def make_ca(subject_name, valid_days):
    """
    Create a CA root certificate with a freshly generated RSA key.

    A 2048-bit RSA key (e=65537) is generated, a CSR carrying the CA
    extensions is built and signed with SHA-256, and the CSR is then handed
    to ``CASigner`` for issuance.  The certificate asserts
    ``basicConstraints: CA=TRUE`` with no path-length limit (both it and
    keyUsage are marked critical) and the ``digitalSignature``,
    ``keyCertSign`` and ``cRLSign`` key-usage bits; all other bits are
    explicitly cleared.  Subject and authority key identifiers are both
    derived from the new public key.

    :param subject_name: ``x509.Name`` used as the CSR subject.
    :param valid_days: validity period passed through to ``CASigner.sign``.
    :returns: ``(private_key, cert)``.

    NOTE(review): ``CASigner`` is given the same key and the CSR's own
    subject, so the result is presumably self-signed — confirm against
    ``CASigner``.
    """
    ca_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend(),
    )
    ca_pub = ca_key.public_key()

    # Only the bits a CA needs are set; everything else is explicitly False
    # so KeyUsage receives every keyword.
    usage_bits = dict.fromkeys(
        (
            "content_commitment",
            "key_encipherment",
            "data_encipherment",
            "key_agreement",
            "encipher_only",
            "decipher_only",
        ),
        False,
    )
    usage_bits.update(digital_signature=True, key_cert_sign=True, crl_sign=True)

    extensions = [
        Extension(ExtensionOID.KEY_USAGE, True, x509.KeyUsage(**usage_bits)),
        Extension(
            ExtensionOID.BASIC_CONSTRAINTS,
            True,
            x509.BasicConstraints(ca=True, path_length=None),
        ),
        Extension(
            ExtensionOID.SUBJECT_KEY_IDENTIFIER,
            False,
            x509.SubjectKeyIdentifier.from_public_key(ca_pub),
        ),
        Extension(
            ExtensionOID.AUTHORITY_KEY_IDENTIFIER,
            False,
            x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_pub),
        ),
    ]

    csr = x509.CertificateSigningRequestBuilder(subject_name, extensions).sign(
        private_key=ca_key,
        algorithm=hashes.SHA256(),
        backend=default_backend(),
    )
    cert = CASigner(ca_key, csr.subject).sign(csr, valid_days)
    return ca_key, cert
def generate_android_extensions(data: bytes) -> List[Extension]:
    """
    Build an Android key-attestation extension carrying ``data`` as the challenge.

    The ``KeyDescription`` gets zeroed attestation/keymaster version and
    security-level fields, a fixed ``uniqueId`` of ``b'unique'`` and two
    identical authorization lists (origin GENERATED, purpose SIGN) for the
    software- and TEE-enforced sections.  It is DER-encoded and wrapped as a
    non-critical ``UnrecognizedExtension`` under the Android key attestation
    OID.

    NOTE(review): the constant versions, security levels and uniqueId look
    like a test fixture rather than a genuine device attestation — confirm
    with the callers before relying on the values.

    :param data: bytes stored in ``attestationChallenge``.
    :returns: a single-element list holding the extension.
    """
    attestation_oid = ObjectIdentifier('1.3.6.1.4.1.11129.2.1.17')

    def _auth_list() -> AuthorizationList:
        # Same content for both enforcement sections.
        auth = AuthorizationList()
        auth['origin'] = KM_ORIGIN_GENERATED
        auth['purpose'].append(KM_PURPOSE_SIGN)
        return auth

    description = KeyDescription()
    for version_field in (
        'attestationVersion',
        'attestationSecurityLevel',
        'keymasterVersion',
        'keymasterSecurityLevel',
    ):
        description[version_field] = 0
    description['attestationChallenge'] = data
    description['uniqueId'] = b'unique'
    description['softwareEnforced'] = _auth_list()
    description['teeEnforced'] = _auth_list()

    der_blob = encode(description)
    return [
        Extension(
            attestation_oid,
            False,
            UnrecognizedExtension(attestation_oid, der_blob),
        ),
    ]
def add_extension(self, extval: ExtensionType, critical: bool):
    """
    Return a new ``RevokedCertificateBuilder`` with ``extval`` appended.

    :param extval: the extension value; must be an ``ExtensionType``.
    :param critical: whether the extension is flagged critical.
    :raises TypeError: if ``extval`` is not an ``ExtensionType``.
    :raises ValueError: presumably, via ``_reject_duplicate_extension``,
        when an extension with the same OID is already present — confirm
        against that helper.
    """
    if not isinstance(extval, ExtensionType):
        raise TypeError("extension must be an ExtensionType")
    new_ext = Extension(extval.oid, critical, extval)
    _reject_duplicate_extension(new_ext, self._extensions)
    # Builders are immutable: hand back a copy with the extension appended.
    return RevokedCertificateBuilder(
        self._serial_number,
        self._revocation_date,
        [*self._extensions, new_ext],
    )
def add_extension(self, extension, critical):
    """
    Adds an X.509 extension to the certificate request.

    Returns a new ``CertificateSigningRequestBuilder``; the current one is
    left untouched.

    :param extension: the extension value; must be an ``ExtensionType``.
    :param critical: whether the extension is flagged critical.
    :raises TypeError: if ``extension`` is not an ``ExtensionType``.
    :raises ValueError: presumably, via ``_reject_duplicate_extension``,
        when the same OID was already added — confirm against that helper.
    """
    if not isinstance(extension, ExtensionType):
        raise TypeError("extension must be an ExtensionType")
    wrapped = Extension(extension.oid, critical, extension)
    _reject_duplicate_extension(wrapped, self._extensions)
    return CertificateSigningRequestBuilder(
        self._subject_name,
        [*self._extensions, wrapped],
    )
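def my_fix_add_extension_cryptography(builder, extension, critical):
    """
    Append ``extension`` to a cryptography ``CertificateBuilder`` and return
    the new builder, replicating the library's own ``add_extension``.

    The builder is rebuilt through the library's private positional
    constructor (issuer, subject, public key, serial, not-before,
    not-after, extensions), so this helper is tied to the cryptography
    version whose constructor has exactly that shape.

    :param builder: the ``x509.CertificateBuilder`` to extend.
    :param extension: the extension value; must be an ``ExtensionType``.
    :param critical: whether the extension is flagged critical.
    :raises TypeError: if ``extension`` is not an ``ExtensionType``.
    :raises ValueError: if an extension with the same OID was already
        added.  RFC 5280 §4.2 allows at most one instance of an extension
        in a certificate, and the library's ``add_extension`` rejects
        duplicates the same way; without this check the helper would
        silently produce a non-compliant certificate.
    """
    from cryptography.x509.extensions import Extension, ExtensionType

    if not isinstance(extension, ExtensionType):
        raise TypeError("extension must be an ExtensionType")
    ext = Extension(extension.oid, critical, extension)
    # Mirror the library's duplicate-OID rejection (one instance per
    # extension, RFC 5280 §4.2).
    if any(existing.oid == ext.oid for existing in builder._extensions):
        raise ValueError('This extension has already been set.')
    return x509.CertificateBuilder(
        builder._issuer_name,
        builder._subject_name,
        builder._public_key,
        builder._serial_number,
        builder._not_valid_before,
        builder._not_valid_after,
        builder._extensions + [ext],
    )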
def add_extension(self, extension, critical):
    """
    Return a new ``RevokedCertificateBuilder`` with ``extension`` appended.

    :param extension: the extension value; must be an ``ExtensionType``.
    :param critical: whether the extension is flagged critical.
    :raises TypeError: if ``extension`` is not an ``ExtensionType``.
    :raises ValueError: if an extension with the same OID has already been
        added to this builder.
    """
    if not isinstance(extension, ExtensionType):
        raise TypeError("extension must be an ExtensionType")
    wrapped = Extension(extension.oid, critical, extension)
    # TODO: This is quadratic in the number of extensions — each add scans
    # every extension already present.
    if any(existing.oid == wrapped.oid for existing in self._extensions):
        raise ValueError('This extension has already been set.')
    return RevokedCertificateBuilder(
        self._serial_number,
        self._revocation_date,
        [*self._extensions, wrapped],
    )
def add_extension(self, extension, critical):
    """
    Adds an X.509 extension to the certificate revocation list.

    Returns a new ``CertificateRevocationListBuilder``; the current one is
    left untouched.

    :param extension: the extension value; must be an ``ExtensionType``.
    :param critical: whether the extension is flagged critical.
    :raises TypeError: if ``extension`` is not an ``ExtensionType``.
    :raises ValueError: presumably, via ``_reject_duplicate_extension``,
        when the same OID was already added — confirm against that helper.
    """
    if not isinstance(extension, ExtensionType):
        raise TypeError("extension must be an ExtensionType")
    wrapped = Extension(extension.oid, critical, extension)
    _reject_duplicate_extension(wrapped, self._extensions)
    return CertificateRevocationListBuilder(
        self._issuer_name,
        self._last_update,
        self._next_update,
        [*self._extensions, wrapped],
        self._revoked_certificates,
    )
def add_extension(self, extension, critical):
    """
    Adds an X.509 extension to the certificate request.

    Returns a new ``CertificateSigningRequestBuilder``; the current one is
    left untouched.

    :param extension: the extension value; must be an ``ExtensionType``.
    :param critical: whether the extension is flagged critical.
    :raises TypeError: if ``extension`` is not an ``ExtensionType``.
    :raises ValueError: if an extension with the same OID has already been
        added to this builder.
    """
    if not isinstance(extension, ExtensionType):
        raise TypeError("extension must be an ExtensionType")
    wrapped = Extension(extension.oid, critical, extension)
    # TODO: This is quadratic in the number of extensions — each add scans
    # every extension already present.
    if any(existing.oid == wrapped.oid for existing in self._extensions):
        raise ValueError('This extension has already been set.')
    return CertificateSigningRequestBuilder(
        self._subject_name,
        [*self._extensions, wrapped],
    )
def add_extension(self, extension, critical):
    """
    Adds an X.509 extension to the certificate.

    Returns a new ``CertificateBuilder``; the current one is left untouched.

    :param extension: the extension value; must be an ``ExtensionType``.
    :param critical: whether the extension is flagged critical.
    :raises TypeError: if ``extension`` is not an ``ExtensionType``.
    :raises ValueError: presumably, via ``_reject_duplicate_extension``,
        when the same OID was already added — confirm against that helper.
    """
    if not isinstance(extension, ExtensionType):
        raise TypeError("extension must be an ExtensionType")
    wrapped = Extension(extension.oid, critical, extension)
    _reject_duplicate_extension(wrapped, self._extensions)
    return CertificateBuilder(
        self._issuer_name,
        self._subject_name,
        self._public_key,
        self._serial_number,
        self._not_valid_before,
        self._not_valid_after,
        [*self._extensions, wrapped],
    )
def generate_elliptic_curve_x509_certificate_android_raw(
        curve: EllipticCurve, data: bytes) -> Tuple[x509.Certificate, EC2PrivateKey, EC2PublicKey]:
    """
    Generate an EC key pair on ``curve`` and an X.509 certificate that carries
    ``data`` verbatim as a non-critical Android key-attestation extension.

    ``data`` is not encoded or validated here — it is stored as the raw
    extension value under the Android key attestation OID, so the caller is
    responsible for supplying the DER payload (presumably including
    deliberately malformed payloads for negative tests — confirm with callers).

    :param curve: elliptic curve for the new key.
    :param data: raw extension value bytes.
    :returns: ``(certificate, private_key, public_key)``.
    """
    attestation_oid = ObjectIdentifier('1.3.6.1.4.1.11129.2.1.17')
    raw_ext = Extension(
        attestation_oid,
        False,
        UnrecognizedExtension(attestation_oid, data),
    )
    priv = generate_private_key(curve, default_backend())
    pub = priv.public_key()
    cert = generate_x509_certificate(
        pub,
        priv,
        hashes.SHA256(),
        extensions=[raw_ext],
    )
    return cert, priv, pub
def add_extension(self, extension, critical):
    """
    Adds an X.509 extension to the certificate revocation list.

    Returns a new ``CertificateRevocationListBuilder``; the current one is
    left untouched.

    :param extension: the extension value; must be an ``ExtensionType``.
    :param critical: whether the extension is flagged critical.
    :raises TypeError: if ``extension`` is not an ``ExtensionType``.
    :raises ValueError: if an extension with the same OID has already been
        added to this builder.
    """
    if not isinstance(extension, ExtensionType):
        raise TypeError("extension must be an ExtensionType")
    wrapped = Extension(extension.oid, critical, extension)
    # TODO: This is quadratic in the number of extensions — each add scans
    # every extension already present.
    if any(existing.oid == wrapped.oid for existing in self._extensions):
        raise ValueError('This extension has already been set.')
    return CertificateRevocationListBuilder(
        self._issuer_name,
        self._last_update,
        self._next_update,
        [*self._extensions, wrapped],
        self._revoked_certificates,
    )
def add_extension(self, extension, critical):
    """
    Adds an X.509 extension to the certificate.

    Returns a new ``CertificateBuilder``; the current one is left untouched.

    :param extension: the extension value; must be an ``ExtensionType``.
    :param critical: whether the extension is flagged critical.
    :raises TypeError: if ``extension`` is not an ``ExtensionType``.
    :raises ValueError: if an extension with the same OID has already been
        added to this builder.
    """
    if not isinstance(extension, ExtensionType):
        raise TypeError("extension must be an ExtensionType")
    wrapped = Extension(extension.oid, critical, extension)
    # TODO: This is quadratic in the number of extensions — each add scans
    # every extension already present.
    if any(existing.oid == wrapped.oid for existing in self._extensions):
        raise ValueError('This extension has already been set.')
    return CertificateBuilder(
        self._issuer_name,
        self._subject_name,
        self._public_key,
        self._serial_number,
        self._not_valid_before,
        self._not_valid_after,
        [*self._extensions, wrapped],
    )
def get_extension_keyusage(ext_attr):
    """
    Build a critical KeyUsage extension from the usage names in ``ext_attr``.

    Every KeyUsage bit is passed explicitly: True when its snake_case name
    is contained in ``ext_attr``, False otherwise.  Entries of ``ext_attr``
    that are not KeyUsage bit names are ignored, so a misspelled usage
    silently becomes False rather than raising.

    :param ext_attr: container supporting ``in`` (e.g. a list or set of
        usage names).
    :returns: ``Extension`` wrapping the ``x509.KeyUsage``, marked critical.
    """
    usage_names = (
        "digital_signature",
        "content_commitment",
        "key_encipherment",
        "data_encipherment",
        "key_agreement",
        "key_cert_sign",
        "crl_sign",
        "encipher_only",
        "decipher_only",
    )
    flags = {name: name in ext_attr for name in usage_names}
    return Extension(ExtensionOID.KEY_USAGE, True, x509.KeyUsage(**flags))