def _create_x509_certificate(
key_der, subject_name
): #type(Union[EllipticCurvePrivateKey,RSAPrivateKey], str) -> Certificate
signing_key = serialization.load_der_private_key(
key_der, password=None, backend=default_backend())
builder = CertificateBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
builder = builder.issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
one_day = datetime.timedelta(1, 0, 0)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() +
(one_day * 30))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(signing_key.public_key())
builder = builder.add_extension(SubjectAlternativeName(
[x509.DNSName(subject_name)]),
critical=False)
builder = builder.add_extension(BasicConstraints(ca=False,
path_length=None),
critical=True)
return builder.sign(private_key=signing_key,
algorithm=hashes.SHA256(),
backend=default_backend()).public_bytes(
serialization.Encoding.DER)
def sign_certificate_builder(
session: PivSession,
slot: SLOT,
key_type: KEY_TYPE,
builder: x509.CertificateBuilder,
hash_algorithm: Type[hashes.HashAlgorithm] = hashes.SHA256,
) -> x509.Certificate:
"""Sign a Certificate."""
dummy_key = _dummy_key(key_type)
cert = builder.sign(dummy_key, hash_algorithm(), default_backend())
sig = session.sign(
slot,
key_type,
cert.tbs_certificate_bytes,
hash_algorithm(),
padding.PKCS1v15(), # Only used for RSA
)
seq = Tlv.parse_list(Tlv.unpack(0x30, cert.public_bytes(Encoding.DER)))
# Replace signature, add unused bits = 0
seq[2] = Tlv(seq[2].tag, b"\0" + sig)
# Re-assemble sequence
der = Tlv(0x30, b"".join(seq))
return x509.load_der_x509_certificate(der, default_backend())
def create_x509_certificate(key_pem, subject_name): # type: (str, str) -> str
"""
Given an RSA or ECDS private key, create a self-signed X.509 certificate
with the specified subject name signed with that key.
"""
signing_key = serialization.load_pem_private_key(key_pem.encode("ascii"),
password=None,
backend=default_backend())
builder = CertificateBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
builder = builder.issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
one_day = datetime.timedelta(1, 0, 0)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() +
(one_day * 30))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(signing_key.public_key())
builder = builder.add_extension(SubjectAlternativeName(
[x509.DNSName(subject_name)]),
critical=False)
builder = builder.add_extension(BasicConstraints(ca=False,
path_length=None),
critical=True)
return (builder.sign(
private_key=signing_key,
algorithm=hashes.SHA256(),
backend=default_backend(),
).public_bytes(serialization.Encoding.PEM).decode("ascii"))
def sign_csr(
csr: CertificateSigningRequest, ca_cert: Certificate,
key: EllipticCurvePrivateKey, expiration_date: date,
custom_extensions: Iterable[Union[KeyUsage, UnrecognizedExtension,
BasicConstraints]]
) -> Certificate:
"""
Sign a CSR with CA credentials.
:param csr: the CSR
:param ca_cert: the CA certificate
:param key: the CA private key
:param expiration_date: expiration date
:param custom_extensions: custom extensions to be added to the certificate
:return: a certificate object
"""
issuer = ca_cert.subject
now = datetime.utcnow()
cert_builder = CertificateBuilder().issuer_name(issuer).subject_name(
csr.subject).public_key(csr.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(now).not_valid_after(
datetime.combine(expiration_date, time(), None)).add_extension(
extension=AuthorityKeyIdentifier.from_issuer_public_key(
ca_cert.public_key()),
critical=False)
try:
cert_builder = cert_builder.add_extension(
csr.extensions.get_extension_for_class(
SubjectAlternativeName).value,
critical=False)
except ExtensionNotFound:
pass
for extension in custom_extensions:
if isinstance(extension, UnrecognizedExtension):
critical = False
else:
critical = True
# pyre-fixme[6]: Expected `ExtensionType` for 1st param but got
# `Union[BasicConstraints, KeyUsage, UnrecognizedExtension]`.
cert_builder = cert_builder.add_extension(extension, critical=critical)
return cert_builder.sign(key, SHA256(), backends.default_backend())