def test_generate_wrong_types(self, backend): cert, key = _load_ca(backend) cert2 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem")) encryption = serialization.NoEncryption() with pytest.raises(TypeError) as exc: serialize_key_and_certificates(b"name", cert, cert, None, encryption) assert (str( exc.value) == "Key must be RSA, DSA, or EllipticCurve private key." ) with pytest.raises(TypeError) as exc: serialize_key_and_certificates(b"name", key, key, None, encryption) assert str(exc.value) == "cert must be a certificate" with pytest.raises(TypeError) as exc: serialize_key_and_certificates(b"name", key, cert, None, key) assert str(exc.value) == ("Key encryption algorithm must be a " "KeySerializationEncryption instance") with pytest.raises(TypeError) as exc: serialize_key_and_certificates(None, key, cert, cert2, encryption) with pytest.raises(TypeError) as exc: serialize_key_and_certificates(None, key, cert, [key], encryption) assert str(exc.value) == "all values in cas must be certificates"
def test_must_supply_something(self): with pytest.raises(ValueError) as exc: serialize_key_and_certificates( None, None, None, None, serialization.NoEncryption() ) assert str(exc.value) == ( "You must supply at least one of key, cert, or cas" )
def test_generate_unsupported_encryption_type(self, backend): cert, key = _load_ca(backend) with pytest.raises(ValueError) as exc: serialize_key_and_certificates( None, key, cert, None, DummyKeySerializationEncryption(), ) assert str(exc.value) == "Unsupported key encryption type"
def create_store(path: Path, basename: str, key_size: int, organization=None, cn=None) -> None: path.mkdir(parents=True, exist_ok=True) organization = organization or basename cn = cn or basename key: rsa.RSAPrivateKeyWithSerialization ca: x509.Certificate key, ca = create_ca(organization=organization, cn=cn, key_size=key_size) # Dump the CA plus private key. with CertStore.umask_secret(): # PEM format (path / f"{basename}-ca.pem").write_bytes( key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) + ca.public_bytes(serialization.Encoding.PEM)) # PKCS12 format for Windows devices (path / f"{basename}-ca.p12").write_bytes( pkcs12.serialize_key_and_certificates( # type: ignore name=basename.encode(), key=key, cert=ca, cas=None, encryption_algorithm=serialization.NoEncryption(), )) # Dump the certificate in PEM format pem_cert = ca.public_bytes(serialization.Encoding.PEM) (path / f"{basename}-ca-cert.pem").write_bytes(pem_cert) # Create a .cer file with the same contents for Android (path / f"{basename}-ca-cert.cer").write_bytes(pem_cert) # Dump the certificate in PKCS12 format for Windows devices (path / f"{basename}-ca-cert.p12").write_bytes( pkcs12.serialize_key_and_certificates( name=basename.encode(), key=None, # type: ignore cert=ca, cas=None, encryption_algorithm=serialization.NoEncryption(), )) (path / f"{basename}-dhparam.pem").write_bytes(DEFAULT_DHPARAM)
def generate_client_cert(name, passphrase): key = rsa.generate_private_key( public_exponent=65537, key_size=2048, ) cert = base_cert(name, key).add_extension( x509.ExtendedKeyUsage([ ExtendedKeyUsageOID.CLIENT_AUTH, ]), critical=True, ).sign(key, hashes.SHA256()) p12 = serialize_key_and_certificates( b'client', key, cert, None, encryption_algorithm=serialization.BestAvailableEncryption( passphrase.encode('utf-8'))) return ( cert.public_bytes(serialization.Encoding.PEM), p12, )
def test_generate_each_supported_keytype(self, backend, kgenerator, ktype, kparam, name, algorithm, password): if ktype == ec.EllipticCurvePrivateKey: _skip_curve_unsupported(backend, *kparam) key = kgenerator(*kparam) assert isinstance(key, ktype) cacert, cakey = _load_ca(backend) now = datetime.utcnow() cert = (x509.CertificateBuilder().subject_name( cacert.subject).issuer_name(cacert.subject).public_key( key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( now).not_valid_after(now).sign(cakey, hashes.SHA256())) assert isinstance(cert, x509.Certificate) p12 = serialize_key_and_certificates(name, key, cert, [cacert], algorithm) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, password, backend) assert parsed_cert == cert assert isinstance(parsed_key, ktype) assert parsed_key.public_key().public_bytes( Encoding.PEM, PublicFormat.SubjectPublicKeyInfo) == key.public_key( ).public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo) assert parsed_more_certs == [cacert]
def generate_bytes(self, module): """Generate PKCS#12 file archive.""" pkey = None if self.privatekey_path: try: pkey = load_privatekey(self.privatekey_path, self.privatekey_passphrase, backend=self.backend) except OpenSSLBadPassphraseError as exc: raise PkcsError(exc) cert = None if self.certificate_path: cert = load_certificate(self.certificate_path, backend=self.backend) friendly_name = to_bytes(self.friendly_name) if self.friendly_name is not None else None # Store fake object which can be used to retrieve the components back self.pkcs12 = (pkey, cert, self.other_certificates, friendly_name) return serialize_key_and_certificates( friendly_name, pkey, cert, self.other_certificates, serialization.BestAvailableEncryption(to_bytes(self.passphrase)) if self.passphrase else serialization.NoEncryption(), )
def cryptography_create_pkcs12_bundle(self, keystore_p12_path, key_format='PEM', cert_format='PEM'): if key_format == 'PEM': key_loader = load_pem_private_key else: key_loader = load_der_private_key if cert_format == 'PEM': cert_loader = load_pem_x509_certificate else: cert_loader = load_der_x509_certificate try: with open(self.private_key_path, 'rb') as key_file: private_key = key_loader(key_file.read(), password=to_bytes(self.keypass), backend=backend) except TypeError: # Re-attempt with no password to match existing behavior try: with open(self.private_key_path, 'rb') as key_file: private_key = key_loader(key_file.read(), password=None, backend=backend) except (OSError, TypeError, ValueError, UnsupportedAlgorithm) as e: self.module.fail_json( msg= "The following error occurred while loading the provided private_key: %s" % to_native(e)) except (OSError, ValueError, UnsupportedAlgorithm) as e: self.module.fail_json( msg= "The following error occurred while loading the provided private_key: %s" % to_native(e)) try: with open(self.certificate_path, 'rb') as cert_file: cert = cert_loader(cert_file.read(), backend=backend) except (OSError, ValueError, UnsupportedAlgorithm) as e: self.module.fail_json( msg= "The following error occurred while loading the provided certificate: %s" % to_native(e)) if self.password: encryption = BestAvailableEncryption(to_bytes(self.password)) else: encryption = NoEncryption() pkcs12_bundle = serialize_key_and_certificates( name=to_bytes(self.name), key=private_key, cert=cert, cas=None, encryption_algorithm=encryption) with open(keystore_p12_path, 'wb') as p12_file: p12_file.write(pkcs12_bundle)
def test_generate_no_cert(self, backend): _, key = _load_ca(backend) p12 = serialize_key_and_certificates(None, key, None, None, serialization.NoEncryption()) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, None, backend) assert parsed_cert is None assert parsed_key.private_numbers() == key.private_numbers() assert parsed_more_certs == []
def test_generate_cas_only(self, encryption_algorithm, password, backend): cert, _ = _load_ca(backend) p12 = serialize_key_and_certificates(None, None, None, [cert], encryption_algorithm) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, password, backend) assert parsed_cert is None assert parsed_key is None assert parsed_more_certs == [cert]
def test_generate(self, backend, name, encryption_algorithm, password): cert, key = _load_ca(backend) p12 = serialize_key_and_certificates(name, key, cert, None, encryption_algorithm) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, password, backend) assert parsed_cert == cert assert parsed_key.private_numbers() == key.private_numbers() assert parsed_more_certs == []
def create_pkcs12(username, key, crt): cert = x509.load_pem_x509_certificate(crt.encode()) pem_pkcs12 = urlsafe_b64encode( serialize_key_and_certificates( name=username.encode('utf-8'), key=key, cert=cert, cas=None, encryption_algorithm=serialization.BestAvailableEncryption( pkcs_12_password.encode()))).decode('utf-8') return pem_pkcs12
def export_pfx_key(issuer, serialnr, password): fname = "/tmp/" + create_filename(issuer.encode("utf-8")) + '_' + str( int(serialnr, 0)) + '.p12' f = open(fname, "rb") p12_data = f.read() f.close() (priv, cert, cas) = load_key_and_certificates(p12_data, b'mypassword') cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) return serialize_key_and_certificates( cn[0].value.encode(), priv, cert, cas, serialization.BestAvailableEncryption(b'mypassword'))
def test_pkcs12_ordering(): """ In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we accidentally thought it was **encoding** that did it, leading to bug https://github.com/pyca/cryptography/issues/5872 This test ensures our ordering is correct going forward. """ def make_cert(name): key = ec.generate_private_key(ec.SECP256R1()) subject = x509.Name( [ x509.NameAttribute(x509.NameOID.COMMON_NAME, name), ] ) now = datetime.utcnow() cert = ( x509.CertificateBuilder() .subject_name(subject) .issuer_name(subject) .public_key(key.public_key()) .serial_number(x509.random_serial_number()) .not_valid_before(now) .not_valid_after(now) .sign(key, hashes.SHA256()) ) return (key, cert) # Make some certificates with distinct names. a_name = "A" * 20 b_name = "B" * 20 c_name = "C" * 20 a_key, a_cert = make_cert(a_name) _, b_cert = make_cert(b_name) _, c_cert = make_cert(c_name) # Bundle them in a PKCS#12 file in order A, B, C. p12 = serialize_key_and_certificates( b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption() ) # Parse them out. The API should report them in the same order. (key, cert, certs) = load_key_and_certificates(p12, None) assert cert == a_cert assert certs == [b_cert, c_cert] # The ordering in the PKCS#12 file itself should also match. a_idx = p12.index(a_name.encode("utf-8")) b_idx = p12.index(b_name.encode("utf-8")) c_idx = p12.index(c_name.encode("utf-8")) assert a_idx < b_idx < c_idx
def import_pfx_key(pkcs12, password): (priv, cert, cas) = load_key_and_certificates(pkcs12, password.encode()) cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) p12_data = serialize_key_and_certificates( cn[0].value.encode(), priv, cert, cas, serialization.BestAvailableEncryption(b'mypassword')) issuer = ",".join(attr.rfc4514_string() for attr in cert.issuer) fname = "/tmp/" + create_filename(issuer.encode()) + '_' + str( cert.serial_number) + '.p12' f = open(fname, "wb+") f.write(p12_data) f.close() return
def test_generate_cert_only(self, encryption_algorithm, password, backend): # This test is a bit weird, but when passing *just* a cert # with no corresponding key it will be encoded in the cas # list. We have external consumers relying on this behavior # (and the underlying structure makes no real distinction # anyway) so this test ensures we don't break them. cert, _ = _load_ca(backend) p12 = serialize_key_and_certificates(None, None, cert, [], encryption_algorithm) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, password, backend) assert parsed_cert is None assert parsed_key is None assert parsed_more_certs == [cert]
def test_generate_with_cert_key_ca(self, backend): cert, key = _load_ca(backend) cert2 = _load_cert( backend, os.path.join("x509", "custom", "dsa_selfsigned_ca.pem")) cert3 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem")) encryption = serialization.NoEncryption() p12 = serialize_key_and_certificates(None, key, cert, [cert2, cert3], encryption) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, None, backend) assert parsed_cert == cert assert parsed_key.private_numbers() == key.private_numbers() assert parsed_more_certs == [cert2, cert3]
def deploy_cert(self, domain, cert_path, key_path, chain_path=None, fullchain_path=None): if not fullchain_path: raise errors.PluginError( "CASTLE Installer plugin requires --fullchain-path to generate a PKCS12 container." ) logger.info("Generating PKCS12 container") logger.debug('Loading cert ') cert = x509.load_pem_x509_certificate(open(cert_path, 'rb').read()) logger.debug('Loading key ') privkey = serialization.load_pem_private_key(open(key_path, 'rb').read(), password=None) logger.debug('Loading chain ') chain = x509.load_pem_x509_certificate(open(chain_path, 'rb').read()) passphrase = None if (not self.conf('no-passphrase')): if (self.conf('passphrase')): passphrase = self.conf('passphrase').encode('utf-8') else: text = 'A passphrase is needed for protecting the PKCS12 container. ' display_util.notification(text, pause=False) pf = getpass.getpass('Enter passphrase: ') vpf = getpass.getpass('Re-enter passphrase: ') while (pf != vpf): display_util.notify('Passphrases do not match.') vpf = getpass.getpass('Re-enter passphrase: ') passphrase = pf.encode('utf-8') algo = serialization.BestAvailableEncryption( passphrase) if passphrase else serialization.NoEncryption() pfxdata = pkcs12.serialize_key_and_certificates( name=domain.encode('utf-8'), key=privkey, cert=cert, cas=[chain], encryption_algorithm=algo) path, _ = os.path.split(cert_path) pfx_f, pfx_filename = util.unique_file(os.path.join(path, 'cert.pfx'), 0o600, "wb") with pfx_f: pfx_f.write(pfxdata) display_util.notification('PKCS12 container generated at ' + pfx_filename, pause=False)
def import_certificate(pemCertificate): cert = x509.load_pem_x509_certificate(pemCertificate, default_backend()) cas = [] priv_filename = "/tmp/" + create_privkey_filename(cert) + ".key" priv = load_private_key(cert) cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) p12_data = serialize_key_and_certificates( cn[0].value.encode(), priv, cert, cas, serialization.BestAvailableEncryption(b'mypassword')) issuer = ",".join(attr.rfc4514_string() for attr in cert.issuer) fname = "/tmp/" + create_filename(issuer.encode()) + '_' + str( cert.serial_number) + '.p12' f = open(fname, "wb+") f.write(p12_data) f.close() return
def main(): username = sys.argv[1] [private_key, csr] = create_CSR(username) res = session.post("https://ca_server:10443/certs", cert=('/etc/Flask/certs/core_cert.pem', '/etc/Flask/private/core_key.pem'), data={'csr': csr}) if res.status_code != 200: print("error") else: raw_cert = urlsafe_b64decode(res.text.encode('utf-8')) cert = x509.load_pem_x509_certificate(raw_cert) # print(cert.public_bytes(serialization.Encoding.PEM).decode()) pem_pkcs12 = urlsafe_b64encode( serialize_key_and_certificates( name=username.encode('utf-8'), key=private_key, cert=cert, cas=None, encryption_algorithm=serialization.NoEncryption())).decode( 'utf-8') f = open("/home/ubuntu/example.p12", "wb") f.write(urlsafe_b64decode(pem_pkcs12.encode())) f.close() f = open("/home/ubuntu/example.pem", "w") f.write(cert.public_bytes(serialization.Encoding.PEM).decode()) f.close() raw_cert = urlsafe_b64encode(raw_cert).decode() res = session.post("https://ca_server:10443/certs/check", cert=('/etc/Flask/certs/core_cert.pem', '/etc/Flask/private/core_key.pem'), data={'crt': raw_cert}) # print(res.text) res = session.delete("https://ca_server:10443/certs", cert=('/etc/Flask/certs/core_cert.pem', '/etc/Flask/private/core_key.pem'), data={'crt': raw_cert}) # print(res.text) res = session.post("https://ca_server:10443/certs/check", cert=('/etc/Flask/certs/core_cert.pem', '/etc/Flask/private/core_key.pem'), data={'crt': raw_cert}) # print(res.text) res = session.get("https://ca_server:10443/certs/serial", cert=('/etc/Flask/certs/core_cert.pem', '/etc/Flask/private/core_key.pem'))
def test_generate_cas_friendly_names(self, backend): cert, key = _load_ca(backend) cert2 = _load_cert( backend, os.path.join("x509", "custom", "dsa_selfsigned_ca.pem")) cert3 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem")) encryption = serialization.NoEncryption() p12 = serialize_key_and_certificates( b"test", key, cert, [ PKCS12Certificate(cert2, b"cert2"), PKCS12Certificate(cert3, None), ], encryption, ) p12_cert = load_pkcs12(p12, None, backend) cas = p12_cert.additional_certs assert cas[0].friendly_name == b"cert2" assert cas[1].friendly_name is None
def as_pkcs12(self, passphrase=None): """ :param str passphrase: :rtype: str """ if not self.cert or not self.key: get_logger().error( "PKCS12 output: Certificate or Private Key is None.") raise VenafiError( "Certificate and Private Key are required for PKCS12 output.") certificate = x509.load_pem_x509_certificate(self.cert.encode(), default_backend()) cas = [] if self.chain: for x in self.chain: chain_x509 = x509.load_pem_x509_certificate( x.encode(), default_backend()) cas.append(chain_x509) if passphrase: b_pass = passphrase.encode() encryption = serialization.BestAvailableEncryption(b_pass) else: encryption = serialization.NoEncryption() b_pass = None try: p_key = serialization.load_pem_private_key( data=self.key.encode(), password=b_pass, backend=default_backend()) except Exception as e: get_logger().error(msg=f"Error parsing Private Key: {e.message}") return name = random_word(10).encode() output = pkcs12.serialize_key_and_certificates(name, p_key, certificate, cas, encryption) return output
def setUpClass(cls): super().setUpClass() cls.certificate_password = b"794613" private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048) public_key = private_key.public_key() builder = x509.CertificateBuilder() cls.certificate_name = "Test Certificate" one_day = timedelta(1, 0, 0) builder = ( builder.subject_name( x509.Name( [x509.NameAttribute(oid.NameOID.COMMON_NAME, cls.certificate_name)] ) ) .issuer_name( x509.Name( [ x509.NameAttribute(oid.NameOID.COMMON_NAME, "cryptography.io"), ] ) ) .not_valid_before(datetime.today() - one_day) .not_valid_after(datetime.today() + (one_day * 30)) .serial_number(x509.random_serial_number()) .public_key(public_key) ) certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256()) content = pkcs12.serialize_key_and_certificates( None, private_key, certificate, None, BestAvailableEncryption(cls.certificate_password), ) cls.sii_cert = cls.env["l10n.es.aeat.certificate"].create( { "folder": "Test folder", "file": base64.b64encode(content), } )
def generate_p12(common_name, organization_name, country, password): # Load CA certificate and private key cakey = load_pem_private_key(ca_private.encode('ascii'), ca_password.encode('ascii'), default_backend()) cacert = x509.load_pem_x509_certificate(ca_cert.encode('ascii'), default_backend()) subject = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, common_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name), x509.NameAttribute(NameOID.COUNTRY_NAME, country),]) sernum = x509.random_serial_number() key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) cert = x509.CertificateBuilder().subject_name(subject) \ .issuer_name(cacert.subject) \ .serial_number(sernum) \ .public_key(key.public_key()) \ .not_valid_before(datetime.now())\ .not_valid_after(datetime.now() + timedelta(days=366))\ .add_extension(x509.KeyUsage(digital_signature=False , content_commitment=False , key_encipherment=True , data_encipherment=True , key_agreement=False , key_cert_sign=False , crl_sign=False , encipher_only=False , decipher_only = False), critical=True)\ .sign(cakey, hashes.SHA256(), default_backend()) cas = [cacert] p12 = pkcs12.serialize_key_and_certificates(common_name.encode('utf-8'), key, cert, cas, serialization.BestAvailableEncryption(password.encode('ascii'))) return p12
def test_generate_rsa(self, backend): cert = _load_cert( backend, os.path.join("x509", "custom", "ca", "rsa_ca.pem") ) key = load_vectors_from_file( os.path.join("x509", "custom", "ca", "rsa_key.pem"), lambda pemfile: load_pem_private_key( pemfile.read(), None, backend ), mode="rb", ) assert isinstance(key, rsa.RSAPrivateKey) p12 = serialize_key_and_certificates( None, key, cert, None, serialization.NoEncryption() ) parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( p12, None, backend ) assert parsed_cert == cert assert isinstance(parsed_key, rsa.RSAPrivateKey) assert parsed_key.private_numbers() == key.private_numbers() assert parsed_more_certs == []
def generate_X509(workspace_contract, password, mode): did = helpers.ethereum_pvk_to_DID(session['private_key_value'], session['method']) talao_issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, "FR"), x509.NameAttribute(NameOID.LOCALITY_NAME, "Paris"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Talao"), x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "talao.io"), #x509.NameAttribute(NameOID.POSTAL_ADDRESS, "16 rue de wattignies, 75012 Paris"), x509.NameAttribute(NameOID.COMMON_NAME, "talao"), x509.NameAttribute(NameOID.USER_ID, did), ]) # upload the Talao private rsa key talao_rsa_private_key = privatekey.get_key(mode.owner_talao, 'rsa_key', mode) if type(talao_rsa_private_key) == bytes: talao_rsa_key = serialization.load_pem_private_key( talao_rsa_private_key, password=None, ) else: talao_rsa_key = serialization.load_pem_private_key( bytes(talao_rsa_private_key, 'utf-8'), password=None, ) # get identity data address = contractsToOwners(workspace_contract, mode) rsa_privatekey = privatekey.get_key(address, 'rsa_key', mode) if type(rsa_privatekey) == bytes: subject_key = serialization.load_pem_private_key( rsa_privatekey, password=None, ) else: subject_key = serialization.load_pem_private_key( bytes(rsa_privatekey, 'utf-8'), password=None, ) #profil = read_profil(workspace_contract, mode, 'full')[0] #name = profil['firstname'] + ' ' + profil['lastname'] username = ns.get_username_from_resolver(workspace_contract, mode) email = ns.get_data_from_username(username, mode)['email'] subject = x509.Name([ #x509.NameAttribute(NameOID.COUNTRY_NAME, "FR"), #x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, ""), #x509.NameAttribute(NameOID.LOCALITY_NAME, "Paris"), #x509.NameAttribute(NameOID.ORGANIZATION_NAME, ""), x509.NameAttribute(NameOID.COMMON_NAME, session['name']), x509.NameAttribute(NameOID.EMAIL_ADDRESS, email), x509.NameAttribute(NameOID.USER_ID, did), ]) cert = x509.CertificateBuilder() cert = cert.subject_name(subject) # talao as CA cert = cert.issuer_name(talao_issuer) cert = cert.public_key(subject_key.public_key()) cert = cert.serial_number(x509.random_serial_number()) cert = cert.not_valid_before(datetime.datetime.utcnow() - datetime.timedelta(days=1)) cert = cert.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=3650)) cert = cert.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True) cert = cert.add_extension(x509.ExtendedKeyUsage([ x509.oid.ExtendedKeyUsageOID.EMAIL_PROTECTION, x509.oid.ExtendedKeyUsageOID.CODE_SIGNING, x509.oid.ExtendedKeyUsageOID.TIME_STAMPING ]), critical=True) #cert=cert.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email), x509.OtherName(NameOID.COMMON_NAME, bytes(did, 'utf-8'))]),critical=True,) #cert=cert.add_extension(x509.SubjectAlternativeName([x509.OtherName(NameOID.COMMON_NAME, bytes(did, 'utf-8'))]),critical=True,) cert = cert.add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, data_encipherment=True, key_agreement=True, content_commitment=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=True) cert = cert.sign(talao_rsa_key, hashes.SHA256()) # Write our certificate out to disk. filename = mode.uploads_path + workspace_contract + ".pem" with open(filename, "wb") as f: f.write(cert.public_bytes(serialization.Encoding.PEM)) certificate = pkcs12.serialize_key_and_certificates( bytes(did, 'utf-8'), subject_key, cert, None, serialization.BestAvailableEncryption(bytes(password, 'utf-8'))) filename = mode.uploads_path + workspace_contract + ".p12" with open(filename, "wb") as f: f.write(certificate) return True
def signPDF(docdata, page, email, name, shape, style, font, region, x1,y1,x2,y2): try: res = getHankoImage(name, shape, style, font) if "Message" in res[0]: return res else: _fr, fname = tempfile.mkstemp(".pdf") one_day = datetime.timedelta(1, 0, 0) private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend() ) public_key = private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, name), ])) builder = builder.issuer_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'inkantan'), ])) builder = builder.not_valid_before(datetime.datetime.today() - one_day) builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 365)) builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(public_key) builder = builder.add_extension( x509.SubjectAlternativeName( [x509.DNSName("@inkantan")] ), critical=False ) builder = builder.add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ) certificate = builder.sign( private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend() ) p12 = pkcs12.serialize_key_and_certificates(b'test', private_key, certificate, [certificate], serialization.BestAvailableEncryption(b'1234')) y = pkcs12.load_key_and_certificates(p12, b'1234', default_backend()) date = datetime.datetime.utcnow() - datetime.timedelta(hours=12) date = date.strftime("D:%Y%m%d%H%M%S+00'00'") dct = { "aligned": 0, "sigflags": 1, "sigflagsft": 132, "sigpage": int(page)-1, "sigbutton": True, "sigfield": "Signature1", "sigandcertify": True, "signaturebox": (0,0,0,0), #(x1, y1, x2, y2), "signature": "Contract with Hanko seal applied", "contact": email, "location": region, "signingdate": date, "reason": "To execute/formalize/affirm the contract", #目的:契約書に署名する "password": "******", } with open(fname, 'wb') as fx: fx.write(docdata) img_rect = fitz.Rect(min(x1,x2), min(y1,y2), max(x1,x2), max(y1,y2)) document = fitz.open(fname) pg = document[int(page)-1] pg.insertImage(img_rect, filename=res[0]) if document.can_save_incrementally(): document.save(fname, garbage=0, deflate=True, incremental=True, encryption=0) document.close() else: os.close(res[1]) os.remove(res[0]) os.close(_fr) os.remove(fname) return ["Fitz Issue: Cannot incrementally save document", "Continuing may lead to loss of data"] datau = open(fname, "rb").read() try: datas = cms.sign(datau, dct, y[0], y[1], y[2], "sha256") except Exception as x: return errHandler(x, [res[0], fname], [res[1], _fr]) with open(fname, "wb") as fp: fp.write(datau) fp.write(datas) os.close(res[1]) os.remove(res[0]) os.close(_fr) return fname except Exception as e: return errHandler(e, [res[0], fname], [res[1], _fr])
def lambda_handler(event, context): now = datetime.datetime.now() expire_date = now + datetime.timedelta(days=3650) # PARAMETER ssm = boto3.client('ssm', region_name=os.environ['REGION']) nifi_secret = ssm.get_parameter( Name=os.environ['PREFIX']+'-nifi-secret-'+os.environ['SUFFIX'], WithDecryption=True ) s3 = boto3.resource('s3') s3_object = list(s3.Bucket(os.environ['BUCKET']).objects.filter(Prefix='nifi/certificates/')) if len(s3_object) == 5: print('Certificates found, skipping.') else: print('Certificates not found, generating.') # Valid dates now = datetime.datetime.now() expire_date = now + datetime.timedelta(days=3650) # CA ca_private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=backends.default_backend() ) ca_public_key = ca_private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"NIFICA"), ])) builder = builder.issuer_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"NIFICA"), ])) builder = builder.not_valid_before(now) builder = builder.not_valid_after(expire_date) builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(ca_public_key) builder = builder.add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True) ca_certificate = builder.sign( private_key=ca_private_key, algorithm=hashes.SHA256(), backend=backends.default_backend() ) ca_private_bytes = ca_private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.BestAvailableEncryption(str.encode(nifi_secret['Parameter']['Value']))) ca_public_bytes = ca_certificate.public_bytes( encoding=serialization.Encoding.PEM) # ADMIN admin_private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=backends.default_backend() ) admin_public_key = admin_private_key.public_key() builder2 = x509.CertificateBuilder() builder2 = builder2.subject_name(x509.Name([ x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"NIFI"), x509.NameAttribute(NameOID.COMMON_NAME, u"admin") ])) builder2 = builder2.issuer_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"NIFICA"), ])) builder2 = builder2.not_valid_before(now) builder2 = builder2.not_valid_after(expire_date) builder2 = builder2.serial_number(x509.random_serial_number()) builder2 = builder2.public_key(admin_public_key) builder2 = builder2.add_extension( x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=True, key_agreement=True, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False), critical=True) builder2 = builder2.add_extension( x509.ExtendedKeyUsage([x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]), critical=True) admin_certificate = builder2.sign( private_key=ca_private_key, algorithm=hashes.SHA256(), backend=backends.default_backend() ) admin_private_bytes = admin_private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.BestAvailableEncryption(str.encode(nifi_secret['Parameter']['Value']))) admin_public_bytes = admin_certificate.public_bytes( encoding=serialization.Encoding.PEM) # ADMIN PKCS12 admin_p12 = pkcs12.serialize_key_and_certificates( b"admin", admin_private_key, admin_certificate, None, serialization.BestAvailableEncryption(str.encode(nifi_secret['Parameter']['Value'])) ) # UPLOAD files = { 'nifi/certificates/ca/ca.pem': io.BytesIO(ca_public_bytes), 'nifi/certificates/ca/ca.key': io.BytesIO(ca_private_bytes), 'nifi/certificates/admin/admin_cert.pem': io.BytesIO(admin_public_bytes), 'nifi/certificates/admin/private_key.key': io.BytesIO(admin_private_bytes), 'nifi/certificates/admin/keystore.p12': io.BytesIO(admin_p12) } for key in files: s3.meta.client.upload_fileobj( files[key], os.environ['BUCKET'], key, ExtraArgs={'ServerSideEncryption':'aws:kms','SSEKMSKeyId':os.environ['KEY']}) print(key + ' put to s3.') return { 'statusCode': 200, 'body': json.dumps('Complete') }
async def amain(url, service, template, altname, onbehalf, cn = None, pfx_file = None, pfx_password = None, enroll_cert = None, enroll_password = None): try: if pfx_file is None: pfx_file = 'cert_%s.pfx' % os.urandom(4).hex() if pfx_password is None: pfx_password = '******' print('[+] Parsing connection parameters...') su = SMBConnectionURL(url) ip = su.get_target().get_hostname_or_ip() if cn is None: cn = '%s@%s' % (su.username, su.domain) print('[*] Using CN: %s' % cn) print('[+] Generating RSA privat key...') key = rsa.generate_private_key(0x10001, 2048) print('[+] Building certificate request...') attributes = { "CertificateTemplate": template, } csr = x509.CertificateSigningRequestBuilder() csr = csr.subject_name( x509.Name( [ x509.NameAttribute(NameOID.COMMON_NAME, cn), ] ) ) if altname: altname = core.UTF8String(altname).dump() csr = csr.add_extension( x509.SubjectAlternativeName( [ x509.OtherName(PRINCIPAL_NAME, altname), ] ), critical=False, ) csr = csr.sign(key, hashes.SHA256()) if onbehalf is not None: agent_key = None agent_cert = None with open(enroll_cert, 'rb') as f: agent_key, agent_cert, _ = pkcs12.load_key_and_certificates(f.read(), enroll_password) pkcs7builder = pkcs7.PKCS7SignatureBuilder().set_data(csr).add_signer(agent_key, agent_cert, hashes.SHA1()) csr = pkcs7builder.sign(Encoding.DER, options=[pkcs7.PKCS7Options.Binary]) else: csr = csr.public_bytes(Encoding.DER) print('[+] Connecting to EPM...') target, err = await EPM.create_target(ip, ICPRRPC().service_uuid, dc_ip = su.get_target().dc_ip, domain = su.get_target().domain) if err is not None: raise err print('[+] Connecting to ICRPR service...') gssapi = AuthenticatorBuilder.to_spnego_cred(su.get_credential(), target) auth = DCERPCAuth.from_smb_gssapi(gssapi) connection = DCERPC5Connection(auth, target) rpc, err = await ICPRRPC.from_rpcconnection(connection, perform_dummy=True) if err is not None: raise err logger.debug('DCE Connected!') print('[+] Requesting certificate from the service...') res, err = await rpc.request_certificate(service, csr, attributes) if err is not None: print('[-] Request failed!') raise err if res['encodedcert'] in [None, b'']: raise Exception('No certificate was returned from server!. Full message: %s' % res) print('[+] Got certificate!') cert = x509.load_der_x509_certificate(res['encodedcert']) print("[*] Cert subject: {}".format(cert.subject.rfc4514_string())) print("[*] Cert issuer: {}".format(cert.issuer.rfc4514_string())) print("[*] Cert Serial: {:X}".format(cert.serial_number)) try: ext = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE) for oid in ext.value: print("[*] Cert Extended Key Usage: {}".format(EKUS_NAMES.get(oid.dotted_string, oid.dotted_string))) except: print('[-] Could not verify extended key usage') try: ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME) for name in ext.value.get_values_for_type(x509.OtherName): if name.type_id == x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3"): print('[*] Certificate ALT NAME: %s' % core.UTF8String.load(name.value).native) break else: print('[-] Certificate doesnt have ALT NAME') except: print('[-] Certificate doesnt have ALT NAME') print('[+] Writing certificate to disk (file:"%s" pass: "******")...' % (pfx_file, pfx_password)) # Still waiting for the day oscrypto will have a pfx serializer :( # Until that we'd need to use cryptography with open(pfx_file, 'wb') as f: data = pkcs12.serialize_key_and_certificates( name=b"", key=key, cert=cert, cas=None, encryption_algorithm=BestAvailableEncryption(pfx_password.encode()) ) f.write(data) print('[+] Finished!') return True, None except Exception as e: traceback.print_exc() return False, e
def convert_cert_to_p12(cert, root_cert_key, password="******"): return serialize_key_and_certificates(b'cert', root_cert_key, cert, None, serialization.BestAvailableEncryption(bytes(password, "utf-8")))