def test_subject_alt_names(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
])).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(u"example.com"),
x509.DNSName(u"*.example.com"),
]),
critical=False,
).sign(private_key, hashes.SHA256(), backend)
assert len(csr.extensions) == 1
ext = csr.extensions.get_extension_for_oid(
x509.OID_SUBJECT_ALTERNATIVE_NAME)
assert not ext.critical
assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME
assert list(ext.value) == [
x509.DNSName(u"example.com"),
x509.DNSName(u"*.example.com"),
]
def __init__(self,
initializer=None,
common_name=None,
private_key=None,
age=None):
super(CertificateSigningRequest, self).__init__(
initializer=initializer, age=age)
if self._value is None:
if isinstance(initializer, x509.CertificateSigningRequest):
self._value = initializer
elif isinstance(initializer, bytes):
self.ParseFromBytes(initializer)
elif common_name and private_key:
self._value = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name(
[x509.NameAttribute(oid.NameOID.COMMON_NAME,
str(common_name))])).sign(
private_key.GetRawPrivateKey(),
hashes.SHA256(),
backend=openssl.backend)
elif initializer is not None:
raise rdfvalue.InitializeError("Cannot initialize %s from %s." %
(self.__class__, initializer))
def enroll(self, enrollment_id, enrollment_secret):
"""Enroll a registered user in order to receive a signed X509 certificate
Args:
enrollment_id (str): The registered ID to use for enrollment
enrollment_secret (str): The secret associated with the
enrollment ID
Returns: PEM-encoded X509 certificate
Raises:
RequestException: errors in requests.exceptions
ValueError: Failed response, json parse error, args missing
"""
private_key = self._crypto.generate_private_key()
csr = self._crypto.generate_csr(private_key, x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, six.u(enrollment_id))]))
cert = self._ca_client.enroll(
enrollment_id, enrollment_secret,
csr.public_bytes(Encoding.PEM).decode("utf-8"))
return Enrollment(private_key, cert)
def generate_certificate(private_key: PrivateKey,
hostname: str,
name: str,
hash_algorithm: HashAlgorithm,
lifespan: int = 14) -> x509.Certificate:
x509_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
x509_dns_name = x509.DNSName(f'{name}.{hostname}')
san = x509.SubjectAlternativeName([x509_dns_name])
constraints = x509.BasicConstraints(ca=True, path_length=0)
now = datetime.now()
return (x509.CertificateBuilder().subject_name(x509_name).issuer_name(
x509_name).public_key(
private_key.public_key()).not_valid_before(now).not_valid_after(
now +
timedelta(days=lifespan)).serial_number(1000).add_extension(
constraints,
False).add_extension(san,
False).sign(private_key,
hash_algorithm,
default_backend()))
def generate_server_cert(ca_cert, ca_key, common_names):
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
name = x509.Name(COMMON_SUBJECT_ATTRIB + [
x509.NameAttribute(NameOID.COMMON_NAME, name) for name in common_names
])
certificate = (
x509.CertificateBuilder().subject_name(name).issuer_name(
ca_cert.subject).not_valid_before(datetime.datetime.today() -
datetime.timedelta(days=1)).
not_valid_after(datetime.datetime.today() +
datetime.timedelta(days=365)).serial_number(
x509.random_serial_number()).public_key(
private_key.public_key()).add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False,
),
critical=True,
).add_extension(
x509.ExtendedKeyUsage([
ExtendedKeyUsageOID.CLIENT_AUTH,
ExtendedKeyUsageOID.SERVER_AUTH
]),
critical=True,
).sign(private_key=ca_key,
algorithm=hashes.SHA256(),
backend=default_backend()))
return certificate, private_key
def makeCSR(self, identifiers):
# Generate a CSR
'''
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),\
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),\
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),\
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),\
x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),\
])).add_extension(x509.SubjectAlternativeName([\
x509.DNSName(u"mysite.com"),\
x509.DNSName(u"www.mysite.com"),\
x509.DNSName(u"subdomain.mysite.com"),\
]),
critical = False,).sign(self.private_key, hashes.SHA256(), default_backend())
csr.public_bytes(serialization.Encoding.DER)
'''
print("IDENTIFIERS ARE: ", identifiers, "and are of type ",
type(identifiers))
alternatives = [None] * len(
identifiers) #create array to suit csr format
for i in range(len(identifiers)):
alternatives[i] = x509.DNSName(identifiers[i])
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
]))
builder = builder.add_extension(
x509.SubjectAlternativeName(alternatives),
critical=False,
)
request = builder.sign(self.private_key, hashes.SHA256(),
default_backend())
csr = request.public_bytes(serialization.Encoding.DER)
return csr
def _dummy_ca_cert(self, ca_key):
ca_name = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, 'CA'),
])
nowtime = datetime.datetime.now(datetime.timezone.utc)
cert = x509.CertificateBuilder().subject_name(ca_name).issuer_name(
ca_name).public_key(ca_key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
nowtime).not_valid_after(nowtime + datetime.timedelta(
days=1)).add_extension(
x509.BasicConstraints(ca=True, path_length=1),
critical=True,
).add_extension(
x509.KeyUsage(
digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False,
),
critical=False,
).add_extension(
x509.SubjectKeyIdentifier.from_public_key(
ca_key.public_key()),
critical=False,
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(
ca_key.public_key()),
critical=False,
).sign(ca_key,
hashes.SHA256(),
backend=default_backend())
return cert
def create_pair(self, algorithm):
if algorithm == ALGORITHM.RSA_2048:
private_key = rsa.generate_private_key(
0x10001, 2048, default_backend())
elif algorithm == ALGORITHM.RSA_3072:
private_key = rsa.generate_private_key(
0x10001, 3072, default_backend())
elif algorithm == ALGORITHM.RSA_4096:
private_key = rsa.generate_private_key(
0x10001, 4096, default_backend())
else:
ec_curve = ALGORITHM.to_curve(algorithm)
private_key = ec.generate_private_key(ec_curve, default_backend())
builder = x509.CertificateBuilder()
name = x509.Name([x509.NameAttribute(
NameOID.COMMON_NAME, u'Test Attestation Certificate')])
builder = builder.subject_name(name)
builder = builder.issuer_name(name)
one_day = datetime.timedelta(1, 0, 0)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + one_day)
builder = builder.serial_number(int(uuid.uuid4()))
builder = builder.public_key(private_key.public_key())
certificate = builder.sign(
private_key, hashes.SHA256(), default_backend())
attkey = AsymmetricKey.put(
self.session, 0, 'Test Create Pair', 0xffff,
CAPABILITY.SIGN_ATTESTATION_CERTIFICATE,
private_key)
certobj = attkey.put_certificate('Test Create Pair', 0xffff,
CAPABILITY.NONE, certificate)
self.assertEqual(certificate.public_bytes(Encoding.DER), certobj.get())
return attkey, certobj, certificate
def cert_info(name, email, country, state, city, org_name):
name = name.encode("utf-8")
email = email.encode("utf-8")
country = country.encode("utf-8")
state = state.encode("utf-8")
city = city.encode("utf-8")
org_name = org_name.encode("utf-8")
info = x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME, country),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state),
x509.NameAttribute(NameOID.LOCALITY_NAME, city),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, org_name),
x509.NameAttribute(NameOID.COMMON_NAME, name),
x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)
])
return info
def generate_csr(
private_key: rsa.RSAPrivateKey = None
) -> Tuple[rsa.RSAPrivateKey, x509.CertificateSigningRequest]:
"""Generate a Certificate Signing Request using a few defaults.
Args:
private_key (rsa.RSAPrivateKey): Optional. If not supplied a key will be generated
Returns:
Tuple of private_key, x509.CertificateSigningRequest
"""
if private_key is None:
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'scepy2 client'),
]))
builder = builder.add_extension(
# Absolutely critical for SCEP
x509.KeyUsage(digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
True)
csr = builder.sign(private_key, hashes.SHA512(), default_backend())
return private_key, csr
def def_certificate_subject():
return x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME,
input("Country Name (2 letter code) [AU] : ")),
x509.NameAttribute(
NameOID.STATE_OR_PROVINCE_NAME,
input("State or Province Name (full name) [Some-State] : ")),
x509.NameAttribute(NameOID.LOCALITY_NAME,
input("Locality Name (eg, city) [] : ")),
x509.NameAttribute(
NameOID.ORGANIZATION_NAME,
input(
"Organization Name (eg, company) [Internet Widgits Pty Ltd] : "
)),
x509.NameAttribute(
NameOID.ORGANIZATIONAL_UNIT_NAME,
input("Organizational Unit Name (eg, section) [] : ")),
x509.NameAttribute(
NameOID.COMMON_NAME,
input("Common Name (e.g. server FQDN or YOUR name) [] : ")),
x509.NameAttribute(NameOID.EMAIL_ADDRESS, input("Email Address [] : "))
])
def ca_create(self, key):
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"CA"),
])
return x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
# Our certificate will be valid for 10 years
datetime.datetime.utcnow() + datetime.timedelta(days=10 * 365)
).add_extension(
extension=x509.BasicConstraints(ca=True, path_length=None),
critical=True
).sign(
# Sign our certificate with our private key
key, hashes.SHA256(), default_backend()
)
def generate_certificate_signing_request(username, passphrase, key_file):
"""
Generate the certificate signing request for the new user in Kubernetes
"""
file_location = _ensure_cert_working_path()
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
key_bytes = None
with open(key_file, "rb") as f:
key_bytes = f.read()
key = serialization.load_pem_private_key(key_bytes,
bytes(passphrase, "utf-8"),
default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COMMON_NAME,
u"{0}".format(username)),
])).sign(key, hashes.SHA256(), default_backend())
csr_file = Path(file_location).joinpath(f"{username}_csr.pem")
# write CSR to file
with open(csr_file, "wb") as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
if csr_file.is_file():
return csr_file
else:
return None
def make_tls_cert(hostname: str) -> Tuple[x509.Certificate, rsa.RSAPrivateKey]:
key = rsa.generate_private_key(
public_exponent=65537, key_size=2048, backend=default_backend()
)
subject = issuer = x509.Name(
[
x509.NameAttribute(NameOID.COMMON_NAME, hostname),
]
)
cert = (
x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(issuer)
.public_key(key.public_key())
.serial_number(x509.random_serial_number())
.not_valid_before(datetime.utcnow())
.not_valid_after(datetime.utcnow() + timedelta(days=10))
.add_extension(
x509.SubjectAlternativeName([x509.DNSName(hostname)]),
critical=False,
)
.sign(key, hashes.SHA256(), default_backend())
)
return cert, key
def _generate_pem_cert_and_key(cn=None):
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn or '127.0.0.1')])
now = datetime.datetime.utcnow()
cert = (x509.CertificateBuilder().
subject_name(name).
issuer_name(name).
public_key(key.public_key()).
serial_number(1000).
not_valid_before(now).
not_valid_after(now + datetime.timedelta(days=1)).
sign(key, hashes.SHA256(), default_backend()))
cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM)
key_pem = key.private_bytes(encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption())
return cert_pem, key_pem
def new_cert_request(names, key, must_staple=False):
primary_name = x509.Name([
x509.NameAttribute(
NameOID.COMMON_NAME, names[0].decode('utf-8') if getattr(
names[0], 'decode', None) else names[0])
])
all_names = x509.SubjectAlternativeName([
x509.DNSName(
name.decode('utf-8') if getattr(name, 'decode', None) else name)
for name in names
])
req = x509.CertificateSigningRequestBuilder()
req = req.subject_name(primary_name)
req = req.add_extension(all_names, critical=False)
if must_staple:
if getattr(x509, 'TLSFeature', None):
req = req.add_extension(
x509.TLSFeature(features=[x509.TLSFeatureType.status_request]),
critical=False)
else:
log('OCSP must-staple ignored as current version of cryptography does not support the flag.',
warning=True)
req = req.sign(key, hashes.SHA256(), default_backend())
return req
def test_sign_multiple_extensions_critical(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
ian = x509.IssuerAlternativeName(
[x509.UniformResourceIdentifier("https://cryptography.io")])
crl_number = x509.CRLNumber(13)
builder = (x509.CertificateRevocationListBuilder().issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, "cryptography.io CA")
])).last_update(last_update).next_update(
next_update).add_extension(crl_number,
False).add_extension(ian, True))
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert len(crl) == 0
assert len(crl.extensions) == 2
ext1 = crl.extensions.get_extension_for_class(x509.CRLNumber)
assert ext1.critical is False
assert ext1.value == crl_number
ext2 = crl.extensions.get_extension_for_class(
x509.IssuerAlternativeName)
assert ext2.critical is True
assert ext2.value == ian
def test_freshestcrl_extension(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
freshest = x509.FreshestCRL([
x509.DistributionPoint([
x509.UniformResourceIdentifier(u"http://d.om/delta"),
], None, None, None)
])
builder = x509.CertificateRevocationListBuilder().issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
])).last_update(last_update).next_update(
next_update).add_extension(freshest, False)
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert len(crl) == 0
assert len(crl.extensions) == 1
ext1 = crl.extensions.get_extension_for_class(x509.FreshestCRL)
assert ext1.critical is False
assert isinstance(ext1.value[0], x509.DistributionPoint)
uri = ext1.value[0].full_name[0]
assert isinstance(uri, x509.UniformResourceIdentifier)
assert uri.value == u"http://d.om/delta"
def test_aware_next_update(self, backend):
next_time = datetime.datetime(2022, 1, 16, 22, 43)
tz = pytz.timezone("US/Pacific")
next_time = tz.localize(next_time)
utc_next = datetime.datetime(2022, 1, 17, 6, 43)
last_time = datetime.datetime(2012, 1, 17, 6, 43)
private_key = RSA_KEY_2048.private_key(backend)
builder = (
x509.CertificateRevocationListBuilder()
.issuer_name(
x509.Name(
[
x509.NameAttribute(
NameOID.COMMON_NAME, "cryptography.io CA"
)
]
)
)
.last_update(last_time)
.next_update(next_time)
)
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert crl.next_update == utc_next
def test_certificate(self):
private_key = ec.generate_private_key(ALGORITHM.EC_P256.to_curve(),
default_backend())
name = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME,
u"Test Certificate")
])
one_day = datetime.timedelta(1, 0, 0)
certificate = (x509.CertificateBuilder(
).subject_name(name).issuer_name(name).not_valid_before(
datetime.datetime.today() -
one_day).not_valid_after(datetime.datetime.today() +
one_day).serial_number(int(
uuid.uuid4())).public_key(
private_key.public_key()).sign(
private_key, hashes.SHA256(),
default_backend()))
certobj = Opaque.put_certificate(self.session, 0,
"Test certificate Opaque", 1,
CAPABILITY.NONE, certificate)
self.assertEqual(certificate, certobj.get_certificate())
certobj.delete()
def renew(conn, cert_id, pkey, sn, cn):
print("Trying to renew certificate")
new_request = CertificateRequest(cert_id=cert_id, )
# TODO change back to True when support for renew with csr use is deployed.
conn.renew_cert(new_request, reuse_key=False)
time.sleep(5)
t = time.time()
while time.time() - t < 300:
new_cert = conn.retrieve_cert(new_request)
if new_cert:
break
else:
time.sleep(5)
f = open("./renewed_cert.pem", "w")
f.write(new_cert.full_chain)
f.close()
cert = x509.load_pem_x509_certificate(new_cert.cert.encode(),
default_backend())
assert isinstance(cert, x509.Certificate)
assert cert.subject.get_attributes_for_oid(
NameOID.COMMON_NAME) == [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
assert cert.serial_number != sn
private_key = serialization.load_pem_private_key(pkey.encode(),
password=None,
backend=default_backend())
private_key_public_key_pem = private_key.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
public_key_pem = cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
# TODO this assertion only works when the reuse key is set to true in the renew method
# assert private_key_public_key_pem == public_key_pem
return cert
def setup_certificate(workspace):
"""Generate a self-signed certificate for nginx.
:param workspace: path of folder where to put the certificate
:return: tuple containing the key path and certificate path
:rtype: `tuple`
"""
# Generate key
# See comment on cryptography import about type: ignore
private_key = rsa.generate_private_key( # type: ignore
public_exponent=65537,
key_size=2048,
backend=default_backend())
subject = issuer = x509.Name(
[x509.NameAttribute(x509.NameOID.COMMON_NAME, u'nginx.wtf')])
certificate = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(
private_key.public_key()).serial_number(1).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=1)).sign(private_key,
hashes.SHA256(),
default_backend())
key_path = os.path.join(workspace, 'cert.key')
with open(key_path, 'wb') as file_handle:
file_handle.write(
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()))
cert_path = os.path.join(workspace, 'cert.pem')
with open(cert_path, 'wb') as file_handle:
file_handle.write(certificate.public_bytes(serialization.Encoding.PEM))
return key_path, cert_path
def test_request(self, name):
cn = '{0}.example.com'.format(name)
# Provide python27 compatibility
if not isinstance(cn, text_type):
cn = cn.decode()
ret = self.run_run_plus(fun='venafi.request',
minion_id=cn,
dns_name=cn,
key_password='******',
zone='fake')
cert_output = ret['return'][0]
assert cert_output is not None, 'venafi_certificate not found in `output_value`'
cert = x509.load_pem_x509_certificate(cert_output.encode(),
default_backend())
assert isinstance(cert, x509.Certificate)
assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
x509.NameAttribute(NameOID.COMMON_NAME, cn)
]
pkey_output = ret['return'][1]
assert pkey_output is not None, 'venafi_private key not found in output_value'
pkey = serialization.load_pem_private_key(pkey_output.encode(),
password=b'secretPassword',
backend=default_backend())
pkey_public_key_pem = pkey.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
cert_public_key_pem = cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
assert pkey_public_key_pem == cert_public_key_pem
def gen_csr(
csr_key: RSAPrivateKey,
common_name: str = "some.engineering",
san_dns_names: Optional[List[str]] = None,
san_ip_addresses: Optional[List[str]] = None,
include_loopback: bool = True,
) -> CertificateSigningRequest:
if san_dns_names is None:
san_dns_names = get_local_hostnames(include_loopback=include_loopback,
args=ArgumentParser.args)
if san_ip_addresses is None:
san_ip_addresses = get_local_ip_addresses(
include_loopback=include_loopback, args=ArgumentParser.args)
csr_build = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
if len(san_dns_names) + len(san_ip_addresses) > 0:
csr_build = csr_build.add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(n) for n in san_dns_names] +
[x509.IPAddress(make_ip(i)) for i in san_ip_addresses]),
critical=
False, # Optional extensions are not critical if unsupported
)
return csr_build.sign(csr_key, hashes.SHA256(), default_backend())
def _generate_ca_cert(self):
"""
Generate a CA cert/key.
"""
if self._ca_key is None:
self._ca_key = generate_private_key(u'rsa')
self._ca_name = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, u'ACME Snake Oil CA')])
self._ca_cert = (
x509.CertificateBuilder().subject_name(self._ca_name).issuer_name(
self._ca_name).not_valid_before(self._now() -
timedelta(seconds=3600)).
not_valid_after(self._now() + timedelta(days=3650)).public_key(
self._ca_key.public_key()).serial_number(int(
uuid4())).add_extension(
x509.BasicConstraints(ca=True, path_length=0),
critical=True).add_extension(
x509.SubjectKeyIdentifier.from_public_key(
self._ca_key.public_key()),
critical=False).sign(private_key=self._ca_key,
algorithm=hashes.SHA256(),
backend=default_backend()))
self._ca_aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
self._ca_key.public_key())
def generate(fqdn, write_dir, key_length, mode, owner_uid, group_gid):
"""Generate a key and CSR for headless operation.
The private key is written out to the provided directory and
the CSR is returned as a PEM encoded string.
"""
public_exp = 65537
priv_key = rsa.generate_private_key(public_exponent=public_exp,
key_size=key_length,
backend=default_backend())
for key_filename in (KEY_FILENAME, PKCS8_KEY_FILENAME):
key_format = KEY_FILENAME_TO_FORMAT.get(key_filename)
if not key_format:
raise GenerationError(
'Invalid key format for file {}'.format(key_filename))
priv_key_filepath = os.path.join(write_dir, key_filename)
try:
with open(priv_key_filepath, 'w') as keyfile:
keyfile.write(
priv_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=key_format,
encryption_algorithm=serialization.NoEncryption()))
os.chmod(priv_key_filepath, mode)
os.chown(priv_key_filepath, owner_uid, group_gid)
except IOError:
raise GenerationError('Error writing key file {}'.format(keyfile))
builder = x509.CertificateSigningRequestBuilder()
common_name = x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, six.u(fqdn))
builder = builder.subject_name(x509.Name([common_name]))
builder = builder.add_extension(x509.BasicConstraints(ca=False,
path_length=None),
critical=True)
csr = builder.sign(priv_key, hashes.SHA256(), default_backend())
csr_pem_encoded = csr.public_bytes(serialization.Encoding.PEM)
return csr_pem_encoded
def create_test_cert(path,
path_key,
private_key_CA,
CA_subject,
test_subj_dict,
serialization_format=serialization.Encoding.PEM,
time_begin=datetime.datetime.now(),
time_delta=datetime.timedelta(days=10)):
'''Creating test cert
test_subj_dict = {'Country':u'UK', etc}'''
Test_subject = [
x509.NameAttribute(NameOID.COUNTRY_NAME, test_subj_dict['Country']),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,
test_subj_dict['State']),
x509.NameAttribute(NameOID.LOCALITY_NAME, test_subj_dict['Locality']),
x509.NameAttribute(NameOID.ORGANIZATION_NAME,
test_subj_dict['Organization']),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,
test_subj_dict['OU']),
x509.NameAttribute(NameOID.COMMON_NAME, test_subj_dict['CN'])
]
private_test_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
public_test_key = private_test_key.public_key()
test_cert = x509.CertificateBuilder().subject_name(x509.Name(Test_subject))
test_cert = test_cert.issuer_name(x509.Name(CA_subject))
test_cert = test_cert.public_key(public_test_key)
test_cert = test_cert.serial_number(x509.random_serial_number())
test_cert = test_cert.not_valid_before(time_begin)
test_cert = test_cert.not_valid_after(time_begin + time_delta)
test_cert = test_cert.sign(private_key_CA, hashes.SHA256(),
default_backend())
with open(path_key, 'wb') as f:
f.write(
private_test_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(
b"test")))
with open(path, 'wb') as TestCert:
TestCert.write(test_cert.public_bytes(serialization_format))
return private_test_key, test_cert
def generate_node_certificates(private_key, public_key):
today = datetime.datetime.today()
one_day = datetime.timedelta(1, 0, 0)
address = node_public_address(public_key)
builder = x509.CertificateBuilder()
builder = builder.not_valid_before(today)
# TODO: Where's documentation of the decision to make keys valid for 1 year only?
builder = builder.not_valid_after(today + 365 * one_day)
issuer = x509.Name(
[
x509.NameAttribute(x509.NameOID.COUNTRY_NAME, "US"),
x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, "CA"),
x509.NameAttribute(x509.NameOID.LOCALITY_NAME, "San-Diego"),
x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, "CasperLabs, LLC"),
x509.NameAttribute(x509.NameOID.ORGANIZATIONAL_UNIT_NAME, "IT Department"),
x509.NameAttribute(x509.NameOID.COMMON_NAME, address),
]
)
builder = builder.issuer_name(issuer)
builder = builder.subject_name(issuer)
builder = builder.public_key(public_key)
builder = builder.serial_number(x509.random_serial_number())
ski = x509.SubjectKeyIdentifier.from_public_key(public_key)
builder = builder.add_extension(ski, critical=False)
builder = builder.add_extension(
x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski),
critical=False,
)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None), critical=True
)
certificate = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()
)
cert_pem = certificate.public_bytes(encoding=serialization.Encoding.PEM)
key_pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
return cert_pem, key_pem
def create_CA(path, path_key, CA_subj_dict):
'''Creating CA
dirpath - path to directory, where CA will be placed
CA_subj_dict - dict, like this CA_subj_dict={'Country':u'PL', ...}'''
private_key_CA = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
public_key_CA = private_key_CA.public_key()
with open(path_key, 'wb') as f:
f.write(
private_key_CA.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(
b"password")))
CA_subject = [
x509.NameAttribute(NameOID.COUNTRY_NAME, CA_subj_dict['Country']),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,
CA_subj_dict['State']),
x509.NameAttribute(NameOID.LOCALITY_NAME, CA_subj_dict['Locality']),
x509.NameAttribute(NameOID.ORGANIZATION_NAME,
CA_subj_dict['Organization']),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,
CA_subj_dict['OU']),
x509.NameAttribute(NameOID.COMMON_NAME, CA_subj_dict['CN'])
]
CA_cert = x509.CertificateBuilder().subject_name(x509.Name(CA_subject))
CA_cert = CA_cert.issuer_name(x509.Name(CA_subject))
CA_cert = CA_cert.public_key(public_key_CA)
CA_cert = CA_cert.serial_number(x509.random_serial_number())
CA_cert = CA_cert.not_valid_before(datetime.datetime.utcnow())
CA_cert = CA_cert.not_valid_after(datetime.datetime.utcnow() +
datetime.timedelta(days=10))
CA_cert = CA_cert.add_extension(x509.BasicConstraints(ca=True,
path_length=None),
critical=True)
CA_cert = CA_cert.sign(private_key_CA, hashes.SHA256(), default_backend())
with open(path, 'wb') as CAcert:
CAcert.write(CA_cert.public_bytes(serialization.Encoding.PEM))
return private_key_CA, CA_subject, CA_cert
def generateCSR(username, key, country_name, state_name, locality_name,
organization_name, unit_name, common_name):
csr = x509.CertificateSigningRequestBuilder()
csr = csr.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, country_name),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state_name),
x509.NameAttribute(NameOID.LOCALITY_NAME, locality_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, unit_name),
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
]))
csr = csr.sign(key, hashes.SHA256(), default_backend())
path = getUserFilePath(username, 'csr')
with open(path, 'wb') as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
return csr.public_bytes(serialization.Encoding.PEM).decode()
