def test_key_agreement_false_encipher_decipher_true(self): with pytest.raises(ValueError): x509.KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=True, decipher_only=False) with pytest.raises(ValueError): x509.KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=True, decipher_only=True) with pytest.raises(ValueError): x509.KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=True)
def new_certificate_signing_request( template: Template, rsa_key: rsa.RSAPrivateKey) -> x509.CertificateSigningRequest: csr = x509.CertificateSigningRequestBuilder(subject_name=x509.Name( tuple( x509.NameAttribute(SubjectAttributeOID[k].value, v) for k, v in template.subject))).add_extension( x509.BasicConstraints( ca=template.basic_constraints.ca, path_length=template.basic_constraints.path_length), critical=True) if template.subject_alt_names: csr = csr.add_extension(x509.SubjectAlternativeName( tuple(x509.DNSName(s) for s in template.subject_alt_names)), critical=False) if template.key_usage: csr = csr.add_extension(x509.KeyUsage( digital_signature=template.key_usage.digital_signature, content_commitment=template.key_usage.content_commitment, key_encipherment=template.key_usage.key_encipherment, data_encipherment=template.key_usage.data_encipherment, key_agreement=template.key_usage.key_agreement, key_cert_sign=template.key_usage.key_cert_sign, crl_sign=template.key_usage.crl_sign, encipher_only=template.key_usage.encipher_only, decipher_only=template.key_usage.decipher_only), critical=True) csr = csr.sign(rsa_key, getattr(hashes, template.hash_algorithm)(), backend) csr_errors = check_csr(csr=csr, template=template) assert csr_errors == '', csr_errors return csr
def santest_csr(request, santest_host_1, santest_host_2): backend = default_backend() pkey = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, santest_host_1.fqdn), x509.NameAttribute(NameOID.ORGANIZATION_NAME, api.env.realm) ])).add_extension( x509.SubjectAlternativeName([ x509.DNSName(santest_host_1.name), x509.DNSName(santest_host_2.name) ]), False).add_extension( x509.BasicConstraints(ca=False, path_length=None), True).add_extension( x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), False).sign(pkey, hashes.SHA256(), backend).public_bytes( serialization.Encoding.PEM) return csr.decode('ascii')
def create_client_cert(result_dir, client_name): # If the key exists, we assume there is a valid keypair and certificate. if os.path.isfile("{}/client-configs/{}.key".format( result_dir, client_name)): logging.info("Client key already exists, not creating a new one..") return key = create_RSA_keypair("{}/client-configs/{}.key".format( result_dir, client_name)) with open("{}/ca.crt".format(result_dir), "rb") as f: data = f.read() ca_cert = x509.load_pem_x509_certificate(data, default_backend()) with open("{}/ca.key".format(result_dir), "rb") as f: data = f.read() ca_key = load_pem_private_key(data, None, default_backend()) subject = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"BE"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"East Flanders"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"Ghent"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Easy OpenVPN Server"), x509.NameAttribute(NameOID.COMMON_NAME, client_name), ]) cert = x509.CertificateBuilder().subject_name(subject).issuer_name( ca_cert.issuer ).public_key(key.public_key()).serial_number(x509.random_serial_number( )).not_valid_before(datetime.datetime.utcnow()).not_valid_after( # This certificate will be valid for about 100 years datetime.datetime.utcnow() + datetime.timedelta(days=36500) ).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=False, ).add_extension( # Make sure this key can only be used for clients # This is to prevent man-in-the-middle attack # with client certificate. # More info: # - https://openvpn.net/community-resources/how-to # - https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ x509.KeyUsage( digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False, ), critical=True, ).add_extension( x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=True, # Sign the certificate with ca key ).sign(ca_key, hashes.SHA256(), default_backend()) # Write the certificate out to disk. with open("{}/client-configs/{}.crt".format(result_dir, client_name), "wb") as f: f.write(cert.public_bytes(serialization.Encoding.PEM))
def _decode_key_usage(backend, ext): bit_string = backend._lib.X509V3_EXT_d2i(ext) assert bit_string != backend._ffi.NULL bit_string = backend._ffi.cast("ASN1_BIT_STRING *", bit_string) bit_string = backend._ffi.gc( bit_string, backend._lib.ASN1_BIT_STRING_free ) get_bit = backend._lib.ASN1_BIT_STRING_get_bit digital_signature = get_bit(bit_string, 0) == 1 content_commitment = get_bit(bit_string, 1) == 1 key_encipherment = get_bit(bit_string, 2) == 1 data_encipherment = get_bit(bit_string, 3) == 1 key_agreement = get_bit(bit_string, 4) == 1 key_cert_sign = get_bit(bit_string, 5) == 1 crl_sign = get_bit(bit_string, 6) == 1 encipher_only = get_bit(bit_string, 7) == 1 decipher_only = get_bit(bit_string, 8) == 1 return x509.KeyUsage( digital_signature, content_commitment, key_encipherment, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only )
def ensure_end_entity_cert(output_dir, names, ca_private_key, ca_cert, end_entity_public_key, is_server=True): name = names[0] end_entity_cert_filename = os.path.join( output_dir, safe_filename(name) + '.' + CERT_EXT) if os.path.exists(end_entity_cert_filename): return ca_public_key = ca_private_key.public_key() end_entity_cert_builder = x509.CertificateBuilder().\ subject_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, name), ])).\ issuer_name(ca_cert.subject).\ not_valid_before(datetime.datetime.today() - DAY).\ not_valid_after(datetime.datetime.today() + 3650 * DAY).\ serial_number(x509.random_serial_number()).\ public_key(end_entity_public_key).\ add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True).\ add_extension( x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=True).\ add_extension( x509.ExtendedKeyUsage([ ExtendedKeyUsageOID.SERVER_AUTH if is_server else ExtendedKeyUsageOID.CLIENT_AUTH, ]), critical=False).\ add_extension( x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_public_key), critical=False).\ add_extension( x509.SubjectKeyIdentifier.from_public_key(end_entity_public_key), critical=False) if is_server: end_entity_cert_builder.add_extension(x509.SubjectAlternativeName( [x509.DNSName(name) for name in names]), critical=False) end_entity_cert = end_entity_cert_builder.\ sign( private_key=ca_private_key, algorithm=hashes.SHA256(), backend=default_backend() ) with open(end_entity_cert_filename, "wb") as end_entity_cert_file: end_entity_cert_file.write( end_entity_cert.public_bytes(encoding=serialization.Encoding.PEM)) return end_entity_cert
def csr_sign(self, csr): return x509.CertificateBuilder().subject_name( csr.subject ).issuer_name( self.ca_cert.subject ).public_key( csr.public_key() ).serial_number( uuid.uuid4().int # pylint: disable=no-member ).not_valid_before( datetime.datetime.utcnow() ).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=365) ).add_extension( extension=x509.KeyUsage( digital_signature=True, key_encipherment=True, content_commitment=True, data_encipherment=False, key_agreement=False, encipher_only=False, decipher_only=False, key_cert_sign=False, crl_sign=False ), critical=True ).add_extension( extension=x509.BasicConstraints(ca=False, path_length=None), critical=True ).add_extension( extension=x509.AuthorityKeyIdentifier.from_issuer_public_key(self.ca_pk.public_key()), critical=False ).sign( private_key=self.ca_pk, algorithm=hashes.SHA256(), backend=default_backend() )
def prepare_certificate(hostname): # Mostly from: # https://www.programcreek.com/python/example/102792/ # cryptography.x509.CertificateBuilder return CertificateBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, hostname) ])).add_extension( extension=x509.SubjectAlternativeName([x509.DNSName(hostname) ]), critical=False).add_extension( extension=x509.KeyUsage(digital_signature=True, key_encipherment=True, content_commitment=True, data_encipherment=False, key_agreement=False, encipher_only=False, decipher_only=False, key_cert_sign=False, crl_sign=False), critical=True).add_extension( extension=x509.BasicConstraints(ca=False, path_length=None), critical=True).serial_number( uuid4().int).not_valid_before( datetime.utcnow()).not_valid_after( datetime.utcnow() + timedelta(days=365 * 10))
def mkcert(): """ Make a self-signed X.509 certificate. Make a self-signed X.509 certificate for signing new blocks. Returns ------- cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey The private key of the certificate cryptography.x509.Certificate The X.509 certificate string Fingerprint of the certificate in hex """ private_key = rsa.generate_private_key(public_exponent=65537, key_size = KEYSIZE,backend = default_backend()) public_key = private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, NODE_NAME),])) builder = builder.issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, NODE_NAME),])) builder = builder.not_valid_before(datetime.datetime.today()) builder = builder.not_valid_after(datetime.datetime(MAX_YEAR, 1, 1)) builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(public_key) builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(NODE_NAME)]), critical = False) builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical = True) builder = builder.add_extension(x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment = False, data_encipherment = False, key_agreement = False, key_cert_sign = False, crl_sign = False, encipher_only=False, decipher_only = False), critical = True) certificate = builder.sign(private_key = private_key, algorithm = hashes.SHA256(), backend = default_backend()) return private_key, certificate
def _build_extensions_as(subject_key: ec.EllipticCurvePrivateKey, issuer_key: ec.EllipticCurvePrivateKey) -> Extensions: """ Returns a list of Extension with the extension and its criticality """ return [ Extension(x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=True), Extension(x509.SubjectKeyIdentifier.from_public_key( subject_key.public_key()), critical=False), Extension(x509.AuthorityKeyIdentifier.from_issuer_public_key( issuer_key.public_key()), critical=False), Extension(x509.ExtendedKeyUsage([ x509.ExtendedKeyUsageOID.SERVER_AUTH, x509.ExtendedKeyUsageOID.CLIENT_AUTH, x509.ExtendedKeyUsageOID.TIME_STAMPING ]), critical=False) ]
def _build_extensions_ca(subject_key: ec.EllipticCurvePrivateKey, issuer_key: ec.EllipticCurvePrivateKey) -> Extensions: """ Returns a list of Extension with the extension and its criticality """ return [ Extension(x509.BasicConstraints(ca=True, path_length=0), critical=True), Extension(x509.KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False), critical=True), Extension(x509.SubjectKeyIdentifier.from_public_key( subject_key.public_key()), critical=False), Extension(x509.AuthorityKeyIdentifier.from_issuer_public_key( issuer_key.public_key()), critical=False) ]
def generate_ca_cert(self, cn, ou, o, expire_period=None, password=None): """CA 인증서 생성 Peer 인증서 발급 전용 인증서(ECC Key) :param cn: 주체 CommonName :param ou: 주체 OrganizationalUnitName :param o: 주체 OrganizationName :param expire_period: 인증서 유효기간(year) :param password: 개인키 암호화 비밀번호(8자리 이상) """ sign_pri_key = ec.generate_private_key(ec.SECP256K1(), default_backend()) sign_pub_key = sign_pri_key.public_key() subject_name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, cn), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou), x509.NameAttribute(NameOID.ORGANIZATION_NAME, o), x509.NameAttribute(NameOID.COUNTRY_NAME, "kr") ]) serial_number = self.__LAST_CA_INDEX + 1 key_usage = x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False) if expire_period is None: expire_period = self.__ca_expired new_cert = self.__generate_cert(pub_key=sign_pub_key, subject_name=subject_name, issuer_name=subject_name, serial_number=serial_number, expire_period=expire_period, key_usage=key_usage, issuer_priv=sign_pri_key) cert_pem = new_cert.public_bytes(encoding=serialization.Encoding.PEM) if password is None: pri_pem = sign_pri_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()) else: pri_pem = sign_pri_key.private_bytes( encoding=serialization.Encoding.DER, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.BestAvailableEncryption( password=password)) self.__save(self.__CA_PATH, cert_pem, pri_pem) self.__LAST_CA_INDEX += 1 self.__show_certificate(new_cert)
def make(pkey_pem, emails, usage): private_key = serialization.load_pem_private_key(pkey_pem, password=None) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, emails[0]), x509.NameAttribute(NameOID.EMAIL_ADDRESS, emails[0]), ])).add_extension( x509.SubjectAlternativeName([x509.RFC822Name(e) for e in emails] + [x509.DNSName(e) for e in emails]), critical=False, ) if (usage): data_encipherment, key_cert_sign, crl_sign, encipher_only, decipher_only = ( False, ) * 5 digital_signature = 'digitalSignature' in usage content_commitment = 'contentCommitment' in usage key_encipherment = 'keyEncipherment' in usage key_agreement = 'keyAgreement' in usage csr = csr.add_extension( x509.KeyUsage( digital_signature=digital_signature, content_commitment=content_commitment, key_encipherment=key_encipherment, data_encipherment=data_encipherment, key_agreement=key_agreement, key_cert_sign=key_cert_sign, crl_sign=crl_sign, encipher_only=encipher_only, decipher_only=decipher_only, ), critical=True, ) csr_pem = csr.sign(private_key, hashes.SHA256()).public_bytes( serialization.Encoding.PEM) return csr_pem
def _make_cert(subject_name, subject_key, issuer_name, issuer_key, extended_key_usage_oid): return x509.CertificateBuilder().subject_name( _make_name(subject_name)).issuer_name(issuer_name).public_key( subject_key.public_key()).serial_number(x509.random_serial_number( )).not_valid_before(datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta( days=settings.VPN_KEYGEN_CONFIG.KEY_EXPIRE)).add_extension( x509.SubjectAlternativeName( [x509.DNSName(subject_name)]), critical=False, ).add_extension( x509.AuthorityKeyIdentifier.from_issuer_public_key( issuer_key.public_key()), critical=False, ).add_extension( x509.SubjectKeyIdentifier.from_public_key( subject_key.public_key()), critical=False, ).add_extension( # digital_signature x509.KeyUsage(True, False, False, False, False, False, False, False, False), critical=True, ).add_extension( x509.ExtendedKeyUsage([extended_key_usage_oid]), critical=True, ).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ).sign(issuer_key, hashes.SHA256(), default_backend())
def csr(pk): private_key = load_pem_private_key(pk, password=None, backend=default_backend()) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'PELO_MENOS_ISTO'), ])) builder = builder.add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ) ext = x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False) # ku_args['digital_signature'] = True # ku_args['key_encipherment'] = True # ext = make_key_usage(**ku_args) builder = builder.add_extension(ext, critical=True) request = builder.sign(private_key, hashes.SHA256(), default_backend()) if (isinstance(request, x509.CertificateSigningRequest)): return request
def _create_ocsp_certificate(self, cert: CertificateType, private_key: Key, issuer_key: Key) -> x509.Certificate: Certificate._check_issuer_provided(cert) Certificate._check_policies(cert) self._builder = x509.CertificateBuilder() self._set_basic(cert, private_key, issuer_key) self._builder = self._builder.add_extension( x509.KeyUsage( digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False, ), critical=True, ) self._builder = self._builder.add_extension( x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=True, ) return self._sign_certificate(issuer_key)
def sign_csr(ca_cert, ca_key, csr): if not csr.is_signature_valid: raise ValueError("CSR has an invalid signature, not signing!") if len(csr.extensions) > 0: raise ValueError("CSR has extensions, we forbid this for simplicity") cb = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name( ca_cert.subject).not_valid_before(datetime.datetime.today() - datetime.timedelta(days=1)). not_valid_after(datetime.datetime.today() + datetime.timedelta(days=365)).serial_number( x509.random_serial_number()).public_key( csr.public_key()).add_extension( x509.KeyUsage( digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False, ), critical=True, ).add_extension( x509.ExtendedKeyUsage( [ExtendedKeyUsageOID.CLIENT_AUTH]), critical=True, )) # for extension in csr.extensions: # cb = cb.add_extension(extension.value, critical=extension.critical) certificate = cb.sign(private_key=ca_key, algorithm=hashes.SHA256(), backend=default_backend()) return certificate
def create_certificate_authority(common_name='xun-private-ca'): ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048) xun_name = x509.Name( [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]) now = datetime.utcnow() ca_cert = (x509.CertificateBuilder().subject_name(xun_name).issuer_name( xun_name).public_key(ca_key.public_key()).serial_number( x509.random_serial_number()).add_extension( x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False).add_extension( x509.BasicConstraints(ca=True, path_length=0), critical=True).add_extension( x509.KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False), critical=True).not_valid_before(now).not_valid_after( now + timedelta(days=60)).sign( ca_key, hashes.SHA256())) return Identity(key=ca_key, cert=ca_cert)
def create_cert_builder(key, subject, issuer, serial_number, is_cacert = False): now = datetime.utcnow() return ( x509.CertificateBuilder() .subject_name(subject) .issuer_name(issuer) .public_key(key.public_key()) .serial_number(serial_number) .not_valid_before(now) .not_valid_after(now + timedelta(days=365)) .add_extension( x509.BasicConstraints(is_cacert, None), critical=True) .add_extension( x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False) .add_extension( x509.KeyUsage( digital_signature=not is_cacert, content_commitment=not is_cacert, key_encipherment=not is_cacert, data_encipherment=not is_cacert, key_agreement=not is_cacert, key_cert_sign=is_cacert, crl_sign=is_cacert, encipher_only=False, decipher_only=False), critical=True) )
def signer_csr(self, nom_fichier_csr, nom_signataire): with open('%s.key.pem' % nom_signataire, 'rb') as fichier: private_bytes = fichier.read() signing_key = serialization.load_pem_private_key( private_bytes, password=None, backend=default_backend()) with open('%s.cert.pem' % nom_signataire, 'rb') as fichier: public_bytes = fichier.read() signing_cert = x509.load_pem_x509_certificate( public_bytes, backend=default_backend()) with open('%s.csr.pem' % nom_fichier_csr, 'rb') as fichier: public_bytes = fichier.read() fichier_csr = x509.load_pem_x509_csr(public_bytes, backend=default_backend()) one_day = datetime.timedelta(1, 0, 0) builder = x509.CertificateBuilder() builder = builder.subject_name(fichier_csr.subject) builder = builder.issuer_name(signing_cert.subject) builder = builder.not_valid_before(datetime.datetime.today() - one_day) builder = builder.not_valid_after(datetime.datetime.today() + self.__duree_cert_noeud) builder = builder.serial_number(x509.random_serial_number()) builder = builder.public_key(fichier_csr.public_key()) builder = builder.add_extension(x509.SubjectAlternativeName( [x509.DNSName(u'mon_serveur.ca')]), critical=False) builder = builder.add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ) builder = builder.add_extension( x509.SubjectKeyIdentifier.from_public_key( fichier_csr.public_key()), critical=False) ski = signing_cert.extensions.get_extension_for_oid( x509.oid.ExtensionOID.SUBJECT_KEY_IDENTIFIER) builder = builder.add_extension(x509.AuthorityKeyIdentifier( ski.value.digest, None, None), critical=False) builder = builder.add_extension(x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True, data_encipherment=True, key_agreement=True, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=False) certificate = builder.sign(private_key=signing_key, algorithm=hashes.SHA512(), backend=default_backend()) with open('%s.cert.pem' % nom_fichier_csr, 'wb') as fichier: fichier.write(certificate.public_bytes(serialization.Encoding.PEM))
def profile_ca(builder, ca_nick, ca): now = datetime.datetime.utcnow() builder = builder.not_valid_before(now) builder = builder.not_valid_after(now + 10 * YEAR) crl_uri = 'file://{}.crl'.format(os.path.join(DIR, ca_nick)) builder = builder.add_extension( x509.KeyUsage( digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False, ), critical=True, ) builder = builder.add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True, ) builder = builder.add_extension( x509.CRLDistributionPoints([ x509.DistributionPoint( full_name=[x509.UniformResourceIdentifier(crl_uri)], relative_name=None, crl_issuer=None, reasons=None, ), ]), critical=False, ) public_key = builder._public_key builder = builder.add_extension( x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False, ) if not ca: builder = builder.add_extension( x509.AuthorityKeyIdentifier.from_issuer_public_key(public_key), critical=False, ) # here we get "ca" object only for "ca1/subca" else: ski = ca.cert.extensions.get_extension_for_class( x509.SubjectKeyIdentifier) builder = builder.add_extension( x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( ski), critical=False, ) return builder
def certify_p10(request): # Load CA certificate and private key key = load_pem_private_key(ca_private.encode('ascii'), ca_password.encode('ascii'), default_backend()) cacert = x509.load_pem_x509_certificate(ca_cert.encode('ascii'), default_backend()) # Load Request x509req = x509.load_pem_x509_csr(request, default_backend()) # Create certificate for it sernum = x509.random_serial_number() cert = x509.CertificateBuilder()\ .issuer_name(cacert.subject)\ .subject_name(x509req.subject)\ .public_key(x509req.public_key())\ .serial_number(sernum)\ .not_valid_before(datetime.now())\ .not_valid_after(datetime.now() + timedelta(days=366))\ .add_extension(x509.KeyUsage(digital_signature=True , content_commitment=True , key_encipherment=False , data_encipherment=False , key_agreement=False , key_cert_sign=False , crl_sign=False , encipher_only=False , decipher_only = False), critical=True)\ .sign(key, hashes.SHA256(), default_backend()) pemCert = cert.public_bytes(serialization.Encoding.PEM).decode('ascii') return pemCert
def _create_self_signed_certificate(self, private_key, common_name): issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), x509.NameAttribute(NameOID.COMMON_NAME, common_name), ]) cert_builder = x509.CertificateBuilder( issuer_name=issuer, subject_name=issuer, public_key=private_key.public_key(), serial_number=x509.random_serial_number(), not_valid_before=datetime.utcnow(), not_valid_after=datetime.utcnow() + timedelta(days=10)).add_extension( x509.BasicConstraints(ca=True, path_length=1), critical=True).add_extension(x509.KeyUsage( digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False), critical=False) cert = cert_builder.sign(private_key, hashes.SHA256(), default_backend()) return cert
def sign_csr(csr, ca_crt, ca_pkey): crt = x509.CertificateBuilder().subject_name(csr.subject).issuer_name( ca_crt.subject).public_key(csr.public_key()).serial_number( uuid.uuid4().int).not_valid_before( datetime.utcnow()).not_valid_after( datetime.utcnow() + timedelta(days=365 * 10)).add_extension( extension=x509.KeyUsage(digital_signature=True, key_encipherment=True, content_commitment=True, data_encipherment=True, key_agreement=False, encipher_only=False, decipher_only=False, key_cert_sign=False, crl_sign=False), critical=True).add_extension( extension=x509.BasicConstraints(ca=False, path_length=None), critical=True).add_extension( extension=x509.AuthorityKeyIdentifier. from_issuer_public_key(ca_pkey.public_key()), critical=False).sign(private_key=ca_pkey, algorithm=hashes.SHA256(), backend=default_backend()) fingerprint = binascii.hexlify(crt.fingerprint(hashes.SHA1())).decode() return fingerprint, crt.public_bytes( encoding=serialization.Encoding.PEM).decode('ascii')
def generate_selfsigned_cert(cert_file: str, key_file: str, config: Config) -> None: """Generate self signed certificate compatible with Philips HUE.""" dec_serial = int(config.bridge_id, 16) root_key = ec.generate_private_key(ec.SECP256R1(), default_backend()) subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"NL"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Philips Hue"), x509.NameAttribute(NameOID.COMMON_NAME, config.bridge_id), ]) root_cert = (x509.CertificateBuilder( ).subject_name(subject).issuer_name(issuer).public_key( root_key.public_key()).serial_number(dec_serial).not_valid_before( datetime.utcnow()).not_valid_after(datetime.utcnow() + timedelta( days=3650)).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True).add_extension( x509.SubjectKeyIdentifier(b"hash").from_public_key( root_key.public_key()), critical=False, ).add_extension( x509.AuthorityKeyIdentifier( key_identifier=b"keyid,issuer", authority_cert_issuer=None, authority_cert_serial_number=None, ).from_issuer_public_key(root_key.public_key()), critical=False, ).add_extension( x509.KeyUsage( digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False, ), critical=True, ).add_extension( x509.ExtendedKeyUsage([x509.OID_SERVER_AUTH]), critical=False).sign(root_key, hashes.SHA256(), default_backend())) cert_pem = root_cert.public_bytes(encoding=serialization.Encoding.PEM) key_pem = root_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) with open(cert_file, "w") as fileobj: fileobj.write(cert_pem.decode("utf-8")) with open(key_file, "w") as fileobj: fileobj.write(key_pem.decode("utf-8")) LOGGER.debug("Certificate generated")
def sign_csr(self, ipa_csr): """Sign certificate CSR. :param ipa_csr: CSR in PEM format. :type ipa_csr: bytes. :returns: bytes -- Signed CA in PEM format. """ csr_tbs = x509.load_pem_x509_csr(ipa_csr, default_backend()) csr_public_key = csr_tbs.public_key() csr_subject = csr_tbs.subject builder = x509.CertificateBuilder() builder = builder.public_key(csr_public_key) builder = builder.subject_name(csr_subject) builder = builder.serial_number(x509.random_serial_number()) builder = builder.issuer_name(self.issuer) builder = builder.not_valid_before(datetime.datetime.utcnow()) builder = builder.not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=365)) builder = builder.add_extension( x509.KeyUsage( digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False, ), critical=True, ) builder = builder.add_extension( x509.SubjectKeyIdentifier.from_public_key(csr_public_key), critical=False, ) builder = builder.add_extension( x509.AuthorityKeyIdentifier.from_issuer_public_key( self.ca_public_key ), critical=False, ) builder = builder.add_extension( x509.BasicConstraints(ca=True, path_length=1), critical=True, ) cert = builder.sign( private_key=self.ca_key, algorithm=hashes.SHA256(), backend=default_backend(), ) return cert.public_bytes(serialization.Encoding.PEM)
def cert_key_usage(**kwargs): """ Helper to create x509.KeyUsage object. Function provide defaults (False) for unspecified KeyUsage arguments. Args: x509.KeyUsage keys. If not provided False is used for each arg. Return: x509.KeyUsage """ required = [ 'digital_signature', 'content_commitment', 'key_encipherment', 'data_encipherment', 'key_agreement', 'key_cert_sign', 'crl_sign', 'encipher_only', 'decipher_only', ] for name in required: kwargs.setdefault(name, False) return x509.KeyUsage(**kwargs)
def _generate_csr(cls, cn, private_key, passphrase=None): pk = serialization.load_pem_private_key( data=private_key, password=passphrase, backend=backends.default_backend()) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn), ])) csr = csr.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True) csr = csr.add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, data_encipherment=True, key_agreement=True, content_commitment=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=True) csr = csr.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn) ]), critical=False) signed_csr = csr.sign( pk, getattr(hashes, CONF.certificates.signing_digest.upper())(), backends.default_backend()) return signed_csr.public_bytes(serialization.Encoding.PEM)
def bootstrap_ca( days_valid: int = 3650, common_name: str = "Resoto Root CA", organization_name: str = "Some Engineering Inc.", path_length: int = 2, ) -> Tuple[RSAPrivateKey, Certificate]: ca_key = gen_rsa_key() subject = issuer = x509.Name([ x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name), x509.NameAttribute(NameOID.COMMON_NAME, common_name), ]) ca_cert = ( x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(ca_key.public_key()).serial_number( x509.random_serial_number()). not_valid_before(datetime.now(tz=timezone.utc)).not_valid_after( datetime.now(tz=timezone.utc) + timedelta(days=days_valid)).add_extension( x509.BasicConstraints(ca=True, path_length=path_length), critical=True).add_extension( x509.KeyUsage( digital_signature=False, key_encipherment=False, key_cert_sign= True, # CA Cert is only allowed to sign other certs key_agreement=False, content_commitment=False, data_encipherment=False, crl_sign=True, # and cert revocation lists encipher_only=False, decipher_only=False, ), critical=True, # KeyUsage extension is critical to support ).sign(ca_key, hashes.SHA256(), default_backend())) return ca_key, ca_cert
def create_root_ca_cert(path, key, name): print("... Creating Root CA Certificate") subject = issuer = x509.Name([ x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, name), ]) cert = (x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key(key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=3650)).add_extension( x509.BasicConstraints(ca=True, path_length=0), critical=True).add_extension( x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False), critical=True).add_extension( x509.ExtendedKeyUsage([ x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH ]), critical=True).sign(key, hashes.SHA256(), default_backend())) with open(path, "wb") as f: f.write(cert.public_bytes(serialization.Encoding.PEM)) return cert