def create_certificate(): root_ca_public_key, root_ca_private_key = asymmetric.generate_pair( 'rsa', bit_size=2048) with open('root_ca.key', 'wb') as f: f.write(asymmetric.dump_private_key(root_ca_private_key, u'p')) with open('root_ca_public.key', 'wb') as f: f.write(asymmetric.dump_public_key(root_ca_public_key, 'pem')) builder = CertificateBuilder( { u'country_name': u'US', u'state_or_province_name': u'Massachusetts', u'locality_name': u'Amherst', u'organization_name': u'Name Certifying service', u'common_name': u'NCS Root CA', }, root_ca_public_key) builder.self_signed = True builder.ca = True root_ca_certificate = builder.build(root_ca_private_key) with open('root_ca.crt', 'wb') as f: f.write(pem_armor_certificate(root_ca_certificate)) # Generate an end-entity key and certificate, signed by the root end_entity_public_key, end_entity_private_key = asymmetric.generate_pair( 'rsa', bit_size=2048) with open('ramteja_tadishetti_private.key', 'wb') as f: f.write(asymmetric.dump_private_key(end_entity_private_key, u'p')) with open('ramteja_tadishetti_public.key', 'wb') as f: f.write(asymmetric.dump_public_key(end_entity_public_key, 'pem')) builder = CertificateBuilder( { u'country_name': u'US', u'state_or_province_name': u'Massachusetts', u'locality_name': u'Amherst', u'organization_name': u'Ramteja Tadishetti Corp', u'common_name': u'ramtejatadishetti', }, end_entity_public_key) builder.issuer = root_ca_certificate #builder.set_extension( u'1.2.840.113549.1.1.1', 'ramteja', allow_deprecated=False) end_entity_certificate = builder.build(root_ca_private_key) with open('ramteja_tadishetti.crt', 'wb') as f: f.write(pem_armor_certificate(end_entity_certificate))
def build_ca(): if not os.path.exists(settings.CA_PATH): os.makedirs(settings.CA_PATH) root_ca_public_key, root_ca_private_key = asymmetric.generate_pair( 'rsa', bit_size=4096) with open(settings.CA_KEY, 'wb') as f: f.write( asymmetric.dump_private_key(root_ca_private_key, settings.CA_KEY_PASSWD)) builder = CertificateBuilder( { 'country_name': 'CR', 'state_or_province_name': 'San Jose', 'locality_name': 'Costa Rica', 'organization_name': 'DFVA Independiente', 'common_name': 'DFVA Root CA 1', }, root_ca_public_key) now = timezone.now() builder.self_signed = True builder.ca = True builder.end_date = now + timedelta(settings.CA_CERT_DURATION * 10) root_ca_certificate = builder.build(root_ca_private_key) with open(settings.CA_CERT, 'wb') as f: f.write(pem_armor_certificate(root_ca_certificate)) builder = CertificateListBuilder('http://crl.dfva.info', root_ca_certificate, 1000) crl_list = builder.build(root_ca_private_key) with open(settings.CA_CRL, 'wb') as f: f.write(crl_list.dump())
def generate_cert_and_key(cn, filename, keysize, keytype='rsa'): ca_key_name = '%s.key' % filename ca_cert_name = '%s.crt' % filename curdir = pathlib.Path(__file__).parent # Generate and save the key and certificate for the root CA root_ca_public_key, root_ca_private_key = asymmetric.generate_pair( keytype, bit_size=keysize) with open(curdir.joinpath(ca_key_name), 'wb') as f: f.write(asymmetric.dump_private_key(root_ca_private_key, None)) builder = CertificateBuilder( { 'country_name': 'US', 'state_or_province_name': 'Massachusetts', 'locality_name': 'Newbury', 'organization_name': 'Codex Non Sufficit LC', 'common_name': cn, }, root_ca_public_key) builder.self_signed = True builder.ca = True root_ca_certificate = builder.build(root_ca_private_key) with open(curdir.joinpath(ca_cert_name), 'wb') as f: f.write(pem_armor_certificate(root_ca_certificate))
def generate_certificate(self, domain, save_model): """This function takes a domain name as a parameter and then creates a certificate and key with the domain name (replacing dots by underscores), finally signing the certificate using specified CA and returns the path of key and cert files. If you are yet to generate a CA then check the top comments""" logger.info("SimpleCA: certificate creation request %s" % (domain,)) ca_private_key = asymmetric.load_private_key( self.ca_key, password=settings.CA_KEY_PASSWD) ca_certificate = asymmetric.load_certificate(self.ca_crt) end_entity_public_key, end_entity_private_key = \ asymmetric.generate_pair('rsa', bit_size=2048) builder = CertificateBuilder( { 'country_name': 'CR', 'state_or_province_name': 'San Jose', 'locality_name': 'Costa Rica', 'organization_name': save_model.name, "organizational_unit_name": save_model.institution_unit, 'common_name': domain, }, end_entity_public_key ) now = timezone.now() builder.issuer = ca_certificate builder.begin_date = now builder.end_date = now+timedelta(settings.CA_CERT_DURATION) builder.key_usage = set(['digital_signature']) end_entity_certificate = builder.build(ca_private_key) # settings.CA_CERT_DURATION server_public_key, server_private_key = \ asymmetric.generate_pair('rsa', bit_size=2048) save_model.private_key = asymmetric.dump_private_key( end_entity_private_key, None) save_model.public_key = asymmetric.dump_public_key( end_entity_public_key) save_model.public_certificate = pem_armor_certificate( end_entity_certificate) save_model.server_sign_key = asymmetric.dump_private_key( server_private_key, None) save_model.server_public_key = asymmetric.dump_public_key( server_public_key) logger.debug("SimpleCA: New certificate for %s is %r" % (domain, save_model.public_certificate)) return save_model
def create_certificate_for_client(client_details): # load client public key path_for_client_public_key = PUBLIC_KEY_STORE + file_names.get_public_key_name( client_details['domain_name']) client_public_key = asymmetric.load_public_key\ (get_byte_stream_for_file(path_for_client_public_key)) root_ca_private_key = asymmetric.load_private_key\ (get_byte_stream_for_file(ROOT_CA_PRIVATE_KEY_PATH), ROOT_CA_PRIVATE_KEY_PASSWORD) root_ca_public_key = asymmetric.load_public_key\ (get_byte_stream_for_file(ROOT_CA_PUBLIC_KEY)) root_ca_certificate = asymmetric.load_certificate\ (get_byte_stream_for_file(ROOT_CA_CERTIFICATE)) builder = CertificateBuilder( { u'country_name': client_details['country'], #.decode('utf-8'), u'state_or_province_name': client_details['state'], #.decode('utf-8'), u'locality_name': client_details['city'], #.decode('utf-8'), u'organization_name': client_details['name'], #.decode('utf-8'), u'common_name': get_dns_formatted_name( client_details['domain_name']), #.decode('utf-8'), }, client_public_key) dns_name = [] dns_name.append(u'opengns.com') builder.issuer = root_ca_certificate builder.subject_alt_domains = dns_name #builder.set_extension(u'authority_information_access', u'1.3.6.1.5.5.7.1.1') client_certificate = builder.build(root_ca_private_key) client_certificate_name = file_names.get_certificate_name( client_details['domain_name']) total_path = CERTIFICATE_OUTPUT_DIRECTORY + client_certificate_name with open(total_path, 'wb') as f: f.write(pem_armor_certificate(client_certificate)) return client_certificate_name
def retrieve_cert(self, certificate_request): log.debug("Getting certificate status for id %s" % certificate_request.id) time.sleep(0.1) end_entity_public_key, end_entity_private_key = asymmetric.generate_pair( 'rsa', bit_size=2048) builder = CertificateBuilder( { 'common_name': certificate_request.common_name, }, end_entity_public_key) root_ca_certificate = asymmetric.load_certificate(ROOT_CA) root_ca_private_key = asymmetric.load_private_key(ROOT_CA_KEY) builder.issuer = root_ca_certificate end_entity_certificate = builder.build(root_ca_private_key) return (pem_armor_certificate(end_entity_certificate).decode())
def issue_cert(self, csr: CsrBuilder) -> (PrivateKey, Cert): public_key, private_key = asymmetric.generate_pair('rsa', bit_size=4096) builder = CertificateBuilder( { 'country_name': 'US', 'state_or_province_name': 'Massachusetts', 'locality_name': 'Newbury', 'organization_name': 'Codex Non Sufficit LC', 'common_name': 'Will Bond', }, public_key) builder.self_signed = True cert = builder.build(private_key) serial = SerialNumber.from_int(cert.serial_number).as_hex() keypath = self._cert_dir / (serial + '.key') with keypath.open('wb') as f: f.write(asymmetric.dump_private_key(private_key, 'password')) certpath = self._cert_dir / (serial + '.pem') with certpath.open('wb') as f: f.write(pem_armor_certificate(cert))
def create_certificate(): root_ca_public_key, root_ca_private_key = asymmetric.generate_pair( 'rsa', bit_size=2048) with open('root_ca.key', 'wb') as f: f.write(asymmetric.dump_private_key(root_ca_private_key, u'p')) with open('root_ca_public.key', 'wb') as f: f.write(asymmetric.dump_public_key(root_ca_public_key, 'pem')) builder = CertificateBuilder( { u'country_name': u'US', u'state_or_province_name': u'Massachusetts', u'locality_name': u'Amherst', u'organization_name': u'Name Certifying service', u'common_name': u'NCS Root CA', }, root_ca_public_key) builder.self_signed = True builder.ca = True root_ca_certificate = builder.build(root_ca_private_key) with open('root_ca.crt', 'wb') as f: f.write(pem_armor_certificate(root_ca_certificate))
import json import sys f = open("orqIp.txt", "r") orq_ip = f.read() f.close() keyId = sys.argv[1] r = requests.get("http://" + orq_ip + ":5000/getKey/" + keyId) response = dict(json.loads(r.text)) pub_key = response["pubKey"] asn1PublicKey = core.Asn1Value.load(unhexlify(pub_key)) publicKey = keys.PublicKeyInfo.wrap(asn1PublicKey, u'rsa') builder = CertificateBuilder( { u'country_name': u'SP', u'state_or_province_name': u'Malaga', u'locality_name': u'Malaga', u'organization_name': u'NICS Lab', u'common_name': u'Certificacion Raiz' }, publicKey) builder.self_signed = True builder.ca = True root_ca_certificate = builder.build_mpc(int(keyId), orq_ip, "5000") with open('certificado_raiz.crt', 'wb') as f: f.write(pem_armor_certificate(root_ca_certificate))
def build_certificate( hostnames: Collection[str], password: Optional[str] = None, ) -> Tuple[bytes, bytes]: """ Build a self-signed certificate with SANs (subject alternative names). Returns a tuple of the certificate and its private key (PEM-formatted). The certificate is "minimally sufficient", without much of the extra information on the subject besides its common and alternative names. However, IP addresses are properly recognised and normalised for better compatibility with strict SSL clients (like apiservers of Kubernetes). The first non-IP hostname becomes the certificate's common name -- by convention, non-configurable. If no hostnames are found, the first IP address is used as a fallback. Magic IPs like 0.0.0.0 are excluded. ``certbuilder`` is used as an implementation because it is lightweight: 2.9 MB vs. 8.7 MB for cryptography. Still, it is too heavy to include as a normal runtime dependency (for 8.8 MB of Kopf itself), so it is only available as the ``kopf[dev]`` extra for development-mode dependencies. This can change in the future if self-signed certificates become used at runtime (e.g. in production/staging environments or other real clusters). """ try: import certbuilder import oscrypto.asymmetric except ImportError: raise MissingDependencyError( "Using self-signed certificates requires an extra dependency: " "run `pip install certbuilder` or `pip install kopf[dev]`. " "Or pass `insecure=True` to a webhook server to use only HTTP. " "Or generate your own certificates and pass as certfile=/pkeyfile=. " "More: https://kopf.readthedocs.io/en/stable/admission/") # Detect which ones of the hostnames are probably IPv4/IPv6 addresses. # A side-effect: bring them all to their canonical forms. parsed_ips: Dict[str, Union[ipaddress.IPv4Address, ipaddress.IPv6Address]] = {} for hostname in hostnames: try: parsed_ips[hostname] = ipaddress.IPv4Address(hostname) except ipaddress.AddressValueError: pass try: parsed_ips[hostname] = ipaddress.IPv6Address(hostname) except ipaddress.AddressValueError: pass # Later, only the normalised IPs are used as SANs, not the raw IPs. # Remove bindable but non-accessible addresses (like 0.0.0.0) form the SANs. true_hostnames = [ hostname for hostname in hostnames if hostname not in parsed_ips ] accessible_ips = [ str(ip) for ip in parsed_ips.values() if not ip.is_unspecified ] # Build a certificate as the framework believe is good enough for itself. subject = { 'common_name': true_hostnames[0] if true_hostnames else accessible_ips[0] } public_key, private_key = oscrypto.asymmetric.generate_pair( 'rsa', bit_size=2048) builder = certbuilder.CertificateBuilder(subject, public_key) builder.ca = True builder.key_usage = { 'digital_signature', 'key_encipherment', 'key_cert_sign', 'crl_sign' } builder.extended_key_usage = {'server_auth', 'client_auth'} builder.self_signed = True builder.subject_alt_ips = list(set(accessible_ips)) # deduplicate builder.subject_alt_domains = list( set(true_hostnames) | set(accessible_ips)) # deduplicate certificate = builder.build(private_key) cert_pem: bytes = certbuilder.pem_armor_certificate(certificate) pkey_pem: bytes = oscrypto.asymmetric.dump_private_key(private_key, password, target_ms=10) return cert_pem, pkey_pem
def _dump_cert(cert): return pem_armor_certificate(cert)