def generate_self_signed(private_key: rsa.RSAPrivateKey, subject: x509.Name) -> x509.Certificate:
"""Generate a Self-Signed certificate for use with a CMS PKCS#10 request.
Args:
private_key (rsa.RSAPrivateKey): The private key to sign the certificate with.
subject (x509.Name): The subject used in the CSR, which must match this certificates subject.
Returns:
x509.Certificate: Self signed certificate for CMS envelope
"""
one_day = datetime.timedelta(1, 0, 0)
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
builder = builder.issuer_name(subject)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(private_key.public_key())
# builder = builder.add_extension(
# x509.KeyUsage(digital_signature=True, key_encipherment=True), critical=True
# )
certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256(),
backend=default_backend())
return certificate
def generate_root_certificate(private_key: rsa.RSAPrivateKey) -> x509.Certificate:
backend = cryptography.hazmat.backends.default_backend()
subject = x509.Name(
[x509.NameAttribute(
x509.oid.NameOID.COMMON_NAME, 'root'
)]
)
builder = x509.CertificateBuilder()
return builder.subject_name(subject).issuer_name(subject) \
.not_valid_before(datetime.datetime.utcnow()) \
.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=1)) \
.serial_number(1) \
.public_key(private_key.public_key()) \
.add_extension(extension=x509.BasicConstraints(ca=True, path_length=1), critical=True) \
.add_extension(extension=x509.KeyUsage(digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False,
), critical=True) \
.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=backend)
def obtain_key_id(token: str, rsa_key: RSAPrivateKey, staging: bool = False) -> Response:
target = '/g_business/v1/authentication_keys'
key_encoding = Encoding.PEM
key_format = PublicFormat.SubjectPublicKeyInfo
public_key = rsa_key.public_key().public_bytes(key_encoding, key_format)
body = {'public_key': public_key.decode(), 'token': token}
with SatispayClient('PLACEHOLDER', rsa_key, staging) as client:
return client.post(target, json=body)
def check_certificate_against_private_key(
cert: Certificate,
private_key: RSAPrivateKey,
) -> None:
# Check if the public key of certificate matches the public key corresponding to the given
# private one
assert (_rsa_public_key_from_cert_or_csr(cert).public_numbers() ==
private_key.public_key().public_numbers())
def decode(cls, private_key: RSAPrivateKey, token_bytes: str) -> str:
public_bytes = private_key.public_key().public_bytes(
encoding=Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo)
token = jwt_decode(token_bytes,
public_bytes,
algorithms=['RS256'],
verify=False)
return token['sub']
def gen_self_signed(key: rsa.RSAPrivateKey, cert_opts: Dict,
crypto_opts: Dict) -> None: # noqa
# subject / issuer
subject = issuer = _subject(cert_opts)
# init builder
builder = x509.CertificateBuilder()
# set subject and issuer
builder = builder.subject_name(subject)
builder = builder.issuer_name(issuer)
# set public key
builder = builder.public_key(key.public_key())
# set serial number
serial = x509.random_serial_number()
builder = builder.serial_number(serial)
# set expiration
now = datetime.datetime.utcnow()
days = cert_opts['days']
builder = builder.not_valid_before(now)
builder = builder.not_valid_after(now + datetime.timedelta(days=days))
# add base extensions
for is_critical, ext in _extensions(key, cert_opts):
builder = builder.add_extension(ext, critical=is_critical)
# add AuthorityKeyIdentifier extension (experimental feature)
pkey = key.public_key()
key_identifier = x509.extensions._key_identifier_from_public_key(pkey)
authority_cert_issuer = [x509.DirectoryName(issuer)]
builder = builder.add_extension(x509.AuthorityKeyIdentifier(
key_identifier, authority_cert_issuer, serial),
critical=False)
# sign the certificate
md_alg = MD_ALGS[crypto_opts['md_alg']]
crt = builder.sign(key, md_alg)
# write to file
crt_out = crypto_opts['crt_out']
with open(str(crt_out), "wb") as fp:
fp.write(crt.public_bytes(serialization.Encoding.PEM))
fp.close()
def make_jwks(_private_key: RSAPrivateKey):
"""Returns JWKS."""
jwk = json.loads(
RSAAlgorithm.to_jwk(_private_key.public_key()),
)
jwk['kid'] = TEST_KID
return {
'keys': [jwk]
}
def attack_pubkey_deception_jwk(self,
pk: RSAPrivateKey,
kid: str,
jwt: TestJWT = None):
if jwt is None:
jwt = self.init_token()
pubkey: RSAPublicKey = pk.public_key()
jwk = utils.rsa_pubkey_to_jwk(pem_file=None, key_id=kid, pubkey=pubkey)
jwt.header['jwk'] = jwk
jwt.header['jwk']['use'] = "sig"
del (jwt.header['jwk']['alg'])
self.payloads['attack_pubkey_deception_jwk'] = utils.force_unicode(
jwt.build_token(pk))
def generate_cert(key: rsa.RSAPrivateKey,
server_name: str) -> x509.Certificate:
now = datetime.datetime.utcnow()
subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "MN"),
x509.NameAttribute(NameOID.LOCALITY_NAME, "Minneapolis"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, "pcsd"),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "pcsd"),
x509.NameAttribute(NameOID.COMMON_NAME, server_name),
])
return (x509.CertificateBuilder().subject_name(subject).issuer_name(
subject).public_key(key.public_key()).serial_number(
int(now.timestamp() * 1000)).not_valid_before(now).not_valid_after(
now + datetime.timedelta(days=3650)).sign(
key, hashes.SHA256(), default_backend()))
def _extensions(key: rsa.RSAPrivateKey,
cert_opts: Dict) -> List[Tuple[bool, x509.Extension]]: # noqa
sector = cert_opts['sector']
# certificate policies
policies = [
x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16'),
[x509.UserNotice(None, 'AgIDroot')]),
x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.6'),
[x509.UserNotice(None, 'agIDcert')]),
]
if sector == 'private':
policies.append(
x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.4.3.1'),
[x509.UserNotice(None, 'cert_SP_Priv')]))
elif sector == 'public':
policies.append(
x509.PolicyInformation(x509.ObjectIdentifier('1.3.76.16.4.2.1'),
[x509.UserNotice(None, 'cert_SP_Pub')]))
else:
emsg = 'Invalid value for sector (%s)' % sector
raise Exception(emsg)
# extensions list
return [
# basicCinstraints
(False, x509.BasicConstraints(ca=False, path_length=None)),
# keyUsage
(True,
x509.KeyUsage(
digital_signature=True,
content_commitment=True,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False,
)),
# certifcatePolicies
(False, x509.CertificatePolicies(policies)),
# subjectKeyIdentifier
(False, x509.SubjectKeyIdentifier.from_public_key(key.public_key())),
]
def encode(self, private_key: RSAPrivateKey) -> bytes:
private_bytes = private_key.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption())
public_key = private_key.public_key()
numbers = public_key.public_numbers()
n = numbers.n.to_bytes(int(public_key.key_size / 8),
'big').lstrip(b'\x00')
kid = sha1(n).hexdigest()
payload = self.payload()
return jwt_encode(payload,
private_bytes,
algorithm='RS256',
headers={'kid': kid})
def ca_certificate(private_key: rsa.RSAPrivateKey) -> x509.Certificate:
b = x509.CertificateBuilder()
name = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Commandment"),
x509.NameAttribute(NameOID.COMMON_NAME, u"CA-CERTIFICATE"),
])
cert = b.serial_number(1).issuer_name(name).subject_name(name).public_key(
private_key.public_key()).not_valid_before(
datetime.datetime.utcnow()).not_valid_after(
datetime.datetime.utcnow() +
datetime.timedelta(days=10)).add_extension(
x509.BasicConstraints(ca=True, path_length=None),
True).sign(private_key, hashes.SHA256(), default_backend())
return cert
def _save_key(namespace: str, identifier: str, key_pair: rsa.RSAPrivateKey):
key_dir = pathlib.Path(KEY_STORE_PATH) / namespace / identifier
os.makedirs(key_dir)
with open(key_dir / 'id_rsa', 'wb') as f:
key_binary = key_pair.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()
)
f.write(key_binary)
with open(key_dir / 'id_rsa.pub', 'wb') as f:
key_binary = key_pair.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
)
f.write(key_binary)
def attack_pubkey_deception_jku(self,
pk: RSAPrivateKey,
jku_url,
jwt: TestJWT = None,
kid=None):
if jwt is None:
jwt = self.init_token()
print("jwt {}".format(jwt))
jwt.header['jku'] = jku_url
if kid is not None:
jwt.header['kid'] = kid
self.payloads['attack_pubkey_deception_jku'] = utils.force_unicode(
jwt.build_token(pk))
pubkey: RSAPublicKey = pk.public_key()
jwks = {}
jwks['keys'] = [
utils.rsa_pubkey_to_jwk(pem_file=None, key_id=kid, pubkey=pubkey)
]
self.payloads['attack_pubkey_deception_jku_jwks'] = json.dumps(
jwks, separators=(",", ":"))
def generate_root_certificate(
private_key: rsa.RSAPrivateKey) -> x509.Certificate:
backend = cryptography.hazmat.backends.default_backend()
subject = x509.Name(
[x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, 'root')])
builder = x509.CertificateBuilder()
return builder.subject_name(subject).issuer_name(subject) \
.not_valid_before(datetime.datetime.utcnow()) \
.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=1)) \
.serial_number(x509.random_serial_number()) \
.public_key(private_key.public_key()) \
.add_extension(extension=x509.BasicConstraints(ca=True, path_length=1), critical=True) \
.add_extension(extension=x509.KeyUsage(digital_signature=False,
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
encipher_only=False,
decipher_only=False,
), critical=True) \
.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=backend)
def generate_cert(path: Path, private_key: rsa.RSAPrivateKey, validity: int = 365, distinguished_name: DistinguishedName = None,
basicConstraints: Dict[str, Union[str, bool]] = None, keyUsage: Dict[str, bool] = None,
subjectAltName: [str, str] = None) -> x509.Certificate:
distinguished_name = distinguished_name or test_distinguished_name
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, distinguished_name['C']),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, distinguished_name['ST']),
x509.NameAttribute(NameOID.LOCALITY_NAME, distinguished_name['L']),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, distinguished_name['O']),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, distinguished_name['O']),
x509.NameAttribute(NameOID.COMMON_NAME, distinguished_name['CN']),
x509.NameAttribute(NameOID.EMAIL_ADDRESS, distinguished_name['emailAddress'])
])
cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
private_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=validity)
)
if basicConstraints:
basicConstraints = {key.lower(): True if value is True or value.lower() == 'true' else False for key, value in basicConstraints.items()}
for key in ('ca', 'path_length'):
if key not in basicConstraints:
basicConstraints[key] = None
cert.add_extension(
x509.BasicConstraints(**basicConstraints), critical=True,
)
if keyUsage:
key_usage = {
'crl_sign': keyUsage.get('crlSign', False),
'data_encipherment': keyUsage.get('dataEncipherment', False),
'digital_signature': keyUsage.get('digitalSignature', False),
'content_commitment': keyUsage.get('nonRepudiation', False),
'key_agreement': keyUsage.get('keyAgreement', False),
'key_cert_sign': keyUsage.get('keyCertSign', False),
'key_encipherment': keyUsage.get('keyEncipherment', False),
'encipher_only': keyUsage.get('encipherOnly', False),
'decipher_only': keyUsage.get('decipherOnly', False),
}
cert.add_extension(
x509.KeyUsage(**key_usage), critical=True,
)
if subjectAltName:
alt_names = []
for key, value in subjectAltName.items():
if key.startswith('IP'):
value = ipv4_or_ipv6(value)
san_type = get_name_type(key)
alt_names.append(san_type(value))
cert = cert.add_extension(
x509.SubjectAlternativeName(alt_names), critical=False,
)
cert = cert.sign(private_key, hashes.SHA256(), default_backend())
data = cert.public_bytes(serialization.Encoding.PEM)
Path(path).write_bytes(data)
return cert
def is_pareja(cer: x509.Certificate, private_key: rsa.RSAPrivateKey) -> bool:
encoding = serialization.Encoding.PEM
fmt = serialization.PublicFormat.PKCS1
return cer.public_key().public_bytes(encoding, fmt) == private_key.public_key().public_bytes(encoding, fmt)
async def node_id_from_private_key(key: rsa.RSAPrivateKey) -> bytes:
"""Wrapper to get the node id from the private key"""
return await node_id_from_public_key(key.public_key())
def __init__(self, privkey: cr_rsa.RSAPrivateKey) -> None:
self._privkey = privkey
self._pubkey = RsaPublicKey(privkey.public_key())
self._private_numbers = privkey.private_numbers()
def __init__(self, hostname: str, private_key: RSAPrivateKey):
self.hostname = hostname
self.unit = Unit(hostname, private_key.public_key(), private_key)
self.session = PwngridSession(
refresh_token_fn=self._refresh_session_token)
