示例#1
0
def _gen_ca():
    public, private = _gen_key()
    builder = CertificateBuilder(
        {"organization_name": "Fake Certificate Authority"}, public)
    builder.self_signed = True
    builder.ca = True
    return (_dump_cert(builder.build(private)), _dump_private(private))
def generate_cert_and_key(cn, filename, keysize, keytype='rsa'):
    ca_key_name = '%s.key' % filename
    ca_cert_name = '%s.crt' % filename

    curdir = pathlib.Path(__file__).parent

    # Generate and save the key and certificate for the root CA
    root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
        keytype, bit_size=keysize)

    with open(curdir.joinpath(ca_key_name), 'wb') as f:
        f.write(asymmetric.dump_private_key(root_ca_private_key, None))

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'Codex Non Sufficit LC',
            'common_name': cn,
        }, root_ca_public_key)
    builder.self_signed = True
    builder.ca = True
    root_ca_certificate = builder.build(root_ca_private_key)

    with open(curdir.joinpath(ca_cert_name), 'wb') as f:
        f.write(pem_armor_certificate(root_ca_certificate))
示例#3
0
def generate_no_san_cert(domain, base_year, quiet=False):
    if not quiet:
        write('Generating domain-match cert ... ', end='')

    ca_private_key = load_private('ca')
    ca_cert = load_cert('ca')
    public_key = load_public('host')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'Bad TLS Limited',
            'common_name': 'no-san.{}'.format(domain),
        },
        public_key
    )
    builder.issuer = ca_cert
    builder.begin_date = datetime(base_year, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 3, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    certificate = builder.build(ca_private_key)

    dump_cert('no-san', certificate)

    if not quiet:
        write('done')
示例#4
0
def gencert(name):
    ca_cert_data, ca_private_data = _gen_ca()
    public_data, private_data = _cert_key()

    builder = CertificateBuilder({"common_name": name},
                                 _load_public(public_data))
    builder.issuer = _load_cert(ca_cert_data)
    builder.subject_alt_domains = [name]
    cert = builder.build(_load_private(ca_private_data))
    return (_dump_cert(cert), private_data, ca_cert_data)
示例#5
0
    def generate_self_signed(cls, cn, key_usage, private_key=None):
        if private_key is None:
            private_key = cls.generate_pair()

        builder = CertificateBuilder({
            u'common_name': six.text_type(cn),
        }, private_key.public_key.to_asn1_public_key())
        builder.key_usage = key_usage  #[u'digital_signature', u'key_encipherment']
        builder.self_signed = True
        certificate = builder.build(private_key.to_asn1_private_key())
        return Certificate(certificate=certificate), private_key
    def test_build_end_entity_cert(self):
        public_key, private_key = self.ec_secp256r1

        builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            public_key
        )
        builder.self_signed = True
        builder.subject_alt_domains = ['example.com']
        certificate = builder.build(private_key)
        der_bytes = certificate.dump()

        new_certificate = asn1crypto.x509.Certificate.load(der_bytes)

        self.assertEqual('sha256', new_certificate.hash_algo)
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            new_certificate.issuer.native
        )
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            new_certificate.subject.native
        )
        self.assertEqual('ecdsa', new_certificate.signature_algo)
        self.assertEqual(set(['key_usage']), new_certificate.critical_extensions)
        self.assertEqual(set(['digital_signature', 'key_encipherment']), new_certificate.key_usage_value.native)
        self.assertEqual(['server_auth', 'client_auth'], new_certificate.extended_key_usage_value.native)
        self.assertEqual(None, new_certificate.authority_key_identifier)
        self.assertEqual(False, new_certificate.ca)
        self.assertEqual(True, new_certificate.self_issued)
        self.assertEqual('yes', new_certificate.self_signed)
        self.assertEqual(certificate.public_key.sha1, new_certificate.key_identifier)
        self.assertEqual(['example.com'], new_certificate.valid_domains)
    def test_build_ca_cert(self):
        public_key, private_key = self.ec_secp256r1

        builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            public_key
        )
        builder.hash_algo = 'sha512'
        builder.self_signed = True
        builder.ca = True
        certificate = builder.build(private_key)
        der_bytes = certificate.dump()

        new_certificate = asn1crypto.x509.Certificate.load(der_bytes)

        self.assertEqual('sha512', new_certificate.hash_algo)
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            new_certificate.issuer.native
        )
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            new_certificate.subject.native
        )
        self.assertEqual('ecdsa', new_certificate.signature_algo)
        self.assertEqual(set(['key_usage', 'basic_constraints']), new_certificate.critical_extensions)
        self.assertEqual(set(['key_cert_sign', 'crl_sign']), new_certificate.key_usage_value.native)
        self.assertEqual(None, new_certificate.extended_key_usage_value)
        self.assertEqual(None, new_certificate.authority_key_identifier)
        self.assertEqual(True, new_certificate.ca)
        self.assertEqual(True, new_certificate.self_issued)
        self.assertEqual('yes', new_certificate.self_signed)
        self.assertEqual(certificate.public_key.sha1, new_certificate.key_identifier)
    def test_build_end_entity_cert(self):
        public_key, private_key = self.ec_secp256r1

        builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            public_key
        )
        builder.self_signed = True
        builder.subject_alt_domains = ['example.com']
        certificate = builder.build(private_key)
        der_bytes = certificate.dump()

        new_certificate = asn1crypto.x509.Certificate.load(der_bytes)

        self.assertEqual('sha256', new_certificate.hash_algo)
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            new_certificate.issuer.native
        )
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            new_certificate.subject.native
        )
        self.assertEqual('ecdsa', new_certificate.signature_algo)
        self.assertEqual(set(['key_usage']), new_certificate.critical_extensions)
        self.assertEqual(set(['digital_signature', 'key_encipherment']), new_certificate.key_usage_value.native)
        self.assertEqual(['server_auth', 'client_auth'], new_certificate.extended_key_usage_value.native)
        self.assertEqual(None, new_certificate.authority_key_identifier)
        self.assertEqual(False, new_certificate.ca)
        self.assertEqual(True, new_certificate.self_issued)
        self.assertEqual('yes', new_certificate.self_signed)
        self.assertEqual(certificate.public_key.sha1, new_certificate.key_identifier)
        self.assertEqual(['example.com'], new_certificate.valid_domains)
示例#9
0
def generate_weak_sig_cert(domain, base_year, quiet=False):
    if not quiet:
        write('Generating weak-sig cert ... ', end='')

    full_domain = 'weak-sig.{}'.format(domain)
    ca_private_key = load_private('ca')
    ca_cert = load_cert('ca')
    public_key = load_public('host')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'Bad TLS Limited',
            'common_name': full_domain,
        },
        public_key
    )
    builder.issuer = ca_cert
    builder.subject_alt_domains = [full_domain]
    # Hack since API doesn't allow selection of weak algo
    builder._hash_algo = 'md5'
    builder.begin_date = datetime(base_year, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 3, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    certificate = builder.build(ca_private_key)

    dump_cert('weak-sig', certificate)

    if not quiet:
        write('done')
示例#10
0
def generate_bad_key_usage_cert(domain, base_year, quiet=False):
    if not quiet:
        write('Generating bad-key-usage cert ... ', end='')

    full_domain = 'bad-key-usage.{}'.format(domain)
    ca_private_key = load_private('ca')
    ca_cert = load_cert('ca')
    public_key = load_public('host')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'Bad TLS Limited',
            'common_name': full_domain,
        },
        public_key
    )
    builder.issuer = ca_cert
    builder.subject_alt_domains = [full_domain]
    builder.begin_date = datetime(base_year, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 3, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    builder.key_usage = set(['crl_sign'])
    builder.extended_key_usage = set(['email_protection'])
    certificate = builder.build(ca_private_key)

    dump_cert('bad-key-usage', certificate)

    if not quiet:
        write('done')
示例#11
0
def build_ca():
    if not os.path.exists(settings.CA_PATH):
        os.makedirs(settings.CA_PATH)

    root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
        'rsa', bit_size=4096)

    with open(settings.CA_KEY, 'wb') as f:
        f.write(
            asymmetric.dump_private_key(root_ca_private_key,
                                        settings.CA_KEY_PASSWD))

    builder = CertificateBuilder(
        {
            'country_name': 'CR',
            'state_or_province_name': 'San Jose',
            'locality_name': 'Costa Rica',
            'organization_name': 'DFVA Independiente',
            'common_name': 'DFVA Root CA 1',
        }, root_ca_public_key)
    now = timezone.now()
    builder.self_signed = True
    builder.ca = True
    builder.end_date = now + timedelta(settings.CA_CERT_DURATION * 10)
    root_ca_certificate = builder.build(root_ca_private_key)

    with open(settings.CA_CERT, 'wb') as f:
        f.write(pem_armor_certificate(root_ca_certificate))

    builder = CertificateListBuilder('http://crl.dfva.info',
                                     root_ca_certificate, 1000)
    crl_list = builder.build(root_ca_private_key)

    with open(settings.CA_CRL, 'wb') as f:
        f.write(crl_list.dump())
示例#12
0
def create_certificate_for_client(client_details):

    # load client public key
    path_for_client_public_key = PUBLIC_KEY_STORE + file_names.get_public_key_name(
        client_details['domain_name'])

    client_public_key = asymmetric.load_public_key\
                (get_byte_stream_for_file(path_for_client_public_key))

    root_ca_private_key = asymmetric.load_private_key\
                (get_byte_stream_for_file(ROOT_CA_PRIVATE_KEY_PATH), ROOT_CA_PRIVATE_KEY_PASSWORD)

    root_ca_public_key = asymmetric.load_public_key\
                (get_byte_stream_for_file(ROOT_CA_PUBLIC_KEY))

    root_ca_certificate = asymmetric.load_certificate\
                (get_byte_stream_for_file(ROOT_CA_CERTIFICATE))

    builder = CertificateBuilder(
        {
            u'country_name': client_details['country'],  #.decode('utf-8'),
            u'state_or_province_name':
            client_details['state'],  #.decode('utf-8'),
            u'locality_name': client_details['city'],  #.decode('utf-8'),
            u'organization_name': client_details['name'],  #.decode('utf-8'),
            u'common_name': get_dns_formatted_name(
                client_details['domain_name']),  #.decode('utf-8'),
        },
        client_public_key)

    dns_name = []
    dns_name.append(u'opengns.com')
    builder.issuer = root_ca_certificate

    builder.subject_alt_domains = dns_name
    #builder.set_extension(u'authority_information_access', u'1.3.6.1.5.5.7.1.1')

    client_certificate = builder.build(root_ca_private_key)
    client_certificate_name = file_names.get_certificate_name(
        client_details['domain_name'])

    total_path = CERTIFICATE_OUTPUT_DIRECTORY + client_certificate_name

    with open(total_path, 'wb') as f:
        f.write(pem_armor_certificate(client_certificate))

    return client_certificate_name
示例#13
0
def generate_expired_cert(domain, base_year, quiet=False):
    if not quiet:
        write('Generating expired cert ... ', end='')

    full_domain = 'expired.{}'.format(domain)
    ca_private_key = load_private('ca')
    ca_cert = load_cert('ca')
    public_key = load_public('host')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'Bad TLS Limited',
            'common_name': full_domain,
        }, public_key)
    builder.issuer = ca_cert
    builder.subject_alt_domains = [full_domain]
    builder.begin_date = datetime(base_year - 1,
                                  1,
                                  1,
                                  0,
                                  0,
                                  0,
                                  tzinfo=timezone.utc)
    builder.end_date = datetime(base_year, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    certificate = builder.build(ca_private_key)

    dump_cert('expired', certificate)

    if not quiet:
        write('done')
示例#14
0
def generate_ca2_cert(base_year, quiet=False):
    if not quiet:
        write('Generating ca2 cert ... ', end='')

    public_key = load_public('ca2')
    private_key = load_private('ca2')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'Good TLS Limited',
            'common_name': 'Good TLS Limited RSA CA',
        },
        public_key
    )
    builder.self_signed = True
    builder.ca = True
    builder.begin_date = datetime(base_year, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 10, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    certificate = builder.build(private_key)

    dump_cert('ca2', certificate)

    if not quiet:
        write('done')
示例#15
0
    def retrieve_cert(self, certificate_request):
        log.debug("Getting certificate status for id %s" %
                  certificate_request.id)

        time.sleep(0.1)
        end_entity_public_key, end_entity_private_key = asymmetric.generate_pair(
            'rsa', bit_size=2048)
        builder = CertificateBuilder(
            {
                'common_name': certificate_request.common_name,
            }, end_entity_public_key)

        root_ca_certificate = asymmetric.load_certificate(ROOT_CA)
        root_ca_private_key = asymmetric.load_private_key(ROOT_CA_KEY)

        builder.issuer = root_ca_certificate
        end_entity_certificate = builder.build(root_ca_private_key)
        return (pem_armor_certificate(end_entity_certificate).decode())
示例#16
0
def create_certificate():
    root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
        'rsa', bit_size=2048)

    with open('root_ca.key', 'wb') as f:
        f.write(asymmetric.dump_private_key(root_ca_private_key, u'p'))

    with open('root_ca_public.key', 'wb') as f:
        f.write(asymmetric.dump_public_key(root_ca_public_key, 'pem'))

    builder = CertificateBuilder(
        {
            u'country_name': u'US',
            u'state_or_province_name': u'Massachusetts',
            u'locality_name': u'Amherst',
            u'organization_name': u'Name Certifying service',
            u'common_name': u'NCS Root CA',
        }, root_ca_public_key)
    builder.self_signed = True
    builder.ca = True
    root_ca_certificate = builder.build(root_ca_private_key)

    with open('root_ca.crt', 'wb') as f:
        f.write(pem_armor_certificate(root_ca_certificate))

    # Generate an end-entity key and certificate, signed by the root
    end_entity_public_key, end_entity_private_key = asymmetric.generate_pair(
        'rsa', bit_size=2048)

    with open('ramteja_tadishetti_private.key', 'wb') as f:
        f.write(asymmetric.dump_private_key(end_entity_private_key, u'p'))

    with open('ramteja_tadishetti_public.key', 'wb') as f:
        f.write(asymmetric.dump_public_key(end_entity_public_key, 'pem'))

    builder = CertificateBuilder(
        {
            u'country_name': u'US',
            u'state_or_province_name': u'Massachusetts',
            u'locality_name': u'Amherst',
            u'organization_name': u'Ramteja Tadishetti Corp',
            u'common_name': u'ramtejatadishetti',
        }, end_entity_public_key)
    builder.issuer = root_ca_certificate
    #builder.set_extension( u'1.2.840.113549.1.1.1', 'ramteja', allow_deprecated=False)
    end_entity_certificate = builder.build(root_ca_private_key)

    with open('ramteja_tadishetti.crt', 'wb') as f:
        f.write(pem_armor_certificate(end_entity_certificate))
    def test_tsa_certificate_extended_key_usage(self):
        public_key, private_key = self.ec_secp256r1

        builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            public_key
        )
        builder.self_signed = True
        builder.extended_key_usage = set(('time_stamping',))
        certificate = builder.build(private_key)
        der_bytes = certificate.dump()

        new_certificate = asn1crypto.x509.Certificate.load(der_bytes)
        self.assertEqual(set(['key_usage', 'extended_key_usage']), new_certificate.critical_extensions)
    def test_validity_general_times(self):
        public_key, private_key = self.ec_secp256r1

        builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            }, public_key)
        builder.self_signed = True
        builder.begin_date = datetime(2050, 1, 1, tzinfo=timezone.utc)
        builder.end_date = datetime(2052, 1, 1, tzinfo=timezone.utc)
        certificate = builder.build(private_key)
        der_bytes = certificate.dump()

        new_certificate = asn1crypto.x509.Certificate.load(der_bytes)

        self.assertEqual(
            new_certificate['tbs_certificate']['validity']['not_before'].name,
            'general_time')
        self.assertEqual(
            new_certificate['tbs_certificate']['validity']['not_after'].name,
            'general_time')
示例#19
0
def generate_expired_1963_cert(domain, quiet=False):
    if not quiet:
        write('Generating expired-1963 cert ... ', end='')

    full_domain = 'expired-1963.{}'.format(domain)
    ca_private_key = load_private('ca')
    ca_cert = load_cert('ca')
    public_key = load_public('host')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'Bad TLS Limited',
            'common_name': full_domain,
        },
        public_key
    )
    builder.issuer = ca_cert
    builder.subject_alt_domains = [full_domain]
    builder.begin_date = datetime(1962, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    builder.end_date = datetime(1963, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    certificate = builder.build(ca_private_key)

    dump_cert('expired-1963', certificate)

    if not quiet:
        write('done')
示例#20
0
def generate_ca_cert(base_year, quiet=False):
    if not quiet:
        write('Generating ca cert ... ', end='')

    public_key = load_public('ca')
    private_key = load_private('ca')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'Bad TLS Limited',
            'common_name': 'Bad TLS Limited RSA CA',
        },
        public_key
    )
    builder.self_signed = True
    builder.ca = True
    builder.begin_date = datetime(base_year, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 10, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    certificate = builder.build(private_key)

    dump_cert('ca', certificate)

    if not quiet:
        write('done')
示例#21
0
    def generate_certificate(self, domain, save_model):
        """This function takes a domain name as a parameter and then creates
        a certificate and key with the domain name (replacing dots
        by underscores), finally signing the certificate using specified CA and
        returns the path of key and cert files. If you are yet to generate a CA
        then check the top comments"""

        logger.info("SimpleCA: certificate creation request %s" % (domain,))

        ca_private_key = asymmetric.load_private_key(
            self.ca_key,
            password=settings.CA_KEY_PASSWD)
        ca_certificate = asymmetric.load_certificate(self.ca_crt)

        end_entity_public_key, end_entity_private_key = \
            asymmetric.generate_pair('rsa', bit_size=2048)

        builder = CertificateBuilder(
            {
                'country_name': 'CR',
                'state_or_province_name': 'San Jose',
                'locality_name': 'Costa Rica',
                'organization_name': save_model.name,
                "organizational_unit_name": save_model.institution_unit,
                'common_name': domain,
            },
            end_entity_public_key
        )
        now = timezone.now()
        builder.issuer = ca_certificate
        builder.begin_date = now
        builder.end_date = now+timedelta(settings.CA_CERT_DURATION)
        builder.key_usage = set(['digital_signature'])
        end_entity_certificate = builder.build(ca_private_key)
        # settings.CA_CERT_DURATION

        server_public_key, server_private_key = \
            asymmetric.generate_pair('rsa', bit_size=2048)

        save_model.private_key = asymmetric.dump_private_key(
            end_entity_private_key, None)
        save_model.public_key = asymmetric.dump_public_key(
            end_entity_public_key)
        save_model.public_certificate = pem_armor_certificate(
            end_entity_certificate)

        save_model.server_sign_key = asymmetric.dump_private_key(
            server_private_key, None)
        save_model.server_public_key = asymmetric.dump_public_key(
            server_public_key)

        logger.debug("SimpleCA: New certificate for %s is %r" %
                     (domain, save_model.public_certificate))
        return save_model
示例#22
0
    def issue_cert(self, csr: CsrBuilder) -> (PrivateKey, Cert):
        public_key, private_key = asymmetric.generate_pair('rsa',
                                                           bit_size=4096)
        builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            }, public_key)
        builder.self_signed = True
        cert = builder.build(private_key)
        serial = SerialNumber.from_int(cert.serial_number).as_hex()

        keypath = self._cert_dir / (serial + '.key')
        with keypath.open('wb') as f:
            f.write(asymmetric.dump_private_key(private_key, 'password'))

        certpath = self._cert_dir / (serial + '.pem')
        with certpath.open('wb') as f:
            f.write(pem_armor_certificate(cert))
    def test_validity_general_times(self):
        public_key, private_key = self.ec_secp256r1

        builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            public_key
        )
        builder.self_signed = True
        builder.begin_date = datetime(2050, 1, 1, tzinfo=timezone.utc)
        builder.end_date = datetime(2052, 1, 1, tzinfo=timezone.utc)
        certificate = builder.build(private_key)
        der_bytes = certificate.dump()

        new_certificate = asn1crypto.x509.Certificate.load(der_bytes)

        self.assertEqual(new_certificate['tbs_certificate']['validity']['not_before'].name, 'general_time')
        self.assertEqual(new_certificate['tbs_certificate']['validity']['not_after'].name, 'general_time')
示例#24
0
def create_certificate():
    root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
        'rsa', bit_size=2048)

    with open('root_ca.key', 'wb') as f:
        f.write(asymmetric.dump_private_key(root_ca_private_key, u'p'))

    with open('root_ca_public.key', 'wb') as f:
        f.write(asymmetric.dump_public_key(root_ca_public_key, 'pem'))

    builder = CertificateBuilder(
        {
            u'country_name': u'US',
            u'state_or_province_name': u'Massachusetts',
            u'locality_name': u'Amherst',
            u'organization_name': u'Name Certifying service',
            u'common_name': u'NCS Root CA',
        }, root_ca_public_key)
    builder.self_signed = True
    builder.ca = True
    root_ca_certificate = builder.build(root_ca_private_key)

    with open('root_ca.crt', 'wb') as f:
        f.write(pem_armor_certificate(root_ca_certificate))
    def test_build_ca_cert(self):
        public_key, private_key = self.ec_secp256r1

        builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            public_key
        )
        builder.hash_algo = 'sha512'
        builder.self_signed = True
        builder.ca = True
        certificate = builder.build(private_key)
        der_bytes = certificate.dump()

        new_certificate = asn1crypto.x509.Certificate.load(der_bytes)

        self.assertEqual('sha512', new_certificate.hash_algo)
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            new_certificate.issuer.native
        )
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            new_certificate.subject.native
        )
        self.assertEqual('ecdsa', new_certificate.signature_algo)
        self.assertEqual(set(['key_usage', 'basic_constraints']), new_certificate.critical_extensions)
        self.assertEqual(set(['key_cert_sign', 'crl_sign']), new_certificate.key_usage_value.native)
        self.assertEqual(None, new_certificate.extended_key_usage_value)
        self.assertEqual(None, new_certificate.authority_key_identifier)
        self.assertEqual(True, new_certificate.ca)
        self.assertEqual(True, new_certificate.self_issued)
        self.assertEqual('yes', new_certificate.self_signed)
        self.assertEqual(certificate.public_key.sha1, new_certificate.key_identifier)
    def test_subject_alt_name_shortcuts(self):
        public_key, private_key = self.ec_secp256r1

        builder = CertificateBuilder(
            {'country_name': 'US', 'common_name': 'Test'},
            public_key
        )
        builder.self_signed = True

        self.assertEqual(builder.subject_alt_domains, [])

        builder.subject_alt_domains = ['example.com', 'example.org']
        builder.subject_alt_emails = ['*****@*****.**', '*****@*****.**']
        builder.subject_alt_ips = ['127.0.0.1']
        builder.subject_alt_uris = ['http://example.com', 'https://bücher.ch']

        self.assertEqual(builder.subject_alt_domains, ['example.com', 'example.org'])
        self.assertEqual(builder.subject_alt_emails, ['*****@*****.**', '*****@*****.**'])
        self.assertEqual(builder.subject_alt_ips, ['127.0.0.1'])
        self.assertEqual(builder.subject_alt_uris, ['http://example.com', 'https://bücher.ch'])

        builder.subject_alt_domains = []
        self.assertEqual(builder.subject_alt_domains, [])

        builder.subject_alt_emails = []
        self.assertEqual(builder.subject_alt_emails, [])

        builder.subject_alt_ips = []
        self.assertEqual(builder.subject_alt_ips, [])

        builder.subject_alt_uris = []
        self.assertEqual(builder.subject_alt_uris, [])

        builder.subject_alt_uris = ['https://bücher.ch']

        certificate = builder.build(private_key)

        self.assertEqual(b'\x86\x18https://xn--bcher-kva.ch', certificate.subject_alt_name_value[0].contents)
    def test_build_chain_of_certs(self):
        ca_public_key, ca_private_key = self.ec_secp521r1
        ee_public_key, _ = self.ec_secp256r1

        ca_builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Codex Non Sufficit LC - Primary CA',
            },
            ca_public_key
        )
        ca_builder.hash_algo = 'sha512'
        ca_builder.self_signed = True
        ca_builder.ca = True
        ca_certificate = ca_builder.build(ca_private_key)

        ee_builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            ee_public_key
        )
        ee_builder.issuer = ca_certificate
        ee_builder.serial_number = 1
        ee_certificate = ee_builder.build(ca_private_key)
        der_bytes = ee_certificate.dump()

        new_certificate = asn1crypto.x509.Certificate.load(der_bytes)

        self.assertEqual('sha256', new_certificate.hash_algo)
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Codex Non Sufficit LC - Primary CA',
            },
            new_certificate.issuer.native
        )
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            },
            new_certificate.subject.native
        )
        self.assertEqual('ecdsa', new_certificate.signature_algo)
        self.assertEqual(set(['key_usage']), new_certificate.critical_extensions)
        self.assertEqual(set(['digital_signature', 'key_encipherment']), new_certificate.key_usage_value.native)
        self.assertEqual(['server_auth', 'client_auth'], new_certificate.extended_key_usage_value.native)
        self.assertEqual(ca_certificate.key_identifier, new_certificate.authority_key_identifier)
        self.assertEqual(False, new_certificate.ca)
        self.assertEqual(False, new_certificate.self_issued)
        self.assertEqual('no', new_certificate.self_signed)
示例#28
0
def _sign(csr,
          buf,
          skip_notify=False,
          skip_push=False,
          overwrite=False,
          profile="default",
          signer=None):
    # TODO: CRLDistributionPoints, OCSP URL, Certificate URL
    if profile not in config.PROFILES:
        raise ValueError("Invalid profile supplied '%s'" % profile)

    assert buf.startswith(b"-----BEGIN ")
    assert isinstance(csr, CertificationRequest)
    csr_pubkey = asymmetric.load_public_key(
        csr["certification_request_info"]["subject_pk_info"])
    common_name = csr["certification_request_info"]["subject"].native[
        "common_name"]
    cert_path = os.path.join(config.SIGNED_DIR, "%s.pem" % common_name)
    renew = False

    attachments = [
        (buf, "application/x-pem-file", common_name + ".csr"),
    ]

    revoked_path = None
    overwritten = False

    # Move existing certificate if necessary
    if os.path.exists(cert_path):
        with open(cert_path, "rb") as fh:
            prev_buf = fh.read()
            header, _, der_bytes = pem.unarmor(prev_buf)
            prev = x509.Certificate.load(der_bytes)

            # TODO: assert validity here again?
            renew = \
                asymmetric.load_public_key(prev["tbs_certificate"]["subject_public_key_info"]) == \
                csr_pubkey
            # BUGBUG: is this enough?

        if overwrite:
            # TODO: is this the best approach?
            prev_serial_hex = "%x" % prev.serial_number
            revoked_path = os.path.join(config.REVOKED_DIR,
                                        "%s.pem" % prev_serial_hex)
            os.rename(cert_path, revoked_path)
            attachments += [(prev_buf, "application/x-pem-file",
                             "deprecated.crt" if renew else "overwritten.crt")]
            overwritten = True
        else:
            raise FileExistsError("Will not overwrite existing certificate")

    # Sign via signer process
    dn = {u'common_name': common_name}
    profile_server_flags, lifetime, dn[
        "organizational_unit_name"], _ = config.PROFILES[profile]
    lifetime = int(lifetime)

    builder = CertificateBuilder(dn, csr_pubkey)
    builder.serial_number = random.randint(
        0x1000000000000000000000000000000000000000,
        0x7fffffffffffffffffffffffffffffffffffffff)

    now = datetime.utcnow()
    builder.begin_date = now - timedelta(minutes=5)
    builder.end_date = now + timedelta(days=lifetime)
    builder.issuer = certificate
    builder.ca = False
    builder.key_usage = set(["digital_signature", "key_encipherment"])

    # If we have FQDN and profile suggests server flags, enable them
    if server_flags(common_name) and profile_server_flags:
        builder.subject_alt_domains = [
            common_name
        ]  # OpenVPN uses CN while StrongSwan uses SAN to match hostname of the server
        builder.extended_key_usage = set(
            ["server_auth", "1.3.6.1.5.5.8.2.2", "client_auth"])
    else:
        builder.subject_alt_domains = [common_name
                                       ]  # iOS demands SAN also for clients
        builder.extended_key_usage = set(["client_auth"])

    end_entity_cert = builder.build(private_key)
    end_entity_cert_buf = asymmetric.dump_certificate(end_entity_cert)
    with open(cert_path + ".part", "wb") as fh:
        fh.write(end_entity_cert_buf)

    os.rename(cert_path + ".part", cert_path)
    attachments.append(
        (end_entity_cert_buf, "application/x-pem-file", common_name + ".crt"))
    cert_serial_hex = "%x" % end_entity_cert.serial_number

    # Create symlink
    link_name = os.path.join(config.SIGNED_BY_SERIAL_DIR,
                             "%x.pem" % end_entity_cert.serial_number)
    assert not os.path.exists(
        link_name
    ), "Certificate with same serial number already exists: %s" % link_name
    os.symlink("../%s.pem" % common_name, link_name)

    # Copy filesystem attributes to newly signed certificate
    if revoked_path:
        for key in listxattr(revoked_path):
            if not key.startswith(b"user."):
                continue
            setxattr(cert_path, key, getxattr(revoked_path, key))

    # Attach signer username
    if signer:
        setxattr(cert_path, "user.signature.username", signer)

    if not skip_notify:
        # Send mail
        if renew:  # Same keypair
            mailer.send("certificate-renewed.md", **locals())
        else:  # New keypair
            mailer.send("certificate-signed.md", **locals())

    if not skip_push:
        url = config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest()
        click.echo("Publishing certificate at %s ..." % url)
        requests.post(url,
                      data=end_entity_cert_buf,
                      headers={
                          "User-Agent": "Certidude API",
                          "Content-Type": "application/x-x509-user-cert"
                      })

        push.publish("request-signed", common_name)
    return end_entity_cert, end_entity_cert_buf
示例#29
0
def _sign(csr,
          buf,
          profile,
          skip_notify=False,
          skip_push=False,
          overwrite=False,
          signer=None):
    # TODO: CRLDistributionPoints, OCSP URL, Certificate URL
    assert buf.startswith(b"-----BEGIN ")
    assert isinstance(csr, CertificationRequest)
    csr_pubkey = asymmetric.load_public_key(
        csr["certification_request_info"]["subject_pk_info"])
    common_name = csr["certification_request_info"]["subject"].native[
        "common_name"]
    cert_path = os.path.join(config.SIGNED_DIR, "%s.pem" % common_name)
    renew = False

    attachments = [
        (buf, "application/x-pem-file", common_name + ".csr"),
    ]

    revoked_path = None
    overwritten = False

    # Move existing certificate if necessary
    if os.path.exists(cert_path):
        with open(cert_path, "rb") as fh:
            prev_buf = fh.read()
            header, _, der_bytes = pem.unarmor(prev_buf)
            prev = x509.Certificate.load(der_bytes)

            # TODO: assert validity here again?
            renew = \
                asymmetric.load_public_key(prev["tbs_certificate"]["subject_public_key_info"]) == \
                csr_pubkey
            # BUGBUG: is this enough?

        if overwrite:
            # TODO: is this the best approach?
            # TODO: why didn't unittest detect bugs here?
            prev_serial_hex = "%x" % prev.serial_number
            revoked_path = os.path.join(config.REVOKED_DIR,
                                        "%040x.pem" % prev.serial_number)
            os.rename(cert_path, revoked_path)
            attachments += [(prev_buf, "application/x-pem-file",
                             "deprecated.crt" if renew else "overwritten.crt")]
            overwritten = True
        else:
            raise FileExistsError("Will not overwrite existing certificate")

    builder = CertificateBuilder(
        cn_to_dn(common_name,
                 const.FQDN,
                 o=certificate["tbs_certificate"]["subject"].native.get(
                     "organization_name"),
                 ou=profile.ou), csr_pubkey)
    builder.serial_number = generate_serial()

    now = datetime.utcnow()
    builder.begin_date = now - const.CLOCK_SKEW_TOLERANCE
    builder.end_date = now + timedelta(days=profile.lifetime)
    builder.issuer = certificate
    builder.ca = profile.ca
    builder.key_usage = profile.key_usage
    builder.extended_key_usage = profile.extended_key_usage
    builder.subject_alt_domains = [common_name]
    builder.ocsp_url = profile.responder_url
    builder.crl_url = profile.revoked_url

    end_entity_cert = builder.build(private_key)
    end_entity_cert_buf = asymmetric.dump_certificate(end_entity_cert)
    with open(cert_path + ".part", "wb") as fh:
        fh.write(end_entity_cert_buf)

    os.rename(cert_path + ".part", cert_path)
    attachments.append(
        (end_entity_cert_buf, "application/x-pem-file", common_name + ".crt"))
    cert_serial_hex = "%x" % end_entity_cert.serial_number

    # Create symlink
    link_name = os.path.join(config.SIGNED_BY_SERIAL_DIR,
                             "%040x.pem" % end_entity_cert.serial_number)
    assert not os.path.exists(
        link_name
    ), "Certificate with same serial number already exists: %s" % link_name
    os.symlink("../%s.pem" % common_name, link_name)

    # Copy filesystem attributes to newly signed certificate
    if revoked_path:
        for key in listxattr(revoked_path):
            if not key.startswith(b"user."):
                continue
            setxattr(cert_path, key, getxattr(revoked_path, key))

    # Attach signer username
    if signer:
        setxattr(cert_path, "user.signature.username", signer)

    if not skip_notify:
        # Send mail
        if renew:  # Same keypair
            mailer.send("certificate-renewed.md", **locals())
        else:  # New keypair
            mailer.send("certificate-signed.md", **locals())

    if not skip_push:
        url = config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest()
        click.echo("Publishing certificate at %s ..." % url)
        requests.post(url,
                      data=end_entity_cert_buf,
                      headers={
                          "User-Agent": "Certidude API",
                          "Content-Type": "application/x-x509-user-cert"
                      })
        if renew:
            # TODO: certificate-renewed event
            push.publish("certificate-revoked", common_name)
            push.publish("request-signed", common_name)
        else:
            push.publish("request-signed", common_name)
    return end_entity_cert, end_entity_cert_buf
    def test_build_chain_of_certs(self):
        ca_public_key, ca_private_key = self.ec_secp521r1
        ee_public_key, _ = self.ec_secp256r1

        ca_builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Codex Non Sufficit LC - Primary CA',
            }, ca_public_key)
        ca_builder.hash_algo = 'sha512'
        ca_builder.self_signed = True
        ca_builder.ca = True
        ca_certificate = ca_builder.build(ca_private_key)

        ee_builder = CertificateBuilder(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            }, ee_public_key)
        ee_builder.issuer = ca_certificate
        ee_builder.serial_number = 1
        ee_certificate = ee_builder.build(ca_private_key)
        der_bytes = ee_certificate.dump()

        new_certificate = asn1crypto.x509.Certificate.load(der_bytes)

        self.assertEqual('sha256', new_certificate.hash_algo)
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Codex Non Sufficit LC - Primary CA',
            }, new_certificate.issuer.native)
        self.assertEqual(
            {
                'country_name': 'US',
                'state_or_province_name': 'Massachusetts',
                'locality_name': 'Newbury',
                'organization_name': 'Codex Non Sufficit LC',
                'common_name': 'Will Bond',
            }, new_certificate.subject.native)
        self.assertEqual('ecdsa', new_certificate.signature_algo)
        self.assertEqual(set(['key_usage']),
                         new_certificate.critical_extensions)
        self.assertEqual(set(['digital_signature', 'key_encipherment']),
                         new_certificate.key_usage_value.native)
        self.assertEqual(['server_auth', 'client_auth'],
                         new_certificate.extended_key_usage_value.native)
        self.assertEqual(ca_certificate.key_identifier,
                         new_certificate.authority_key_identifier)
        self.assertEqual(False, new_certificate.ca)
        self.assertEqual(False, new_certificate.self_issued)
        self.assertEqual('no', new_certificate.self_signed)
示例#31
0
def generate_client_certs(domain, base_year, quiet=False):
    ca_private_key = load_private('ca')
    ca_cert = load_cert('ca')
    ca2_private_key = load_private('ca2')
    ca2_cert = load_cert('ca2')
    public_key = load_public('client')
    crl_url = 'http://crls.{}:9991/client.crl'.format(domain)

    # Certificate that is valid
    if not quiet:
        write('Generating good client cert ... ', end='')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'TLS Client Certificates Limited',
            'common_name': 'Good TLS Client Certificate',
        }, public_key)
    builder.issuer = ca_cert
    builder.crl_url = crl_url
    builder.begin_date = datetime(base_year,
                                  1,
                                  1,
                                  0,
                                  0,
                                  0,
                                  tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 3,
                                1,
                                1,
                                0,
                                0,
                                0,
                                tzinfo=timezone.utc)
    certificate = builder.build(ca_private_key)

    dump_cert('client-good', certificate)

    if not quiet:
        write('done')

    # Certificate that has expired
    if not quiet:
        write('Generating expired client cert ... ', end='')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'TLS Client Certificates Limited',
            'common_name': 'Expired TLS Client Certificate',
        }, public_key)
    builder.issuer = ca_cert
    builder.crl_url = crl_url
    builder.begin_date = datetime(base_year - 1,
                                  1,
                                  1,
                                  0,
                                  0,
                                  0,
                                  tzinfo=timezone.utc)
    builder.end_date = datetime(base_year, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    certificate = builder.build(ca_private_key)

    dump_cert('client-expired', certificate)

    if not quiet:
        write('done')

    # Certificate that is not yet valid
    if not quiet:
        write('Generating future client cert ... ', end='')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'TLS Client Certificates Limited',
            'common_name': 'Future TLS Client Certificate',
        }, public_key)
    builder.issuer = ca_cert
    builder.crl_url = crl_url
    builder.begin_date = datetime(base_year + 3,
                                  1,
                                  1,
                                  0,
                                  0,
                                  0,
                                  tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 4,
                                1,
                                1,
                                0,
                                0,
                                0,
                                tzinfo=timezone.utc)
    certificate = builder.build(ca_private_key)

    dump_cert('client-future', certificate)

    if not quiet:
        write('done')

    # Certificate issued by untrusted CA
    if not quiet:
        write('Generating untrusted client cert ... ', end='')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'TLS Client Certificates Limited',
            'common_name': 'Untrusted TLS Client Certificate',
        }, public_key)
    builder.issuer = ca2_cert
    builder.begin_date = datetime(base_year,
                                  1,
                                  1,
                                  0,
                                  0,
                                  0,
                                  tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 3,
                                1,
                                1,
                                0,
                                0,
                                0,
                                tzinfo=timezone.utc)
    certificate = builder.build(ca2_private_key)

    dump_cert('client-untrusted', certificate)

    if not quiet:
        write('done')

    # Certificate that has a weak signature
    if not quiet:
        write('Generating weak client cert ... ', end='')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'TLS Client Certificates Limited',
            'common_name': 'Weak TLS Client Certificate',
        }, public_key)
    builder.issuer = ca_cert
    builder.crl_url = crl_url
    # Hack since API doesn't allow selection of weak algo
    builder._hash_algo = 'md5'
    builder.begin_date = datetime(base_year,
                                  1,
                                  1,
                                  0,
                                  0,
                                  0,
                                  tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 3,
                                1,
                                1,
                                0,
                                0,
                                0,
                                tzinfo=timezone.utc)
    certificate = builder.build(ca_private_key)

    dump_cert('client-weak', certificate)

    if not quiet:
        write('done')

    # Certificate that has bad key usage
    if not quiet:
        write('Generating bad key usage client cert ... ', end='')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'TLS Client Certificates Limited',
            'common_name': 'Bad Key Usage TLS Client Certificate',
        }, public_key)
    builder.issuer = ca_cert
    builder.crl_url = crl_url
    builder.begin_date = datetime(base_year,
                                  1,
                                  1,
                                  0,
                                  0,
                                  0,
                                  tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 3,
                                1,
                                1,
                                0,
                                0,
                                0,
                                tzinfo=timezone.utc)
    builder.key_usage = set(['crl_sign'])
    builder.extended_key_usage = set(['email_protection'])
    certificate = builder.build(ca_private_key)

    dump_cert('client-bad-key-usage', certificate)

    if not quiet:
        write('done')

    # Certificate that has been revoked
    if not quiet:
        write('Generating revoked client cert ... ', end='')

    builder = CertificateBuilder(
        {
            'country_name': 'US',
            'state_or_province_name': 'Massachusetts',
            'locality_name': 'Newbury',
            'organization_name': 'TLS Client Certificates Limited',
            'common_name': 'Revoked TLS Client Certificate',
        }, public_key)
    builder.issuer = ca_cert
    builder.crl_url = crl_url
    builder.begin_date = datetime(base_year,
                                  1,
                                  1,
                                  0,
                                  0,
                                  0,
                                  tzinfo=timezone.utc)
    builder.end_date = datetime(base_year + 3,
                                1,
                                1,
                                0,
                                0,
                                0,
                                tzinfo=timezone.utc)
    revoked_certificate = builder.build(ca_private_key)

    dump_cert('client-revoked', revoked_certificate)

    if not quiet:
        write('done')

    crl_number = 1000
    crl_builder = CertificateListBuilder(crl_url, ca_cert, crl_number)

    crl_builder.add_certificate(
        revoked_certificate.serial_number,
        datetime(base_year, 1, 2, 0, 0, 0, tzinfo=timezone.utc),
        'key_compromise')

    certificate_list = crl_builder.build(ca_private_key)
    dump_crl('client', certificate_list)
示例#32
0
import json
import sys

f = open("orqIp.txt", "r")
orq_ip = f.read()
f.close()

keyId = sys.argv[1]

r = requests.get("http://" + orq_ip + ":5000/getKey/" + keyId)
response = dict(json.loads(r.text))
pub_key = response["pubKey"]
asn1PublicKey = core.Asn1Value.load(unhexlify(pub_key))
publicKey = keys.PublicKeyInfo.wrap(asn1PublicKey, u'rsa')

builder = CertificateBuilder(
    {
        u'country_name': u'SP',
        u'state_or_province_name': u'Malaga',
        u'locality_name': u'Malaga',
        u'organization_name': u'NICS Lab',
        u'common_name': u'Certificacion Raiz'
    }, publicKey)
builder.self_signed = True
builder.ca = True

root_ca_certificate = builder.build_mpc(int(keyId), orq_ip, "5000")

with open('certificado_raiz.crt', 'wb') as f:
    f.write(pem_armor_certificate(root_ca_certificate))
示例#33
0

fixtures_dir = os.path.join(os.path.dirname(__file__), '..', 'tests', 'fixtures')


root_ca_private_key = asymmetric.load_private_key(os.path.join(fixtures_dir, 'test.key'))
root_ca_certificate = asymmetric.load_certificate(os.path.join(fixtures_dir, 'test.crt'))

root_ocsp_public_key, root_ocsp_private_key = asymmetric.generate_pair('rsa', bit_size=2048)

with open(os.path.join(fixtures_dir, 'test-ocsp.key'), 'wb') as f:
    f.write(asymmetric.dump_private_key(root_ocsp_private_key, 'password', target_ms=20))

builder = CertificateBuilder(
    {
        'country_name': 'US',
        'state_or_province_name': 'Massachusetts',
        'locality_name': 'Newbury',
        'organization_name': 'Codex Non Sufficit LC',
        'organization_unit_name': 'Testing',
        'common_name': 'CodexNS OCSP Responder',
    },
    root_ocsp_public_key
)
builder.extended_key_usage = set(['ocsp_signing'])
builder.issuer = root_ca_certificate
root_ocsp_certificate = builder.build(root_ca_private_key)

with open(os.path.join(fixtures_dir, 'test-ocsp.crt'), 'wb') as f:
    f.write(asymmetric.dump_certificate(root_ocsp_certificate))
    def test_subject_alt_name_shortcuts(self):
        public_key, private_key = self.ec_secp256r1

        builder = CertificateBuilder(
            {
                'country_name': 'US',
                'common_name': 'Test'
            }, public_key)
        builder.self_signed = True

        self.assertEqual(builder.subject_alt_domains, [])

        builder.subject_alt_domains = ['example.com', 'example.org']
        builder.subject_alt_emails = ['*****@*****.**', '*****@*****.**']
        builder.subject_alt_ips = ['127.0.0.1']
        builder.subject_alt_uris = ['http://example.com', 'https://bücher.ch']

        self.assertEqual(builder.subject_alt_domains,
                         ['example.com', 'example.org'])
        self.assertEqual(builder.subject_alt_emails,
                         ['*****@*****.**', '*****@*****.**'])
        self.assertEqual(builder.subject_alt_ips, ['127.0.0.1'])
        self.assertEqual(builder.subject_alt_uris,
                         ['http://example.com', 'https://bücher.ch'])

        builder.subject_alt_domains = []
        self.assertEqual(builder.subject_alt_domains, [])

        builder.subject_alt_emails = []
        self.assertEqual(builder.subject_alt_emails, [])

        builder.subject_alt_ips = []
        self.assertEqual(builder.subject_alt_ips, [])

        builder.subject_alt_uris = []
        self.assertEqual(builder.subject_alt_uris, [])

        builder.subject_alt_uris = ['https://bücher.ch']

        certificate = builder.build(private_key)

        self.assertEqual(b'\x86\x18https://xn--bcher-kva.ch',
                         certificate.subject_alt_name_value[0].contents)
示例#35
0
from oscrypto import asymmetric
from certbuilder import CertificateBuilder


fixtures_dir = os.path.join(os.path.dirname(__file__), "..", "tests", "fixtures")

root_ca_public_key, root_ca_private_key = asymmetric.generate_pair("rsa", bit_size=2048)

with open(os.path.join(fixtures_dir, "root.key"), "wb") as f:
    f.write(asymmetric.dump_private_key(root_ca_private_key, "password123", target_ms=20))

builder = CertificateBuilder(
    {
        "country_name": "US",
        "state_or_province_name": "Massachusetts",
        "locality_name": "Newbury",
        "organization_name": "Codex Non Sufficit LC",
        "common_name": "CodexNS Root CA 1",
    },
    root_ca_public_key,
)
builder.self_signed = True
builder.end_entity = False
root_ca_certificate = builder.build(root_ca_private_key)

with open(os.path.join(fixtures_dir, "root.crt"), "wb") as f:
    f.write(asymmetric.dump_certificate(root_ca_certificate))


root_crl_public_key, root_crl_private_key = asymmetric.generate_pair("rsa", bit_size=2048)

with open(os.path.join(fixtures_dir, "crl_issuer.key"), "wb") as f:
示例#36
0
fixtures_dir = os.path.join(os.path.dirname(__file__), '..', 'tests',
                            'fixtures')

root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
    'rsa', bit_size=2048)

with open(os.path.join(fixtures_dir, 'root.key'), 'wb') as f:
    f.write(
        asymmetric.dump_private_key(root_ca_private_key,
                                    'password123',
                                    target_ms=20))

builder = CertificateBuilder(
    {
        'country_name': 'US',
        'state_or_province_name': 'Massachusetts',
        'locality_name': 'Newbury',
        'organization_name': 'Codex Non Sufficit LC',
        'common_name': 'CodexNS Root CA 1',
    }, root_ca_public_key)
builder.self_signed = True
builder.end_entity = False
root_ca_certificate = builder.build(root_ca_private_key)

with open(os.path.join(fixtures_dir, 'root.crt'), 'wb') as f:
    f.write(asymmetric.dump_certificate(root_ca_certificate))

root_crl_public_key, root_crl_private_key = asymmetric.generate_pair(
    'rsa', bit_size=2048)

with open(os.path.join(fixtures_dir, 'crl_issuer.key'), 'wb') as f:
    f.write(
示例#37
0
root_ca_private_key = asymmetric.load_private_key(
    os.path.join(fixtures_dir, 'test.key'))
root_ca_certificate = asymmetric.load_certificate(
    os.path.join(fixtures_dir, 'test.crt'))

root_ocsp_public_key, root_ocsp_private_key = asymmetric.generate_pair(
    'rsa', bit_size=2048)

with open(os.path.join(fixtures_dir, 'test-ocsp.key'), 'wb') as f:
    f.write(
        asymmetric.dump_private_key(root_ocsp_private_key,
                                    'password',
                                    target_ms=20))

builder = CertificateBuilder(
    {
        'country_name': 'US',
        'state_or_province_name': 'Massachusetts',
        'locality_name': 'Newbury',
        'organization_name': 'Codex Non Sufficit LC',
        'organization_unit_name': 'Testing',
        'common_name': 'CodexNS OCSP Responder',
    }, root_ocsp_public_key)
builder.extended_key_usage = set(['ocsp_signing'])
builder.issuer = root_ca_certificate
root_ocsp_certificate = builder.build(root_ca_private_key)

with open(os.path.join(fixtures_dir, 'test-ocsp.crt'), 'wb') as f:
    f.write(asymmetric.dump_certificate(root_ocsp_certificate))
示例#38
0
def _sign(csr, buf, overwrite=False):
    # TODO: CRLDistributionPoints, OCSP URL, Certificate URL

    assert buf.startswith("-----BEGIN CERTIFICATE REQUEST-----\n")
    assert isinstance(csr, CertificationRequest)
    csr_pubkey = asymmetric.load_public_key(
        csr["certification_request_info"]["subject_pk_info"])
    common_name = csr["certification_request_info"]["subject"].native[
        "common_name"]
    cert_path = os.path.join(config.SIGNED_DIR, "%s.pem" % common_name)
    renew = False

    attachments = [
        (buf, "application/x-pem-file", common_name + ".csr"),
    ]

    revoked_path = None
    overwritten = False

    # Move existing certificate if necessary
    if os.path.exists(cert_path):
        with open(cert_path) as fh:
            prev_buf = fh.read()
            header, _, der_bytes = pem.unarmor(prev_buf)
            prev = x509.Certificate.load(der_bytes)

            # TODO: assert validity here again?
            renew = \
                asymmetric.load_public_key(prev["tbs_certificate"]["subject_public_key_info"]) == \
                csr_pubkey
            # BUGBUG: is this enough?

        if overwrite:
            # TODO: is this the best approach?
            prev_serial_hex = "%x" % prev.serial_number
            revoked_path = os.path.join(config.REVOKED_DIR,
                                        "%s.pem" % prev_serial_hex)
            os.rename(cert_path, revoked_path)
            attachments += [(prev_buf, "application/x-pem-file",
                             "deprecated.crt" if renew else "overwritten.crt")]
            overwritten = True
        else:
            raise EnvironmentError("Will not overwrite existing certificate")

    # Sign via signer process
    builder = CertificateBuilder({u'common_name': common_name}, csr_pubkey)
    builder.serial_number = random.randint(
        0x1000000000000000000000000000000000000000,
        0xffffffffffffffffffffffffffffffffffffffff)

    now = datetime.utcnow()
    builder.begin_date = now - timedelta(minutes=5)
    builder.end_date = now + timedelta(
        days=config.SERVER_CERTIFICATE_LIFETIME
        if server_flags(common_name) else config.CLIENT_CERTIFICATE_LIFETIME)
    builder.issuer = certificate
    builder.ca = False
    builder.key_usage = set([u"digital_signature", u"key_encipherment"])

    # OpenVPN uses CN while StrongSwan uses SAN
    if server_flags(common_name):
        builder.subject_alt_domains = [common_name]
        builder.extended_key_usage = set(
            [u"server_auth", u"1.3.6.1.5.5.8.2.2", u"client_auth"])
    else:
        builder.extended_key_usage = set([u"client_auth"])

    end_entity_cert = builder.build(private_key)
    end_entity_cert_buf = asymmetric.dump_certificate(end_entity_cert)
    with open(cert_path + ".part", "wb") as fh:
        fh.write(end_entity_cert_buf)

    os.rename(cert_path + ".part", cert_path)
    attachments.append(
        (end_entity_cert_buf, "application/x-pem-file", common_name + ".crt"))
    cert_serial_hex = "%x" % end_entity_cert.serial_number

    # Create symlink
    link_name = os.path.join(config.SIGNED_BY_SERIAL_DIR,
                             "%x.pem" % end_entity_cert.serial_number)
    assert not os.path.exists(
        link_name
    ), "Certificate with same serial number already exists: %s" % link_name
    os.symlink("../%s.pem" % common_name, link_name)

    # Copy filesystem attributes to newly signed certificate
    if revoked_path:
        for key in listxattr(revoked_path):
            if not key.startswith("user."):
                continue
            setxattr(cert_path, key, getxattr(revoked_path, key))

    # Send mail
    if renew:  # Same keypair
        mailer.send("certificate-renewed.md", **locals())
    else:  # New keypair
        mailer.send("certificate-signed.md", **locals())

    url = config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest()
    click.echo("Publishing certificate at %s ..." % url)
    requests.post(url,
                  data=end_entity_cert_buf,
                  headers={
                      "User-Agent": "Certidude API",
                      "Content-Type": "application/x-x509-user-cert"
                  })

    push.publish("request-signed", common_name)
    return end_entity_cert, end_entity_cert_buf