def MakeCertificate(
issuer_cn, subject_cn, serial, pubkey, privkey, ocsp_url = None,
ca_issuers_url = None, is_ca=False, path_len=None, ip_sans=None,
dns_sans=None):
'''MakeCertificate returns a DER encoded certificate, signed by privkey.'''
extensions = asn1.SEQUENCE([])
# Default subject name fields
c = "XX"
o = "Testing Org"
if is_ca:
# Root certificate.
c = None
o = None
extensions.children.append(
asn1.SEQUENCE([
BASIC_CONSTRAINTS,
True,
asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([
True, # IsCA
] + ([path_len] if path_len is not None else []) # Path len
))),
]))
if ip_sans is not None or dns_sans is not None:
sans = []
if dns_sans is not None:
for dns_name in dns_sans:
sans.append(
asn1.Raw(asn1.TagAndLength(0x82, len(dns_name)) + dns_name))
if ip_sans is not None:
for ip_addr in ip_sans:
sans.append(
asn1.Raw(asn1.TagAndLength(0x87, len(ip_addr)) + ip_addr))
extensions.children.append(
asn1.SEQUENCE([
SUBJECT_ALTERNATIVE_NAME,
# There is implicitly a critical=False here. Since false is the
# default, encoding the value would be invalid DER.
asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE(sans)))
]))
if ocsp_url is not None or ca_issuers_url is not None:
aia_entries = []
if ocsp_url is not None:
aia_entries.append(
asn1.SEQUENCE([
AIA_OCSP,
asn1.Raw(asn1.TagAndLength(0x86, len(ocsp_url)) + ocsp_url),
]))
if ca_issuers_url is not None:
aia_entries.append(
asn1.SEQUENCE([
AIA_CA_ISSUERS,
asn1.Raw(asn1.TagAndLength(0x86,
len(ca_issuers_url)) + ca_issuers_url),
]))
extensions.children.append(
asn1.SEQUENCE([
AUTHORITY_INFORMATION_ACCESS,
# There is implicitly a critical=False here. Since false is the default,
# encoding the value would be invalid DER.
asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE(aia_entries))),
]))
extensions.children.append(
asn1.SEQUENCE([
CERT_POLICIES,
# There is implicitly a critical=False here. Since false is the default,
# encoding the value would be invalid DER.
asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([
asn1.SEQUENCE([ # PolicyInformation
CERT_POLICY_OID,
]),
]))),
])
)
tbsCert = asn1.ToDER(asn1.SEQUENCE([
asn1.Explicit(0, 2), # Version
serial,
asn1.SEQUENCE([SHA256_WITH_RSA_ENCRYPTION, None]), # SignatureAlgorithm
Name(cn = issuer_cn), # Issuer
asn1.SEQUENCE([ # Validity
asn1.UTCTime("100101060000Z"), # NotBefore
asn1.UTCTime("321201060000Z"), # NotAfter
]),
Name(cn = subject_cn, c = c, o = o), # Subject
asn1.SEQUENCE([ # SubjectPublicKeyInfo
asn1.SEQUENCE([ # Algorithm
PUBLIC_KEY_RSA,
None,
]),
asn1.BitString(asn1.ToDER(pubkey)),
]),
asn1.Explicit(3, extensions),
]))
return asn1.ToDER(asn1.SEQUENCE([
asn1.Raw(tbsCert),
asn1.SEQUENCE([
SHA256_WITH_RSA_ENCRYPTION,
None,
]),
asn1.BitString(privkey.Sign(tbsCert)),
]))
def MakeCertificate(issuer_cn,
subject_cn,
serial,
pubkey,
privkey,
ocsp_url=None):
'''MakeCertificate returns a DER encoded certificate, signed by privkey.'''
extensions = asn1.SEQUENCE([])
# Default subject name fields
c = "XX"
o = "Testing Org"
if issuer_cn == subject_cn:
# Root certificate.
c = None
o = None
extensions.children.append(
asn1.SEQUENCE([
BASIC_CONSTRAINTS,
True,
asn1.OCTETSTRING(
asn1.ToDER(asn1.SEQUENCE([
True, # IsCA
0, # Path len
]))),
]))
if ocsp_url is not None:
extensions.children.append(
asn1.SEQUENCE([
AUTHORITY_INFORMATION_ACCESS,
# There is implicitly a critical=False here. Since false is the default,
# encoding the value would be invalid DER.
asn1.OCTETSTRING(
asn1.ToDER(
asn1.SEQUENCE([
asn1.SEQUENCE([
AIA_OCSP,
asn1.Raw(
asn1.TagAndLength(0x86, len(ocsp_url)) +
ocsp_url),
]),
]))),
]))
extensions.children.append(
asn1.SEQUENCE([
CERT_POLICIES,
# There is implicitly a critical=False here. Since false is the default,
# encoding the value would be invalid DER.
asn1.OCTETSTRING(
asn1.ToDER(
asn1.SEQUENCE([
asn1.SEQUENCE([ # PolicyInformation
CERT_POLICY_OID,
]),
]))),
]))
tbsCert = asn1.ToDER(
asn1.SEQUENCE([
asn1.Explicit(0, 2), # Version
serial,
asn1.SEQUENCE([SHA256_WITH_RSA_ENCRYPTION,
None]), # SignatureAlgorithm
Name(cn=issuer_cn), # Issuer
asn1.SEQUENCE([ # Validity
asn1.UTCTime("100101060000Z"), # NotBefore
asn1.UTCTime("321201060000Z"), # NotAfter
]),
Name(cn=subject_cn, c=c, o=o), # Subject
asn1.SEQUENCE([ # SubjectPublicKeyInfo
asn1.SEQUENCE([ # Algorithm
PUBLIC_KEY_RSA,
None,
]),
asn1.BitString(asn1.ToDER(pubkey)),
]),
asn1.Explicit(3, extensions),
]))
return asn1.ToDER(
asn1.SEQUENCE([
asn1.Raw(tbsCert),
asn1.SEQUENCE([
SHA256_WITH_RSA_ENCRYPTION,
None,
]),
asn1.BitString(privkey.Sign(tbsCert)),
]))