def test_deserialize_key(self):
with open(self.key_file_path, "rb") as template_key_file:
key = ssl_serializer.deserialize_key(template_key_file.read())
self.assertEqual(
self.template_key.private_bytes(Encoding.PEM,
PrivateFormat.TraditionalOpenSSL,
NoEncryption()),
key.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL,
NoEncryption()))
def test_store_key(self):
key_name = "ref_key"
key: ec.EllipticCurvePrivateKeyWithSerialization = ec.generate_private_key(
ec.SECP384R1(), backends.default_backend()
)
self.file_path = os.path.join(self.ssl_folder_path, ssl_certificate_factory.KEY_FILE_FORMAT.format(key_name))
ssl_certificate_factory.store_key(key, self.ssl_folder_path, key_name, self._stream_factory)
ref_key = serialization.load_pem_private_key(self.stream_mock.data, None, backends.default_backend())
self.assertEqual(
key.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption()),
ref_key.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption())
)
def test_fetch_key(self):
key_name = "temp_key_file"
key_file = NamedTemporaryFile()
key = ssl_certificate_factory.generate_key()
self.file_path = os.path.join(self.ssl_folder_path, ssl_certificate_factory.KEY_FILE_FORMAT.format(key_name))
ssl_certificate_factory.store_key(key, self.ssl_folder_path, key_name, self._stream_factory)
key_file.write(self.stream_mock.data)
key_file.seek(0)
ref_key = ssl_certificate_factory.fetch_key(url_helper.url_join("file:", key_file.name))
self.assertEqual(
key.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption()),
ref_key.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption())
)
def to_cose_key(
k: Union[Ed448PrivateKey, Ed448PublicKey, Ed25519PrivateKey,
Ed25519PublicKey, X448PrivateKey, X448PublicKey,
X25519PrivateKey, X25519PublicKey, ]
) -> Dict[int, Any]:
cose_key: Dict[int, Any] = {}
cose_key[1] = COSE_KEY_TYPES["OKP"]
cose_key[-1] = 6 # Ed25519
if isinstance(k, (Ed25519PublicKey, Ed25519PrivateKey)):
cose_key[-1] = 6 # Ed25519
if isinstance(k, Ed25519PublicKey):
cose_key[-2] = k.public_bytes(Encoding.Raw, PublicFormat.Raw)
else:
cose_key[-2] = k.public_key().public_bytes(
Encoding.Raw, PublicFormat.Raw)
cose_key[-4] = k.private_bytes(Encoding.Raw, PrivateFormat.Raw,
NoEncryption())
elif isinstance(k, (Ed448PublicKey, Ed448PrivateKey)):
cose_key[-1] = 7 # Ed448
if isinstance(k, Ed448PublicKey):
cose_key[-2] = k.public_bytes(Encoding.Raw, PublicFormat.Raw)
else:
cose_key[-2] = k.public_key().public_bytes(
Encoding.Raw, PublicFormat.Raw)
cose_key[-4] = k.private_bytes(Encoding.Raw, PrivateFormat.Raw,
NoEncryption())
elif isinstance(k, (X25519PublicKey, X25519PrivateKey)):
cose_key[-1] = 4 # X25519
if isinstance(k, X25519PublicKey):
cose_key[-2] = k.public_bytes(Encoding.Raw, PublicFormat.Raw)
else:
cose_key[-2] = k.public_key().public_bytes(
Encoding.Raw, PublicFormat.Raw)
cose_key[-4] = k.private_bytes(Encoding.Raw, PrivateFormat.Raw,
NoEncryption())
elif isinstance(k, (X448PublicKey, X448PrivateKey)):
cose_key[-1] = 5 # X448
if isinstance(k, X448PublicKey):
cose_key[-2] = k.public_bytes(Encoding.Raw, PublicFormat.Raw)
else:
cose_key[-2] = k.public_key().public_bytes(
Encoding.Raw, PublicFormat.Raw)
cose_key[-4] = k.private_bytes(Encoding.Raw, PrivateFormat.Raw,
NoEncryption())
else:
raise ValueError("Unsupported or unknown key for OKP.")
return cose_key
def generate_keys():
folder = os.path.dirname(__file__)
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
with open(os.path.join(folder, 'localhost.key'), "wb") as f:
f.write(
key.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption(),
))
subject = issuer = Name([
NameAttribute(NameOID.COUNTRY_NAME, "IE"),
NameAttribute(NameOID.ORGANIZATION_NAME, "Scrapy"),
NameAttribute(NameOID.COMMON_NAME, "localhost"),
])
cert = (CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
random_serial_number()).not_valid_before(
datetime.utcnow()).not_valid_after(
datetime.utcnow() + timedelta(days=10)).add_extension(
SubjectAlternativeName([DNSName("localhost")]),
critical=False,
).sign(key, SHA256(), default_backend()))
with open(os.path.join(folder, 'localhost.crt'), "wb") as f:
f.write(cert.public_bytes(Encoding.PEM))
def get_prv_key_from_safe_bag(id_name):
"""
Export the safebag with password 1234 using ndnsec-export command line tool.
The function then parse the exported safe bag and return the private key bytes.
:param id_name: the NDN identity name
"""
p = subprocess.run(['ndnsec-export', id_name, '-P', '1234'],
stdout=subprocess.PIPE)
wire = base64.b64decode(p.stdout)
logging.debug('result from ndnsec-export')
logging.debug(wire)
wire = parse_and_check_tl(wire, SecurityV2TypeNumber.SAFE_BAG)
bag = SafeBag.parse(wire)
# Don't use unwrap because the key returned is still in DER format
#key = unwrap(bytes(bag.encrypted_key_bag), '1234')[1]
privateKey = serialization.load_der_private_key(bytes(
bag.encrypted_key_bag),
password=b'1234',
backend=default_backend())
ecc_key = ECC.import_key(
privateKey.private_bytes(Encoding.DER, PrivateFormat.PKCS8,
NoEncryption()))
logging.debug("pub key: ")
logging.debug(ecc_key.pointQ.xy)
logging.debug("prv key: ")
logging.debug(ecc_key.d)
cert_prv_key = ecc_key.d.to_bytes()
logging.info("Private KEY: ")
logging.info(cert_prv_key)
return cert_prv_key
def generate_key():
key = ec.generate_private_key(ec.SECP256R1(), default_backend())
key_pem = key.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption())
return crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
def generate_private_key(self):
""" Generate a private key for ECDSA and RSA algorithm clients """
for client in self:
algorithm_prefix = client.jwt_algorithm[:2]
if algorithm_prefix == 'ES':
key = ec.generate_private_key(
curve=ec.SECT283R1,
backend=default_backend(),
)
elif algorithm_prefix in ('RS', 'PS'):
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
else:
raise exceptions.UserError(
_('You can only generate private keys for asymetric '
'algorithms!'))
client.jwt_private_key = key.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption(),
)
def generate_key_pair(size=2048, public_exponent=65537, as_string=True):
"""
Generate a public/private key pair.
:param size: Optional. Describes how many bits long the key should be, larger keys provide more security,
currently 1024 and below are considered breakable, and 2048 or 4096 are reasonable default
key sizes for new keys. Defaults to 2048.
:param public_exponent: Optional. Indicates what one mathematical property of the key generation will be.
65537 is the default and should almost always be used.
:param as_string: Optional. If True, return tuple of strings. If false, return tuple of RSA key objects.
Defaults to True.
:return: (PrivateKey<string>, PublicKey<string>)
:return: (
`RSAPrivateKey <https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey>`_,
`RSAPublicKey <https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey>`_)
"""
private = rsa.generate_private_key(public_exponent=public_exponent,
key_size=size,
backend=default_backend())
public = private.public_key()
if not as_string:
return private, public
pem_private = private.private_bytes(Encoding.PEM, PrivateFormat.PKCS8,
NoEncryption()).decode(ENCODING)
pem_public = public.public_bytes(
Encoding.PEM, PublicFormat.SubjectPublicKeyInfo).decode(ENCODING)
return pem_private, pem_public
def copy_cert(cert, data, key_path, csr_path):
key_dest = os.path.join(args.dest, data['key_filename'])
csr_dest = os.path.join(args.dest, data['csr_filename'])
pub_dest = os.path.join(args.dest, data['pub_filename'])
key_der_dest = os.path.join(args.dest, data['key_der_filename'])
pub_der_dest = os.path.join(args.dest, data['pub_der_filename'])
shutil.copy(key_path, key_dest)
shutil.copy(csr_path, csr_dest)
with open(pub_dest, 'w') as stream:
stream.write(cert.pub)
with open(key_dest, 'rb') as stream:
priv_key = stream.read()
priv_key = load_pem_private_key(priv_key, None, default_backend())
key_der = priv_key.private_bytes(encoding=Encoding.DER,
format=PrivateFormat.PKCS8,
encryption_algorithm=NoEncryption())
with open(key_der_dest, 'wb') as stream:
stream.write(key_der)
with open(pub_der_dest, 'wb') as stream:
stream.write(cert.dump_certificate(Encoding.DER))
data['crl'] = cert.ca.crl_url
data['subject'] = cert.distinguishedName()
data['parsed_cert'] = cert
update_cert_data(cert, data)
def bootstrap():
global trust_anchor, signer
import_safebag("sec/server.safebag", "1234")
import_cert("sec/server.ndncert")
with open("sec/server.safebag", "r") as safebag:
wire = safebag.read()
wire = base64.b64decode(wire)
wire = parse_and_check_tl(wire, SecurityV2TypeNumber.SAFE_BAG)
bag = SafeBag.parse(wire)
testbed_signed = CertificateV2Value.parse(bag.certificate_v2)
server_key_name = Name.to_str(testbed_signed.name[:-2])
privateKey = serialization.load_der_private_key(
bytes(bag.encrypted_key_bag),
password=b'1234',
backend=default_backend())
server_prv_key = privateKey.private_bytes(Encoding.DER,
PrivateFormat.PKCS8,
NoEncryption())
signer = Sha256WithEcdsaSigner(server_key_name, server_prv_key)
with open("sec/testbed.anchor", "r") as ndncert:
wire = ndncert.read()
wire = base64.b64decode(wire)
trust_anchor = parse_certificate(wire)
def to_pem(self) -> bytes:
"return private key's serialized (PEM) form"
pem_data = self.pk.private_bytes(
encoding=Encoding.PEM, format=PrivateFormat.PKCS8, encryption_algorithm=NoEncryption()
)
return pem_data
def private_key_pem(self):
"""`Blob`: The PEM-encoded private key for this CA. Use this to sign
other certificates from this CA."""
return Blob(
self._private_key.private_bytes(Encoding.PEM,
PrivateFormat.TraditionalOpenSSL,
NoEncryption()))
def secret_as_pem(self):
"""
Write out the private key as a PEM format
:return: Pem Encoded private key
"""
return self._private_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
def dumps_private_key(self):
obj = self.dumps_public_key(self.private_key.public_key())
d_bytes = self.private_key.private_bytes(Encoding.Raw,
PrivateFormat.Raw,
NoEncryption())
obj['d'] = to_unicode(urlsafe_b64encode(d_bytes))
return obj
def generateAndSaveKey (flag):
# 1. Gerar a Chave Privada e Pública.
rsaPrivateKey = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
rsaPublicKey = rsaPrivateKey.public_key()
# 2. Salvar a Chave Privada e Pública, consoante a flag.
# Criação dos bytes serializados da Chave RSA Privada.
privateBytes = rsaPrivateKey.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption()
)
# Criação dos bytes serializados da Chave RSA Pública.
publicBytes = rsaPublicKey.public_bytes(encoding=Encoding.PEM,
format=PublicFormat.SubjectPublicKeyInfo)
# Guardar no ficheiro a Chave Privada.
if(flag==0): nomeFicheiro = "serverRSA.private"
else: nomeFicheiro = "clientRSA.private"
with open(nomeFicheiro, "wb") as privateKeyFile:
privateKeyFile.write(privateBytes)
# Guardar no ficheiro a Chave Pública.
if(flag==0): nomeFicheiro = "serverRSA.public"
else: nomeFicheiro = "clientRSA.public"
with open(nomeFicheiro, "wb") as publicKeyFile:
publicKeyFile.write(publicBytes)
def generate_csr(domains, key_path, csr_path, key_type=RSA_KEY_TYPE):
"""
Generate a private key, and a CSR for the given domains using this key.
:param domains: the domain names to include in the CSR
:type domains: `list` of `str`
:param str key_path: path to the private key that will be generated
:param str csr_path: path to the CSR that will be generated
:param str key_type: type of the key (misc.RSA_KEY_TYPE or misc.ECDSA_KEY_TYPE)
"""
if key_type == RSA_KEY_TYPE:
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
elif key_type == ECDSA_KEY_TYPE:
key = ec.generate_private_key(ec.SECP384R1(), default_backend())
key = key.private_bytes(encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption())
key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
else:
raise ValueError('Invalid key type: {0}'.format(key_type))
key_bytes = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
with open(key_path, 'wb') as file:
file.write(key_bytes)
csr_bytes = crypto_util.make_csr(key_bytes, domains)
with open(csr_path, 'wb') as file:
file.write(csr_bytes)
def load_pkcs12_certificate(certificate_data, password):
# type: (bytes, Optional[bytes]) -> _Cert
from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, pkcs12, PrivateFormat
try:
private_key, cert, additional_certs = pkcs12.load_key_and_certificates(
certificate_data, password, backend=default_backend()
)
except ValueError as ex:
# mentioning PEM here because we raise this error when certificate_data is garbage
six.raise_from(ValueError("Failed to deserialize certificate in PEM or PKCS12 format"), ex)
if not private_key:
raise ValueError("The certificate must include its private key")
if not cert:
raise ValueError("Failed to deserialize certificate in PEM or PKCS12 format")
# This serializes the private key without any encryption it may have had. Doing so doesn't violate security
# boundaries because this representation of the key is kept in memory. We already have the key and its
# password, if any, in memory.
key_bytes = private_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
pem_sections = [key_bytes] + [c.public_bytes(Encoding.PEM) for c in [cert] + additional_certs]
pem_bytes = b"".join(pem_sections)
fingerprint = cert.fingerprint(hashes.SHA1()) # nosec
return _Cert(pem_bytes, private_key, fingerprint)
def write_ca(cert, data, password=None):
key_dest = os.path.join(args.dest, data['key_filename'])
pub_dest = os.path.join(args.dest, data['pub_filename'])
key_der_dest = os.path.join(args.dest, data['key_der_filename'])
pub_der_dest = os.path.join(args.dest, data['pub_der_filename'])
# write files to dest
shutil.copy(ca_storage.path(cert.private_key_path), key_dest)
with open(pub_dest, 'w') as stream:
stream.write(cert.pub)
if password is None:
encryption = NoEncryption()
else:
encryption = BestAvailableEncryption(password)
key_der = cert.key(password=password).private_bytes(
encoding=Encoding.DER, format=PrivateFormat.PKCS8, encryption_algorithm=encryption)
with open(key_der_dest, 'wb') as stream:
stream.write(key_der)
with open(pub_der_dest, 'wb') as stream:
stream.write(cert.dump_certificate(Encoding.DER))
# These keys are only present in CAs:
data['issuer_url'] = ca.issuer_url
data['crl_url'] = ca.crl_url
data['ca_crl_url'] = '%s%s' % (testserver, reverse('django_ca:ca-crl', kwargs={'serial': ca.serial}))
data['ocsp_url'] = '%s%s' % (testserver, reverse('django_ca:ocsp-cert-post',
kwargs={'serial': ca.serial}))
# Update common data for CAs and certs
update_cert_data(cert, data)
def generate_ssh_keys(cls,
size=4096,
passphrase=None,
private_format=PrivateFormat.PKCS8,
public_format=PublicFormat.OpenSSH,
private_encoding=Encoding.PEM,
public_encoding=Encoding.OpenSSH):
"""Generates a public and private rsa ssh key
Returns an SSHKeyResponse objects which has both the public and private
key as attributes
:param int size: RSA modulus length (must be a multiple of 256)
and >= 1024
:param str passphrase: The pass phrase to derive the encryption key
from
"""
encryption = (BestAvailableEncryption(passphrase)
if passphrase else NoEncryption())
key = rsa.generate_private_key(backend=default_backend(),
public_exponent=65537,
key_size=size)
return SSHKey(public_key=key.public_key().public_bytes(
public_encoding, public_format),
private_key=key.private_bytes(Encoding.PEM,
private_format,
encryption))
def sns_privatekey():
key = rsa.generate_private_key(
public_exponent=65537,
key_size=1024, # 1024 shouldn't be used, but for tests it's fine.
backend=default_backend(),
)
return key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
def private_key_to_raw(private_key):
private_key_pkcs8 = private_key.private_bytes(Encoding.DER,
PrivateFormat.PKCS8,
NoEncryption())
# Key is serialized in the PKCS8 format, but we need the raw key bytestring
# The raw key is found from byte 36 to 68 in the formatted key.
return private_key_pkcs8[PRIVATE_BYTES_START:PRIVATE_BYTES_END]
def _save(
cls, key: PrivateKey, cert: x509.Certificate, directory: str,
name: str, key_format: Encoding
) -> ((str, bytes), (str, bytes), (str, bytes)):
private_file = f'{name}.{key_format.name.lower()}'
private_path = join(directory, private_file)
private_bytes = key.private_bytes(key_format, PrivateFormat.PKCS8,
NoEncryption())
public_file = f'{name}.pub.{key_format.name.lower()}'
public_path = join(directory, public_file)
public_bytes = cert.public_key().public_bytes(key_format,
PublicFormat.PKCS1)
cert_file = f'{name}.cert.{key_format.name.lower()}'
cert_path = join(directory, cert_file)
cert_bytes = cert.public_bytes(key_format)
serialized = ((private_path, private_bytes),
(public_path, public_bytes), (cert_path, cert_bytes))
for file_path, file_bytes in serialized:
with open(file_path, 'wb') as out:
out.write(file_bytes)
return serialized
def as_bytes(self, encoding=None, is_private=False, password=None):
"""Export key into PEM/DER format bytes.
:param encoding: "PEM" or "DER"
:param is_private: export private key or public key
:param password: encrypt private key with password
:return: bytes
"""
if encoding is None or encoding == 'PEM':
encoding = Encoding.PEM
elif encoding == 'DER':
encoding = Encoding.DER
else:
raise ValueError('Invalid encoding: {!r}'.format(encoding))
raw_key = self.as_key(is_private)
if is_private:
if not raw_key:
raise ValueError('This is a public key')
if password is None:
encryption_algorithm = NoEncryption()
else:
encryption_algorithm = BestAvailableEncryption(
to_bytes(password))
return raw_key.private_bytes(
encoding=encoding,
format=PrivateFormat.PKCS8,
encryption_algorithm=encryption_algorithm,
)
return raw_key.public_bytes(
encoding=encoding,
format=PublicFormat.SubjectPublicKeyInfo,
)
def copy_cert(cert, data, key_path, csr_path):
key_dest = os.path.join(args.dest, data["key_filename"])
csr_dest = os.path.join(args.dest, data["csr_filename"])
pub_dest = os.path.join(args.dest, data["pub_filename"])
key_der_dest = os.path.join(args.dest, data["key_der_filename"])
pub_der_dest = os.path.join(args.dest, data["pub_der_filename"])
shutil.copy(key_path, key_dest)
shutil.copy(csr_path, csr_dest)
with open(pub_dest, "w") as stream:
stream.write(cert.pub.pem)
with open(key_dest, "rb") as stream:
priv_key = stream.read()
priv_key = load_pem_private_key(priv_key, None, default_backend())
key_der = priv_key.private_bytes(encoding=Encoding.DER,
format=PrivateFormat.PKCS8,
encryption_algorithm=NoEncryption())
with open(key_der_dest, "wb") as stream:
stream.write(key_der)
with open(pub_der_dest, "wb") as stream:
stream.write(cert.pub.der)
data["crl"] = cert.ca.crl_url
data["subject"] = cert.distinguished_name
data["parsed_cert"] = cert
update_cert_data(cert, data)
def export_key(key, encoding=None, is_private=False, password=None):
if encoding is None or encoding == 'PEM':
encoding = Encoding.PEM
elif encoding == 'DER':
encoding = Encoding.DER
else:
raise ValueError('Invalid encoding: {!r}'.format(encoding))
if is_private:
if key.key_type == 'private':
if password is None:
encryption_algorithm = NoEncryption()
else:
encryption_algorithm = BestAvailableEncryption(
to_bytes(password))
return key.raw_key.private_bytes(
encoding=encoding,
format=PrivateFormat.PKCS8,
encryption_algorithm=encryption_algorithm,
)
raise ValueError('This is a public key')
if key.key_type == 'private':
raw_key = key.raw_key.public_key()
else:
raw_key = key.raw_key
return raw_key.public_bytes(
encoding=encoding,
format=PublicFormat.SubjectPublicKeyInfo,
)
def cryptography_create_pkcs12_bundle(self,
keystore_p12_path,
key_format='PEM',
cert_format='PEM'):
if key_format == 'PEM':
key_loader = load_pem_private_key
else:
key_loader = load_der_private_key
if cert_format == 'PEM':
cert_loader = load_pem_x509_certificate
else:
cert_loader = load_der_x509_certificate
try:
with open(self.private_key_path, 'rb') as key_file:
private_key = key_loader(key_file.read(),
password=to_bytes(self.keypass),
backend=backend)
except TypeError:
# Re-attempt with no password to match existing behavior
try:
with open(self.private_key_path, 'rb') as key_file:
private_key = key_loader(key_file.read(),
password=None,
backend=backend)
except (OSError, TypeError, ValueError, UnsupportedAlgorithm) as e:
self.module.fail_json(
msg=
"The following error occurred while loading the provided private_key: %s"
% to_native(e))
except (OSError, ValueError, UnsupportedAlgorithm) as e:
self.module.fail_json(
msg=
"The following error occurred while loading the provided private_key: %s"
% to_native(e))
try:
with open(self.certificate_path, 'rb') as cert_file:
cert = cert_loader(cert_file.read(), backend=backend)
except (OSError, ValueError, UnsupportedAlgorithm) as e:
self.module.fail_json(
msg=
"The following error occurred while loading the provided certificate: %s"
% to_native(e))
if self.password:
encryption = BestAvailableEncryption(to_bytes(self.password))
else:
encryption = NoEncryption()
pkcs12_bundle = serialize_key_and_certificates(
name=to_bytes(self.name),
key=private_key,
cert=cert,
cas=None,
encryption_algorithm=encryption)
with open(keystore_p12_path, 'wb') as p12_file:
p12_file.write(pkcs12_bundle)
def write_key(self, fn):
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
data = self.key.private_bytes(encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption())
with open(fn, 'w') as f:
f.write(data)
def generate_private_key(self, key_type='ec256'):
"""
Generates a new RSA or EC private key.\n
- :param `key_type` [`str`]: the requested `private_key` type. Options are: [`ec256`, `ec384`, `rsa2048`,
`rsa4096`]\n
- :return [`bytes`]: the encoded private key PEM data string. This method will update the `private_key` property
of the object with the same value.\n
- :raises `InvalidKeyType`: when an unknown/unsupported `key_type` is requested\n\n
## Example\n
```python
>>> client.generate_private_key(key_type="ec384")
b'-----BEGIN EC PRIVATE KEY-----\\nMIGkAgEBBDAZRFNLcQdVJmLh42p8F4D92...'
```
"""
# Generate a EC256 private key
if key_type == 'ec256':
key = ec.generate_private_key(ec.SECP256R1(), default_backend())
self.private_key = key.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption())
# Generate a EC384 private key
elif key_type == 'ec384':
key = ec.generate_private_key(ec.SECP384R1(), default_backend())
self.private_key = key.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption()
)
# Generate a RSA2048 private key
elif key_type == 'rsa2048':
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
self.private_key = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)
# Generate a RSA4096 private key
elif key_type == 'rsa4096':
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 4096)
self.private_key = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)
# Otherwise, the requested key type is not supported. Throw an error
else:
options = ['ec256', 'ec384', 'rsa2048', 'rsa4096']
msg = "Invalid private key rtype '{key_type}'. Options {options}".format(key_type=key_type, options=options)
raise errors.InvalidKeyType(msg)
return self.private_key
def key_to_pem(key, password=None):
"""Serialize key in PEM format, optionally encrypted.
"""
if password:
enc = BestAvailableEncryption(as_bytes(password))
else:
enc = NoEncryption()
return key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, enc)
