def generate_self_signed(private_key: rsa.RSAPrivateKey, subject: x509.Name) -> x509.Certificate: """Generate a Self-Signed certificate for use with a CMS PKCS#10 request. Args: private_key (rsa.RSAPrivateKey): The private key to sign the certificate with. subject (x509.Name): The subject used in the CSR, which must match this certificates subject. Returns: x509.Certificate: Self signed certificate for CMS envelope """ one_day = datetime.timedelta(1, 0, 0) builder = x509.CertificateBuilder() builder = builder.subject_name(subject) builder = builder.issuer_name(subject) builder = builder.not_valid_before(datetime.datetime.today() - one_day) builder = builder.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365)) builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(private_key.public_key()) # builder = builder.add_extension( # x509.KeyUsage(digital_signature=True, key_encipherment=True), critical=True # ) certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()) return certificate
def generate_root_certificate(private_key: rsa.RSAPrivateKey) -> x509.Certificate: backend = cryptography.hazmat.backends.default_backend() subject = x509.Name( [x509.NameAttribute( x509.oid.NameOID.COMMON_NAME, 'root' )] ) builder = x509.CertificateBuilder() return builder.subject_name(subject).issuer_name(subject) \ .not_valid_before(datetime.datetime.utcnow()) \ .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=1)) \ .serial_number(1) \ .public_key(private_key.public_key()) \ .add_extension(extension=x509.BasicConstraints(ca=True, path_length=1), critical=True) \ .add_extension(extension=x509.KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False, ), critical=True) \ .sign(private_key=private_key, algorithm=hashes.SHA256(), backend=backend)
def obtain_key_id(token: str, rsa_key: RSAPrivateKey, staging: bool = False) -> Response: target = '/g_business/v1/authentication_keys' key_encoding = Encoding.PEM key_format = PublicFormat.SubjectPublicKeyInfo public_key = rsa_key.public_key().public_bytes(key_encoding, key_format) body = {'public_key': public_key.decode(), 'token': token} with SatispayClient('PLACEHOLDER', rsa_key, staging) as client: return client.post(target, json=body)
def check_certificate_against_private_key( cert: Certificate, private_key: RSAPrivateKey, ) -> None: # Check if the public key of certificate matches the public key corresponding to the given # private one assert (_rsa_public_key_from_cert_or_csr(cert).public_numbers() == private_key.public_key().public_numbers())
def decode(cls, private_key: RSAPrivateKey, token_bytes: str) -> str: public_bytes = private_key.public_key().public_bytes( encoding=Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo) token = jwt_decode(token_bytes, public_bytes, algorithms=['RS256'], verify=False) return token['sub']
def gen_self_signed(key: rsa.RSAPrivateKey, cert_opts: Dict, crypto_opts: Dict) -> None: # noqa # subject / issuer subject = issuer = _subject(cert_opts) # init builder builder = x509.CertificateBuilder() # set subject and issuer builder = builder.subject_name(subject) builder = builder.issuer_name(issuer) # set public key builder = builder.public_key(key.public_key()) # set serial number serial = x509.random_serial_number() builder = builder.serial_number(serial) # set expiration now = datetime.datetime.utcnow() days = cert_opts['days'] builder = builder.not_valid_before(now) builder = builder.not_valid_after(now + datetime.timedelta(days=days)) # add base extensions for is_critical, ext in _extensions(key, cert_opts): builder = builder.add_extension(ext, critical=is_critical) # add AuthorityKeyIdentifier extension (experimental feature) pkey = key.public_key() key_identifier = x509.extensions._key_identifier_from_public_key(pkey) authority_cert_issuer = [x509.DirectoryName(issuer)] builder = builder.add_extension(x509.AuthorityKeyIdentifier( key_identifier, authority_cert_issuer, serial), critical=False) # sign the certificate md_alg = MD_ALGS[crypto_opts['md_alg']] crt = builder.sign(key, md_alg) # write to file crt_out = crypto_opts['crt_out'] with open(str(crt_out), "wb") as fp: fp.write(crt.public_bytes(serialization.Encoding.PEM)) fp.close()
def make_jwks(_private_key: RSAPrivateKey): """Returns JWKS.""" jwk = json.loads( RSAAlgorithm.to_jwk(_private_key.public_key()), ) jwk['kid'] = TEST_KID return { 'keys': [jwk] }
def attack_pubkey_deception_jwk(self, pk: RSAPrivateKey, kid: str, jwt: TestJWT = None): if jwt is None: jwt = self.init_token() pubkey: RSAPublicKey = pk.public_key() jwk = utils.rsa_pubkey_to_jwk(pem_file=None, key_id=kid, pubkey=pubkey) jwt.header['jwk'] = jwk jwt.header['jwk']['use'] = "sig" del (jwt.header['jwk']['alg']) self.payloads['attack_pubkey_deception_jwk'] = utils.force_unicode( jwt.build_token(pk))
def generate_cert(key: rsa.RSAPrivateKey, server_name: str) -> x509.Certificate: now = datetime.datetime.utcnow() subject = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "MN"), x509.NameAttribute(NameOID.LOCALITY_NAME, "Minneapolis"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, "pcsd"), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "pcsd"), x509.NameAttribute(NameOID.COMMON_NAME, server_name), ]) return (x509.CertificateBuilder().subject_name(subject).issuer_name( subject).public_key(key.public_key()).serial_number( int(now.timestamp() * 1000)).not_valid_before(now).not_valid_after( now + datetime.timedelta(days=3650)).sign( key, hashes.SHA256(), default_backend()))
def _extensions(key: rsa.RSAPrivateKey, cert_opts: Dict) -> List[Tuple[bool, x509.Extension]]: # noqa sector = cert_opts['sector'] # certificate policies policies = [ x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16'), [x509.UserNotice(None, 'AgIDroot')]), x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.6'), [x509.UserNotice(None, 'agIDcert')]), ] if sector == 'private': policies.append( x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.4.3.1'), [x509.UserNotice(None, 'cert_SP_Priv')])) elif sector == 'public': policies.append( x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.4.2.1'), [x509.UserNotice(None, 'cert_SP_Pub')])) else: emsg = 'Invalid value for sector (%s)' % sector raise Exception(emsg) # extensions list return [ # basicCinstraints (False, x509.BasicConstraints(ca=False, path_length=None)), # keyUsage (True, x509.KeyUsage( digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False, )), # certifcatePolicies (False, x509.CertificatePolicies(policies)), # subjectKeyIdentifier (False, x509.SubjectKeyIdentifier.from_public_key(key.public_key())), ]
def encode(self, private_key: RSAPrivateKey) -> bytes: private_bytes = private_key.private_bytes( encoding=Encoding.PEM, format=PrivateFormat.TraditionalOpenSSL, encryption_algorithm=NoEncryption()) public_key = private_key.public_key() numbers = public_key.public_numbers() n = numbers.n.to_bytes(int(public_key.key_size / 8), 'big').lstrip(b'\x00') kid = sha1(n).hexdigest() payload = self.payload() return jwt_encode(payload, private_bytes, algorithm='RS256', headers={'kid': kid})
def ca_certificate(private_key: rsa.RSAPrivateKey) -> x509.Certificate: b = x509.CertificateBuilder() name = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Commandment"), x509.NameAttribute(NameOID.COMMON_NAME, u"CA-CERTIFICATE"), ]) cert = b.serial_number(1).issuer_name(name).subject_name(name).public_key( private_key.public_key()).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=10)).add_extension( x509.BasicConstraints(ca=True, path_length=None), True).sign(private_key, hashes.SHA256(), default_backend()) return cert
def _save_key(namespace: str, identifier: str, key_pair: rsa.RSAPrivateKey): key_dir = pathlib.Path(KEY_STORE_PATH) / namespace / identifier os.makedirs(key_dir) with open(key_dir / 'id_rsa', 'wb') as f: key_binary = key_pair.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption() ) f.write(key_binary) with open(key_dir / 'id_rsa.pub', 'wb') as f: key_binary = key_pair.public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo ) f.write(key_binary)
def attack_pubkey_deception_jku(self, pk: RSAPrivateKey, jku_url, jwt: TestJWT = None, kid=None): if jwt is None: jwt = self.init_token() print("jwt {}".format(jwt)) jwt.header['jku'] = jku_url if kid is not None: jwt.header['kid'] = kid self.payloads['attack_pubkey_deception_jku'] = utils.force_unicode( jwt.build_token(pk)) pubkey: RSAPublicKey = pk.public_key() jwks = {} jwks['keys'] = [ utils.rsa_pubkey_to_jwk(pem_file=None, key_id=kid, pubkey=pubkey) ] self.payloads['attack_pubkey_deception_jku_jwks'] = json.dumps( jwks, separators=(",", ":"))
def generate_root_certificate( private_key: rsa.RSAPrivateKey) -> x509.Certificate: backend = cryptography.hazmat.backends.default_backend() subject = x509.Name( [x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, 'root')]) builder = x509.CertificateBuilder() return builder.subject_name(subject).issuer_name(subject) \ .not_valid_before(datetime.datetime.utcnow()) \ .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=1)) \ .serial_number(x509.random_serial_number()) \ .public_key(private_key.public_key()) \ .add_extension(extension=x509.BasicConstraints(ca=True, path_length=1), critical=True) \ .add_extension(extension=x509.KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False, ), critical=True) \ .sign(private_key=private_key, algorithm=hashes.SHA256(), backend=backend)
def generate_cert(path: Path, private_key: rsa.RSAPrivateKey, validity: int = 365, distinguished_name: DistinguishedName = None, basicConstraints: Dict[str, Union[str, bool]] = None, keyUsage: Dict[str, bool] = None, subjectAltName: [str, str] = None) -> x509.Certificate: distinguished_name = distinguished_name or test_distinguished_name subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, distinguished_name['C']), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, distinguished_name['ST']), x509.NameAttribute(NameOID.LOCALITY_NAME, distinguished_name['L']), x509.NameAttribute(NameOID.ORGANIZATION_NAME, distinguished_name['O']), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, distinguished_name['O']), x509.NameAttribute(NameOID.COMMON_NAME, distinguished_name['CN']), x509.NameAttribute(NameOID.EMAIL_ADDRESS, distinguished_name['emailAddress']) ]) cert = x509.CertificateBuilder().subject_name( subject ).issuer_name( issuer ).public_key( private_key.public_key() ).serial_number( x509.random_serial_number() ).not_valid_before( datetime.datetime.utcnow() ).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=validity) ) if basicConstraints: basicConstraints = {key.lower(): True if value is True or value.lower() == 'true' else False for key, value in basicConstraints.items()} for key in ('ca', 'path_length'): if key not in basicConstraints: basicConstraints[key] = None cert.add_extension( x509.BasicConstraints(**basicConstraints), critical=True, ) if keyUsage: key_usage = { 'crl_sign': keyUsage.get('crlSign', False), 'data_encipherment': keyUsage.get('dataEncipherment', False), 'digital_signature': keyUsage.get('digitalSignature', False), 'content_commitment': keyUsage.get('nonRepudiation', False), 'key_agreement': keyUsage.get('keyAgreement', False), 'key_cert_sign': keyUsage.get('keyCertSign', False), 'key_encipherment': keyUsage.get('keyEncipherment', False), 'encipher_only': keyUsage.get('encipherOnly', False), 'decipher_only': keyUsage.get('decipherOnly', False), } cert.add_extension( x509.KeyUsage(**key_usage), critical=True, ) if subjectAltName: alt_names = [] for key, value in subjectAltName.items(): if key.startswith('IP'): value = ipv4_or_ipv6(value) san_type = get_name_type(key) alt_names.append(san_type(value)) cert = cert.add_extension( x509.SubjectAlternativeName(alt_names), critical=False, ) cert = cert.sign(private_key, hashes.SHA256(), default_backend()) data = cert.public_bytes(serialization.Encoding.PEM) Path(path).write_bytes(data) return cert
def is_pareja(cer: x509.Certificate, private_key: rsa.RSAPrivateKey) -> bool: encoding = serialization.Encoding.PEM fmt = serialization.PublicFormat.PKCS1 return cer.public_key().public_bytes(encoding, fmt) == private_key.public_key().public_bytes(encoding, fmt)
async def node_id_from_private_key(key: rsa.RSAPrivateKey) -> bytes: """Wrapper to get the node id from the private key""" return await node_id_from_public_key(key.public_key())
def __init__(self, privkey: cr_rsa.RSAPrivateKey) -> None: self._privkey = privkey self._pubkey = RsaPublicKey(privkey.public_key()) self._private_numbers = privkey.private_numbers()
def __init__(self, hostname: str, private_key: RSAPrivateKey): self.hostname = hostname self.unit = Unit(hostname, private_key.public_key(), private_key) self.session = PwngridSession( refresh_token_fn=self._refresh_session_token)