def gen_cert(): """ Generate TLS certificate request for testing """ req, key = gen_req() pub_key = req.get_pubkey() subject = req.get_subject() cert = X509.X509() # noinspection PyTypeChecker cert.set_serial_number(1) cert.set_version(2) cert.set_subject(subject) t = int(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) now_plus_year = ASN1.ASN1_UTCTIME() now_plus_year.set_time(t + 60 * 60 * 24 * 365) cert.set_not_before(now) cert.set_not_after(now_plus_year) issuer = X509.X509_Name() issuer.C = 'US' issuer.CN = 'minifi-listen' cert.set_issuer(issuer) cert.set_pubkey(pub_key) cert.sign(key, 'sha256') return cert, key
def sign_request(self, request, ca=False): if not isinstance(request, X509.Request): request = X509.load_request_string(str(request)) ca_priv_evp = EVP.PKey() ca_priv_evp.assign_rsa(self.get_key()) cert = X509.X509() # X509 version field is 0-based cert.set_version(0x2) # set to X509v3 # Set Serial number serial = random.randrange(1, sys.maxint) cert.set_serial_number(serial) # Set Cert validity time cur_time = ASN1.ASN1_UTCTIME() cur_time.set_time(int(time.time())) expire_time = ASN1.ASN1_UTCTIME() expire_time.set_time( int(time.time()) + self.cert_exp_days * 24 * 60 * 60) cert.set_not_before(cur_time) cert.set_not_after(expire_time) if ca: cert.set_issuer_name(request.get_subject()) cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE')) else: ca_cert = self.get_cert() cert.set_issuer_name(ca_cert.get_subject()) cert.set_subject(request.get_subject()) cert.set_pubkey(request.get_pubkey()) cert.sign(ca_priv_evp, md="sha256") return cert
def MakeCert(self, cn, req): """Make new cert for the client.""" # code inspired by M2Crypto unit tests cert = X509.X509() # Use the client CN for a cert serial_id. This will ensure we do # not have clashing cert id. cert.set_serial_number(int(cn.Basename().split(".")[1], 16)) cert.set_version(2) cert.set_subject(req.get_subject()) t = long(time.time()) - 10 now = ASN1.ASN1_UTCTIME() now.set_time(t) now_plus_year = ASN1.ASN1_UTCTIME() now_plus_year.set_time(t + 60 * 60 * 24 * 365) # TODO(user): Enforce certificate expiry time, and when close # to expiry force client re-enrolment cert.set_not_before(now) cert.set_not_after(now_plus_year) # Get the CA issuer: ca_cert = config_lib.CONFIG["CA.certificate"].GetX509Cert() cert.set_issuer(ca_cert.get_issuer()) cert.set_pubkey(req.get_pubkey()) ca_key = config_lib.CONFIG["PrivateKeys.ca_key"].GetPrivateKey() key_pair = EVP.PKey(md="sha256") key_pair.assign_rsa(ca_key) # Sign the certificate cert.sign(key_pair, "sha256") return cert
def sign_proxy_request(req, icert, ikey, lifetime): pkey = req.get_pubkey() subject = req.get_subject() cert = X509.X509() cert.set_serial_number(1) cert.set_version(2) t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + lifetime * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire) cert.set_issuer(subject) cert.set_subject(subject) cert.set_pubkey(pkey) cert.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE', True)) #cert.add_ext(X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint())) cert.add_ext(X509.new_extension('authorityKeyIdentifier', "keyid")) cert.add_ext( X509.new_extension("proxyCertInfo", "critical,language:id-ppl-anyLanguage,pathlen:00", True)) cert.sign(issuer_key, 'sha1') return cert, pkey
def make_proxycert(self, eecert): proxycert = X509.X509() pk2 = EVP.PKey() proxykey = RSA.gen_key(1024, 65537, self.callback) pk2.assign_rsa(proxykey) proxycert.set_pubkey(pk2) proxycert.set_version(2) not_before = ASN1.ASN1_UTCTIME() not_after = ASN1.ASN1_UTCTIME() not_before.set_time(int(time.time())) offset = 12 * 3600 not_after.set_time(int(time.time()) + offset) proxycert.set_not_before(not_before) proxycert.set_not_after(not_after) proxycert.set_issuer_name(eecert.get_subject()) proxycert.set_serial_number(12345678) issuer_name_string = eecert.get_subject().as_text() seq = issuer_name_string.split(",") subject_name = X509.X509_Name() for entry in seq: l = entry.split("=") subject_name.add_entry_by_txt(field=l[0].strip(), type=ASN1.MBSTRING_ASC, entry=l[1], len=-1, loc=-1, set=0) subject_name.add_entry_by_txt(field="CN", type=ASN1.MBSTRING_ASC, entry="Proxy", len=-1, loc=-1, set=0) proxycert.set_subject_name(subject_name) # XXX leaks 8 bytes pci_ext = X509.new_extension("proxyCertInfo", "critical,language:Inherit all", 1) proxycert.add_ext(pci_ext) return proxycert
def _gen_certificate(type): from M2Crypto import EVP, RSA, X509, ASN1 import time # create a key pair k = EVP.PKey() k.assign_rsa(RSA.gen_key(2048, m2.RSA_F4, lambda: None)) # create a self-signed cert cert = X509.X509() cert.get_subject().C = "FR" cert.get_subject().O = "SFR" cert.get_subject().CN = _get_cn(type) cert.set_serial_number(1000) now = ASN1.ASN1_UTCTIME() now.set_time(long(time.time())) cert.set_not_before(now) expire = ASN1.ASN1_UTCTIME() expire.set_time(long(time.time()) + 10 * 365 * 24 * 60 * 60) cert.set_not_after(expire) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) cert.sign(k, 'sha256') return cert, k
def generate_certificate(csr, serial, cn): """Generate a certificate and sign it with CA. :param csr: Certificate Signing Request. See :class:`M2Crypto.X509.Request`. :param serial: Serial number of the certificate as long int. :param cn: Common Name of the certificate. :return: Generated + signed certificate. See :class:`M2Crypto.X509.X509`. """ ca_key = EVP.load_key(settings.PKI_CA_KEYFILE, lambda *args: None) ca_cert = X509.load_cert(settings.PKI_CA_CERTFILE) cert = X509.X509() cert.set_serial_number(serial) cert.set_version(2) csr_subject = csr.get_subject() subject = X509.X509_Name() for key in ('C', 'ST', 'L', 'O', 'OU'): original_value = getattr(csr_subject, key) if original_value: setattr(subject, key, original_value) subject.CN = cn cert.set_subject(subject) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) now_plus_year = ASN1.ASN1_UTCTIME() now_plus_year.set_time(t + 60 * 60 * 24 * 365) cert.set_not_before(now) cert.set_not_after(now_plus_year) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(csr.get_pubkey()) cert.sign(ca_key, 'sha1') return cert
def generate_certificate( self, aca_cert, btc_address=None, pkey=None, ): if pkey is None and btc_address is None: pkey, btc_address = self.generate_keys() self.btc_address = btc_address issuer = aca_cert.get_issuer() # Creating a certificate cert = X509.X509() # Set issuer cert.set_issuer(issuer) # Generate CS information cert_name = X509.X509_Name() cert_name.C = 'CT' cert_name.ST = 'Barcelona' cert_name.L = 'Bellaterra' cert_name.O = 'UAB' cert_name.OU = 'DEIC' cert_name.CN = btc_address cert.set_subject_name(cert_name) # Set public_key cert.set_pubkey(pkey) # Time for certificate to stay valid cur_time = ASN1.ASN1_UTCTIME() cur_time.set_time(int(time())) # Expire certs in 1 year. expire_time = ASN1.ASN1_UTCTIME() expire_time.set_time(int(time()) + 60 * 60 * 24 * 365) # Set the validity cert.set_not_before(cur_time) cert.set_not_after(expire_time) # Sign the certificate using the same key type the CA is going to use later # The resulting signature will not be used, it is only for setting the corresponding field into the certificate rsa_keys = RSA.gen_key(2046, 65537, callback=lambda x, y, z: None) rsa_pkey = EVP.PKey() rsa_pkey.assign_rsa(rsa_keys) cert.sign(rsa_pkey, md='sha256') # Load the Certificate as a ASN.1 object and extract the TBS Certificate (special thanks to Alex <*****@*****.**>) asn1_cert = decoder.decode(cert.as_der(), asn1Spec=Certificate())[0] tbs = asn1_cert.getComponentByName("tbsCertificate") # Compute the sha256 of the TBS Certificate tbs_der = encoder.encode(tbs) digest = sha256() digest.update(tbs_der) cert_hash = digest.digest() return asn1_cert, cert_hash
def helper_generate_certificate(self, pkey): """Create a self-signed x509 certificate.""" name = X509.X509_Name() name.C = 'NO' name.ST = 'Oslo' name.L = 'Oslo' name.O = 'University of Oslo' name.OU = 'Cerebrumtesting' name.CN = '127.0.0.1' name.emailAddress = '*****@*****.**' cert = X509.X509() cert.set_version(2) cert.set_serial_number(1) cert.set_subject(name) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) end = ASN1.ASN1_UTCTIME() end.set_time(t + 60 * 60 * 24 * 365 * 10) cert.set_not_before(now) cert.set_not_after(end) cert.set_issuer(name) cert.set_pubkey(pkey) #ext = X509.new_extension('subjectAltName', 'DNS:localhost') #ext.set_critical(0) #cert.add_ext(ext) cert.sign(pkey, 'sha1') return cert
def create_self_signed_cert(rsa, subject={'CN': 'Testing'}, san=None): """ Creates a self-signed cert Pass in an RSA private key object Pass in a dictionary of subject name data, using C ST L O OU CN keys Pass in an optional san like 'DNS:example.com' Returns a X509.X509 object """ pk = EVP.PKey() pk.assign_rsa(rsa) name = X509.X509_Name() for key in ['C', 'ST', 'L', 'O', 'OU', 'CN']: if subject.get(key, None): setattr(name, key, subject[key]) cert = X509.X509() cert.set_serial_number(1) cert.set_version(2) t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + 365 * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire) cert.set_issuer(name) cert.set_subject(name) cert.set_pubkey(pk) cert.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE')) if san: cert.add_ext(X509.new_extension('subjectAltName', san)) cert.add_ext( X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint())) cert.sign(pk, 'sha1') return cert
def _generate_ssl_ca(): ca_key_pem, ca_cert_pem, ca_key = _generate_rsa_keypair() t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + 365 * 24 * 60 * 60) pk = EVP.PKey() pk.assign_rsa(ca_key) cert = X509.X509() cert.get_subject().O = _generate_id(10) cert.set_serial_number(1) cert.set_version(3) cert.set_not_before(now) cert.set_not_after(expire) cert.set_issuer(cert.get_subject()) cert.set_pubkey(pk) cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE')) cert.add_ext( X509.new_extension('subjectKeyIdentifier', str(cert.get_fingerprint()))) cert.sign(pk, 'sha256') return pk.as_pem(cipher=None), cert.as_pem(), pk, cert
def _generate_ssl_keypair(self, rsa_key, ca_key, ca_cert, role='CONTROL', client=False, serial=2): t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + 365 * 24 * 60 * 60) pk = EVP.PKey() pk.assign_rsa(rsa_key) cert = X509.X509() cert.get_subject().O = self._generate_id(10) cert.get_subject().OU = role cert.set_serial_number(serial) cert.set_version(3) cert.set_not_before(now) cert.set_not_after(expire) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(pk) cert.add_ext(X509.new_extension('basicConstraints', 'critical,CA:FALSE')) cert.add_ext(X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint())) if client: cert.add_ext(X509.new_extension('keyUsage', 'critical,digitalSignature')) cert.add_ext(X509.new_extension('nsCertType', 'client')) else: cert.add_ext(X509.new_extension('keyUsage', 'critical,keyEncipherment')) cert.add_ext(X509.new_extension('nsCertType', 'server')) cert.sign(ca_key, 'sha256') return pk.as_pem(cipher=None), cert.as_pem()
def _generate_apk_keypair(): priv, pub, key = _generate_rsa_keypair(2048) t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + 365 * 24 * 60 * 60 * 5) pk = EVP.PKey() pk.assign_rsa(key) cert = X509.X509() cert.get_subject().O = _generate_id(10) cert.set_serial_number(1337) cert.set_version(2) cert.set_not_before(now) cert.set_not_after(expire) cert.set_pubkey(pk) cert.set_issuer(cert.get_subject()) cert.add_ext( X509.new_extension('subjectKeyIdentifier', str(cert.get_fingerprint()))) cert.sign(pk, 'sha256') return { 'CONTROL_APK_PRIV_KEY': pk.as_pem(cipher=None), 'CONTROL_APK_PUB_KEY': cert.as_pem(), }
def set_validity_period(self, cert): now = long(time.time()) asn1 = ASN1.ASN1_UTCTIME() asn1.set_time(now) cert.set_not_before(asn1) asn1 = ASN1.ASN1_UTCTIME() asn1.set_time(now + self.settings['cert_validity_lifetime'] * 24 * 60 * 60) cert.set_not_after(asn1)
def mk_cert_valid(cert, days=180): t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t - 24 * 60 * 60) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + days * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire)
def validate_cert(self, cert, days=365): t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + days * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire)
def SetCertValidityDate(cert, days=365): """Set validity on a cert to specific number of days.""" now_epoch = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(now_epoch) expire = ASN1.ASN1_UTCTIME() expire.set_time(now_epoch + days * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire)
def _set_asn1_time(cert, days): now = int(time.time()) asn1 = ASN1.ASN1_UTCTIME() asn1.set_time(now) cert.set_not_before(asn1) asn1 = ASN1.ASN1_UTCTIME() asn1.set_time(now + 86400 * days) cert.set_not_after(asn1)
def generate_certificate(self, cr, uid, ids, issuer, ext=None, serial_number=1, version=2, date_begin=None, date_end=None, expiration=365, context=None): """ Generate certificate """ r_ids = [] for item in self.browse(cr, uid, ids): if item.status == 'valid_request': # Get request data pk = item.pairkey_id.as_pkey()[item.pairkey_id.id] req = item.get_request()[item.id] sub = req.get_subject() pkey = req.get_pubkey() # Building certificate cert = X509.X509() cert.set_serial_number(serial_number) cert.set_version(version) cert.set_subject(sub) now = ASN1.ASN1_UTCTIME() if date_begin is None: t = long(time.time()) + time.timezone now.set_time(t) else: now.set_datetime(date_begin) nowPlusYear = ASN1.ASN1_UTCTIME() if date_end is None: nowPlusYear.set_time(t + 60 * 60 * 24 * expiration) else: nowPlusYear.set_datetime(date_end) cert.set_not_before(now) cert.set_not_after(nowPlusYear) cert.set_issuer(issuer) cert.set_pubkey(pkey) cert.set_pubkey(cert.get_pubkey()) if ext: cert.add_ext(ext) cert.sign(pk, 'sha1') w = {'crt': cert.as_pem()} self.write(cr, uid, item.id, w) r_ids.append(item.id) return r_ids
def get_x509_proxy(self, request_pem, issuer=None, subject=None, private_key=None): """ Generate a X509 proxy based on the request Args: requestPEM: The request PEM encoded issuer: The issuer user subject: The subject of the proxy. If None, issuer/CN=proxy will be used Returns: A X509 proxy PEM encoded """ if issuer is None: issuer = [('DC', 'ch'), ('DC', 'cern'), ('CN', 'Test User')] if subject is None: subject = issuer + [('CN', 'proxy')] x509_request = X509.load_request_string(str(request_pem)) not_before = ASN1.ASN1_UTCTIME() not_before.set_datetime(datetime.now(UTC)) not_after = ASN1.ASN1_UTCTIME() not_after.set_datetime(datetime.now(UTC) + timedelta(hours=3)) issuer_subject = X509.X509_Name() for c in issuer: issuer_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0) proxy_subject = X509.X509_Name() for c in subject: proxy_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0) proxy = X509.X509() proxy.set_version(2) proxy.set_subject(proxy_subject) proxy.set_serial_number(int(time.time())) proxy.set_version(x509_request.get_version()) proxy.set_issuer(issuer_subject) proxy.set_pubkey(x509_request.get_pubkey()) proxy.set_not_after(not_after) proxy.set_not_before(not_before) if not private_key: proxy.sign(self.pkey, 'sha1') else: proxy.sign(private_key, 'sha1') return proxy.as_pem() + self.cert.as_pem()
def _set_times(self): """ Internal function that sets the time on the proxy certificate """ not_before = ASN1.ASN1_UTCTIME() not_after = ASN1.ASN1_UTCTIME() not_before.set_time(int(time.time())) offset = (self._valid[0] * 3600) + (self._valid[1] * 60) not_after.set_time(int(time.time()) + offset) self._proxycert.set_not_before(not_before) self._proxycert.set_not_after(not_after)
def test_mkcert(self): req, pk = self.mkreq(1024) pkey = req.get_pubkey() assert (req.verify(pkey)) sub = req.get_subject() assert len(sub) == 2, len(sub) cert = X509.X509() cert.set_serial_number(1) cert.set_version(2) cert.set_subject(sub) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) nowPlusYear = ASN1.ASN1_UTCTIME() nowPlusYear.set_time(t + 60 * 60 * 24 * 365) cert.set_not_before(now) cert.set_not_after(nowPlusYear) assert str(cert.get_not_before()) == str(now) assert str(cert.get_not_after()) == str(nowPlusYear) issuer = X509.X509_Name() issuer.CN = 'The Issuer Monkey' issuer.O = 'The Organization Otherwise Known as My CA, Inc.' cert.set_issuer(issuer) cert.set_pubkey(pkey) cert.set_pubkey(cert.get_pubkey()) # Make sure get/set work ext = X509.new_extension('subjectAltName', 'DNS:foobar.example.com') ext.set_critical(0) assert ext.get_critical() == 0 cert.add_ext(ext) cert.sign(pk, 'sha1') self.assertRaises(ValueError, cert.sign, pk, 'nosuchalgo') assert (cert.get_ext('subjectAltName').get_name() == 'subjectAltName') assert (cert.get_ext_at(0).get_name() == 'subjectAltName') assert (cert.get_ext_at(0).get_value() == 'DNS:foobar.example.com') assert cert.get_ext_count() == 1, cert.get_ext_count() self.assertRaises(IndexError, cert.get_ext_at, 1) assert cert.verify() assert cert.verify(pkey) assert cert.verify(cert.get_pubkey()) assert cert.get_version() == 2 assert cert.get_serial_number() == 1 assert cert.get_issuer().CN == 'The Issuer Monkey' if m2.OPENSSL_VERSION_NUMBER >= 0x90800f: assert not cert.check_ca() assert not cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 1) assert not cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 1) assert cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 0) assert cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 0) assert cert.check_purpose(m2.X509_PURPOSE_ANY, 0) else: self.assertRaises(AttributeError, cert.check_ca)
def make_eecert(self, cacert): eecert = X509.X509() eecert.set_serial_number(2) eecert.set_version(2) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) now_plus_year = ASN1.ASN1_UTCTIME() now_plus_year.set_time(t + 60 * 60 * 24 * 365) eecert.set_not_before(now) eecert.set_not_after(now_plus_year) eecert.set_issuer(cacert.get_subject()) return eecert
def mk_cert_valid(cert, days=3652): """Make a cert valid from now and til 'days' from now. :param cert: cert to make valid :param days: number of days cert is valid for from now. """ t = int(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + days * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire)
def mk_cert_valid(cert, days=365): """ Make a cert valid from now and til 'days' from now. Args: cert -- cert to make valid days -- number of days cert is valid for from now. """ t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + days * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire)
def test_UTCTIME(self): asn1 = ASN1.ASN1_UTCTIME() assert str(asn1) == 'Bad time value' format = '%b %d %H:%M:%S %Y GMT' utcformat = '%y%m%d%H%M%SZ' s = '990807053011Z' asn1.set_string(s) #assert str(asn1) == 'Aug 7 05:30:11 1999 GMT' t1 = time.strptime(str(asn1), format) t2 = time.strptime(s, utcformat) self.assertEqual(t1, t2) asn1.set_time(500) #assert str(asn1) == 'Jan 1 00:08:20 1970 GMT' t1 = time.strftime(format, time.strptime(str(asn1), format)) t2 = time.strftime(format, time.gmtime(500)) self.assertEqual(t1, t2) t = long(time.time()) + time.timezone asn1.set_time(t) t1 = time.strftime(format, time.strptime(str(asn1), format)) t2 = time.strftime(format, time.gmtime(t)) self.assertEqual(t1, t2)
def _generate_mock_cert(): rsa_key = RSA.gen_key(512, 65537) pkey = EVP.PKey() pkey.assign_rsa(rsa_key) cert = X509.X509() cert.set_pubkey(pkey) not_before = ASN1.ASN1_UTCTIME() not_before.set_datetime(datetime.now(UTC)) not_after = ASN1.ASN1_UTCTIME() not_after.set_datetime(datetime.now(UTC) + timedelta(hours=24)) cert.set_not_before(not_before) cert.set_not_after(not_after) cert.sign(pkey, 'md5') return pkey, cert
def __createCertM2Crypto(self): """Create new certificate for user :return: S_OK(tuple)/S_ERROR() -- tuple contain certificate and pulic key as strings """ # Create public key userPubKey = EVP.PKey() userPubKey.assign_rsa( RSA.gen_key(self.bits, 65537, util.quiet_genparam_callback)) # Create certificate userCert = X509.X509() userCert.set_pubkey(userPubKey) userCert.set_version(2) userCert.set_subject(self.__X509Name) userCert.set_serial_number(int(random.random() * 10**10)) # Add extentionals userCert.add_ext( X509.new_extension("basicConstraints", "CA:" + str(False).upper())) userCert.add_ext( X509.new_extension("extendedKeyUsage", "clientAuth", critical=1)) # Set livetime validityTime = datetime.timedelta(days=400) notBefore = ASN1.ASN1_UTCTIME() notBefore.set_time(int(time.time())) notAfter = ASN1.ASN1_UTCTIME() notAfter.set_time(int(time.time()) + int(validityTime.total_seconds())) userCert.set_not_before(notBefore) userCert.set_not_after(notAfter) # Add subject from CA with open(self.parameters["CertFile"]) as cf: caCertStr = cf.read() caCert = X509.load_cert_string(caCertStr) userCert.set_issuer(caCert.get_subject()) # Use CA key with open(self.parameters["KeyFile"], "rb") as cf: caKeyStr = cf.read() pkey = EVP.PKey() pkey.assign_rsa( RSA.load_key_string(caKeyStr, callback=util.no_passphrase_callback)) # Sign userCert.sign(pkey, self.algoritm) userCertStr = userCert.as_pem().decode("ascii") userPubKeyStr = userPubKey.as_pem( cipher=None, callback=util.no_passphrase_callback).decode("ascii") return S_OK((userCertStr, userPubKeyStr))
def create_self_signed_RootCA_certificate(root_ca_info, sign_method="sha256", days=3650): # Setp 1: Create RSA-key pair (public/private key) rsa = generate_rsa_keypair(2048, 65537) private_key = EVP.PKey() private_key.assign_rsa(rsa) # Step 2-1: Prepare X.509 Certificate Signed Request req = X509.Request() req.set_pubkey(private_key) x509_name = req.get_subject() x509_name.C = root_ca_info["C"] x509_name.CN = root_ca_info["CN"] x509_name.ST = root_ca_info["ST"] x509_name.L = root_ca_info["L"] x509_name.O = root_ca_info["O"] x509_name.OU = root_ca_info["OU"] req.sign(private_key, sign_method) # Step 2-2: Prepare X.509 certificate root_ca_cert = X509.X509() serial = struct.unpack("<Q", os.urandom(8))[0] root_ca_cert.set_serial_number(serial) root_ca_cert.set_version(3) # Setp 2-3: Set required information of RootCA certificate root_ca_cert.set_issuer(x509_name) root_ca_cert.set_subject(root_ca_cert.get_issuer()) root_ca_cert.set_pubkey(req.get_pubkey()) # Get the CSR's public key # Step 2-4: Set Valid Date for RootCA certificate t = int(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + days * 24 * 60 * 60) root_ca_cert.set_not_before(now) root_ca_cert.set_not_after(expire) # Step 3: Add Extensions for this Root CA certificate root_ca_cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE')) root_ca_cert.add_ext( X509.new_extension('subjectKeyIdentifier', root_ca_cert.get_fingerprint())) # Step 4: Use Root CA's RSA private key to sign this certificate root_ca_cert.sign(private_key, sign_method) return root_ca_cert, private_key
def get_not_after(self): assert m2.x509_type_check(self.x509), "'x509' type error" out = ASN1.ASN1_UTCTIME(m2.x509_get_not_after(self.x509)) if 'Bad time value' in str(out): raise X509Error('''M2Crypto cannot handle dates after year 2050. See RFC 5280 4.1.2.5 for more information. ''') return out