def make_csr(private_key: bytes) -> str:
"""Return a CSR based on the given private key.
:param private_key:
:return csr:
"""
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME,
cache.get('csr_country_name') or 'GB'),
x509.NameAttribute(
NameOID.STATE_OR_PROVINCE_NAME,
cache.get('csr_state_or_province_name') or 'Middlesex'),
x509.NameAttribute(NameOID.LOCALITY_NAME,
cache.get('csr_locality_name') or 'London'),
x509.NameAttribute(
NameOID.ORGANIZATIONAL_UNIT_NAME,
cache.get('csr_organizational_unit_name') or 'My TPP'),
x509.NameAttribute(NameOID.COMMON_NAME,
cache.get('csr_common_name') or 'IT'),
])).sign(private_key, hashes.SHA256(), default_backend())
return csr
def csRequest(self):
# Generate a CSR
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
])).add_extension(
x509.SubjectAlternativeName([
# Describe what sites we want this certificate for.
x509.DNSName(u"mysite.com"),
]),
critical=False,
# Sign the CSR with our private key.
).sign(self.key, hashes.SHA256())
# Write our CSR out to disk.
with open(self.path, "wb") as f: # path = path/to/store/csr.pem
f.write(csr.public_bytes(serialization.Encoding.PEM))
def generate_certificate_signing_request(self,
slot,
public_key,
subject,
touch_callback=None):
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject),
]))
try:
return self.sign_csr_builder(slot,
public_key,
builder,
touch_callback=touch_callback)
except APDUError as e:
logger.error(
'Failed to generate Certificate Signing Request for slot %s',
slot,
exc_info=e)
raise
def generate(fqdn, write_dir, key_length, mode, owner_uid, group_gid):
"""Generate a key and CSR for headless operation.
The private key is written out to the provided directory and
the CSR is returned as a PEM encoded string.
"""
public_exp = 65537
priv_key = rsa.generate_private_key(
public_exponent=public_exp,
key_size=key_length,
backend=default_backend())
for key_filename in (KEY_FILENAME, PKCS8_KEY_FILENAME):
key_format = KEY_FILENAME_TO_FORMAT.get(key_filename)
if not key_format:
raise GenerationError(
'Invalid key format for file {}'.format(key_filename)
)
priv_key_filepath = os.path.join(write_dir, key_filename)
try:
with open(priv_key_filepath, 'w') as keyfile:
keyfile.write(priv_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=key_format,
encryption_algorithm=serialization.NoEncryption()))
os.chmod(priv_key_filepath, mode)
os.chown(priv_key_filepath, owner_uid, group_gid)
except IOError:
raise GenerationError('Error writing key file {}'.format(keyfile))
builder = x509.CertificateSigningRequestBuilder()
common_name = x509.NameAttribute(
x509.oid.NameOID.COMMON_NAME,
six.u(fqdn))
builder = builder.subject_name(x509.Name([common_name]))
builder = builder.add_extension(x509.BasicConstraints(
ca=False,
path_length=None), critical=True)
csr = builder.sign(priv_key, hashes.SHA256(), default_backend())
csr_pem_encoded = csr.public_bytes(serialization.Encoding.PEM)
return csr_pem_encoded
def make_csr(self, common_name_prefix: str = None):
"""
Generate CSR.
"""
# Create a random common name.
common_name = Nagamani19().generate()
if common_name_prefix:
common_name = f"{common_name_prefix}-{common_name}"
# Generate the CSR.
csr_unsigned = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name(
[
# Provide various details about who we are.
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
]
)
)
# Sign the CSR with the private key.
self.csr = csr_unsigned.sign(self.private_key, hashes.SHA512())
def generate_csr_and_key():
"""Return a dict with a new csr and key."""
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"Magnum User"),
])).sign(key, hashes.SHA256(), default_backend())
result = {
'csr':
csr.public_bytes(encoding=serialization.Encoding.PEM).decode("utf-8"),
'key':
key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()).decode("utf-8"),
}
return result
def _generate_csr(cls, cn, private_key, passphrase=None):
pk = serialization.load_pem_private_key(
data=private_key, password=passphrase,
backend=backends.default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn),
])
)
csr = csr.add_extension(
x509.BasicConstraints(
ca=False,
path_length=None
),
critical=True
)
csr = csr.add_extension(
x509.KeyUsage(
digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False
),
critical=True
)
csr = csr.add_extension(
x509.SubjectAlternativeName([x509.DNSName(cn)]),
critical=False
)
signed_csr = csr.sign(
pk,
getattr(hashes, CONF.certificates.signing_digest.upper())(),
backends.default_backend())
return signed_csr.public_bytes(serialization.Encoding.PEM)
def test_build_ca_request_with_rsa(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
request = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
])).add_extension(x509.BasicConstraints(ca=True, path_length=2),
critical=True).sign(private_key, hashes.SHA1(),
backend)
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
assert isinstance(public_key, rsa.RSAPublicKey)
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
]
basic_constraints = request.extensions.get_extension_for_oid(
x509.OID_BASIC_CONSTRAINTS)
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
def test_add_unsupported_extension_in_backend(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
])).add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")
]),
critical=False,
).add_extension(x509.KeyUsage(digital_signature=True,
content_commitment=True,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=False)
with pytest.raises(NotImplementedError):
builder.sign(private_key, hashes.SHA256(), backend)
def certificateRequest():
user = request.form['user']
country = request.form['country']
state = request.form['state']
locality = request.form['locality']
private_key = rsa.generate_private_key(
public_exponent = 65537,
key_size = 2048,
backend = default_backend()
)
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME,str(user)),
x509.NameAttribute(NameOID.COUNTRY_NAME, str(country)),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, str(state)),
x509.NameAttribute(NameOID.LOCALITY_NAME,str(locality)),
]))
requestcsr = builder.sign(
private_key, hashes.SHA256(),default_backend()
)
builder = builder.add_extension(
x509.BasicConstraints(ca=False,path_length=None), critical= True
)
csrpem = requestcsr.public_bytes(Encoding.PEM)
with open(user+'.csr','wb') as f :
f.write(csrpem)
keypem = private_key.private_bytes(Encoding.PEM,
PrivateFormat.TraditionalOpenSSL, NoEncryption())
with open(user+'.key','wb') as f :
f.write(keypem)
json_response = {
"csr" : csrpem,
"key" : keypem
}
return jsonify(json_response)
def generate_certificate_request(common_name,
country=None,
state=None,
locality=None,
organization=None,
organization_unit=None,
email=None,
passphrase=None,
_backend=None):
attribs = {
"common_name": common_name,
"country": country,
"state": state,
"locality": locality,
"organization": organization,
"organization_unit": organization_unit,
"email": email,
}
backend = _backend or default_backend()
private_key = generate_private_key(common_name + ".key", passphrase,
backend)
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(x509.Name(_convert_attributes(attribs)))
builder = builder.add_extension(x509.BasicConstraints(ca=False,
path_length=None),
critical=True)
builder = builder.add_extension(x509.SubjectAlternativeName(
[x509.DNSName(common_name)]),
critical=True)
request = builder.sign(private_key, hashes.SHA256(), backend)
with open(common_name + ".csr.pem", "wb") as fo:
fo.write(request.public_bytes(serialization.Encoding.PEM))
return private_key, request
def issue_certificate(server, domains, cert_key, key):
# generate csr
from cryptography import x509
from cryptography.x509 import NameOID
assert domains
try:
domains = [unicode(domain) for domain in domains]
except NameError:
pass
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domains[0])])
san = x509.SubjectAlternativeName(
[x509.DNSName(domain) for domain in domains])
csr = x509.CertificateSigningRequestBuilder().subject_name(name) \
.add_extension(san, critical=False).sign(cert_key, hashes.SHA256(), default_backend())
csr = csr.public_bytes(serialization.Encoding.DER)
# requests
header = generate_header(key)
nonce = get_nonce(server)
payload = {
'resource': 'new-cert',
'csr': base64url_encode(csr),
}
r = requests.post(lookup(server, 'new-cert'),
json=sign_request(payload, nonce, key))
if r.status_code == 201: # Created
cert = x509.load_der_x509_certificate(r.content,
default_backend()).public_bytes(
serialization.Encoding.PEM)
chain = r.links.get('up')
if chain:
inter_cert = requests.get(chain['url']).content
inter_cert = x509.load_der_x509_certificate(
inter_cert,
default_backend()).public_bytes(serialization.Encoding.PEM)
return cert + (inter_cert or b'')
else:
raise IOError('Issue Certificate Failed: {} {}: {}'.format(
r.status_code, r.reason, r.text))
def generate_csr(common_name, dnsnames, ips, keysize):
key = rsa.generate_private_key(public_exponent=65537,
key_size=keysize,
backend=default_backend())
key_pem = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
csr = x509.CertificateSigningRequestBuilder()
csr = csr.subject_name(
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
csr = csr.add_extension(
x509.SubjectAlternativeName(dnsnames + ips),
critical=False,
)
csr = csr.sign(key, hashes.SHA256(), default_backend())
csr_pem = csr.public_bytes(serialization.Encoding.PEM)
return key_pem, csr_pem
def __init__(self,
initializer=None,
common_name=None,
private_key=None,
age=None):
super(CertificateSigningRequest, self).__init__(
initializer=initializer, age=age)
if self._value is None:
if isinstance(initializer, x509.CertificateSigningRequest):
self._value = initializer
elif isinstance(initializer, string_types):
self.ParseFromString(initializer)
elif common_name and private_key:
self._value = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name(
[x509.NameAttribute(oid.NameOID.COMMON_NAME,
str(common_name))])).sign(
private_key.GetRawPrivateKey(),
hashes.SHA256(),
backend=openssl.backend)
elif initializer is not None:
raise rdfvalue.InitializeError(
"Cannot initialize %s from %s." % (self.__class__, initializer))
def make_csr_request(domains, private_key, account, order):
x509_dnsnames = []
for domain in domains:
x509_dnsnames.append(x509.DNSName(domain))
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u'CH'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Schwyz'),
x509.NameAttribute(NameOID.LOCALITY_NAME, u'Wollerau'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Intamin'),
])).add_extension(x509.SubjectAlternativeName(x509_dnsnames),
critical=False).sign(private_key, hashes.SHA256(),
default_backend())
payload = {}
payload['csr'] = base64_encode_as_string(
csr.public_bytes(serialization.Encoding.DER))
headers, response = make_request(private_key, account, order['finalize'],
payload)
if DEBUG:
print('CSR_RESPONSE')
prettyprinter.pprint(response)
def create_csr(self) -> Dict:
"""Creates a csr and signing it with device private key"""
self._create_keys()
csr_issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, COUNTRY_NAME),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, STATE),
x509.NameAttribute(NameOID.LOCALITY_NAME, LOCALITY_NAME),
x509.NameAttribute(NameOID.COMMON_NAME, COMMON_NAME)
])
self.csr = x509.CertificateSigningRequestBuilder().subject_name(
csr_issuer).sign(self.device_pri_key, hashes.SHA256(),
default_backend())
response = {}
keys = self._serialize_key_pair()
response.update(keys)
response.update({
'csr':
self.csr.public_bytes(
encoding=serialization.Encoding.PEM).decode('utf-8')
})
return response
def generate_csr(private_key, filename: str, config: Configuration):
# Construction des informations qui font l'objet de la certification
subject = read_configuration(config)
# Génération des alternatives de serveurs DNS valides pour le certificat
alt_names = []
for name in config.alt_names:
alt_names.append(x509.DNSName(name))
san = x509.SubjectAlternativeName(alt_names)
# Génération des différents constructeurs d'objet des attributs du CSR
builder = (x509.CertificateSigningRequestBuilder().subject_name(
subject).add_extension(san, critical=False))
# Signature du CSR avec la clé privée
csr = builder.sign(private_key, hashes.SHA256(), default_backend())
# Écriture de la requête de signature du certificat dans le fichier PEM
with open(filename, "wb") as csrfile:
# FIXME Expected type 'Encoding', got 'str' instead
csrfile.write(csr.public_bytes(serialization.Encoding.PEM))
return csr
def test_subject_alt_names(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
])).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(u"example.com"),
x509.DNSName(u"*.example.com"),
]),
critical=False,
).sign(private_key, hashes.SHA256(), backend)
assert len(csr.extensions) == 1
ext = csr.extensions.get_extension_for_oid(
x509.OID_SUBJECT_ALTERNATIVE_NAME)
assert not ext.critical
assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME
assert list(ext.value) == [
x509.DNSName(u"example.com"),
x509.DNSName(u"*.example.com"),
]
def _generate_csr(self, key, domainname):
# Generate a CSR
private_key = serialization.load_pem_private_key(
key, password=None, backend=default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME, u"BR"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"RJ"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Rio de Janeiro"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"globo.com"),
x509.NameAttribute(NameOID.COMMON_NAME, domainname),
])).add_extension(
x509.SubjectAlternativeName([
# Sites we want this certificate for.
x509.DNSName(domainname),
]),
critical=False,
# Sign the CSR with our private key.
).sign(private_key, hashes.SHA256(), default_backend())
# Return serialized CSR
return csr.public_bytes(serialization.Encoding.PEM)
def generate_csr(self, key):
country = self.config.get(self.server, 'country')
state = self.config.get(self.server, 'state')
locality = self.config.get(self.server, 'locality')
organization_name = self.config.get(self.server, 'organization_name')
common_name = self.config.get(self.server, 'common_name')
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, country),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state),
x509.NameAttribute(NameOID.LOCALITY_NAME, locality),
x509.NameAttribute(NameOID.ORGANIZATION_NAME,
organization_name),
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
])).sign(key, hashes.SHA256(), default_backend())
csr_fname = '{}.csr.asc'.format(self.server)
with open('{}/{}'.format(self.CONFIG_FOLDER_PATH, csr_fname),
'wb') as f:
enc_csr = self.encrypt(
csr.public_bytes(serialization.Encoding.PEM).decode('utf-8'),
self.config.get(self.server, 'fingerprint'))
f.write(bytes(str(enc_csr), 'utf-8'))
return csr
def generate_csr(
private_key: rsa.RSAPrivateKey = None
) -> Tuple[rsa.RSAPrivateKey, x509.CertificateSigningRequest]:
"""Generate a Certificate Signing Request using a few defaults.
Args:
private_key (rsa.RSAPrivateKey): Optional. If not supplied a key will be generated
Returns:
Tuple of private_key, x509.CertificateSigningRequest
"""
if private_key is None:
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'scepy2 client'),
]))
builder = builder.add_extension(
# Absolutely critical for SCEP
x509.KeyUsage(digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
True)
csr = builder.sign(private_key, hashes.SHA512(), default_backend())
return private_key, csr
def generate_keys(id, oid):
#Génération de la clef publique
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=1024,
backend=default_backend())
client_infos = x509.Name([
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'REIMS'),
x509.NameAttribute(NameOID.COMMON_NAME, u'{}_{}.mrt'.format(id, oid)),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'{}'.format(id)),
x509.NameAttribute(NameOID.COUNTRY_NAME, u'FR')
])
public_key = private_key.public_key()
csr = x509.CertificateSigningRequestBuilder()
csr = csr.subject_name(client_infos)
csr = csr.add_extension(x509.BasicConstraints(ca=False, path_length=None),
critical=False)
csr = csr.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend())
private_bytes = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption())
public_bytes = csr.public_bytes(encoding=serialization.Encoding.PEM)
#Ecriture des fichiers
with open("pool/keys/{}_{}.csr".format(id, oid), "wb") as fout:
fout.write(public_bytes)
with open("pool/keys/{}_{}.pem".format(id, oid), "wb") as fout:
fout.write(private_bytes)
return public_bytes
def generate_key_and_csr(thing_name):
key = rsa.generate_private_key(
public_exponent=65537, key_size=4096, backend=default_backend()
)
log.info("Generated private key.")
csr = (
x509.CertificateSigningRequestBuilder()
.subject_name(
x509.Name(
[
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "WA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, "Seattle"),
x509.NameAttribute(
NameOID.ORGANIZATION_NAME, "IoT Static IP Endpoints"
),
x509.NameAttribute(NameOID.COMMON_NAME, thing_name),
]
)
)
.sign(key, hashes.SHA256(), default_backend())
)
log.info("Generated CSR")
key_pem = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
).decode("utf-8")
log.info("Encoded key in pem format")
csr_pem = str(csr.public_bytes(serialization.Encoding.PEM), "utf-8")
log.info("Encoded CSR in pem format")
return (key_pem, csr_pem)
def makeCSR(self, identifiers):
# Generate a CSR
'''
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),\
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),\
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),\
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),\
x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),\
])).add_extension(x509.SubjectAlternativeName([\
x509.DNSName(u"mysite.com"),\
x509.DNSName(u"www.mysite.com"),\
x509.DNSName(u"subdomain.mysite.com"),\
]),
critical = False,).sign(self.private_key, hashes.SHA256(), default_backend())
csr.public_bytes(serialization.Encoding.DER)
'''
print("IDENTIFIERS ARE: ", identifiers, "and are of type ",
type(identifiers))
alternatives = [None] * len(
identifiers) #create array to suit csr format
for i in range(len(identifiers)):
alternatives[i] = x509.DNSName(identifiers[i])
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
]))
builder = builder.add_extension(
x509.SubjectAlternativeName(alternatives),
critical=False,
)
request = builder.sign(self.private_key, hashes.SHA256(),
default_backend())
csr = request.public_bytes(serialization.Encoding.DER)
return csr
def generate_csr(key, domain_name, platform):
"""
generate csr for the client certificate
"""
domain_id = domain_name.split(".")[0].replace('time', '')
ip_offset = 16 + int(domain_id)
# ~ if platform == 'mobile':
# ~ ip_address = '10.175.' + str(ip_offset) + '.163'
# ~ sans = [x509.IPAddress(ipaddress.IPv4Address(ip_address))]
# ~ common_name = ip_address
# ~ elif platform == 'desktop':
# ~ common_name = domain_name
sans = [x509.DNSName(domain_name)]
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"MA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Boston"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Northeastern"),
x509.NameAttribute(NameOID.COMMON_NAME, domain_name),
])).add_extension(
x509.SubjectAlternativeName(sans),
critical=True,
# Sign the CSR with our private key.
).sign(key, hashes.SHA256(), default_backend())
# Write our CSR out to disk.
with open(domain_name + ".csr", "wb") as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
return csr
def generate_signing_request(
cn: str,
dnsname: Optional[str] = None
) -> (rsa.RSAPrivateKey, x509.CertificateSigningRequest):
"""Generate a Private Key + Certificate Signing Request using the given dnsname as the CN and SAN dNSName.
Args:
cn (str): The certificate common name
dnsname (str): The public facing dns name of the MDM server.
Returns:
Tuple of rsa private key, csr
"""
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, cn),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment')
])
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(name)
if dnsname is not None:
san = x509.SubjectAlternativeName([x509.DNSName(dnsname)])
builder = builder.add_extension(san, critical=True)
builder = builder.add_extension(x509.BasicConstraints(ca=False,
path_length=None),
critical=True)
request = builder.sign(private_key, hashes.SHA256(), default_backend())
return private_key, request
def gen_csr(
csr_key: RSAPrivateKey,
common_name: str = "some.engineering",
san_dns_names: Optional[List[str]] = None,
san_ip_addresses: Optional[List[str]] = None,
include_loopback: bool = True,
) -> CertificateSigningRequest:
if san_dns_names is None:
san_dns_names = get_local_hostnames(include_loopback=include_loopback,
args=ArgumentParser.args)
if san_ip_addresses is None:
san_ip_addresses = get_local_ip_addresses(
include_loopback=include_loopback, args=ArgumentParser.args)
csr_build = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
if len(san_dns_names) + len(san_ip_addresses) > 0:
csr_build = csr_build.add_extension(
x509.SubjectAlternativeName(
[x509.DNSName(n) for n in san_dns_names] +
[x509.IPAddress(make_ip(i)) for i in san_ip_addresses]),
critical=
False, # Optional extensions are not critical if unsupported
)
return csr_build.sign(csr_key, hashes.SHA256(), default_backend())
def build_csr(domain):
try:
private_key = serialization.load_pem_private_key(
DOMAIN_KEY, None, default_backend())
except ValueError:
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
with open(DOMAIN_KEY, "wb") as f:
f.write(
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()))
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.COMMON_NAME, unicode(domain)),
])).sign(private_key, hashes.SHA256(), default_backend())
return csr
def generate_csr(private_key, filename, **kwargs):
subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, kwargs["country"]),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, kwargs["state"]),
x509.NameAttribute(NameOID.LOCALITY_NAME, kwargs["locality"]),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, kwargs["org"]),
x509.NameAttribute(NameOID.COMMON_NAME, kwargs["hostname"]),
])
# Generate any alternative dns names
alt_names = []
for name in kwargs.get("alt_names", []):
alt_names.append(x509.DNSName(name))
san = x509.SubjectAlternativeName(alt_names)
builder = (x509.CertificateSigningRequestBuilder().subject_name(
subject).add_extension(san, critical=False))
csr = builder.sign(private_key, hashes.SHA256(), default_backend())
with open(filename, "wb") as csrfile:
csrfile.write(csr.public_bytes(serialization.Encoding.PEM))
return csr
def generate_certificate_signing_request(username, passphrase, key_file):
"""
Generate the certificate signing request for the new user in Kubernetes
"""
file_location = _ensure_cert_working_path()
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
key_bytes = None
with open(key_file, "rb") as f:
key_bytes = f.read()
key = serialization.load_pem_private_key(key_bytes,
bytes(passphrase, "utf-8"),
default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COMMON_NAME,
u"{0}".format(username)),
])).sign(key, hashes.SHA256(), default_backend())
csr_file = Path(file_location).joinpath(f"{username}_csr.pem")
# write CSR to file
with open(csr_file, "wb") as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
if csr_file.is_file():
return csr_file
else:
return None
