def test_certificate_generation(tmpdir):
ca_priv_key = generate_rsa_private_key()
save_rsa_private_key(ca_priv_key, path.join(tmpdir, "ca_private_key.pem"))
ca_pub_key = generate_rsa_public_key(ca_priv_key)
save_rsa_public_key(ca_pub_key, path.join(tmpdir, "ca_pub_key.pem"))
assert path.isfile(path.join(tmpdir, "ca_private_key.pem"))
assert path.isfile(path.join(tmpdir, "ca_pub_key.pem"))
subject = issuer = generate_name_struct("highest", "CZ")
ca_cert = generate_certificate(subject,
issuer,
ca_pub_key,
ca_priv_key,
if_ca=True)
save_crypto_item(ca_cert, path.join(tmpdir, "ca_cert.pem"))
assert path.isfile(path.join(tmpdir, "ca_cert.pem"))
srk_priv_key = generate_rsa_private_key()
save_rsa_private_key(srk_priv_key, path.join(tmpdir, "srk_priv_key.pem"))
assert path.isfile(path.join(tmpdir, "srk_priv_key.pem"))
srk_pub_key = generate_rsa_public_key(srk_priv_key)
save_rsa_public_key(srk_pub_key, path.join(tmpdir, "srk_pub_key.pem"))
assert path.isfile(path.join(tmpdir, "srk_pub_key.pem"))
srk_subject = generate_name_struct("srk", "UK")
srk_cert = generate_certificate(srk_subject,
issuer,
srk_pub_key,
ca_priv_key,
if_ca=False)
save_crypto_item(srk_cert, path.join(tmpdir, "srk1.pem"))
assert path.isfile(path.join(tmpdir, "srk1.pem"))
def test_generate_csf_img(cpu_params: CpuParams, srk_key_index: int, cert_name_prefix: str, cert_index: int,
key_size: int = 2048) -> None:
"""Generate additional CSF or IMG certificate for selected SRK key
:param cpu_params: processor specific parameters of the test
:param srk_key_index: index of SRK, for which new certificate is going to be generated
:param cert_name_prefix: prefix/type of the generated certificate: either 'CSF' or 'IMG'
:param cert_index: index of the generated certificate
:param key_size: size of the generated key in bits, 2048 by default
"""
# validate arguments
assert 1 <= srk_key_index <= 4
assert cert_name_prefix == 'CSF' or cert_name_prefix == 'IMG'
assert 1 <= cert_index
# build names
base_key_name = f'_sha256_{str(key_size)}_65537_v3_' # middle path of the output filename
srk_name = f'SRK{srk_key_index}' + base_key_name + 'ca'
out_name = cert_name_prefix + str(srk_key_index) + '_' + str(cert_index) + base_key_name + 'usr'
out_key_path = os.path.join(cpu_params.keys_data_dir, out_name + '_key')
# generate private key
gen_priv_key = generate_rsa_private_key(key_size=key_size)
save_private_key(gen_priv_key, out_key_path + '.pem', password=PRIV_KEY_PASSWORD, encoding=Encoding.PEM)
save_private_key(gen_priv_key, out_key_path + '.der', password=PRIV_KEY_PASSWORD, encoding=Encoding.DER)
# generate public key
gen_pub_key = generate_rsa_public_key(gen_priv_key)
# load private key of the issuer (SRK)
srk_priv_key = load_pem_private_key(load_binary(cpu_params.keys_data_dir, srk_name + '_key.pem'),
password=PRIV_KEY_PASSWORD, backend=default_backend())
# generate certificate
gen_cert = generate_certificate(x509_common_name(out_name), x509_common_name(srk_name), gen_pub_key,
srk_priv_key, serial_number=0x199999A7, if_ca=False, duration=3560)
save_crypto_item(gen_cert, os.path.join(cpu_params.cert_data_dir, out_name + '_crt.pem'), Encoding.PEM)
save_crypto_item(gen_cert, os.path.join(cpu_params.cert_data_dir, out_name + '_crt.der'), Encoding.DER)
def test_certificate_generation(tmpdir):
ca_priv_key = generate_rsa_private_key()
save_rsa_private_key(ca_priv_key, path.join(tmpdir, "ca_private_key.pem"))
ca_pub_key = generate_rsa_public_key(ca_priv_key)
save_rsa_public_key(ca_pub_key, path.join(tmpdir, "ca_pub_key.pem"))
assert path.isfile(path.join(tmpdir, "ca_private_key.pem"))
assert path.isfile(path.join(tmpdir, "ca_pub_key.pem"))
data = yaml.safe_load(
"""
COMMON_NAME: xyz
DOMAIN_COMPONENT: [com, nxp, wbi]
ORGANIZATIONAL_UNIT_NAME: [NXP, CZ, Managed Users, Developers]
"""
)
subject = issuer = generate_name(data)
ca_cert = generate_certificate(subject, issuer, ca_pub_key, ca_priv_key, if_ca=True)
save_crypto_item(ca_cert, path.join(tmpdir, "ca_cert.pem"))
assert path.isfile(path.join(tmpdir, "ca_cert.pem"))
data = yaml.safe_load(
"""
- COMMON_NAME: ccccc
- DOMAIN_COMPONENT: [com, nxp, wbi]
- ORGANIZATIONAL_UNIT_NAME: NXP
- ORGANIZATIONAL_UNIT_NAME: CZ
- ORGANIZATIONAL_UNIT_NAME: Managed Users
- ORGANIZATIONAL_UNIT_NAME: Developers
"""
)
subject = issuer = generate_name(data)
ca_cert = generate_certificate(subject, issuer, ca_pub_key, ca_priv_key, if_ca=True)
save_crypto_item(ca_cert, path.join(tmpdir, "ca_cert_1.pem"))
assert path.isfile(path.join(tmpdir, "ca_cert_1.pem"))
def generate(config: TextIO, output: BinaryIO, encoding: str,
force: bool) -> None:
"""Generate certificate."""
logger.info("Generating Certificate...")
logger.info("Loading configuration from yml file...")
check_destination_dir(output.name, force)
check_file_exists(output.name, force)
config_data = load_configuration(config.name)
cert_config = CertificateParametersConfig(config_data)
priv_key = load_private_key(cert_config.issuer_private_key)
pub_key = load_public_key(cert_config.subject_public_key)
certificate = generate_certificate(
subject=cert_config.subject_name,
issuer=cert_config.issuer_name,
subject_public_key=pub_key,
issuer_private_key=priv_key,
serial_number=cert_config.serial_number,
duration=cert_config.duration,
if_ca=cert_config.BasicConstrains_ca,
path_length=cert_config.BasicConstrains_path_length,
)
logger.info("Saving the generated certificate to the specified path...")
encoding_type = Encoding.PEM if encoding.lower() == "pem" else Encoding.DER
save_crypto_item(certificate, output.name, encoding_type=encoding_type)
logger.info("Certificate generated successfully...")
click.echo(
f"The certificate file has been created: {os.path.abspath(output.name)}"
)
def main(json_conf: click.File, cert_path: str) -> None:
"""Utility for certificate generation."""
logger.info("Generating Certificate...")
logger.info("Loading configuration from json file...")
json_content = json.load(json_conf) # type: ignore
cert_config = CertificateParametersConfig(json_content)
priv_key = load_private_key(cert_config.issuer_private_key)
pub_key = load_public_key(cert_config.subject_public_key)
certificate = generate_certificate(
subject=cert_config.subject_name,
issuer=cert_config.issuer_name,
subject_public_key=pub_key,
issuer_private_key=priv_key,
serial_number=cert_config.serial_number,
duration=cert_config.duration,
if_ca=cert_config.BasicConstrains_ca,
path_length=cert_config.BasicConstrains_path_length)
logger.info("Saving the generated certificate to the specified path...")
save_crypto_item(certificate, cert_path)
logger.info("Certificate generated successfully...")
def main() -> None:
"""Main function."""
# Set the folder for data (certificates, keys)
data_dir = path.join(path.dirname(__file__), 'data')
os.makedirs(data_dir, exist_ok=True)
# load private key from data folder
private_key_2048_ca = load_private_key(path.join(data_dir, "ca_privatekey_rsa2048.pem"))
assert isinstance(private_key_2048_ca, RSAPrivateKey)
# load associated public key
public_key_2048_ca = load_public_key(path.join(data_dir, "ca_publickey_rsa2048.pem"))
assert isinstance(public_key_2048_ca, RSAPublicKey)
subject = issuer = generate_name_struct("first", "CZ")
# generate CA certificate (self-signed certificate)
ca_cert = generate_certificate(subject=subject, issuer=issuer, subject_public_key=public_key_2048_ca,
issuer_private_key=private_key_2048_ca, serial_number=0x1,
if_ca=True, duration=20 * 365, path_length=5)
# Save certificates in two formats (pem and der)
save_crypto_item(ca_cert, path.join(data_dir, "ca_cert_pem.crt"))
save_crypto_item(ca_cert, path.join(data_dir, "ca_cert_der.crt"), encoding_type=Encoding.DER)
print("The CA Certificate was created in der and pem format.")
# Create first chain certificate signed by private key of the CA certificate
subject_crt1 = generate_name_struct("second", "CZ")
public_key_2048_subject = load_public_key(path.join(data_dir, "crt_publickey_rsa2048.pem"))
assert isinstance(public_key_2048_subject, RSAPublicKey)
crt1 = generate_certificate(subject=subject_crt1, issuer=issuer, subject_public_key=public_key_2048_subject,
issuer_private_key=private_key_2048_ca,
serial_number=0x3cc30000babadeda, if_ca=False, duration=20 * 365)
# Save certificates in two formats (pem and der)
save_crypto_item(crt1, path.join(data_dir, "crt_pem.crt"))
save_crypto_item(crt1, path.join(data_dir, "crt_der.crt"), encoding_type=Encoding.DER)
print("The first chain certificate (signed by CA certificate) was created in der and pem format.")
# First chain certificate signed by private key of the CA certificate
subject_crt2 = generate_name_struct("third", "CZ")
private_key_2048_subject_1 = load_private_key(path.join(data_dir, "chain_privatekey_rsa2048.pem"))
assert isinstance(private_key_2048_subject_1, RSAPrivateKey)
public_key_2048_subject_1 = load_public_key(path.join(data_dir, "chain_publickey_rsa2048.pem"))
assert isinstance(public_key_2048_subject_1, RSAPublicKey)
crt1 = generate_certificate(subject=subject_crt2, issuer=issuer, subject_public_key=public_key_2048_subject_1,
issuer_private_key=private_key_2048_ca,
serial_number=0x2, if_ca=True, duration=20 * 365, path_length=3)
# Save certificates in two formats (pem and der)
save_crypto_item(crt1, path.join(data_dir, "chain_crt_pem.crt"))
save_crypto_item(crt1, path.join(data_dir, "chain_crt_der.crt"), encoding_type=Encoding.DER)
print("The first chain certificate (signed by CA certificate) was created in der and pem format.")
# Create first chain certificate signed by private key of first certificate
subject_crt3 = generate_name_struct("fourth", "CZ")
issuer_crt3 = subject_crt2
public_key_2048_subject_2 = load_public_key(path.join(data_dir, "chain_crt2_publickey_rsa2048.pem"))
assert isinstance(public_key_2048_subject_2, RSAPublicKey)
crt1 = generate_certificate(subject=subject_crt3, issuer=issuer_crt3, subject_public_key=public_key_2048_subject_2,
issuer_private_key=private_key_2048_subject_1,
serial_number=0x3cc30000babadeda, if_ca=False, duration=20 * 365)
# Save certificates in two formats (pem and der)
save_crypto_item(crt1, path.join(data_dir, "chain_crt2_pem.crt"))
save_crypto_item(crt1, path.join(data_dir, "chain_crt2_der.crt"), encoding_type=Encoding.DER)
print("The second certificate in a chain was created in der and pem format.")