def gen_certificate(self, key, common_name, issuer=None, sign_key=None):
"""generate a certificate with cryptography"""
now = datetime.datetime.utcnow()
certificate = x509.CertificateBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
])
).issuer_name(
x509.Name([
x509.NameAttribute(
NameOID.COMMON_NAME,
issuer or common_name
)
])
).not_valid_before(
now
).not_valid_after(
now + datetime.timedelta(seconds=86400)
).serial_number(
x509.random_serial_number()
).public_key(
key.public_key()
).add_extension(
x509.BasicConstraints(ca=True, path_length=0), critical=True
).sign(
private_key=sign_key or key,
algorithm=hashes.SHA256(),
backend=default_backend()
)
return certificate
def sns_certificate(sns_privatekey, sns_publickey):
one_day = datetime.timedelta(1, 0, 0)
private_key = load_pem_private_key(
sns_privatekey, password=None, backend=default_backend()
)
public_key = load_pem_public_key(sns_publickey, backend=default_backend())
builder = x509.CertificateBuilder()
builder = builder.subject_name(
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sns.amazonaws.com")])
)
builder = builder.issuer_name(
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sns.amazonaws.com")])
)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + one_day)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.SubjectAlternativeName([x509.DNSName("sns.amazonaws.com")]), critical=False
)
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True
)
cert = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()
)
return cert.public_bytes(Encoding.PEM)
def generate_certificate(hostname):
"""
Generate self-signed certificate for some DNS name.
The certificate is valid for 100 days from moment of generation.
:param hostname: DNS name (str|unicode)
"""
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
if isinstance(hostname, bytes):
hostname = hostname.decode()
subject = issuer = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, hostname)]
)
cert = x509.CertificateBuilder()
cert = cert.subject_name(subject).issuer_name(issuer).public_key(
key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.utcnow()
).not_valid_after(
datetime.utcnow() + timedelta(days=100)
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(hostname)]),
critical=False
).sign(key, hashes.SHA256(), default_backend())
return cert.public_bytes(serialization.Encoding.PEM).decode()
def from_key(cls, private_key, project_id):
""" Creates a new certificate from a private key.
Args:
private_key: An RSAPrivateKey.
project_id: A string specifying the project ID.
Returns:
A PublicCertificate.
"""
# NameAttribute requires unicode objects in Python 2.
if not isinstance(project_id, six.text_type):
project_id = six.u(project_id)
subject = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, project_id)])
issuer = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, u'AppScale')])
cert = x509.CertificateBuilder().\
subject_name(subject).\
issuer_name(issuer).\
public_key(private_key.key.public_key()).\
serial_number(x509.random_serial_number()).\
not_valid_before(datetime.datetime.utcnow()).\
not_valid_after(datetime.datetime.utcnow() + CERTIFICATE_TTL).\
sign(private_key.key, hashes.SHA256(), default_backend())
return cls(private_key.key_name, cert)
def create_ca(self, cn=ISSUER_CN):
"""Create root CA.
:returns: bytes -- Root CA in PEM format.
"""
self.ca_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
self.ca_public_key = self.ca_key.public_key()
subject = self.issuer = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, six.text_type(cn)),
])
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
builder = builder.issuer_name(self.issuer)
builder = builder.public_key(self.ca_public_key)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.not_valid_before(self.now)
builder = builder.not_valid_after(self.now + self.delta)
builder = builder.add_extension(
x509.KeyUsage(
digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False,
),
critical=True,
)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True,
)
builder = builder.add_extension(
x509.SubjectKeyIdentifier.from_public_key(self.ca_public_key),
critical=False,
)
builder = builder.add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(
self.ca_public_key
),
critical=False,
)
cert = builder.sign(self.ca_key, hashes.SHA256(), default_backend())
return cert.public_bytes(serialization.Encoding.PEM)
def create_root_certificate(self, passphrase):
"""
Create self signed Root CA Certificate
:param passphrase: Private key pass phrase
:return:
"""
node = self._node
key = self.private_key(passphrase)
subject = issuer = x509.Name(subject_string(node))
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
builder = builder.issuer_name(issuer)
builder = builder.public_key(key.public_key())
builder = builder.serial_number(x509.random_serial_number())
builder = builder.not_valid_before(datetime.datetime.utcnow())
builder = builder.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=randint(7000, 15000)))
builder = builder.add_extension(x509.SubjectAlternativeName(subject_alt_name_string(node)), critical=False, )
builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
builder = builder.add_extension(x509.KeyUsage(digital_signature=node.key_usage['digital_signature'],
content_commitment=node.key_usage['content_commitment'],
key_encipherment=node.key_usage['key_encipherment'],
data_encipherment=node.key_usage['data_encipherment'],
key_agreement=node.key_usage['key_agreement'],
key_cert_sign=node.key_usage['key_cert_sign'],
crl_sign=node.key_usage['crl_sign'],
encipher_only=node.key_usage['encipher_only'],
decipher_only=node.key_usage['decipher_only']), critical=True)
builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True, )
if self._key_length == 256:
self.certificate = builder.sign(key, hashes.SHA256(), default_backend())
elif self._key_length == 384:
self.certificate = builder.sign(key, hashes.SHA384(), default_backend())
else:
raise ValueError
def sign_csr(self, ipa_csr, path_length=1):
"""Sign certificate CSR.
:param ipa_csr: CSR in PEM format.
:type ipa_csr: bytes.
:returns: bytes -- Signed CA in PEM format.
"""
csr_tbs = x509.load_pem_x509_csr(ipa_csr, default_backend())
csr_public_key = csr_tbs.public_key()
csr_subject = csr_tbs.subject
builder = x509.CertificateBuilder()
builder = builder.public_key(csr_public_key)
builder = builder.subject_name(csr_subject)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.issuer_name(self.issuer)
builder = builder.not_valid_before(self.now)
builder = builder.not_valid_after(self.now + self.delta)
builder = builder.add_extension(
x509.KeyUsage(
digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False,
),
critical=True,
)
builder = builder.add_extension(
x509.SubjectKeyIdentifier.from_public_key(csr_public_key),
critical=False,
)
builder = builder.add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(
self.ca_public_key
),
critical=False,
)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=path_length),
critical=True,
)
cert = builder.sign(
private_key=self.ca_key,
algorithm=hashes.SHA256(),
backend=default_backend(),
)
return cert.public_bytes(serialization.Encoding.PEM)
def from_csr(cls, csr: "x509CertSignReq", key: PrivateKey,
issuer: "x509Cert" = None,
not_valid_before: datetime.datetime = None,
not_valid_after: datetime.datetime = None,
serial_number: int = None, is_ca: bool = False):
issuer = issuer or csr # type: x509Base
private_key = serialization.load_der_private_key(
key.to_bytes(encoding=EncodingType.DER),
None,
default_backend()
)
builder = x509.CertificateBuilder().subject_name(
csr._x509_obj.subject
).issuer_name(
issuer._x509_obj.subject
).public_key(
csr._x509_obj.public_key()
).not_valid_before(
not_valid_before or datetime.datetime.today()
).not_valid_after(
# TODO: Will probably want this to max out at the issuer's
# TODO: not_valid_after value (if provided)
not_valid_after or (
datetime.datetime.today() + datetime.timedelta(days=365 * 2))
).serial_number(
serial_number or x509.random_serial_number()
)
# Load Extensions
for e in csr._x509_obj.extensions:
builder = builder.add_extension(
e.value,
critical=e.critical
)
if is_ca:
builder = builder.add_extension(
x509.BasicConstraints(True, None),
critical=True
)
# Sign and Return a New x509Cert Instance containing the new Cert.
cert = builder.sign(private_key, hashes.SHA256(), default_backend())
crt_bytes = cert.public_bytes(EncodingType.DER)
return cls(data=crt_bytes)
def access_keys():
access_key_data = request.get_json()
identity = access_key_data['identity']
csr_data = base64.decodebytes(access_key_data['csr'].encode())
signature = base64.decodebytes(access_key_data['signature'].encode())
key_string = database_functions.get_key(DATABASE_FILE, identity)
# ...and we need to restore the key to the full PEM format that the RSA functions are expecting.
restored_key = KeyEx_helpers.fixkey(key_string)
# Now we can import that restored key string into a full RSA key object, get the SAH256 hash for the
# message (the device ID), and create a verifier object to check the signature...
pbkey = serialization.load_pem_public_key(restored_key.encode(), backend=default_backend())
# Validate that the signature is valid for the csr_data signed by this device...
try:
pbkey.verify(signature, csr_data,
padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH),
hashes.SHA256())
# We're okay – so sign it...
with open(CA_KEY, 'rb') as f:
ca_key_data = f.read()
ca_key = serialization.load_pem_private_key(ca_key_data, b'rabbit', default_backend())
csr = x509.load_pem_x509_csr(csr_data, default_backend())
with open(CA_CRT, 'rb') as f:
ca_crt_data = f.read()
ca_crt = x509.load_pem_x509_certificate(ca_crt_data, default_backend())
if isinstance(csr.signature_hash_algorithm, hashes.SHA256):
cert = x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_crt.issuer).public_key\
(csr.public_key()).serial_number(x509.random_serial_number()).not_valid_before\
(datetime.datetime.utcnow()).not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365))\
.sign(ca_key, hashes.SHA256(), default_backend())
return_data = {'certificate': base64.encodebytes(cert.public_bytes(serialization.Encoding.PEM)).decode(),
'CA_certificate': base64.encodebytes(ca_crt_data).decode()}
rv = KeyExReturn.OK(json.dumps(return_data))
return rv()
except (InvalidSignature, ValueError, TypeError) as e:
rv = KeyExReturn.CSRVerificationError()
return rv()
def _create_dummy_cert():
key = ec.generate_private_key(ec.SECP384R1(), default_backend())
subject = issuer = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(x509.oid.NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(x509.oid.NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, u"mysite.com"),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=10)).sign(key, hashes.SHA256(),
default_backend())
return cert
def make_cert(netid, pubkey, ca_key = ECE422_CA_KEY, serial=x509.random_serial_number()):
builder = x509.CertificateBuilder()
builder = builder.not_valid_before(datetime.datetime(2017, 3, 1))
builder = builder.not_valid_after (datetime.datetime(2017, 3,27))
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, unicode(netid)),
x509.NameAttribute(NameOID.PSEUDONYM, u'unused'),
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
]))
builder = builder.issuer_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'ece422'),
]))
builder = builder.serial_number(serial)
builder = builder.public_key(pubkey)
cert = builder.sign(private_key=ECE422_CA_KEY, algorithm=hashes.MD5(), backend=default_backend())
return cert
def sign_cert():
"""
csr - PEM-format Certificate Signing Request
Needs to have the field Organization Name filled
"""
if not request.files.get(key="csr"):
abort(400)
try:
csr = x509.load_pem_x509_csr(request.files["csr"].stream.read())
except ValueError:
logging.info("Invalid CSR")
abort(415)
# Check if has organization name
org = csr.subject.get_attributes_for_oid(
NameOID.ORGANIZATION_NAME)[0].value
if org is None:
abort(415)
# Sign
cert = x509.CertificateBuilder() \
.subject_name(csr.subject) \
.issuer_name(CA_CERT.subject) \
.public_key(csr.public_key()) \
.serial_number(x509.random_serial_number()) \
.not_valid_before(datetime.datetime.utcnow()) \
.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=SIGNED_VALIDITY)) \
.sign(PRIV_KEY, hashes.SHA256())
# Easier to sign (expensive operation) more certificates and then discard them than
# to sign only one at a time due to possible colisions
output = b""
with CERT_LOCK:
# Check if there isn't another issued certificate for same organization
path = os.path.join(PATH_SIGNED, org + ".cert")
if os.path.isfile(path):
abort(409)
# Save certificate
output = cert.public_bytes(serialization.Encoding.PEM)
with open(path, "wb") as f:
f.write(output)
return output.decode("ascii")
def _gen_cryptography():
import datetime
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID
one_day = datetime.timedelta(1, 0, 0)
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(
x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, socket.gethostname())]))
builder = builder.issuer_name(
x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, socket.gethostname())]))
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() +
(one_day * 365 * 5))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
builder = builder.add_extension(x509.SubjectAlternativeName([
x509.DNSName(socket.gethostname()),
x509.DNSName('*.%s' % socket.gethostname()),
x509.DNSName('localhost'),
x509.DNSName('*.localhost'),
]),
critical=False)
builder = builder.add_extension(x509.BasicConstraints(ca=False,
path_length=None),
critical=True)
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend())
return (certificate.public_bytes(serialization.Encoding.PEM),
private_key.private_bytes(serialization.Encoding.PEM,
serialization.PrivateFormat.PKCS8,
serialization.NoEncryption()))
def generate_certs(path, days=3652, key_size=2048, separate_key=False):
# DO NOT USE THIS FOR ANYTHING PRODUCTION RELATED, EVER!
# Generate private key
# 2048 is the minimum that works as of 3.9
key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
key_file = "key.pem" if separate_key else "cert.pem"
key_path = Path(path).joinpath(key_file)
with open(key_path, "ab") as f:
f.write(
key.private_bytes(
encoding=serialization.Encoding.PEM,
encryption_algorithm=serialization.NoEncryption(),
format=serialization.PrivateFormat.TraditionalOpenSSL))
log.debug(f"Private key written to {key_path}")
# Generate public certificate
hostname = socket.gethostname()
ip = socket.gethostbyname(hostname)
subject = Name([NameAttribute(NameOID.COMMON_NAME, "smtpdfix_cert")])
alt_names = [
DNSName("localhost"),
DNSName("localhost.localdomain"),
DNSName(hostname),
IPAddress(ip_address("127.0.0.1")),
IPAddress(ip_address("0.0.0.1")),
IPAddress(ip_address("::1")),
IPAddress(ip_address(ip)),
]
cert = (CertificateBuilder().issuer_name(subject).subject_name(
subject).serial_number(random_serial_number()).not_valid_before(
datetime.utcnow()).not_valid_after(datetime.utcnow() + timedelta(
days=days)).add_extension(
SubjectAlternativeName(alt_names),
critical=False).public_key(key.public_key()).add_extension(
BasicConstraints(ca=False, path_length=None),
critical=True).add_extension(
ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH
]),
critical=True).sign(private_key=key,
algorithm=hashes.SHA256()))
cert_path = Path(path).joinpath("cert.pem")
with open(cert_path, "ab") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
log.debug(f"Certificate written to {cert_path}")
def create_self_signed_cert(key_path="./data/key.pem", cert_path="./data/cert.pem"):
logging.info('Creating self-signed certificate')
key = rsa.generate_private_key(
public_exponent=65537,
key_size=4096,
backend=default_backend()
)
with open(key_path, "wb") as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
))
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
])
cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
# Our certificate will be valid for 9999 days
datetime.datetime.utcnow() + datetime.timedelta(days=9999)
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"localhost")]),
critical=False,
# Sign our certificate with our private key
).sign(key, hashes.SHA256(), default_backend())
with open(cert_path, "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
logging.info(f"Self-signed certificate written to {key_path} and {cert_path}")
def generate_certificat_auto_sign():
""" Cette fonction permet de générer un certificat auto-signé, il ne prend aucun paramètre,
elle retoune un certificat.
=====================================================
Exemple :
certificat = generate_certificat_auto_sign()
"""
contry_name = input(
"Entrer le nom de votre pays : [Ex. CM, pour Cameroun] : ")
city_name = input(
"Entrer le nom de l'État ou de la province : [Ex. Centre] : ")
locality_name = input("Entrer le nom de votre ville : [Ex. Yaoundé] : ")
organi_name = input("Entrer le nom de votre organisation : [Ex. ITS] : ")
common_name = input("Entrer le nom de votre section : [Ex. SECURITÉ] : ")
nom_domaine = input("Entrer le nom de domaine : [Ex. groupits.cm] : ")
key, private, public = generate_keys_rsa()
# Generation de CSR(Certificate Signing Request)
# Divers détails sur qui nous sommes. Pour un certificat auto-signé, le sujet et l'émetteur sont toujours les mêmes
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, contry_name),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, city_name),
x509.NameAttribute(NameOID.LOCALITY_NAME, locality_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, organi_name),
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
# notre certificate sera valide pour 10 jours
datetime.datetime.utcnow() +
datetime.timedelta(days=30)).add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(nom_domaine)]),
critical=False,
# Signer notre certificat avec notre clé privé
).sign(key, hashes.SHA256(), default_backend())
certif = cert.public_bytes(serialization.Encoding.PEM)
return certif
def make_tls_cert(hostname):
# type: (str) -> Tuple[x509.Certificate, rsa.RSAPrivateKey]
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, hostname),
])
cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.utcnow()).not_valid_after(
datetime.utcnow() + timedelta(days=10)).add_extension(
x509.SubjectAlternativeName([x509.DNSName(hostname)]),
critical=False,
).sign(key, hashes.SHA256(), default_backend()))
return cert, key
def create_ca(
organization: str,
cn: str,
key_size: int,
) -> Tuple[rsa.RSAPrivateKeyWithSerialization, x509.Certificate]:
now = datetime.datetime.now()
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
) # type: ignore
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, cn),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization)
])
builder = x509.CertificateBuilder()
builder = builder.serial_number(x509.random_serial_number())
builder = builder.subject_name(name)
builder = builder.not_valid_before(now - datetime.timedelta(days=2))
builder = builder.not_valid_after(now + CA_EXPIRY)
builder = builder.issuer_name(name)
builder = builder.public_key(private_key.public_key())
builder = builder.add_extension(x509.BasicConstraints(ca=True,
path_length=None),
critical=True)
builder = builder.add_extension(x509.ExtendedKeyUsage(
[ExtendedKeyUsageOID.SERVER_AUTH]),
critical=False)
builder = builder.add_extension(x509.KeyUsage(
digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False,
),
critical=True)
builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(
private_key.public_key()),
critical=False)
cert = builder.sign(private_key=private_key,
algorithm=hashes.SHA256()) # type: ignore
return private_key, cert
def _create_certificate(self, keys, certificate_data_to_create):
"""
Create certificate and sign it.
Args:
keys (bytes): RSA private and public key
certificate_data_to_create (dict)
Returns:
Signed certificate object.
"""
private_key, public_key = keys
subject = issuer = self._create_subject(certificate_data_to_create)
if 'validity_after' in certificate_data_to_create:
not_valid_before = datetime.utcnow() + timedelta(
days=certificate_data_to_create.get('validity_after'))
else:
not_valid_before = datetime.utcnow()
if 'validity' in certificate_data_to_create:
not_valid_after = not_valid_before + timedelta(
days=certificate_data_to_create.get('validity'))
else:
not_valid_after = not_valid_before + timedelta(days=365)
certificate_builder = X509CertificateBuilder(
private_key=private_key_der_to_object(private_key),
issuer_name=issuer,
subject_name=subject,
public_key=public_key_der_to_object(public_key),
serial_number=x509.random_serial_number(),
not_valid_before=not_valid_before,
not_valid_after=not_valid_after,
)
certificate = certificate_builder.sign(
private_key=certificate_builder.private_key,
algorithm=hashes.SHA256(),
backend=default_backend(),
)
certificate.private_key = certificate_builder.private_key
return certificate
def setUp(self):
super(ApiSslServerTestBase, self).setUp()
key = rdf_crypto.RSAPrivateKey.GenerateKey()
key_path = os.path.join(self.temp_dir, "key.pem")
with open(key_path, "wb") as f:
f.write(key.AsPEM())
subject = issuer = x509.Name([
x509.NameAttribute(oid.NameOID.COMMON_NAME, u"localhost"),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.GetPublicKey().GetRawPublicKey()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=1)).add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(u"localhost")]),
critical=False,
).sign(key.GetRawPrivateKey(), hashes.SHA256(),
backends.default_backend())
self.cert_path = os.path.join(self.temp_dir, "certificate.pem")
with open(self.cert_path, "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
config_overrider = test_lib.ConfigOverrider({
"AdminUI.enable_ssl": True,
"AdminUI.ssl_key_file": key_path,
"AdminUI.ssl_cert_file": self.cert_path,
})
config_overrider.Start()
self.addCleanup(config_overrider.Stop)
self.port = portpicker.pick_unused_port()
thread = wsgiapp_testlib.ServerThread(self.port, name="ApiSslServerTest")
thread.StartAndWaitUntilServing()
self.addCleanup(thread.Stop)
api_auth_manager.APIACLInit.InitApiAuthManager()
self.token.username = "******"
webauth.WEBAUTH_MANAGER.SetUserName(self.token.username)
self.endpoint = "https://localhost:%s" % self.port
def create_cert(self, RSA_private_key):
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.COMMON_NAME, u"Bo Hui"),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(
self.RSA_private_key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=30)).sign(
private_key=RSA_private_key,
algorithm=hashes.SHA256(),
backend=default_backend()).public_bytes(
Encoding.PEM)
return cert
def generate_x509(key_type, key_scope, key_format='der'):
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID
import datetime
from cryptography.hazmat.primitives import serialization
public_key, private_key = get_keys( key_type, key_scope, \
key_format=key_format )
subject = x509.Name([\
x509.NameAttribute(NameOID.COUNTRY_NAME, u"CA"),\
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"QC"),\
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Montreal"),\
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),\
x509.NameAttribute(NameOID.COMMON_NAME, u"www.example.com"),\
])
issuer = subject
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
builder = builder.issuer_name(issuer)
#builder.public_key( public_key.public_key() )
builder = builder.public_key(public_key)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.not_valid_before(datetime.datetime.utcnow())
builder = builder.not_valid_after(
# Our certificate will be valid for 10 days
datetime.datetime.utcnow() + datetime.timedelta(days=365 * 100))
builder = builder.add_extension(x509.SubjectAlternativeName(
[x509.DNSName(u"www.example.com")]),
critical=False)
# Sign our certificate with our private key
cert = builder.sign(private_key, hashes.SHA256(), default_backend())
# Write our certificate out to disk.
cert_file = "cert-%s-%s.%s" % (key_type, key_scope, key_format)
with open(cert_file, "wb") as f:
if key_format == 'pem':
f.write(cert.public_bytes(serialization.Encoding.PEM))
if key_format == 'der':
f.write(cert.public_bytes(serialization.Encoding.DER))
def gen_self_signed(key: rsa.RSAPrivateKey, cert_opts: Dict,
crypto_opts: Dict) -> None: # noqa
# subject / issuer
subject = issuer = _subject(cert_opts)
# init builder
builder = x509.CertificateBuilder()
# set subject and issuer
builder = builder.subject_name(subject)
builder = builder.issuer_name(issuer)
# set public key
builder = builder.public_key(key.public_key())
# set serial number
serial = x509.random_serial_number()
builder = builder.serial_number(serial)
# set expiration
now = datetime.datetime.utcnow()
days = cert_opts['days']
builder = builder.not_valid_before(now)
builder = builder.not_valid_after(now + datetime.timedelta(days=days))
# add base extensions
for is_critical, ext in _extensions(key, cert_opts):
builder = builder.add_extension(ext, critical=is_critical)
# add AuthorityKeyIdentifier extension (experimental feature)
pkey = key.public_key()
key_identifier = x509.extensions._key_identifier_from_public_key(pkey)
authority_cert_issuer = [x509.DirectoryName(issuer)]
builder = builder.add_extension(x509.AuthorityKeyIdentifier(
key_identifier, authority_cert_issuer, serial),
critical=False)
# sign the certificate
md_alg = MD_ALGS[crypto_opts['md_alg']]
crt = builder.sign(key, md_alg)
# write to file
crt_out = crypto_opts['crt_out']
with open(str(crt_out), "wb") as fp:
fp.write(crt.public_bytes(serialization.Encoding.PEM))
fp.close()
def _generate_certificate(path, keyfile=None, password=None):
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
if keyfile:
with open(path, "rb") as kf:
key_bytes = kf.read()
key = serialization.load_pem_private_key(key_bytes, password,
default_backend())
else:
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
key_bytes = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.BestAvailableEncryption(
password) if password else serialization.NoEncryption(),
)
# Various details about who we are. For a self-signed certificate the
# Subject and issuer are always the same.
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'WA'),
x509.NameAttribute(NameOID.LOCALITY_NAME, u'Redmond'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com")
])
cert = x509.CertificateBuilder().subject_name(subject) \
.issuer_name(issuer) \
.public_key(key.public_key()) \
.serial_number(x509.random_serial_number()) \
.not_valid_before(datetime.utcnow()) \
.not_valid_after(datetime.utcnow() + timedelta(days=10)) \
.sign(key, hashes.SHA256(), default_backend())
# Write the cert out to disk
with open(path, "wb") as f:
f.write(key_bytes)
f.write(cert.public_bytes(serialization.Encoding.PEM))
def create_client(common_name, ca):
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
issuer_name = x509.Name(
ca.cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME))
now = datetime.utcnow()
cert = (x509.CertificateBuilder().subject_name(name).issuer_name(
issuer_name).public_key(key.public_key()).serial_number(
x509.random_serial_number()).add_extension(
x509.BasicConstraints(ca=False, path_length=None),
critical=True).not_valid_before(now).not_valid_after(
now + timedelta(days=60)).sign(ca.key, hashes.SHA256()))
return Identity(key=key, cert=cert)
def generate_and_save(cls):
dns = conf.settings['api_host']
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=4096,
backend=default_backend())
subject = issuer = x509.Name([
NameAttribute(NameOID.COUNTRY_NAME, "US"),
NameAttribute(NameOID.ORGANIZATION_NAME, "LBRY"),
NameAttribute(NameOID.COMMON_NAME, "LBRY API"),
])
alternative_name = x509.SubjectAlternativeName([x509.DNSName(dns)])
certificate = x509.CertificateBuilder(
subject_name=subject,
issuer_name=issuer,
public_key=private_key.public_key(),
serial_number=x509.random_serial_number(),
not_valid_before=datetime.datetime.utcnow(),
not_valid_after=datetime.datetime.utcnow() +
datetime.timedelta(days=365),
extensions=[
x509.Extension(oid=alternative_name.oid,
critical=False,
value=alternative_name)
]).sign(private_key, hashes.SHA256(), default_backend())
public_certificate = certificate.public_bytes(cls.encoding).decode()
private_certificate = ssl.PrivateCertificate.load(
public_certificate,
ssl.KeyPair.load(
private_key.private_bytes(
encoding=cls.encoding,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()).decode(
), cls.filetype), cls.filetype)
auth_token = APIKey.create(seed=None, name="api")
with open(os.path.join(conf.settings.data_dir, 'auth_token'),
'wb') as f:
f.write(auth_token.secret.encode())
with open(os.path.join(conf.settings.data_dir, 'api_ssl_cert.pem'),
'wb') as f:
f.write(public_certificate.encode())
return cls(auth_token, public_certificate, private_certificate)
def rsa_ca(self, ca_key_name, ca_crt_name, sign_hash_change):
with open(ca_key_name + '.key', 'rb') as key_file:
key = serialization.load_pem_private_key(key_file.read(),
password=None,
backend=default_backend())
if sign_hash_change == 1:
algorithm = hashes.MD5()
elif sign_hash_change == 2:
algorithm = hashes.SHA1()
elif sign_hash_change == 3:
algorithm = hashes.SHA224()
elif sign_hash_change == 4:
algorithm = hashes.SHA256()
elif sign_hash_change == 5:
algorithm = hashes.SHA512()
subject = issuer = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COUNTRY_NAME, u"CN"),
x509.NameAttribute(x509.oid.NameOID.STATE_OR_PROVINCE_NAME,
u"ShaanXi"),
x509.NameAttribute(x509.oid.NameOID.LOCALITY_NAME, u"XiAN"),
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, u"LQtest"),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, u"ca"),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()
).not_valid_before(datetime.datetime.utcnow()).not_valid_after(
#设置证书有效期
datetime.datetime.utcnow() +
datetime.timedelta(days=3650)).add_extension(
extension=x509.SubjectKeyIdentifier.from_public_key(
key.public_key()),
critical=False).add_extension(
extension=x509.AuthorityKeyIdentifier.
from_issuer_public_key(key.public_key()),
critical=False).add_extension(
extension=x509.BasicConstraints(ca=True,
path_length=None),
critical=True).sign(key, algorithm,
default_backend())
with open(ca_crt_name + ".crt", "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
def _generate_certificate(path, keyfile=None, password=None):
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
if keyfile:
with open(path, "rb") as kf:
key_bytes = kf.read()
key = serialization.load_pem_private_key(key_bytes, password, default_backend())
else:
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
key_bytes = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.BestAvailableEncryption(password) if password else serialization.NoEncryption(),
)
# Various details about who we are. For a self-signed certificate the
# Subject and issuer are always the same.
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'WA'),
x509.NameAttribute(NameOID.LOCALITY_NAME, u'Redmond'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com")])
cert = x509.CertificateBuilder().subject_name(subject) \
.issuer_name(issuer) \
.public_key(key.public_key()) \
.serial_number(x509.random_serial_number()) \
.not_valid_before(datetime.utcnow()) \
.not_valid_after(datetime.utcnow() + timedelta(days=10)) \
.sign(key, hashes.SHA256(), default_backend())
# Write the cert out to disk
with open(path, "wb") as f:
f.write(key_bytes)
f.write(cert.public_bytes(serialization.Encoding.PEM))
def setUpClass(cls):
super(ApiSslServerTestBase, cls).setUpClass()
if ApiSslServerTestBase._api_set_up_done:
return
key = rdf_crypto.RSAPrivateKey.GenerateKey()
key_path = temp.TempFilePath("key.pem")
with open(key_path, "wb") as f:
f.write(key.AsPEM())
subject = issuer = x509.Name([
x509.NameAttribute(oid.NameOID.COMMON_NAME, u"localhost"),
])
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.GetPublicKey().GetRawPublicKey()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=1)).add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(u"localhost")]),
critical=False,
).sign(key.GetRawPrivateKey(), hashes.SHA256(),
backends.default_backend())
ApiSslServerTestBase.ssl_cert_path = temp.TempFilePath("certificate.pem")
with open(ApiSslServerTestBase.ssl_cert_path, "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
ApiSslServerTestBase.ssl_port = portpicker.pick_unused_port()
with test_lib.ConfigOverrider({
"AdminUI.enable_ssl": True,
"AdminUI.ssl_key_file": key_path,
"AdminUI.ssl_cert_file": ApiSslServerTestBase.ssl_cert_path,
}):
ApiSslServerTestBase._ssl_trd = wsgiapp_testlib.ServerThread(
ApiSslServerTestBase.ssl_port, name="ApiSslServerTest")
ApiSslServerTestBase._ssl_trd.StartAndWaitUntilServing()
ApiSslServerTestBase.ssl_endpoint = ("https://localhost:%s" %
ApiSslServerTestBase.ssl_port)
ApiSslServerTestBase._api_set_up_done = True
def __enter__(self):
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
subject = issuer = x509.Name(
[x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, 'localhost')])
with contextlib.ExitStack() as stack:
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
key_file = stack.enter_context(tempfile.NamedTemporaryFile())
key_file.write(
key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
key_file.flush()
cert = (x509.CertificateBuilder().subject_name(
subject).issuer_name(issuer).public_key(
key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=1)).add_extension(
x509.SubjectAlternativeName([
x509.DNSName('localhost'),
x509.DNSName('127.0.0.1'),
]),
critical=False,
).sign(key, hashes.SHA256(),
default_backend()))
cert_file = stack.enter_context(tempfile.NamedTemporaryFile())
cert_file.write(cert.public_bytes(serialization.Encoding.PEM))
cert_file.flush()
self._key_file, self._cert_file = key_file, cert_file
stack.pop_all()
return self
def ca_create(self, key):
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"CA"),
])
return x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
# Our certificate will be valid for 10 years
datetime.datetime.utcnow() +
datetime.timedelta(days=10 * 365)).add_extension(
extension=x509.BasicConstraints(ca=True,
path_length=None),
critical=True).sign(
# Sign our certificate with our private key
key,
hashes.SHA256(),
default_backend())
def generate_certificate(*, alternative_names, common_name, hash_algorithm,
key):
subject = issuer = x509.Name(
[x509.NameAttribute(x509.NameOID.COMMON_NAME, common_name)])
builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=10)))
if alternative_names:
builder = builder.add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(name) for name in alternative_names]),
critical=False,
)
cert = builder.sign(key, hash_algorithm, default_backend())
return cert, key
def create_cert(not_before, not_after):
key = rsa.generate_private_key(65537, 2048, default_backend())
subject = issuer = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(x509.oid.NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(x509.oid.NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, u"mysite.com"),
])
cert = x509.CertificateBuilder().subject_name(subject, ).issuer_name(
issuer, ).public_key(key.public_key(), ).serial_number(
x509.random_serial_number(), ).not_valid_before(
not_before, ).not_valid_after(not_after, ).sign(
key, hashes.SHA256(), default_backend())
return cert
def test_generate_crl(ca_cert, ca_key):
revoked_certs = [
x509.RevokedCertificateBuilder() \
.revocation_date(time=datetime.datetime.today()) \
.serial_number(x509.random_serial_number()) \
.build(default_backend()) for x in range(10)
]
crl = generate_crl(ca_cert, ca_key, revoked_certs[0])
crl2 = generate_crl(ca_cert, ca_key, *revoked_certs)
assert crl[0].serial_number == revoked_certs[0].serial_number
assert all([
c.serial_number == r.serial_number
for c, r in zip(crl2, revoked_certs)
])
def generate_ec_certificate(curve):
key = ec.generate_private_key(backend=default_backend(), curve=curve)
subject = issuer = x509.Name(
[x509.NameAttribute(x509.NameOID.COMMON_NAME, "example.com")]
)
cert = (
x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(issuer)
.public_key(key.public_key())
.serial_number(x509.random_serial_number())
.not_valid_before(datetime.datetime.utcnow())
.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10))
.sign(key, hashes.SHA256(), default_backend())
)
return cert, key
def generate_ca(common_name):
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)] +
COMMON_SUBJECT_ATTRIB)
certificate = (x509.CertificateBuilder().subject_name(name).issuer_name(
name).not_valid_before(datetime.datetime.today() - datetime.timedelta(
days=1)).not_valid_after(
datetime.datetime.today() +
datetime.timedelta(days=365)).serial_number(
x509.random_serial_number()).public_key(
private_key.public_key()).add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True).sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend()))
return certificate, private_key
def _create_x509_certificate(key_der, subject_name): #type(Union[EllipticCurvePrivateKey,RSAPrivateKey], str) -> Certificate
signing_key = serialization.load_der_private_key(key_der, password=None, backend=default_backend())
builder = CertificateBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
builder = builder.issuer_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
one_day = datetime.timedelta(1, 0, 0)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 30))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(signing_key.public_key())
builder = builder.add_extension(SubjectAlternativeName([x509.DNSName(subject_name)]), critical=False)
builder = builder.add_extension(BasicConstraints(ca=False, path_length=None), critical=True)
return builder.sign(private_key=signing_key, algorithm=hashes.SHA256(), backend=default_backend()).public_bytes(serialization.Encoding.DER)
def _create_self_signed_certificate(self, private_key):
issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"Test Certificate"),
])
cert_builder = x509.CertificateBuilder(
issuer_name=issuer,
subject_name=issuer,
public_key=private_key.public_key(),
serial_number=x509.random_serial_number(),
not_valid_before=datetime.utcnow(),
not_valid_after=datetime.utcnow() + timedelta(days=10))
cert = cert_builder.sign(private_key, hashes.SHA256(),
default_backend())
return cert
def create_cert(cred):
subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u'%s' % cred.country),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,
u'%s' % cred.province),
x509.NameAttribute(NameOID.LOCALITY_NAME, u'%s' % cred.locality),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'%s' % cred.org_name),
x509.NameAttribute(NameOID.COMMON_NAME, u'%s' % cred.cn),
])
subject_private_key = serialization.load_pem_private_key(open(
cred.pvt_key_path, 'rb').read(),
password=None)
if len(cred.ca_pvt_key_path) == 0: # Self signed
signing_private_key = subject_private_key
issuer = subject
else: # Signed by CA
signing_private_key = serialization.load_pem_private_key(open(
cred.ca_pvt_key_path, 'rb').read(),
password=None)
ca_cert = x509.load_pem_x509_certificate(
open(cred.ca_cert_path, 'rb').read())
issuer = ca_cert.issuer
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
builder = builder.issuer_name(issuer)
builder = builder.not_valid_before(
dt.datetime.now(dt.timezone.utc) - dt.timedelta(days=1))
builder = builder.not_valid_after(
dt.datetime.now(dt.timezone.utc) + dt.timedelta(days=cred.valid_days))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(subject_private_key.public_key())
builder = builder.add_extension(x509.BasicConstraints(ca=cred.is_ca,
path_length=None),
critical=True)
builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(
subject_private_key.public_key()),
critical=False)
builder = builder.sign(signing_private_key, hashes.SHA256())
fd = open(cred.cert_path, 'wb')
fd.write(builder.public_bytes(serialization.Encoding.PEM))
fd.close()
def generate_root_cert(self) -> Tuple[str, str]:
self.root_key = rsa.generate_private_key(public_exponent=65537,
key_size=4096,
backend=default_backend())
root_public_key = self.root_key.public_key()
root_builder = x509.CertificateBuilder()
root_builder = root_builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'cephadm-root'),
]))
root_builder = root_builder.issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'cephadm-root'),
]))
root_builder = root_builder.not_valid_before(datetime.now())
root_builder = root_builder.not_valid_after(datetime.now() + timedelta(
days=(365 * 10 + 3)))
root_builder = root_builder.serial_number(x509.random_serial_number())
root_builder = root_builder.public_key(root_public_key)
root_builder = root_builder.add_extension(x509.SubjectAlternativeName([
x509.IPAddress(ipaddress.IPv4Address(str(self.mgr.get_mgr_ip())))
]),
critical=False)
root_builder = root_builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True,
)
self.root_cert = root_builder.sign(private_key=self.root_key,
algorithm=hashes.SHA256(),
backend=default_backend())
cert_str = crypto.dump_certificate(crypto.FILETYPE_PEM,
self.root_cert).decode('utf-8')
key_str = self.root_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()).decode('utf-8')
return (cert_str, key_str)
def cert_gen(self):
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"PT"),
x509.NameAttribute(NameOID.JURISDICTION_LOCALITY_NAME, u"Aveiro"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Aveiro"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"SIO"),
x509.NameAttribute(NameOID.COMMON_NAME, u"serverSIO"),
])
if self.private_key is not None:
cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(
self.private_key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=10)).add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(u"serversio.io")]),
critical=False,
).add_extension(
x509.BasicConstraints(ca=True,
path_length=None),
critical=True,
).add_extension(x509.KeyUsage(
digital_signature=True,
key_encipherment=True,
content_commitment=False,
data_encipherment=False,
key_agreement=False,
encipher_only=False,
decipher_only=False,
key_cert_sign=True,
crl_sign=False),
critical=True).sign(
self.private_key,
hashes.SHA256(),
default_backend())
if not os.path.exists("certs"):
os.mkdir("certs")
with open(
"certs\\server.pem"
if sys.platform == 'win32' else "certs/server.pem", "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
def _generate_certificate(
ip_address: str, ) -> typing.Tuple[str, bytes, bytes]:
"""Generate a private key and a certificate signed with it
The key is encrypted before being stored.
Returns the certificate as a string, the key as bytes (encrypted), and
the password used for encrypting the key
"""
# Generate private key
key = rsa.generate_private_key(public_exponent=65537,
key_size=4096,
backend=default_backend())
# Generate the certificate and sign it with the private key
cert_name = get_machine_name()
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, "NO"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Bergen"),
x509.NameAttribute(NameOID.LOCALITY_NAME, "Sandsli"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Equinor"),
x509.NameAttribute(NameOID.COMMON_NAME, "{}".format(cert_name)),
])
cert = (
x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.utcnow()).not_valid_after(
datetime.utcnow() + timedelta(days=365)) # 1 year
.add_extension(
x509.SubjectAlternativeName([
x509.DNSName("{}".format(cert_name)),
x509.DNSName(ip_address),
x509.IPAddress(ipaddress.ip_address(ip_address)),
]),
critical=False,
).sign(key, hashes.SHA256(), default_backend()))
cert_str = cert.public_bytes(serialization.Encoding.PEM).decode("utf-8")
pw = bytes(os.urandom(28))
key_bytes = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(pw),
)
return cert_str, key_bytes, pw
def generate_admin_crt(config, host):
private_key = generate_key()
public_key = private_key.public_key()
one_day = datetime.timedelta(1, 0, 0)
ca_cert = config.get("CA_CERT", None)
ca_key = config.get("CA_KEY", None)
cert_expiration = config.get("CERT_ADMIN_EXPIRE", 1825)
if not ca_cert or not ca_key:
raise Exception('CA_CERT or CA_KEY not defined')
ca_key = serialization.load_pem_private_key(str(ca_key), password=None, backend=default_backend())
ca_cert = x509.load_pem_x509_certificate(str(ca_cert), backend=default_backend())
builder = x509.CertificateBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, host),
]))
builder = builder.issuer_name(ca_cert.subject)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + datetime.timedelta(days=cert_expiration))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.SubjectAlternativeName(
[x509.IPAddress(ipaddress.IPv4Address(host))]
),
critical=False
)
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
)
certificate = builder.sign(
private_key=ca_key, algorithm=hashes.SHA256(),
backend=default_backend()
)
private_key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
certificate = certificate.public_bytes(serialization.Encoding.PEM)
return private_key, certificate
def generate_ca(cls):
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"BR"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"RJ"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Rio de Janeiro"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Tsuru Inc"),
x509.NameAttribute(NameOID.COMMON_NAME, u"tsuru.io"),
])
cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=10)
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"tsuru.io")]),
critical=False,
).sign(key, hashes.SHA256(), default_backend())
key = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
cert = cert.public_bytes(serialization.Encoding.PEM)
return key, cert
def _certificates_for_authority_and_server(service_identity, key_size=1024):
"""
Create a self-signed CA certificate and server certificate signed
by the CA.
:param service_identity: The identity (hostname) of the server.
:type service_identity: :py:class:`unicode`
:param key_size: (optional) The size of CA's and server's private
RSA keys. Defaults to 1024 bits, which is the minimum allowed
by OpenSSL Contexts at the default security level as of 1.1.
:type key_size: :py:class:`int`
:return: a 3-tuple of ``(certificate_authority_certificate,
server_private_key, server_certificate)``.
:rtype: :py:class:`tuple` of (:py:class:`sslverify.Certificate`,
:py:class:`OpenSSL.crypto.PKey`,
:py:class:`OpenSSL.crypto.X509`)
"""
common_name_for_ca = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, u'Testing Example CA')]
)
common_name_for_server = x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, u'Testing Example Server')]
)
one_day = datetime.timedelta(1, 0, 0)
private_key_for_ca = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
backend=default_backend()
)
public_key_for_ca = private_key_for_ca.public_key()
ca_certificate = (
x509.CertificateBuilder()
.subject_name(common_name_for_ca)
.issuer_name(common_name_for_ca)
.not_valid_before(datetime.datetime.today() - one_day)
.not_valid_after(datetime.datetime.today() + one_day)
.serial_number(x509.random_serial_number())
.public_key(public_key_for_ca)
.add_extension(
x509.BasicConstraints(ca=True, path_length=9), critical=True,
)
.sign(
private_key=private_key_for_ca, algorithm=hashes.SHA256(),
backend=default_backend()
)
)
private_key_for_server = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
backend=default_backend()
)
public_key_for_server = private_key_for_server.public_key()
server_certificate = (
x509.CertificateBuilder()
.subject_name(common_name_for_server)
.issuer_name(common_name_for_ca)
.not_valid_before(datetime.datetime.today() - one_day)
.not_valid_after(datetime.datetime.today() + one_day)
.serial_number(x509.random_serial_number())
.public_key(public_key_for_server)
.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
)
.add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(service_identity)]
),
critical=True,
)
.sign(
private_key=private_key_for_ca, algorithm=hashes.SHA256(),
backend=default_backend()
)
)
ca_self_cert = Certificate.loadPEM(
ca_certificate.public_bytes(Encoding.PEM)
)
pkey = PKey.from_cryptography_key(private_key_for_server)
x509_server_certificate = X509.from_cryptography(server_certificate)
return ca_self_cert, pkey, x509_server_certificate
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"hendrix-tls-example"),
])
cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
rsa_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=10)
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"localhost")]),
critical=False,
).sign(rsa_key, hashes.SHA256(), default_backend())
with open("rsa-privkey.pem", "wb") as f:
f.write(rsa_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
def make_saml_cert(key, country=None, state=None, locality=None, org=None,
domain=None, email=None, alt_names=None, days=365,
self_sign=True):
if isinstance(key, basestring):
key = private_key_from_cleaned_text(key)
if alt_names and isinstance(alt_names, basestring):
alt_names = alt_names.decode('utf-8').split()
name_components = []
if country:
name_components.append(x509.NameAttribute(
NameOID.COUNTRY_NAME, country.decode('utf-8')))
if state:
name_components.append(x509.NameAttribute(
NameOID.STATE_OR_PROVINCE_NAME, state.decode('utf-8')))
if locality:
name_components.append(x509.NameAttribute(
NameOID.LOCALITY_NAME, locality.decode('utf-8')))
if org:
name_components.append(x509.NameAttribute(
NameOID.ORGANIZATION_NAME, org.decode('utf-8')))
if domain:
name_components.append(x509.NameAttribute(
NameOID.COMMON_NAME, domain.decode('utf-8')))
if email:
name_components.append(x509.NameAttribute(
NameOID.EMAIL_ADDRESS, email.decode('utf-8')))
subject = x509.Name(name_components)
pkey = key.public_key()
skid = x509.SubjectKeyIdentifier.from_public_key(pkey)
if self_sign:
# Create self-signed
serial_number = random_serial_number()
builder = x509.CertificateBuilder()
else:
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
subject
).add_extension(
x509.KeyUsage(True, False, False, False, True, False, False, False, False), False
)
if alt_names:
# Describe what sites we want this certificate for.
builder = builder.add_extension(
x509.SubjectAlternativeName([
x509.DNSName(n) for n in alt_names]),
critical=False)
if self_sign:
builder = builder.public_key(
pkey
).issuer_name(
subject
).serial_number(
serial_number
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=days)
).add_extension(
skid, False
).add_extension(
x509.AuthorityKeyIdentifier(
skid.digest, [x509.DirectoryName(subject)], serial_number), False
)
else:
builder = builder.add_extension(
x509.BasicConstraints(True, 0), False)
builder = builder.sign(key, hashes.SHA256(), default_backend())
builder_text = builder.public_bytes(serialization.Encoding.PEM)
return (builder_text, builder)
def certclone(chain, copy_extensions=False):
for i in range(len(chain)):
chain[i] = chain[i].to_cryptography()
newchain = []
'''
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
pubkey = key.public_key()
'''
first = True
for original in chain[::-1]:
#print(cert)
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
key_pem = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()
).decode()
if first:
print(key_pem)
first=False
pubkey = key.public_key()
# Todo: Code to mimic the private key type of original cert
# maybe based on pubkey.__class__
cert = x509.CertificateBuilder()
cert = cert.subject_name(original.subject)
cert = cert.issuer_name(original.issuer)
#cert = cert.serial_number(original.serial_number)
cert = cert.serial_number(x509.random_serial_number())
cert = cert.not_valid_before(original.not_valid_before)
cert = cert.not_valid_after(original.not_valid_after)
cert = cert.public_key(pubkey)
if copy_extensions:
for ext in original.extensions:
cert = cert.add_extension(ext.value, critical=ext.critical)
cert = cert.sign(private_key=key, algorithm=original.signature_hash_algorithm, backend=default_backend())
cert_pem = cert.public_bytes(serialization.Encoding.PEM).decode()
print(cert_pem)
newchain.insert(0, cert)
def generate_x509_certificate(signing_key, key, subject, issuer, serial,
valid_after, valid_before, ca, ca_path_len,
purposes, user_principals, host_principals,
hash_alg, comment):
"""Generate a new X.509 certificate"""
builder = x509.CertificateBuilder()
subject = X509Name(subject)
issuer = X509Name(issuer) if issuer else subject
self_signed = subject == issuer
builder = builder.subject_name(subject)
builder = builder.issuer_name(issuer)
if serial is None:
serial = x509.random_serial_number()
builder = builder.serial_number(serial)
builder = builder.not_valid_before(_to_generalized_time(valid_after))
builder = builder.not_valid_after(_to_generalized_time(valid_before))
builder = builder.public_key(key.pyca_key)
if ca:
basic_constraints = x509.BasicConstraints(ca=True,
path_length=ca_path_len)
key_usage = x509.KeyUsage(digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False, key_cert_sign=True,
crl_sign=True, encipher_only=False,
decipher_only=False)
else:
basic_constraints = x509.BasicConstraints(ca=False, path_length=None)
key_usage = x509.KeyUsage(digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=True, key_cert_sign=False,
crl_sign=False, encipher_only=False,
decipher_only=False)
builder = builder.add_extension(basic_constraints, critical=True)
if ca or not self_signed:
builder = builder.add_extension(key_usage, critical=True)
purpose_oids = _to_purpose_oids(purposes)
if purpose_oids:
builder = builder.add_extension(x509.ExtendedKeyUsage(purpose_oids),
critical=False)
sans = _encode_user_principals(user_principals) + \
_encode_host_principals(host_principals)
if sans:
builder = builder.add_extension(x509.SubjectAlternativeName(sans),
critical=False)
if comment:
if isinstance(comment, str):
comment = comment.encode('utf-8')
comment = der_encode(IA5String(comment))
builder = builder.add_extension(
x509.UnrecognizedExtension(_nscomment_oid, comment), critical=False)
try:
hash_alg = _hashes[hash_alg]()
except KeyError:
raise ValueError('Unknown hash algorithm') from None
cert = builder.sign(signing_key.pyca_key, hash_alg, default_backend())
data = cert.public_bytes(Encoding.DER)
return X509Certificate(cert, data)
