def create_server(cn, server_file, server_key_file, signer_file,
signer_key_file):
# Make sure files exist
if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file)):
raise FileNotFoundError('Failed to find {}, {}, or {}'.format(
signer_file, signer_key_file))
# Setup cryptography
be = cryptography.hazmat.backends.default_backend()
# Create Server cert key pair
print('\nServer Cert key')
server_priv_key = load_or_create_key(server_key_file, backend=be)
print('\nLoad Signer')
# Load the Signing key from the file
print(' Loading key from %s' % signer_key_file)
with open(signer_key_file, 'rb') as f:
signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(),
password=None,
backend=be)
# Load the Signing Certificate from the file
print(' Loading certificate from %s' % signer_file)
with open(signer_file, 'rb') as f:
signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be)
# Build certificate
print('\nCreate Server Certificate template')
builder = x509.CertificateBuilder()
builder = builder.issuer_name(signer_ca_cert.subject)
# Device cert must have minutes and seconds set to 0
builder = builder.not_valid_before(
datetime.datetime.now(tz=pytz.utc).replace(minute=0, second=0))
# Should be year 9999, but this doesn't work on windows
builder = builder.not_valid_after(
datetime.datetime(3000, 12, 31, 23, 59, 59))
builder = builder.subject_name(
x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)]))
builder = builder.public_key(server_priv_key.public_key())
# Device certificate is generated from certificate dates and public key
builder = builder.serial_number(cert_sn(16, builder))
# Sign certificate
server_cert = builder.sign(private_key=signer_ca_priv_key,
algorithm=hashes.SHA256(),
backend=be)
# Save certificate for reference
print(' Save server Certificate to %s' % server_file)
with open(server_file, 'wb') as f:
f.write(server_cert.public_bytes(encoding=serialization.Encoding.PEM))
def create_signer(o, cn, signer_file, signer_key_file, root_file, root_key_file):
crypto_be = cryptography.hazmat.backends.default_backend()
#print('\nLoading root CA key')
if not os.path.isfile(root_key_file):
raise AWSZTKitError('Failed to find root CA key file, ' + root_key_file + '. Have you run ca_create_root first?')
with open(root_key_file, 'rb') as f:
#print(' Loading from ' + f.name)
root_ca_priv_key = serialization.load_pem_private_key(
data=f.read(),
password=None,
backend=crypto_be)
#print('\nLoading root CA certificate')
if not os.path.isfile(root_file):
raise AWSZTKitError('Failed to find root CA certificate file, ' + root_file + '. Have you run ca_create_root first?')
with open(root_file, 'rb') as f:
#print(' Loading from ' + f.name)
root_ca_cert = x509.load_pem_x509_certificate(f.read(), crypto_be)
# Create or load a Signer CA key pair
#print('\nSigner CA key')
signer_ca_priv_key = load_or_create_key(signer_key_file, backend=crypto_be)
# Create signer CA certificate
#print('\nGenerating signer CA certificate from CSR')
# Please note that the structure of the signer certificate is part of certificate definition in the SAMG55 firmware
# (g_cert_elements_1_signer). If any part of it is changed, it will also need to be changed in the firmware.
# The cert2certdef.py utility script can help with regenerating the cert_def_1_signer.c file after making changes.
builder = x509.CertificateBuilder()
builder = builder.serial_number(random_cert_sn(16))
builder = builder.issuer_name(root_ca_cert.subject)
builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc))
builder = builder.not_valid_after(builder._not_valid_before.replace(year=builder._not_valid_before.year + 10))
builder = builder.public_key(signer_ca_priv_key.public_key())
builder = builder.subject_name(x509.Name([
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o ),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn )]))
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=0),
critical=True)
builder = builder.add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False),
critical=True)
builder = builder.add_extension(
x509.SubjectKeyIdentifier.from_public_key(signer_ca_priv_key.public_key()),
critical=False)
issuer_ski = root_ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
builder = builder.add_extension(
x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski.value),
critical=False)
# Sign signer certificate with root
signer_ca_cert = builder.sign(
private_key=root_ca_priv_key,
algorithm=hashes.SHA256(),
backend=crypto_be)
# Write signer CA certificate to file
with open(signer_file, 'wb') as f:
#print(' Saving to ' + f.name)
f.write(signer_ca_cert.public_bytes(encoding=serialization.Encoding.PEM))
print('CAcert create success')
def create_device(o, device_file, device_key_file, signer_file, signer_key_file, root_file, root_key_file):
# Make sure files exist
if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file) and os.path.isfile(root_file)):
raise FileNotFoundError('Failed to find {}, {}, or {}'.format(signer_file, signer_key_file, root_file))
# Setup cryptography
be = cryptography.hazmat.backends.default_backend()
# Create or load a dummy device key pair
#print('\ndummy device key')
device_priv_key = load_or_create_key(device_key_file, backend=be)
# Convert the key into the cryptography format
public_key = device_priv_key.public_key()
#print('\nLoad Signer')
# Load the Signing key from the file
#print(' Loading key from %s' % signer_key_file)
with open(signer_key_file, 'rb') as f:
signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(), password=None, backend=be)
# Load the Signing Certificate from the file
#print(' Loading certificate from %s' % signer_file)
with open(signer_file, 'rb') as f:
signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be)
with open(root_file, 'rb') as f:
root_ca_cert = x509.load_pem_x509_certificate(f.read(), be)
root_public = root_ca_cert.public_key()
# Build certificate
#print('\nCreate Device Certificate template')
builder = x509.CertificateBuilder()
builder = builder.issuer_name(signer_ca_cert.subject)
# Device cert must have minutes and seconds set to 0
builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc).replace(minute=0,second=0))
# Should be year 9999, but this doesn't work on windows
builder = builder.not_valid_after(datetime.datetime(3000, 12, 31, 23, 59, 59))
cn = str('0123xxxxxxxxxxxxee')
builder = builder.subject_name(x509.Name([
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)]))
builder = builder.public_key(public_key)
# Device certificate is generated from certificate dates and public key
builder = builder.serial_number(device_cert_sn(16, builder))
# Subject Key ID is used as the thing name and MQTT client ID and is required for this demo
builder = builder.add_extension(
x509.SubjectKeyIdentifier.from_public_key(public_key),
critical=False)
issuer_ski = signer_ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
builder = builder.add_extension(
x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski.value),
critical=False)
# Sign certificate with longest R & S pattern
while True:
device_cert = builder.sign(private_key=signer_ca_priv_key, algorithm=hashes.SHA256(), backend=be)
cert = decoder.decode(device_cert.public_bytes(encoding=serialization.Encoding.DER), asn1Spec=rfc2459.Certificate())[0]
info = cert_sig_offset_length(cert)
if info['length'] == 75:
break
# Save certificate for reference
#print(' Save Device Certificate to %s' % device_file)
with open(device_file, 'wb') as f:
f.write(device_cert.public_bytes(encoding=serialization.Encoding.PEM))
# Save root public key
#print(' Save Root Public Key to %s' % root_key_file)
with open(root_key_file, 'wb') as f:
f.write(root_public.public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo))
print('device cert template create success')
def create_server(o, cn, san1, san2, server_file, server_key_file, signer_file,
signer_key_file, root_file):
# Make sure files exist
if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file)
and os.path.isfile(root_file)):
raise FileNotFoundError('Failed to find {}, {}, or {}'.format(
signer_file, signer_key_file, root_file))
# Setup cryptography
be = cryptography.hazmat.backends.default_backend()
# Create Server cert key pair
#print('\nServer Cert key')
server_priv_key = load_or_create_key(server_key_file, backend=be)
#print('\nLoad Signer')
# Load the Signing key from the file
#print(' Loading key from %s' % signer_key_file)
with open(signer_key_file, 'rb') as f:
signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(),
password=None,
backend=be)
# Load the Signing Certificate from the file
#print(' Loading certificate from %s' % signer_file)
with open(signer_file, 'rb') as f:
signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be)
with open(root_file, 'rb') as f:
root_ca_cert = x509.load_pem_x509_certificate(f.read(), be)
# Build certificate
#print('\nCreate Server Certificate template')
builder = x509.CertificateBuilder()
builder = builder.issuer_name(signer_ca_cert.subject)
# Device cert must have minutes and seconds set to 0
builder = builder.not_valid_before(
datetime.datetime.now(tz=pytz.utc).replace(minute=0, second=0))
# TLS server certificates must have a validity period of 825 days or fewer
# (as expressed in the NotBefore and NotAfter fields of the certificate).
# https://support.apple.com/en-us/HT210176
builder = builder.not_valid_after(
datetime.datetime.now(tz=pytz.utc).replace(minute=0, second=0) +
expire_day)
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)
]))
builder = builder.public_key(server_priv_key.public_key())
# Device certificate is generated from certificate dates and public key
builder = builder.serial_number(cert_sn(16, builder))
# specific for server cert
builder = builder.add_extension(x509.BasicConstraints(ca=False,
path_length=None),
critical=False)
builder = builder.add_extension(x509.KeyUsage(digital_signature=True,
content_commitment=True,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=False)
builder = builder.add_extension(x509.ExtendedKeyUsage(
[x509.oid.ExtendedKeyUsageOID.SERVER_AUTH]),
critical=False)
builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(
server_priv_key.public_key()),
critical=False)
issuer_ski = signer_ca_cert.extensions.get_extension_for_class(
x509.SubjectKeyIdentifier)
builder = builder.add_extension(
x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
issuer_ski.value),
critical=False)
if (san2 == ''):
builder = builder.add_extension(x509.SubjectAlternativeName(
[x509.DNSName(san1)]),
critical=False)
else:
builder = builder.add_extension(x509.SubjectAlternativeName(
[x509.DNSName(san1),
x509.IPAddress(ipaddress.ip_address(san2))]),
critical=False)
# Sign certificate
server_cert = builder.sign(private_key=signer_ca_priv_key,
algorithm=hashes.SHA256(),
backend=be)
# Save certificate for reference
#print(' Save server Certificate to %s' % server_file)
with open(server_file, 'wb') as f:
f.write(server_cert.public_bytes(encoding=serialization.Encoding.PEM))
# Save certificate chain for reference
#print(' Save server Certificate chain to %s.chain' % server_file)
with open(server_file + ".chain", 'wb') as f:
f.write(server_cert.public_bytes(encoding=serialization.Encoding.PEM))
with open(server_file + ".chain", 'ab') as f:
f.write(
signer_ca_cert.public_bytes(encoding=serialization.Encoding.PEM))
with open(server_file + ".chain", 'ab') as f:
f.write(root_ca_cert.public_bytes(encoding=serialization.Encoding.PEM))
print('servercert create success')
def create_rtclient(cn, rtclient_file, rtclient_key_file, signer_file,
signer_key_file):
# Make sure files exist
if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file)):
raise FileNotFoundError('Failed to find {}, {}, or {}'.format(
signer_file, signer_key_file))
# Setup cryptography
be = cryptography.hazmat.backends.default_backend()
# Create client cert key pair
#print('\nrtclient Cert key')
rtclient_priv_key = load_or_create_key(rtclient_key_file, backend=be)
#print('\nLoad Signer')
# Load the Signing key from the file
#print(' Loading key from %s' % signer_key_file)
with open(signer_key_file, 'rb') as f:
signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(),
password=None,
backend=be)
# Load the Signing Certificate from the file
#print(' Loading certificate from %s' % signer_file)
with open(signer_file, 'rb') as f:
signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be)
# Build certificate
#print('\nCreate rtclient Certificate')
builder = x509.CertificateBuilder()
builder = builder.issuer_name(signer_ca_cert.subject)
# Device cert must have minutes and seconds set to 0
builder = builder.not_valid_before(
datetime.datetime.now(tz=pytz.utc).replace(minute=0, second=0))
# Should be year 9999, but this doesn't work on windows
builder = builder.not_valid_after(
datetime.datetime(3000, 12, 31, 23, 59, 59))
builder = builder.subject_name(
x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)]))
builder = builder.public_key(rtclient_priv_key.public_key())
# Device certificate is generated from certificate dates and public key
builder = builder.serial_number(cert_sn(16, builder))
# specific for client cert
builder = builder.add_extension(x509.BasicConstraints(ca=False,
path_length=None),
critical=False)
builder = builder.add_extension(x509.KeyUsage(digital_signature=True,
content_commitment=True,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=False)
builder = builder.add_extension(x509.ExtendedKeyUsage(
[x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]),
critical=False)
# Sign certificate
rtclient_cert = builder.sign(private_key=signer_ca_priv_key,
algorithm=hashes.SHA256(),
backend=be)
# Save certificate for reference
#print(' Save rtclient Certificate to %s' % rtclient_file)
with open(rtclient_file, 'wb') as f:
f.write(
rtclient_cert.public_bytes(encoding=serialization.Encoding.PEM))
print('rtclientcert create success')
