Esempio n. 1
0
def write_authenticode_certificate(
    ca_cert: x509.Certificate,
    ca_cert_orig: x509.Certificate,
    signing_key: ecdsa.keys.SigningKey,
    name: str,
    subject: x509.Name,
) -> None:
    private_key, public_key = generate_private_key("rsa:4096")
    signed_digest_algorithm = x509.SignedDigestAlgorithm(
        {"algorithm": "sha256_ecdsa"})

    certificate = x509.Certificate({
        "tbs_certificate": {
            "version":
            "v3",
            "serial_number":
            random_serial_number(),
            "signature":
            signed_digest_algorithm,
            "issuer":
            ca_cert.subject,
            "validity": {
                "not_before":
                x509.UTCTime(
                    datetime.datetime(2018, 1, 1,
                                      tzinfo=datetime.timezone.utc)),
                "not_after":
                x509.UTCTime(
                    datetime.datetime(2021, 1, 1,
                                      tzinfo=datetime.timezone.utc)),
            },
            "subject":
            subject,
            "subject_public_key_info":
            public_key,
            "extensions": [
                {
                    "extn_id": "basic_constraints",
                    "critical": True,
                    "extn_value": {
                        "ca": False
                    },
                },
                {
                    "extn_id": "key_usage",
                    "critical": True,
                    "extn_value": {"digital_signature"},
                },
                {
                    "extn_id":
                    "extended_key_usage",
                    "critical":
                    True,
                    "extn_value": [
                        "code_signing",
                        "1.3.6.1.4.1.311.2.1.21",
                        "1.3.6.1.4.1.311.2.1.22",
                    ],
                },
            ],
        },
        "signature_algorithm":
        signed_digest_algorithm,
    })

    sign_certificate(signing_key, certificate)

    with open(name + ".crt", "wb") as f:
        write_pem(f, certificate, "CERTIFICATE")
        write_pem(f, ca_cert_orig, "CERTIFICATE")
        write_pem(f, ca_cert, "CERTIFICATE")

    with open(name + ".key", "wb") as f:
        write_pem(f, private_key, "PRIVATE KEY")

    subprocess.check_call((
        "openssl",
        "crl2pkcs7",
        "-nocrl",
        "-certfile",
        name + ".crt",
        "-outform",
        "DER",
        "-out",
        name + ".spc",
    ))

    subprocess.check_call((
        "openssl",
        "rsa",
        "-in",
        name + ".key",
        "-outform",
        "PVK",
        "-pvk-none",
        "-out",
        name + ".pvk",
    ))
Esempio n. 2
0
def write_tls_certificate(
    ca_cert: x509.Certificate,
    ca_cert_orig: x509.Certificate,
    signing_key: ecdsa.keys.SigningKey,
    name: str,
    subject: x509.Name,
    subject_alt_names: Sequence[str],
) -> None:
    private_key, public_key = generate_private_key("rsa:4096")
    signed_digest_algorithm = x509.SignedDigestAlgorithm(
        {"algorithm": "sha256_ecdsa"})

    certificate = x509.Certificate({
        "tbs_certificate": {
            "version":
            "v3",
            "serial_number":
            random_serial_number(),
            "signature":
            signed_digest_algorithm,
            "issuer":
            ca_cert_orig.subject,
            "validity": {
                "not_before":
                x509.UTCTime(
                    datetime.datetime(2018, 1, 1,
                                      tzinfo=datetime.timezone.utc)),
                "not_after":
                x509.UTCTime(
                    datetime.datetime(2021, 1, 1,
                                      tzinfo=datetime.timezone.utc)),
            },
            "subject":
            subject,
            "subject_public_key_info":
            public_key,
            "extensions": [
                {
                    "extn_id": "basic_constraints",
                    "critical": True,
                    "extn_value": {
                        "ca": False
                    },
                },
                {
                    "extn_id":
                    "subject_alt_name",
                    "critical":
                    False,
                    "extn_value": [
                        x509.GeneralName({"dns_name": dns_name})
                        for dns_name in subject_alt_names
                    ],
                },
                {
                    "extn_id":
                    "certificate_policies",
                    "critical":
                    False,
                    "extn_value": [
                        {
                            "policy_identifier": "1.3.6.1.4.1.6449.1.2.1.5.1"
                        },
                    ],
                },
            ],
        },
        "signature_algorithm":
        signed_digest_algorithm,
    })

    sign_certificate(signing_key, certificate)

    with open(name + ".crt", "wb") as f:
        write_pem(f, certificate, "CERTIFICATE")
        write_pem(f, ca_cert_orig, "CERTIFICATE")
        write_pem(f, ca_cert, "CERTIFICATE")

    with open(name + ".key", "wb") as f:
        write_pem(f, private_key, "PRIVATE KEY")
        write_pem(f, certificate, "CERTIFICATE")
        write_pem(f, ca_cert_orig, "CERTIFICATE")
        write_pem(f, ca_cert, "CERTIFICATE")