def sign_certificate_request(self, cert_req: X509Req, serial_number: int) -> X509:
cert = X509()
cert.set_issuer(self.__cert.get_subject())
cert.set_pubkey(cert_req.get_pubkey())
cert.set_subject(cert_req.get_subject())
cert.set_serial_number(serial_number)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
cert.sign(self.__pkey, "sha256")
return cert
def make_cert(req: X509Req, ca_pkey: PKey) -> X509:
cert = X509()
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.set_notBefore(x509_time(minutes=-1))
cert.set_notAfter(x509_time(days=30))
# noinspection PyTypeChecker
cert.sign(ca_pkey, 'sha1')
return cert
def createCSR(cert_name, password, subject_dict, csr_type='usr'):
'''
create A Certificate Signing Request for a CA.
csr_type should be set to 'ca' if it is a CSR for an intermediate CA.
CN MUST be passed.
'''
if isinstance(password, str):
password = bytes(password, 'utf-8')
if csr_type == 'ca':
pvt_obj, pvt_bytes = generatePrivate(cert_name,
_size=4096,
password=password)
else:
pvt_obj, pvt_bytes = generatePrivate(cert_name, password=password)
req = X509Req()
subject = req.get_subject()
subject = setSubject(subject, subject_dict)
req.set_pubkey(pvt_obj)
req.sign(pvt_obj, "sha256")
if csr_type == 'usr':
# If it is a request by user then also create the files in the pwd
open(path.abspath(cert_name + '.private.pem'), 'wb').write(pvt_bytes)
open(path.abspath(cert_name + '.csr.pem'),
'wb').write(dump_certificate_request(FILETYPE_PEM, req))
return pvt_bytes, dump_certificate_request(FILETYPE_PEM, req)
def create_csr(csr_file_path):
private_key_path = re.sub(r".(pem|crt)$",
".key",
cert_file_path,
flags=re.IGNORECASE)
# create public/private key
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = 'localhost'
req.get_subject().O = 'XYZ Widgets Inc'
req.get_subject().OU = 'IT Department'
req.get_subject().L = 'Seattle'
req.get_subject().ST = 'Washington'
req.get_subject().C = 'US'
req.get_subject().emailAddress = '*****@*****.**'
req.set_pubkey(key)
req.sign(key, 'sha256')
with open(csr_file_path, 'wb+') as f:
f.write(dump_certificate_request(FILETYPE_PEM, req))
with open(private_key_path, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
def __getitem__(self, cn):
cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not path.exists(cnp):
# Crea Key
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Crea CSR
# revisar : http://stackoverflow.com/questions/24043226/generating-a-csr-with-python-crypto
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Firmar CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
return cnp
def __getitem__(self, cn):
'''
Gets the specified Certificate authority file if it already exists, else creates one!
'''
cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not path.exists(cnp):
# create certificate
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
return cnp
def _sign_ca(self, cn, cnp):
# 使用合法的CA证书为代理程序生成服务器证书
# create certificate
try:
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha256')
# Sign CSR
cert = X509()
cert.set_version(2)
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
ss = ("DNS:%s" % cn).encode(encoding="utf-8")
cert.add_extensions([X509Extension(b"subjectAltName", False, ss)])
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
except Exception as e:
raise Exception("generate CA fail:{}".format(str(e)))
def CreateCsr(self, Key):
if not self.CsrFile:
CertConfig = self.ParseConfig()
Csr = X509Req()
Csr.get_subject().commonName = CertConfig['CSR'].get('commonName')
Csr.get_subject().stateOrProvinceName = CertConfig['CSR'].get(
'stateOrProvinceName')
Csr.get_subject().localityName = CertConfig['CSR'].get(
'localityName')
Csr.get_subject().organizationName = CertConfig['CSR'].get(
'organizationName')
Csr.get_subject().organizationalUnitName = CertConfig['CSR'].get(
'organizationalUnitName')
Csr.get_subject().emailAddress = CertConfig['CSR'].get(
'emailAddress')
Csr.get_subject().countryName = CertConfig['CSR'].get(
'countryName')
Csr.set_pubkey(Key)
Csr.sign(Key, self.digestType)
else:
with open(self.CsrFile) as CsrFile:
if self.OldCsrFileType == 'PEM':
Csr = load_certificate_request(FILETYPE_PEM,
CsrFile.read())
elif self.OldCsrFileType == 'DER':
Csr = load_certificate_request(FILETYPE_ASN1,
CsrFile.read())
else:
raise TypeError("Unknown Certificate Type %s" %
(self.OldCsrFileType))
return Csr
def __getitem__(self, cn):
cnp = os.path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not os.path.exists(cnp):
# create certificate
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha256')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(self.filetype, key))
f.write(dump_certificate(self.filetype, cert))
return cnp
def get_cert_path(self, cn):
cnp = os.path.sep.join(
[self.cache_dir,
'%s-%s.pem' % (self.CERT_PREFIX, cn)])
if os.path.exists(cnp):
print("Cert already exists common_name=%s" % cn)
else:
print("Creating and signing cert common_name=%s" % cn)
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(123)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
print("Created cert common_name=%s location=%s" % (cn, cnp))
return cnp
def create_cert_req(pk, dn):
c = X509Req()
c.set_pubkey(pk)
set_name_from_dict(c.get_subject(), dn)
c.get_subject()
c.sign(pk, 'SHA256')
c.verify(pk)
# csr = OpenSSL.crypto.dump_certificate_request(FILETYPE_PEM, c)
return c
def make_req(pub_key, cn=None, digest=None) -> X509Req:
req = X509Req()
req.set_version(2)
req.set_pubkey(pub_key)
if cn is not None:
subject = req.get_subject()
subject.CN = cn.encode('utf-8')
if digest:
req.sign(pub_key, digest)
return req
def create_certificate_request(self, common_name, pkey) -> X509Req:
cert_req = X509Req()
cert_req.set_pubkey(pkey)
subject = cert_req.get_subject()
subject.countryName = self.__cert.get_subject().countryName
subject.stateOrProvinceName = self.__cert.get_subject().stateOrProvinceName
subject.localityName = self.__cert.get_subject().localityName
subject.organizationName = self.__cert.get_subject().organizationName
subject.organizationalUnitName = self.__cert.get_subject().organizationalUnitName
subject.emailAddress = self.__cert.get_subject().emailAddress
subject.commonName = common_name
cert_req.sign(self.__pkey, "sha256")
return cert_req
def get_csr(client, key_id, key_version_id, subject_name, domain,
kms_algorithm, signature_algorithm):
clear_text_public_key_pem = get_public_key(client, key_id, key_version_id)
# kms get_public_key
pkey = load_publickey(FILETYPE_PEM, clear_text_public_key_pem)
req = X509Req()
req.set_pubkey(pkey)
req.get_subject().CN = subject_name.get('CN')
req.get_subject().C = subject_name.get('C')
req.get_subject().O = subject_name.get('O')
req.set_version(0)
# addExtensions
req.add_extensions([
X509Extension(b'subjectAltName', False,
','.join(domain).encode('ascii'))
])
result_buffer = _ffi.new('unsigned char**')
encode_result = _lib.i2d_re_X509_REQ_tbs(req._req, result_buffer)
md_length = _ffi.new("unsigned int *")
md = _ffi.new("unsigned char[]", 32)
evp_md = _lib.EVP_get_digestbyname(b"sha256")
md_ctx = _lib.Cryptography_EVP_MD_CTX_new()
md_ctx = _ffi.gc(md_ctx, _lib.Cryptography_EVP_MD_CTX_free)
_lib.EVP_DigestInit_ex(md_ctx, evp_md, _ffi.NULL)
_lib.EVP_DigestUpdate(md_ctx, result_buffer[0], encode_result)
_lib.EVP_DigestFinal_ex(md_ctx, md, md_length)
psig = _ffi.new("ASN1_BIT_STRING **")
palg = _ffi.new("X509_ALGOR **")
_lib.X509_REQ_get0_signature(req._req, psig, palg)
# kms_sign
sign_data = kms_sign(client, key_id, key_version_id, kms_algorithm,
bytes(md))
_lib.ASN1_STRING_set(psig[0], sign_data, len(sign_data))
psig[0].flags &= ~(0x08 | 0x07)
psig[0].flags |= 0x08
_lib.OPENSSL_free(result_buffer[0])
palg[0].algorithm = _lib.OBJ_nid2obj(_lib.OBJ_sn2nid(signature_algorithm))
csr_pem_str = dump_certificate_request(FILETYPE_PEM, req)
return csr_pem_str
def _make_certificate(self, cn, cnp): """ Generate private key, generate certificate signing request, sign it using our key, and write out to file. Only call this if the file doesn't yet exist. """ key = self._make_private_key() # generate CSR (certificate signing request) req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) # sign CSR (certificate signing request) and get certificate req.sign(key, 'sha1') cert = self._sign_csr(key, req) # dump out key and certificate to file self._write_cert(cnp, key, cert)
def create_csr_key(subject):
key = PKey()
key.generate_key(TYPE_RSA, 2048)
req = X509Req()
req.get_subject().CN = subject['CN']
req.get_subject().O = subject['O'] # noqa: E741
req.get_subject().OU = subject['OU']
req.get_subject().L = subject['L']
req.get_subject().ST = subject['ST']
req.get_subject().C = subject['C']
req.set_pubkey(key)
req.sign(key, 'sha256')
csr = dump_certificate_request(FILETYPE_PEM, req)
privatekey = dump_privatekey(FILETYPE_PEM, key).decode('utf-8')
return csr, privatekey
def gen_x509_csr(key_pair, csr_fields, csr_sign_bits):
"""
gen_x509_csr creates a certificate signature request by applying the passed
fields to the subject of the request, attaches the public key's fingerprint
and signs the request using the private key.
csr_fields dictionary and generates a
certificate request using the passed keypair. Note that the default digest
is sha256.
:param key_pair: The key pair that will sign the request
:type key_pair: :py:data:`OpenSSL.crypto.PKey` the key must have an attached
private component.
:param csr_fields: The certifcate issuer's details in X.509 Distinguished
Name format.
:type csr_fields: :py:data:`dict`
C - Country name
ST - State or province name
L - Locality name
O - Organization name
OU - Organizational unit name
CN - Common name
emailAddress - E-mail address
:rtype: A `pyopenssl.OpenSSL.crypto.X509Req`
"""
req = X509Req()
subj = req.get_subject()
for field, value in csr_fields.iteritems():
setattr(subj, field, value)
prv_key = load_privatekey(SSL.FILETYPE_PEM, key_pair)
req.set_pubkey(prv_key)
req.sign(prv_key, 'sha' + str(csr_sign_bits))
# TODO clean prv_key and str_prv_key from memory
pem_csr = dump_certificate_request(SSL.FILETYPE_PEM, req)
# TODO clean req from memory
return pem_csr
def otherMakeCertificate(**kw):
keypair = PKey()
keypair.generate_key(TYPE_RSA, 1024)
req = X509Req()
subj = req.get_subject()
for (k, v) in kw.items():
setattr(subj, k, v)
req.set_pubkey(keypair)
req.sign(keypair, "md5")
cert = X509()
cert.set_serial_number(counter())
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year
cert.set_issuer(req.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(keypair, "md5")
return keypair, cert
ca.add_extensions([
X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca)
])
f = open("CA.cert", "w")
f.write(dump_certificate(FILETYPE_PEM, ca))
f.close()
host_key = PKey()
host_key.generate_key(TYPE_RSA, 2048)
f = open("HOST.key", "w")
f.write(dump_privatekey(FILETYPE_PEM, host_key))
f.close()
host_req = X509Req()
host_req.get_subject().commonName = "malware.org"
host_req.get_subject().emailAddress = "*****@*****.**"
host_req.set_pubkey(host_key)
host_req.sign(host_key, "sha1")
f = open("HOST.req", "w")
f.write(dump_certificate_request(FILETYPE_PEM, host_req))
f.close()
host = X509()
host.set_subject(host_req.get_subject())
host.set_serial_number(2)
host.gmtime_adj_notBefore(0)
host.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
host.set_issuer(ca.get_subject())
