
).add_extension(
x509.BasicConstraints(ca=True, path_length=None), True
).sign(private_key, hashes.SHA256(), default_backend())
ca_certificate_model = CACertificate.from_crypto(certificate)
ca_certificate_model.rsa_private_key = ca.rsa_private_key
ca.certificate = ca_certificate_model
db.session.add(ca)
db.session.commit()
return ca
def generate_p12(common_name, organization_name, country, password):
# Load CA certificate and private key
cakey = load_pem_private_key(ca_private.encode('ascii'), ca_password.encode('ascii'), default_backend())
cacert = x509.load_pem_x509_certificate(ca_cert.encode('ascii'), default_backend())
subject = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name),
x509.NameAttribute(NameOID.COUNTRY_NAME, country),])
sernum = x509.random_serial_number()
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
cert = x509.CertificateBuilder().subject_name(subject) \
.issuer_name(cacert.subject) \
.serial_number(sernum) \
.public_key(key.public_key()) \
.not_valid_before(datetime.now())\
.not_valid_after(datetime.now() + timedelta(days=366))\
.add_extension(x509.KeyUsage(digital_signature=False
, content_commitment=False
, key_encipherment=True
, data_encipherment=True
, key_agreement=False
, key_cert_sign=False
, crl_sign=False
, encipher_only=False
, decipher_only = False), critical=True)\
.sign(cakey, hashes.SHA256(), default_backend())
cas = [cacert]
p12 = pkcs12.serialize_key_and_certificates(common_name.encode('utf-8'),
key,
cert,
cas,
serialization.BestAvailableEncryption(password.encode('ascii')))
return p12
def generate_builder(
options: dict
) -> typing.Union[x509.CertificateBuilder,
x509.CertificateSigningRequestBuilder]:
# We expect backend_mapping keys for crypto_subject_name attr in options and for crypto_issuer_name as well
data = {}
for key in ('crypto_subject_name', 'crypto_issuer_name'):
data[key] = x509.Name([
x509.NameAttribute(getattr(NameOID, k.upper()), v)
for k, v in (options.get(key) or {}).items() if v
])
if not data['crypto_issuer_name']:
data['crypto_issuer_name'] = data['crypto_subject_name']
# Lifetime represents no of days
# Let's normalize lifetime value
not_valid_before = datetime.datetime.utcnow()
not_valid_after = datetime.datetime.utcnow() + datetime.timedelta(
days=options.get('lifetime') or DEFAULT_LIFETIME_DAYS)
# Let's normalize `san`
san = x509.SubjectAlternativeName([
x509.IPAddress(ipaddress.ip_address(v))
if t == 'IP' else x509.DNSName(v) for t, v in options.get('san') or []
])
builder = x509.CertificateSigningRequestBuilder if options.get(
'csr') else x509.CertificateBuilder
cert = builder(subject_name=data['crypto_subject_name'])
if not options.get('csr'):
cert = cert.issuer_name(data['crypto_issuer_name']).not_valid_before(
not_valid_before).not_valid_after(not_valid_after).serial_number(
options.get('serial') or random.randint(1000, pow(2, 30)))
if san:
cert = cert.add_extension(san, False)
return cert
def generate_admin_crt(config, host):
private_key = generate_key()
public_key = private_key.public_key()
one_day = datetime.timedelta(1, 0, 0)
ca_cert = config.get("CA_CERT", None)
ca_key = config.get("CA_KEY", None)
cert_expiration = config.get("CERT_ADMIN_EXPIRE", 1825)
if not ca_cert or not ca_key:
raise Exception('CA_CERT or CA_KEY not defined')
ca_key = serialization.load_pem_private_key(str(ca_key), password=None, backend=default_backend())
ca_cert = x509.load_pem_x509_certificate(str(ca_cert), backend=default_backend())
builder = x509.CertificateBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, host),
]))
builder = builder.issuer_name(ca_cert.subject)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + datetime.timedelta(days=cert_expiration))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.SubjectAlternativeName(
[x509.IPAddress(ipaddress.IPv4Address(host))]
),
critical=False
)
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
)
certificate = builder.sign(
private_key=ca_key, algorithm=hashes.SHA256(),
backend=default_backend()
)
private_key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
certificate = certificate.public_bytes(serialization.Encoding.PEM)
return private_key, certificate
def test_freshestcrl_extension(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
freshest = x509.FreshestCRL(
[
x509.DistributionPoint(
[x509.UniformResourceIdentifier("http://d.om/delta")],
None,
None,
None,
)
]
)
builder = (
x509.CertificateRevocationListBuilder()
.issuer_name(
x509.Name(
[
x509.NameAttribute(
NameOID.COMMON_NAME, "cryptography.io CA"
)
]
)
)
.last_update(last_update)
.next_update(next_update)
.add_extension(freshest, False)
)
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert len(crl) == 0
assert len(crl.extensions) == 1
ext1 = crl.extensions.get_extension_for_class(x509.FreshestCRL)
assert ext1.critical is False
assert isinstance(ext1.value[0], x509.DistributionPoint)
assert ext1.value[0].full_name is not None
uri = ext1.value[0].full_name[0]
assert isinstance(uri, x509.UniformResourceIdentifier)
assert uri.value == "http://d.om/delta"
def generate_self_signed_cert(path: str,
key_name: str = "key.pem",
cert_name: str = "cert.pem"):
if not os.path.isdir(path):
raise ValueError("'path' should be an existing directory")
key = rsa.generate_private_key(
public_exponent=65537,
key_size=4096,
backend=backend,
)
with open(os.path.join(path, key_name), "wb") as file:
file.write(
key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Santa Clara"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Couchbase"),
x509.NameAttribute(NameOID.COMMON_NAME, u"couchbase.com"),
])
cert = x509.CertificateBuilder() \
.subject_name(subject) \
.issuer_name(issuer) \
.public_key(key.public_key()) \
.serial_number(x509.random_serial_number()) \
.not_valid_before(datetime.datetime.utcnow()) \
.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365)) \
.add_extension(x509.SubjectAlternativeName([x509.DNSName(u"localhost")]), critical=False) \
.sign(key, hashes.SHA256(), backend=backend)
with open(os.path.join(path, cert_name), "wb") as file:
file.write(cert.public_bytes(serialization.Encoding.PEM))
def create_device_csr(self, common_name: str) -> (rsa.RSAPrivateKeyWithSerialization, x509.CertificateSigningRequest):
"""
Create a Certificate Signing Request with the specified Common Name.
Args:
common_name (str): The certificate Common Name attribute
Returns:
Tuple[rsa.RSAPrivateKeyWithSerialization, x509.CertificateSigningRequest]
"""
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
private_key_model = RSAPrivateKey.from_crypto(private_key)
db.session.add(private_key_model)
db.session.commit()
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment')
])
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(name)
builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
request = builder.sign(
private_key,
hashes.SHA256(),
default_backend()
)
csr_model = CertificateSigningRequest().from_crypto(request)
db.session.add(csr_model)
db.session.commit()
return private_key, request
def generate_csr_client_cert(hostname, server_ca_cert, server_key, client_key):
"""
Generate client-side certificate with CSR.
"""
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, hostname),
])).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(hostname),
]),
critical=False,
).sign(client_key, hashes.SHA256(), default_backend())
crt = x509.CertificateBuilder().subject_name(csr.subject).issuer_name(
server_ca_cert.subject).public_key(csr.public_key()).serial_number(
uuid.uuid4().int).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=365 * 100)).add_extension(
extension=x509.KeyUsage(digital_signature=True,
key_encipherment=True,
content_commitment=True,
data_encipherment=False,
key_agreement=False,
encipher_only=False,
decipher_only=False,
key_cert_sign=False,
crl_sign=False),
critical=True).add_extension(
extension=x509.BasicConstraints(ca=False,
path_length=None),
critical=True).add_extension(
extension=x509.AuthorityKeyIdentifier.
from_issuer_public_key(
server_key.public_key()),
critical=False).sign(private_key=server_key,
algorithm=hashes.SHA256(),
backend=default_backend())
crt_pem = crt.public_bytes(serialization.Encoding.PEM)
return crt_pem
def generate_public_key(private_key, filename, **kwargs):
subject = x509.Name(
[
x509.NameAttribute(NameOID.COUNTRY_NAME, kwargs["country"]),
x509.NameAttribute(
NameOID.STATE_OR_PROVINCE_NAME, kwargs["state"]
),
x509.NameAttribute(NameOID.LOCALITY_NAME, kwargs["locality"]),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, kwargs["org"]),
x509.NameAttribute(NameOID.COMMON_NAME, kwargs["hostname"]),
]
)
# Because this is self signed, the issuer is always the subject
issuer = subject
# This certificate is valid from now until 30 days
valid_from = datetime.utcnow()
valid_to = valid_from + timedelta(days=30)
# Used to build the certificate
builder = (
x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(issuer)
.public_key(private_key.public_key())
.serial_number(x509.random_serial_number())
.not_valid_before(valid_from)
.not_valid_after(valid_to)
)
# Sign the certificate with the private key
public_key = builder.sign(
private_key, hashes.SHA256(), default_backend()
)
with open(filename, "wb") as certfile:
certfile.write(public_key.public_bytes(serialization.Encoding.PEM))
return public_key
def build_root_certificate(options):
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
subject = issuer = x509.Name([
x509.NameAttribute(x509.OID_COUNTRY_NAME, options['country']),
x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, options['state']),
x509.NameAttribute(x509.OID_LOCALITY_NAME, options['location']),
x509.NameAttribute(x509.OID_ORGANIZATION_NAME, options['organization']),
x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, options['organizational_unit']),
x509.NameAttribute(x509.OID_COMMON_NAME, options['common_name'])
])
builder = x509.CertificateBuilder(
subject_name=subject,
issuer_name=issuer,
public_key=private_key.public_key(),
not_valid_after=options['validity_end'],
not_valid_before=options['validity_start'],
serial_number=options['first_serial']
)
builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(options['common_name'])]), critical=False)
cert = builder.sign(private_key, hashes.SHA256(), default_backend())
cert_pem = cert.public_bytes(
encoding=serialization.Encoding.PEM
).decode('utf-8')
private_key_pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL, # would like to use PKCS8 but AWS ELBs don't like it
encryption_algorithm=serialization.NoEncryption()
)
return cert_pem, private_key_pem
def _generate_self_signed_cert(key_type):
"""Generates a self signed certificate"""
if key_type == 'rsa':
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
elif key_type == 'ecdsa':
key = ec.generate_private_key(
ec.SECP256R1(), default_backend()
)
else:
raise Exception('what')
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"NO"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"State or Province Name"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Locality name"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Organization Name"),
x509.NameAttribute(NameOID.COMMON_NAME, u"commonName"),
])
cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=10)
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"testulf")]),
critical=False,
).sign(key, hashes.SHA256(), default_backend())
return cert, key
def generate_adhoc_ssl_pair(
cn: t.Optional[str] = None,
) -> t.Tuple["Certificate", "RSAPrivateKeyWithSerialization"]:
try:
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
except ImportError:
raise TypeError(
"Using ad-hoc certificates requires the cryptography library."
) from None
backend = default_backend()
pkey = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=backend)
# pretty damn sure that this is not actually accepted by anyone
if cn is None:
cn = "*"
subject = x509.Name([
x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Dummy Certificate"),
x509.NameAttribute(NameOID.COMMON_NAME, cn),
])
backend = default_backend()
cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(
subject).public_key(pkey.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(dt.now(
timezone.utc)).not_valid_after(
dt.now(timezone.utc) + timedelta(days=365)).add_extension(
x509.ExtendedKeyUsage([x509.OID_SERVER_AUTH]),
critical=False).add_extension(
x509.SubjectAlternativeName([x509.DNSName(cn)]),
critical=False).sign(pkey, hashes.SHA256(),
backend))
return cert, pkey
def createCertificate(key):
# create certificate
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Utah"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Salt Lake City"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"My CA"),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=10)).add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(u"localhost")]),
critical=False).sign(key, hashes.SHA256(),
default_backend())
return cert
def create_self_signed_cert():
key = rsa.generate_private_key(public_exponent=65537,
key_size=4096,
backend=default_backend())
# create a self-signed cert
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, 'localhost')])
now = datetime.utcnow()
cert = (x509.CertificateBuilder().subject_name(name).issuer_name(
name).serial_number(1000).not_valid_before(now).not_valid_after(
now + timedelta(days=10 * 365)).public_key(key.public_key()).sign(
key, hashes.SHA256(), default_backend()))
with open(CERT_FILE, "wb") as output_cert:
output_cert.write(
cert.public_bytes(encoding=serialization.Encoding.PEM))
with open(KEY_FILE, "wb") as output_key:
output_key.write(
key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()))
def _create_emergency_ssl_context(self) -> ssl.SSLContext:
"""Create an emergency ssl certificate so we can still startup."""
context = ssl_util.server_context_modern()
host: str
try:
host = cast(str,
URL(get_url(self.hass, prefer_external=True)).host)
except NoURLAvailableError:
host = "homeassistant.local"
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
)
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.ORGANIZATION_NAME,
"Home Assistant Emergency Certificate"),
x509.NameAttribute(NameOID.COMMON_NAME, host),
])
cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=30)).add_extension(
x509.SubjectAlternativeName([x509.DNSName(host)]),
critical=False,
).sign(key, hashes.SHA256()))
with NamedTemporaryFile() as cert_pem, NamedTemporaryFile() as key_pem:
cert_pem.write(cert.public_bytes(serialization.Encoding.PEM))
key_pem.write(
key.private_bytes(
serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
cert_pem.flush()
key_pem.flush()
context.load_cert_chain(cert_pem.name, key_pem.name)
return context
def generate_certificate_signing_request(self,
slot,
public_key,
subject,
touch_callback=None):
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject),
]))
try:
return self.sign_csr_builder(slot,
public_key,
builder,
touch_callback=touch_callback)
except APDUError as e:
logger.error(
'Failed to generate Certificate Signing Request for slot %s',
slot,
exc_info=e)
raise
def process_csr(self,
certificate_request,
key,
not_valid_before=None,
not_valid_after=None):
public_key = certificate_request.public_key()
subject = certificate_request.subject
issuer = x509.Name([
x509.NameAttribute(NameOID.ORGANIZATION_NAME,
PUB_KEY_ORGANIZATION),
x509.NameAttribute(NameOID.USER_ID, self.get_signer_pubkey())
])
not_valid_before = not_valid_before if not_valid_before else datetime.datetime.utcnow(
)
not_valid_after = not_valid_after if not_valid_after else not_valid_before + PUB_KEY_MAX_VALIDITY
return x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(public_key).serial_number(
x509.random_serial_number()).not_valid_before(
not_valid_before).not_valid_after(not_valid_after).sign(
key, hashes.SHA256(), default_backend())
def generate_csr(CN: str, private_key: rsa.RSAPrivateKey, path: Path,
names: typing.List[str]):
"""Generates a certificate signing request.
:param CN: The requested common name.
:param private_key: The private key to sign the CSR with.
:param path: The path to write the PEM-serialized CSR to.
:param names: The requested names in the CSR.
:return: The generated CSR.
"""
csr = (x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, CN)
])).add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(name) for name in names]),
critical=False,
).sign(private_key, hashes.SHA256()))
with open(path, "wb") as pem_out:
pem_out.write(csr.public_bytes(serialization.Encoding.PEM))
return csr
def generate_ad_hoc_certificate(hostname: str) -> typing.Tuple[str, str]:
"""
Utility function to generate an ad-hoc self-signed SSL certificate.
"""
certfile = os.path.join(tempfile.gettempdir(), f"{hostname}.crt")
keyfile = os.path.join(tempfile.gettempdir(), f"{hostname}.key")
if not os.path.exists(certfile) or not os.path.exists(keyfile):
backend = default_backend()
private_key = rsa.generate_private_key(65537, 2048, backend)
with open(keyfile, "wb") as fp:
# noinspection PyTypeChecker
key_data = private_key.private_bytes(
serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
fp.write(key_data)
common_name = x509.NameAttribute(COMMON_NAME, hostname)
subject_name = x509.Name([common_name])
not_valid_before = datetime.datetime.utcnow()
not_valid_after = not_valid_before + datetime.timedelta(days=365)
cert_builder = x509.CertificateBuilder(
subject_name=subject_name,
issuer_name=subject_name,
public_key=private_key.public_key(),
serial_number=x509.random_serial_number(),
not_valid_before=not_valid_before,
not_valid_after=not_valid_after,
)
certificate = cert_builder.sign(private_key, hashes.SHA256(), backend)
with open(certfile, "wb") as fp:
# noinspection PyTypeChecker
cert_data = certificate.public_bytes(serialization.Encoding.PEM)
fp.write(cert_data)
return certfile, keyfile
def csRequest(self):
# Generate a CSR
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
])).add_extension(
x509.SubjectAlternativeName([
# Describe what sites we want this certificate for.
x509.DNSName(u"mysite.com"),
]),
critical=False,
# Sign the CSR with our private key.
).sign(self.key, hashes.SHA256())
# Write our CSR out to disk.
with open(self.path, "wb") as f: # path = path/to/store/csr.pem
f.write(csr.public_bytes(serialization.Encoding.PEM))
def _generate_csr(cls, cn, private_key, passphrase=None):
pk = serialization.load_pem_private_key(
data=private_key, password=passphrase,
backend=backends.default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn),
])
)
csr = csr.add_extension(
x509.BasicConstraints(
ca=False,
path_length=None
),
critical=True
)
csr = csr.add_extension(
x509.KeyUsage(
digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False
),
critical=True
)
csr = csr.add_extension(
x509.SubjectAlternativeName([x509.DNSName(cn)]),
critical=False
)
signed_csr = csr.sign(
pk,
getattr(hashes, CONF.certificates.signing_digest.upper())(),
backends.default_backend())
return signed_csr.public_bytes(serialization.Encoding.PEM)
def create_self_signed_cert(common_name, days=30):
password_file = "self_key.pem"
private_key = create_private_key(key_file=password_file, key_size=4096)
file_certificate = "self_cert.pem"
public_key = private_key.public_key()
subject = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, str.encode(common_name).decode("utf-8"))]
)
builder = create_cert_builder(
subject=subject, issuer_name=subject, public_key=public_key, days=days, is_ca=False
)
self_cert = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()
)
with open(file_certificate, "wb") as f:
f.write(self_cert.public_bytes(serialization.Encoding.PEM))
return self_cert
def generate_certificate(self):
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
with open("domain_srv.key", "wb") as f:
f.write(
key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"locality"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"A place"),
x509.NameAttribute(NameOID.COMMON_NAME, self.hostname),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=365)).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(u"localhost"),
x509.DNSName(self.hostname),
x509.DNSName(u"127.0.0.1")
]),
critical=False,
).sign(key, hashes.SHA256(), default_backend())
with open("domain_srv.crt", "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
def generate_key_and_cert():
signing_key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"example.com"),
])
signing_cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(signing_key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.utcnow()).not_valid_after(
# Our certificate will be valid for 10 days
datetime.utcnow() + timedelta(days=10)
# Sign our certificate with our private key
).sign(signing_key, hashes.SHA256(),
crypto_default_backend()).public_bytes(
crypto_serialization.Encoding.DER)
return signing_key, signing_cert
def test_sign_extensions(self, backend, extension):
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
builder = x509.CertificateRevocationListBuilder().issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
])
).last_update(
last_update
).next_update(
next_update
).add_extension(
extension, False
)
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert len(crl) == 0
assert len(crl.extensions) == 1
ext = crl.extensions.get_extension_for_class(type(extension))
assert ext.critical is False
assert ext.value == extension
def _generate_csr_and_key(self):
"""Return a dict with a new csr and key."""
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=backends.default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(oid.NameOID.COMMON_NAME, u"Magnum User"),
])).sign(key, hashes.SHA256(), backends.default_backend())
result = {
"csr":
csr.public_bytes(encoding=serialization.Encoding.PEM),
"key":
key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()),
}
return result
def generate_csr(cn, is_hostname=True):
"""
Generate certificate signing request
:param cn: common name (str|unicode)
:param is_hostname: is the common name a hostname (default: True)
"""
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
if isinstance(cn, bytes):
cn = cn.decode()
csr = x509.CertificateSigningRequestBuilder()
csr = csr.subject_name(
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
if is_hostname:
csr = csr.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)
]),
critical=False)
csr = csr.sign(key, hashes.SHA256(), default_backend())
return csr.public_bytes(serialization.Encoding.PEM).decode()
def generate_server_cert_and_key(ca_cert, ca_key, server_uuid):
"""Creates a server cert and key for testing.
:param ca_cert: A cryptography CA certificate (x509) object.
:param ca_key: A cryptography CA key (x509) object.
:param server_uuid: A UUID identifying the server.
:returns: The cryptography server cert and key objects.
"""
server_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Denial"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Corvallis"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"OpenStack"),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"Octavia"),
x509.NameAttribute(NameOID.COMMON_NAME,
u"{}.example.com".format(server_uuid)),
])
server_cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
ca_cert.subject).public_key(server_key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=10)).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(u"{}.example.com".format(server_uuid))
]),
critical=False,
).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
).sign(ca_key, hashes.SHA256(), default_backend())
return server_cert, server_key
