def create_csr(self, fully_qualified_identity, remote_instance_name): """ Create a csr with name as the common name. The key that is used to sign the csr is <instance_name>.name. :param fully_qualified_identity: :param target_volttron: :return: """ assert fully_qualified_identity remote_rmq_user = "******".format(remote_instance_name, fully_qualified_identity) xname = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, six.u(remote_rmq_user)), ]) key = _load_key(self.private_key_file(fully_qualified_identity)) csr = x509.CertificateSigningRequestBuilder().subject_name( xname).sign(key, hashes.SHA256(), default_backend()) # with open(self.csr_create_file(name, target_volttron), "wb") as fw: # fw.write(csr.public_bytes(serialization.Encoding.PEM)) return csr.public_bytes(serialization.Encoding.PEM)
def generate_ec_certificate(common_name, curve=ec.SECP256R1, alternative_names=[]): key = ec.generate_private_key(backend=default_backend(), curve=curve) subject = issuer = x509.Name( [x509.NameAttribute(x509.NameOID.COMMON_NAME, common_name)]) builder = (x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=10))) if alternative_names: builder = builder.add_extension( x509.SubjectAlternativeName( [x509.DNSName(name) for name in alternative_names]), critical=False, ) cert = builder.sign(key, hashes.SHA256(), default_backend()) return cert, key
def create(cls, common_name: str = 'COMMANDMENT-CA', key_size=2048): ca = cls() ca.common_name = common_name name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, common_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment') ]) private_key = rsa.generate_private_key( public_exponent=65537, key_size=key_size, backend=default_backend(), ) ca.rsa_private_key = RSAPrivateKey.from_crypto(private_key) db.session.add(ca.rsa_private_key) certificate = x509.CertificateBuilder().subject_name( name ).issuer_name( name ).public_key( private_key.public_key() ).serial_number( x509.random_serial_number() ).not_valid_before( datetime.datetime.utcnow() ).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=365) ).add_extension( x509.BasicConstraints(ca=True, path_length=None), True ).sign(private_key, hashes.SHA256(), default_backend()) ca_certificate_model = CACertificate.from_crypto(certificate) ca_certificate_model.rsa_private_key = ca.rsa_private_key ca.certificate = ca_certificate_model db.session.add(ca) db.session.commit() return ca
def generate_p12(common_name, organization_name, country, password): # Load CA certificate and private key cakey = load_pem_private_key(ca_private.encode('ascii'), ca_password.encode('ascii'), default_backend()) cacert = x509.load_pem_x509_certificate(ca_cert.encode('ascii'), default_backend()) subject = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, common_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name), x509.NameAttribute(NameOID.COUNTRY_NAME, country),]) sernum = x509.random_serial_number() key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) cert = x509.CertificateBuilder().subject_name(subject) \ .issuer_name(cacert.subject) \ .serial_number(sernum) \ .public_key(key.public_key()) \ .not_valid_before(datetime.now())\ .not_valid_after(datetime.now() + timedelta(days=366))\ .add_extension(x509.KeyUsage(digital_signature=False , content_commitment=False , key_encipherment=True , data_encipherment=True , key_agreement=False , key_cert_sign=False , crl_sign=False , encipher_only=False , decipher_only = False), critical=True)\ .sign(cakey, hashes.SHA256(), default_backend()) cas = [cacert] p12 = pkcs12.serialize_key_and_certificates(common_name.encode('utf-8'), key, cert, cas, serialization.BestAvailableEncryption(password.encode('ascii'))) return p12
def generate_builder( options: dict ) -> typing.Union[x509.CertificateBuilder, x509.CertificateSigningRequestBuilder]: # We expect backend_mapping keys for crypto_subject_name attr in options and for crypto_issuer_name as well data = {} for key in ('crypto_subject_name', 'crypto_issuer_name'): data[key] = x509.Name([ x509.NameAttribute(getattr(NameOID, k.upper()), v) for k, v in (options.get(key) or {}).items() if v ]) if not data['crypto_issuer_name']: data['crypto_issuer_name'] = data['crypto_subject_name'] # Lifetime represents no of days # Let's normalize lifetime value not_valid_before = datetime.datetime.utcnow() not_valid_after = datetime.datetime.utcnow() + datetime.timedelta( days=options.get('lifetime') or DEFAULT_LIFETIME_DAYS) # Let's normalize `san` san = x509.SubjectAlternativeName([ x509.IPAddress(ipaddress.ip_address(v)) if t == 'IP' else x509.DNSName(v) for t, v in options.get('san') or [] ]) builder = x509.CertificateSigningRequestBuilder if options.get( 'csr') else x509.CertificateBuilder cert = builder(subject_name=data['crypto_subject_name']) if not options.get('csr'): cert = cert.issuer_name(data['crypto_issuer_name']).not_valid_before( not_valid_before).not_valid_after(not_valid_after).serial_number( options.get('serial') or random.randint(1000, pow(2, 30))) if san: cert = cert.add_extension(san, False) return cert
def generate_admin_crt(config, host): private_key = generate_key() public_key = private_key.public_key() one_day = datetime.timedelta(1, 0, 0) ca_cert = config.get("CA_CERT", None) ca_key = config.get("CA_KEY", None) cert_expiration = config.get("CERT_ADMIN_EXPIRE", 1825) if not ca_cert or not ca_key: raise Exception('CA_CERT or CA_KEY not defined') ca_key = serialization.load_pem_private_key(str(ca_key), password=None, backend=default_backend()) ca_cert = x509.load_pem_x509_certificate(str(ca_cert), backend=default_backend()) builder = x509.CertificateBuilder() builder = builder.subject_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, host), ])) builder = builder.issuer_name(ca_cert.subject) builder = builder.not_valid_before(datetime.datetime.today() - one_day) builder = builder.not_valid_after(datetime.datetime.today() + datetime.timedelta(days=cert_expiration)) builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(public_key) builder = builder.add_extension( x509.SubjectAlternativeName( [x509.IPAddress(ipaddress.IPv4Address(host))] ), critical=False ) builder = builder.add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ) certificate = builder.sign( private_key=ca_key, algorithm=hashes.SHA256(), backend=default_backend() ) private_key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) certificate = certificate.public_bytes(serialization.Encoding.PEM) return private_key, certificate
def test_freshestcrl_extension(self, backend): private_key = RSA_KEY_2048.private_key(backend) last_update = datetime.datetime(2002, 1, 1, 12, 1) next_update = datetime.datetime(2030, 1, 1, 12, 1) freshest = x509.FreshestCRL( [ x509.DistributionPoint( [x509.UniformResourceIdentifier("http://d.om/delta")], None, None, None, ) ] ) builder = ( x509.CertificateRevocationListBuilder() .issuer_name( x509.Name( [ x509.NameAttribute( NameOID.COMMON_NAME, "cryptography.io CA" ) ] ) ) .last_update(last_update) .next_update(next_update) .add_extension(freshest, False) ) crl = builder.sign(private_key, hashes.SHA256(), backend) assert len(crl) == 0 assert len(crl.extensions) == 1 ext1 = crl.extensions.get_extension_for_class(x509.FreshestCRL) assert ext1.critical is False assert isinstance(ext1.value[0], x509.DistributionPoint) assert ext1.value[0].full_name is not None uri = ext1.value[0].full_name[0] assert isinstance(uri, x509.UniformResourceIdentifier) assert uri.value == "http://d.om/delta"
def generate_self_signed_cert(path: str, key_name: str = "key.pem", cert_name: str = "cert.pem"): if not os.path.isdir(path): raise ValueError("'path' should be an existing directory") key = rsa.generate_private_key( public_exponent=65537, key_size=4096, backend=backend, ) with open(os.path.join(path, key_name), "wb") as file: file.write( key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), )) subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"Santa Clara"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Couchbase"), x509.NameAttribute(NameOID.COMMON_NAME, u"couchbase.com"), ]) cert = x509.CertificateBuilder() \ .subject_name(subject) \ .issuer_name(issuer) \ .public_key(key.public_key()) \ .serial_number(x509.random_serial_number()) \ .not_valid_before(datetime.datetime.utcnow()) \ .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365)) \ .add_extension(x509.SubjectAlternativeName([x509.DNSName(u"localhost")]), critical=False) \ .sign(key, hashes.SHA256(), backend=backend) with open(os.path.join(path, cert_name), "wb") as file: file.write(cert.public_bytes(serialization.Encoding.PEM))
def create_device_csr(self, common_name: str) -> (rsa.RSAPrivateKeyWithSerialization, x509.CertificateSigningRequest): """ Create a Certificate Signing Request with the specified Common Name. Args: common_name (str): The certificate Common Name attribute Returns: Tuple[rsa.RSAPrivateKeyWithSerialization, x509.CertificateSigningRequest] """ private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend(), ) private_key_model = RSAPrivateKey.from_crypto(private_key) db.session.add(private_key_model) db.session.commit() name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, common_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment') ]) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name(name) builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True) request = builder.sign( private_key, hashes.SHA256(), default_backend() ) csr_model = CertificateSigningRequest().from_crypto(request) db.session.add(csr_model) db.session.commit() return private_key, request
def generate_csr_client_cert(hostname, server_ca_cert, server_key, client_key): """ Generate client-side certificate with CSR. """ csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, hostname), ])).add_extension( x509.SubjectAlternativeName([ x509.DNSName(hostname), ]), critical=False, ).sign(client_key, hashes.SHA256(), default_backend()) crt = x509.CertificateBuilder().subject_name(csr.subject).issuer_name( server_ca_cert.subject).public_key(csr.public_key()).serial_number( uuid.uuid4().int).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=365 * 100)).add_extension( extension=x509.KeyUsage(digital_signature=True, key_encipherment=True, content_commitment=True, data_encipherment=False, key_agreement=False, encipher_only=False, decipher_only=False, key_cert_sign=False, crl_sign=False), critical=True).add_extension( extension=x509.BasicConstraints(ca=False, path_length=None), critical=True).add_extension( extension=x509.AuthorityKeyIdentifier. from_issuer_public_key( server_key.public_key()), critical=False).sign(private_key=server_key, algorithm=hashes.SHA256(), backend=default_backend()) crt_pem = crt.public_bytes(serialization.Encoding.PEM) return crt_pem
def generate_public_key(private_key, filename, **kwargs): subject = x509.Name( [ x509.NameAttribute(NameOID.COUNTRY_NAME, kwargs["country"]), x509.NameAttribute( NameOID.STATE_OR_PROVINCE_NAME, kwargs["state"] ), x509.NameAttribute(NameOID.LOCALITY_NAME, kwargs["locality"]), x509.NameAttribute(NameOID.ORGANIZATION_NAME, kwargs["org"]), x509.NameAttribute(NameOID.COMMON_NAME, kwargs["hostname"]), ] ) # Because this is self signed, the issuer is always the subject issuer = subject # This certificate is valid from now until 30 days valid_from = datetime.utcnow() valid_to = valid_from + timedelta(days=30) # Used to build the certificate builder = ( x509.CertificateBuilder() .subject_name(subject) .issuer_name(issuer) .public_key(private_key.public_key()) .serial_number(x509.random_serial_number()) .not_valid_before(valid_from) .not_valid_after(valid_to) ) # Sign the certificate with the private key public_key = builder.sign( private_key, hashes.SHA256(), default_backend() ) with open(filename, "wb") as certfile: certfile.write(public_key.public_bytes(serialization.Encoding.PEM)) return public_key
def build_root_certificate(options): private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend() ) subject = issuer = x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, options['country']), x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, options['state']), x509.NameAttribute(x509.OID_LOCALITY_NAME, options['location']), x509.NameAttribute(x509.OID_ORGANIZATION_NAME, options['organization']), x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, options['organizational_unit']), x509.NameAttribute(x509.OID_COMMON_NAME, options['common_name']) ]) builder = x509.CertificateBuilder( subject_name=subject, issuer_name=issuer, public_key=private_key.public_key(), not_valid_after=options['validity_end'], not_valid_before=options['validity_start'], serial_number=options['first_serial'] ) builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(options['common_name'])]), critical=False) cert = builder.sign(private_key, hashes.SHA256(), default_backend()) cert_pem = cert.public_bytes( encoding=serialization.Encoding.PEM ).decode('utf-8') private_key_pem = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, # would like to use PKCS8 but AWS ELBs don't like it encryption_algorithm=serialization.NoEncryption() ) return cert_pem, private_key_pem
def _generate_self_signed_cert(key_type): """Generates a self signed certificate""" if key_type == 'rsa': key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend() ) elif key_type == 'ecdsa': key = ec.generate_private_key( ec.SECP256R1(), default_backend() ) else: raise Exception('what') subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"NO"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"State or Province Name"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"Locality name"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Organization Name"), x509.NameAttribute(NameOID.COMMON_NAME, u"commonName"), ]) cert = x509.CertificateBuilder().subject_name( subject ).issuer_name( issuer ).public_key( key.public_key() ).serial_number( x509.random_serial_number() ).not_valid_before( datetime.datetime.utcnow() ).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=10) ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"testulf")]), critical=False, ).sign(key, hashes.SHA256(), default_backend()) return cert, key
def generate_adhoc_ssl_pair( cn: t.Optional[str] = None, ) -> t.Tuple["Certificate", "RSAPrivateKeyWithSerialization"]: try: from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import rsa except ImportError: raise TypeError( "Using ad-hoc certificates requires the cryptography library." ) from None backend = default_backend() pkey = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend) # pretty damn sure that this is not actually accepted by anyone if cn is None: cn = "*" subject = x509.Name([ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Dummy Certificate"), x509.NameAttribute(NameOID.COMMON_NAME, cn), ]) backend = default_backend() cert = (x509.CertificateBuilder().subject_name(subject).issuer_name( subject).public_key(pkey.public_key()).serial_number( x509.random_serial_number()).not_valid_before(dt.now( timezone.utc)).not_valid_after( dt.now(timezone.utc) + timedelta(days=365)).add_extension( x509.ExtendedKeyUsage([x509.OID_SERVER_AUTH]), critical=False).add_extension( x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False).sign(pkey, hashes.SHA256(), backend)) return cert, pkey
def createCertificate(key): # create certificate subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Utah"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"Salt Lake City"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), x509.NameAttribute(NameOID.COMMON_NAME, u"My CA"), ]) cert = x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=10)).add_extension( x509.SubjectAlternativeName( [x509.DNSName(u"localhost")]), critical=False).sign(key, hashes.SHA256(), default_backend()) return cert
def create_self_signed_cert(): key = rsa.generate_private_key(public_exponent=65537, key_size=4096, backend=default_backend()) # create a self-signed cert name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, 'localhost')]) now = datetime.utcnow() cert = (x509.CertificateBuilder().subject_name(name).issuer_name( name).serial_number(1000).not_valid_before(now).not_valid_after( now + timedelta(days=10 * 365)).public_key(key.public_key()).sign( key, hashes.SHA256(), default_backend())) with open(CERT_FILE, "wb") as output_cert: output_cert.write( cert.public_bytes(encoding=serialization.Encoding.PEM)) with open(KEY_FILE, "wb") as output_key: output_key.write( key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()))
def _create_emergency_ssl_context(self) -> ssl.SSLContext: """Create an emergency ssl certificate so we can still startup.""" context = ssl_util.server_context_modern() host: str try: host = cast(str, URL(get_url(self.hass, prefer_external=True)).host) except NoURLAvailableError: host = "homeassistant.local" key = rsa.generate_private_key( public_exponent=65537, key_size=2048, ) subject = issuer = x509.Name([ x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Home Assistant Emergency Certificate"), x509.NameAttribute(NameOID.COMMON_NAME, host), ]) cert = (x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=30)).add_extension( x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False, ).sign(key, hashes.SHA256())) with NamedTemporaryFile() as cert_pem, NamedTemporaryFile() as key_pem: cert_pem.write(cert.public_bytes(serialization.Encoding.PEM)) key_pem.write( key.private_bytes( serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), )) cert_pem.flush() key_pem.flush() context.load_cert_chain(cert_pem.name, key_pem.name) return context
def generate_certificate_signing_request(self, slot, public_key, subject, touch_callback=None): builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, subject), ])) try: return self.sign_csr_builder(slot, public_key, builder, touch_callback=touch_callback) except APDUError as e: logger.error( 'Failed to generate Certificate Signing Request for slot %s', slot, exc_info=e) raise
def process_csr(self, certificate_request, key, not_valid_before=None, not_valid_after=None): public_key = certificate_request.public_key() subject = certificate_request.subject issuer = x509.Name([ x509.NameAttribute(NameOID.ORGANIZATION_NAME, PUB_KEY_ORGANIZATION), x509.NameAttribute(NameOID.USER_ID, self.get_signer_pubkey()) ]) not_valid_before = not_valid_before if not_valid_before else datetime.datetime.utcnow( ) not_valid_after = not_valid_after if not_valid_after else not_valid_before + PUB_KEY_MAX_VALIDITY return x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(public_key).serial_number( x509.random_serial_number()).not_valid_before( not_valid_before).not_valid_after(not_valid_after).sign( key, hashes.SHA256(), default_backend())
def generate_csr(CN: str, private_key: rsa.RSAPrivateKey, path: Path, names: typing.List[str]): """Generates a certificate signing request. :param CN: The requested common name. :param private_key: The private key to sign the CSR with. :param path: The path to write the PEM-serialized CSR to. :param names: The requested names in the CSR. :return: The generated CSR. """ csr = (x509.CertificateSigningRequestBuilder().subject_name( x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, CN) ])).add_extension( x509.SubjectAlternativeName( [x509.DNSName(name) for name in names]), critical=False, ).sign(private_key, hashes.SHA256())) with open(path, "wb") as pem_out: pem_out.write(csr.public_bytes(serialization.Encoding.PEM)) return csr
def generate_ad_hoc_certificate(hostname: str) -> typing.Tuple[str, str]: """ Utility function to generate an ad-hoc self-signed SSL certificate. """ certfile = os.path.join(tempfile.gettempdir(), f"{hostname}.crt") keyfile = os.path.join(tempfile.gettempdir(), f"{hostname}.key") if not os.path.exists(certfile) or not os.path.exists(keyfile): backend = default_backend() private_key = rsa.generate_private_key(65537, 2048, backend) with open(keyfile, "wb") as fp: # noinspection PyTypeChecker key_data = private_key.private_bytes( serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) fp.write(key_data) common_name = x509.NameAttribute(COMMON_NAME, hostname) subject_name = x509.Name([common_name]) not_valid_before = datetime.datetime.utcnow() not_valid_after = not_valid_before + datetime.timedelta(days=365) cert_builder = x509.CertificateBuilder( subject_name=subject_name, issuer_name=subject_name, public_key=private_key.public_key(), serial_number=x509.random_serial_number(), not_valid_before=not_valid_before, not_valid_after=not_valid_after, ) certificate = cert_builder.sign(private_key, hashes.SHA256(), backend) with open(certfile, "wb") as fp: # noinspection PyTypeChecker cert_data = certificate.public_bytes(serialization.Encoding.PEM) fp.write(cert_data) return certfile, keyfile
def csRequest(self): # Generate a CSR csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"), ])).add_extension( x509.SubjectAlternativeName([ # Describe what sites we want this certificate for. x509.DNSName(u"mysite.com"), ]), critical=False, # Sign the CSR with our private key. ).sign(self.key, hashes.SHA256()) # Write our CSR out to disk. with open(self.path, "wb") as f: # path = path/to/store/csr.pem f.write(csr.public_bytes(serialization.Encoding.PEM))
def _generate_csr(cls, cn, private_key, passphrase=None): pk = serialization.load_pem_private_key( data=private_key, password=passphrase, backend=backends.default_backend()) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn), ]) ) csr = csr.add_extension( x509.BasicConstraints( ca=False, path_length=None ), critical=True ) csr = csr.add_extension( x509.KeyUsage( digital_signature=True, key_encipherment=True, data_encipherment=True, key_agreement=True, content_commitment=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False ), critical=True ) csr = csr.add_extension( x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False ) signed_csr = csr.sign( pk, getattr(hashes, CONF.certificates.signing_digest.upper())(), backends.default_backend()) return signed_csr.public_bytes(serialization.Encoding.PEM)
def create_self_signed_cert(common_name, days=30): password_file = "self_key.pem" private_key = create_private_key(key_file=password_file, key_size=4096) file_certificate = "self_cert.pem" public_key = private_key.public_key() subject = x509.Name( [x509.NameAttribute(NameOID.COMMON_NAME, str.encode(common_name).decode("utf-8"))] ) builder = create_cert_builder( subject=subject, issuer_name=subject, public_key=public_key, days=days, is_ca=False ) self_cert = builder.sign( private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend() ) with open(file_certificate, "wb") as f: f.write(self_cert.public_bytes(serialization.Encoding.PEM)) return self_cert
def generate_certificate(self): key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend(), ) with open("domain_srv.key", "wb") as f: f.write( key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), )) subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"locality"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"A place"), x509.NameAttribute(NameOID.COMMON_NAME, self.hostname), ]) cert = x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=365)).add_extension( x509.SubjectAlternativeName([ x509.DNSName(u"localhost"), x509.DNSName(self.hostname), x509.DNSName(u"127.0.0.1") ]), critical=False, ).sign(key, hashes.SHA256(), default_backend()) with open("domain_srv.crt", "wb") as f: f.write(cert.public_bytes(serialization.Encoding.PEM))
def generate_key_and_cert(): signing_key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048) subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), x509.NameAttribute(NameOID.COMMON_NAME, u"example.com"), ]) signing_cert = x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(signing_key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.utcnow()).not_valid_after( # Our certificate will be valid for 10 days datetime.utcnow() + timedelta(days=10) # Sign our certificate with our private key ).sign(signing_key, hashes.SHA256(), crypto_default_backend()).public_bytes( crypto_serialization.Encoding.DER) return signing_key, signing_cert
def test_sign_extensions(self, backend, extension): private_key = RSA_KEY_2048.private_key(backend) last_update = datetime.datetime(2002, 1, 1, 12, 1) next_update = datetime.datetime(2030, 1, 1, 12, 1) builder = x509.CertificateRevocationListBuilder().issuer_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") ]) ).last_update( last_update ).next_update( next_update ).add_extension( extension, False ) crl = builder.sign(private_key, hashes.SHA256(), backend) assert len(crl) == 0 assert len(crl.extensions) == 1 ext = crl.extensions.get_extension_for_class(type(extension)) assert ext.critical is False assert ext.value == extension
def _generate_csr_and_key(self): """Return a dict with a new csr and key.""" key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backends.default_backend()) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(oid.NameOID.COMMON_NAME, u"Magnum User"), ])).sign(key, hashes.SHA256(), backends.default_backend()) result = { "csr": csr.public_bytes(encoding=serialization.Encoding.PEM), "key": key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()), } return result
def generate_csr(cn, is_hostname=True): """ Generate certificate signing request :param cn: common name (str|unicode) :param is_hostname: is the common name a hostname (default: True) """ key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) if isinstance(cn, bytes): cn = cn.decode() csr = x509.CertificateSigningRequestBuilder() csr = csr.subject_name( x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])) if is_hostname: csr = csr.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn) ]), critical=False) csr = csr.sign(key, hashes.SHA256(), default_backend()) return csr.public_bytes(serialization.Encoding.PEM).decode()
def generate_server_cert_and_key(ca_cert, ca_key, server_uuid): """Creates a server cert and key for testing. :param ca_cert: A cryptography CA certificate (x509) object. :param ca_key: A cryptography CA key (x509) object. :param server_uuid: A UUID identifying the server. :returns: The cryptography server cert and key objects. """ server_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) subject = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Denial"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"Corvallis"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"OpenStack"), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"Octavia"), x509.NameAttribute(NameOID.COMMON_NAME, u"{}.example.com".format(server_uuid)), ]) server_cert = x509.CertificateBuilder().subject_name(subject).issuer_name( ca_cert.subject).public_key(server_key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=10)).add_extension( x509.SubjectAlternativeName([ x509.DNSName(u"{}.example.com".format(server_uuid)) ]), critical=False, ).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ).sign(ca_key, hashes.SHA256(), default_backend()) return server_cert, server_key