def _extract_public_key(file_path: str, password: Optional[str]) -> crypto.RSAPublicKey:
cert_candidate = crypto.load_certificate(file_path)
if cert_candidate:
return cert_candidate.public_key()
private_candidate = crypto.load_private_key(file_path, password.encode() if password else None)
if private_candidate:
return private_candidate.public_key()
public_candidate = crypto.load_public_key(file_path)
if public_candidate:
return public_candidate
assert False, f"Unable to load secret file '{file_path}'."
def test_certificate_generation_cli(tmpdir, data_dir):
with use_working_directory(data_dir):
cert_path = os.path.join(tmpdir, "cert.crt")
cmd = f'-j {os.path.join(data_dir, "certgen_config.json")} -c {cert_path}'
runner = CliRunner()
result = runner.invoke(main, cmd.split())
assert result.exit_code == 0
assert os.path.isfile(cert_path)
generated_cert = load_certificate(cert_path)
assert isinstance(generated_cert, Certificate)
assert generated_cert.issuer.get_attributes_for_oid(
NameOID.COMMON_NAME).pop(0).value == 'ONE'
assert generated_cert.subject.get_attributes_for_oid(
NameOID.COMMON_NAME).pop(0).value == 'TWO'
assert generated_cert.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS).value.ca
assert generated_cert.serial_number == 777
def main() -> None:
"""Main function."""
# Set the folder for data (certificates, keys)
data_dir = path.join(path.dirname(__file__), "data")
os.makedirs(data_dir, exist_ok=True)
# Load public key of CA certificate
ca0_pubkey_rsa2048 = load_public_key(
path.join(data_dir, "ca_publickey_rsa2048.pem"))
# Load CA certificate
ca0_cert = load_certificate(path.join(data_dir, "ca_cert_pem.crt"))
# Obtain public key from CA certificate
pubkey_from_ca0_cert = get_public_key_from_certificate(ca0_cert)
# Check if public key of certificate has proper format
assert isinstance(pubkey_from_ca0_cert, RSAPublicKey)
# Compare CA's public key from file and the one from certificate
if ca0_pubkey_rsa2048.public_numbers(
) != pubkey_from_ca0_cert.public_numbers():
raise SPSDKError(
"Keys are not the same (the one from disc and the one from cert)")
# Load certificate, which is singed by CA
crt = load_certificate(path.join(data_dir, "crt_pem.crt"))
if not validate_certificate(crt, ca0_cert):
raise SPSDKError("The certificate is not valid")
print("The certificate was signed by the CA.")
# Load chain of certificate
chain = ["chain_crt2_pem.crt", "chain_crt_pem.crt", "ca_cert_pem.crt"]
chain_cert = [
load_certificate(path.join(data_dir, cert_name)) for cert_name in chain
]
ch3_crt2 = load_certificate(path.join(data_dir, "chain_crt2_pem.crt"))
ch3_crt = load_certificate(path.join(data_dir, "chain_crt_pem.crt"))
ch3_ca = load_certificate(path.join(data_dir, "ca_cert_pem.crt"))
# Validate the chain (if corresponding items in chain are singed by one another)
if not validate_certificate_chain(chain_cert):
raise SPSDKError("The certificate chain is not valid")
print("The chain of certificates is valid.")
# Checks if CA flag is set correctly
if is_ca_flag_set(ch3_crt2):
raise SPSDKError("CA flag is set")
if not is_ca_flag_set(ch3_crt):
raise SPSDKError("CA flag is not set")
if not is_ca_flag_set(ch3_ca):
raise SPSDKError("CA flag is not set")
def test_is_cert(data_dir, file_name, expect_cer):
cert_path = path.join(data_dir, file_name)
result = bool(load_certificate(cert_path))
assert result is expect_cer
def get_certificate(data_dir, cert_file_name: str) -> Certificate:
cert = load_certificate(path.join(data_dir, cert_file_name))
return cert
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
#
# Copyright 2021 NXP
#
# SPDX-License-Identifier: BSD-3-Clause
from spsdk.crypto import load_certificate, save_rsa_public_key
cert = load_certificate("keys_and_certs/root_k0_signed_cert0_noca.der.cert")
pub_key = cert.public_key()
save_rsa_public_key(pub_key, "keys_and_cers/root_k0_public_key.pub")
