def save_p12(cert, private, file_name, passphrase=None):
host_folder = os.getenv(HOST_FOLDER_EXPORTS_PATH_ENV_KEY)
if file_name and host_folder:
openssl_cert = X509.from_cryptography(cert)
openssl_priv_key = PKey.from_cryptography_key(private)
p12 = PKCS12()
p12.set_privatekey(openssl_priv_key)
p12.set_certificate(openssl_cert)
p12bin = p12.export(passphrase)
file_path = PATH_TO_EXPORTS_FOLDER + '/{}.p12'.format(file_name)
if os.path.isfile(file_path):
raise ValueError
with open(file_path, 'wb') as f:
f.write(p12bin)
return host_folder + '/{}.p12'.format(file_name)
def _new_ssl_context(cls, cert, chain, key):
ctx = PyOpenSSLContext(ssl.PROTOCOL_TLS)
ctx._ctx.use_certificate(X509.from_cryptography(cert))
for ca_cert in chain:
ctx._ctx.add_extra_chain_cert(X509.from_cryptography(ca_cert))
def remove_underscore(val: str) -> str:
return val[len('_'):] if val.startswith('_') else val
try:
ctx._ctx.use_privatekey(PKey.from_cryptography_key(key))
except OpenSSLError as error:
raise X509AdapterError(str(error)) from error
except TypeError as error:
raise X509AdapterError(
f"unsupported key type, expected RSAPrivateKey/DSAPrivateKey got"
f" {remove_underscore(type(key).__name__)}") from error
return ctx
def create_ssl_context(cert_byes,
pk_bytes,
password=None,
encoding=Encoding.PEM):
"""Create an SSL Context with the supplied cert/password.
:param cert_bytes array of bytes containing the cert encoded
using the method supplied in the ``encoding`` parameter
:param pk_bytes array of bytes containing the private key encoded
using the method supplied in the ``encoding`` parameter
:param password array of bytes containing the passphrase to be used
with the supplied private key. None if unencrypted.
Defaults to None.
:param encoding ``cryptography.hazmat.primitives.serialization.Encoding``
details the encoding method used on the ``cert_bytes`` and
``pk_bytes`` parameters. Can be either PEM or DER.
Defaults to PEM.
"""
backend = default_backend()
cert = None
key = None
if encoding == Encoding.PEM:
cert = x509.load_pem_x509_certificate(cert_byes, backend)
key = load_pem_private_key(pk_bytes, password, backend)
elif encoding == Encoding.DER:
cert = x509.load_der_x509_certificate(cert_byes, backend)
key = load_der_private_key(pk_bytes, password, backend)
else:
raise ValueError('Invalid encoding provided: Must be PEM or DER')
if not (cert and key):
raise ValueError('Cert and key could not be parsed from '
'provided data')
check_cert_dates(cert)
ssl_context = PyOpenSSLContext(PROTOCOL)
ssl_context._ctx.use_certificate(X509.from_cryptography(cert))
ssl_context._ctx.use_privatekey(PKey.from_cryptography_key(key))
return ssl_context
def create_ssl_context(cert_byes, pk_bytes, password=None,
encoding=Encoding.PEM):
"""Create an SSL Context with the supplied cert/password.
:param cert_bytes array of bytes containing the cert encoded
using the method supplied in the ``encoding`` parameter
:param pk_bytes array of bytes containing the private key encoded
using the method supplied in the ``encoding`` parameter
:param password array of bytes containing the passphrase to be used
with the supplied private key. None if unencrypted.
Defaults to None.
:param encoding ``cryptography.hazmat.primitives.serialization.Encoding``
details the encoding method used on the ``cert_bytes`` and
``pk_bytes`` parameters. Can be either PEM or DER.
Defaults to PEM.
"""
backend = default_backend()
cert = None
key = None
if encoding == Encoding.PEM:
cert = x509.load_pem_x509_certificate(cert_byes, backend)
key = load_pem_private_key(pk_bytes, password, backend)
elif encoding == Encoding.DER:
cert = x509.load_der_x509_certificate(cert_byes, backend)
key = load_der_private_key(pk_bytes, password, backend)
else:
raise ValueError('Invalid encoding provided: Must be PEM or DER')
if not (cert and key):
raise ValueError('Cert and key could not be parsed from '
'provided data')
check_cert_dates(cert)
ssl_context = PyOpenSSLContext(PROTOCOL)
ssl_context._ctx.use_certificate(X509.from_cryptography(cert))
ssl_context._ctx.use_privatekey(PKey.from_cryptography_key(key))
return ssl_context
def get_certificate_options(self) -> CertificateOptions:
""" Return certificate options
With certificate generated and signed with peer private key
"""
certificate = self.get_certificate()
openssl_certificate = X509.from_cryptography(certificate)
openssl_pkey = PKey.from_cryptography_key(self.private_key)
with open(settings.CA_FILEPATH, 'rb') as f:
ca = x509.load_pem_x509_certificate(data=f.read(),
backend=default_backend())
openssl_ca = X509.from_cryptography(ca)
ca_cert = Certificate(openssl_ca)
trust_root = trustRootFromCertificates([ca_cert])
# We should not use a ContextFactory
# https://twistedmatrix.com/documents/19.7.0/api/twisted.protocols.tls.TLSMemoryBIOFactory.html
certificate_options = CertificateOptions(
privateKey=openssl_pkey,
certificate=openssl_certificate,
trustRoot=trust_root,
raiseMinimumTo=TLSVersion.TLSv1_3)
return certificate_options
def _certificates_for_authority_and_server(service_identity, key_size=1024):
"""
Create a self-signed CA certificate and server certificate signed
by the CA.
:param service_identity: The identity (hostname) of the server.
:type service_identity: :py:class:`unicode`
:param key_size: (optional) The size of CA's and server's private
RSA keys. Defaults to 1024 bits, which is the minimum allowed
by OpenSSL Contexts at the default security level as of 1.1.
:type key_size: :py:class:`int`
:return: a 3-tuple of ``(certificate_authority_certificate,
server_private_key, server_certificate)``.
:rtype: :py:class:`tuple` of (:py:class:`sslverify.Certificate`,
:py:class:`OpenSSL.crypto.PKey`,
:py:class:`OpenSSL.crypto.X509`)
"""
common_name_for_ca = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, u'Testing Example CA')])
common_name_for_server = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, u'Testing Example Server')])
one_day = datetime.timedelta(1, 0, 0)
private_key_for_ca = rsa.generate_private_key(public_exponent=65537,
key_size=key_size,
backend=default_backend())
public_key_for_ca = private_key_for_ca.public_key()
ca_certificate = (x509.CertificateBuilder().subject_name(
common_name_for_ca).issuer_name(common_name_for_ca).not_valid_before(
datetime.datetime.today() -
one_day).not_valid_after(datetime.datetime.today() +
one_day).serial_number(
x509.random_serial_number()).
public_key(public_key_for_ca).add_extension(
x509.BasicConstraints(ca=True, path_length=9),
critical=True,
).sign(private_key=private_key_for_ca,
algorithm=hashes.SHA256(),
backend=default_backend()))
private_key_for_server = rsa.generate_private_key(
public_exponent=65537, key_size=key_size, backend=default_backend())
public_key_for_server = private_key_for_server.public_key()
server_certificate = (
x509.CertificateBuilder().subject_name(common_name_for_server).
issuer_name(common_name_for_ca).not_valid_before(
datetime.datetime.today() -
one_day).not_valid_after(datetime.datetime.today() +
one_day).serial_number(
x509.random_serial_number()).
public_key(public_key_for_server).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True,
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(service_identity)]),
critical=True,
).sign(private_key=private_key_for_ca,
algorithm=hashes.SHA256(),
backend=default_backend()))
ca_self_cert = Certificate.loadPEM(
ca_certificate.public_bytes(Encoding.PEM))
pkey = PKey.from_cryptography_key(private_key_for_server)
x509_server_certificate = X509.from_cryptography(server_certificate)
return ca_self_cert, pkey, x509_server_certificate
def _certificates_for_authority_and_server(service_identity, key_size=1024):
"""
Create a self-signed CA certificate and server certificate signed
by the CA.
:param service_identity: The identity (hostname) of the server.
:type service_identity: :py:class:`unicode`
:param key_size: (optional) The size of CA's and server's private
RSA keys. Defaults to 1024 bits, which is the minimum allowed
by OpenSSL Contexts at the default security level as of 1.1.
:type key_size: :py:class:`int`
:return: a 3-tuple of ``(certificate_authority_certificate,
server_private_key, server_certificate)``.
:rtype: :py:class:`tuple` of (:py:class:`sslverify.Certificate`,
:py:class:`OpenSSL.crypto.PKey`,
:py:class:`OpenSSL.crypto.X509`)
"""
common_name_for_ca = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, u'Testing Example CA')]
)
common_name_for_server = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, u'Testing Example Server')]
)
one_day = datetime.timedelta(1, 0, 0)
private_key_for_ca = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
backend=default_backend()
)
public_key_for_ca = private_key_for_ca.public_key()
ca_certificate = (
x509.CertificateBuilder()
.subject_name(common_name_for_ca)
.issuer_name(common_name_for_ca)
.not_valid_before(datetime.datetime.today() - one_day)
.not_valid_after(datetime.datetime.today() + one_day)
.serial_number(x509.random_serial_number())
.public_key(public_key_for_ca)
.add_extension(
x509.BasicConstraints(ca=True, path_length=9), critical=True,
)
.sign(
private_key=private_key_for_ca, algorithm=hashes.SHA256(),
backend=default_backend()
)
)
private_key_for_server = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
backend=default_backend()
)
public_key_for_server = private_key_for_server.public_key()
server_certificate = (
x509.CertificateBuilder()
.subject_name(common_name_for_server)
.issuer_name(common_name_for_ca)
.not_valid_before(datetime.datetime.today() - one_day)
.not_valid_after(datetime.datetime.today() + one_day)
.serial_number(x509.random_serial_number())
.public_key(public_key_for_server)
.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
)
.add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(service_identity)]
),
critical=True,
)
.sign(
private_key=private_key_for_ca, algorithm=hashes.SHA256(),
backend=default_backend()
)
)
ca_self_cert = Certificate.loadPEM(
ca_certificate.public_bytes(Encoding.PEM)
)
pkey = PKey.from_cryptography_key(private_key_for_server)
x509_server_certificate = X509.from_cryptography(server_certificate)
return ca_self_cert, pkey, x509_server_certificate