def test_subject_alt_names(self, backend): private_key = RSA_KEY_2048.private_key(backend) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"), ])).add_extension( x509.SubjectAlternativeName([ x509.DNSName(u"example.com"), x509.DNSName(u"*.example.com"), ]), critical=False, ).sign(private_key, hashes.SHA256(), backend) assert len(csr.extensions) == 1 ext = csr.extensions.get_extension_for_oid( x509.OID_SUBJECT_ALTERNATIVE_NAME) assert not ext.critical assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME assert list(ext.value) == [ x509.DNSName(u"example.com"), x509.DNSName(u"*.example.com"), ]
def __init__(self, initializer=None, common_name=None, private_key=None, age=None): super(CertificateSigningRequest, self).__init__( initializer=initializer, age=age) if self._value is None: if isinstance(initializer, x509.CertificateSigningRequest): self._value = initializer elif isinstance(initializer, bytes): self.ParseFromBytes(initializer) elif common_name and private_key: self._value = x509.CertificateSigningRequestBuilder().subject_name( x509.Name( [x509.NameAttribute(oid.NameOID.COMMON_NAME, str(common_name))])).sign( private_key.GetRawPrivateKey(), hashes.SHA256(), backend=openssl.backend) elif initializer is not None: raise rdfvalue.InitializeError("Cannot initialize %s from %s." % (self.__class__, initializer))
def enroll(self, enrollment_id, enrollment_secret): """Enroll a registered user in order to receive a signed X509 certificate Args: enrollment_id (str): The registered ID to use for enrollment enrollment_secret (str): The secret associated with the enrollment ID Returns: PEM-encoded X509 certificate Raises: RequestException: errors in requests.exceptions ValueError: Failed response, json parse error, args missing """ private_key = self._crypto.generate_private_key() csr = self._crypto.generate_csr(private_key, x509.Name( [x509.NameAttribute(NameOID.COMMON_NAME, six.u(enrollment_id))])) cert = self._ca_client.enroll( enrollment_id, enrollment_secret, csr.public_bytes(Encoding.PEM).decode("utf-8")) return Enrollment(private_key, cert)
def generate_certificate(private_key: PrivateKey, hostname: str, name: str, hash_algorithm: HashAlgorithm, lifespan: int = 14) -> x509.Certificate: x509_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)]) x509_dns_name = x509.DNSName(f'{name}.{hostname}') san = x509.SubjectAlternativeName([x509_dns_name]) constraints = x509.BasicConstraints(ca=True, path_length=0) now = datetime.now() return (x509.CertificateBuilder().subject_name(x509_name).issuer_name( x509_name).public_key( private_key.public_key()).not_valid_before(now).not_valid_after( now + timedelta(days=lifespan)).serial_number(1000).add_extension( constraints, False).add_extension(san, False).sign(private_key, hash_algorithm, default_backend()))
def generate_server_cert(ca_cert, ca_key, common_names): private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) name = x509.Name(COMMON_SUBJECT_ATTRIB + [ x509.NameAttribute(NameOID.COMMON_NAME, name) for name in common_names ]) certificate = ( x509.CertificateBuilder().subject_name(name).issuer_name( ca_cert.subject).not_valid_before(datetime.datetime.today() - datetime.timedelta(days=1)). not_valid_after(datetime.datetime.today() + datetime.timedelta(days=365)).serial_number( x509.random_serial_number()).public_key( private_key.public_key()).add_extension( x509.KeyUsage( digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False, ), critical=True, ).add_extension( x509.ExtendedKeyUsage([ ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH ]), critical=True, ).sign(private_key=ca_key, algorithm=hashes.SHA256(), backend=default_backend())) return certificate, private_key
def makeCSR(self, identifiers): # Generate a CSR ''' csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),\ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),\ x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),\ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),\ x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),\ ])).add_extension(x509.SubjectAlternativeName([\ x509.DNSName(u"mysite.com"),\ x509.DNSName(u"www.mysite.com"),\ x509.DNSName(u"subdomain.mysite.com"),\ ]), critical = False,).sign(self.private_key, hashes.SHA256(), default_backend()) csr.public_bytes(serialization.Encoding.DER) ''' print("IDENTIFIERS ARE: ", identifiers, "and are of type ", type(identifiers)) alternatives = [None] * len( identifiers) #create array to suit csr format for i in range(len(identifiers)): alternatives[i] = x509.DNSName(identifiers[i]) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ])) builder = builder.add_extension( x509.SubjectAlternativeName(alternatives), critical=False, ) request = builder.sign(self.private_key, hashes.SHA256(), default_backend()) csr = request.public_bytes(serialization.Encoding.DER) return csr
def _dummy_ca_cert(self, ca_key): ca_name = x509.Name([ x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, 'CA'), ]) nowtime = datetime.datetime.now(datetime.timezone.utc) cert = x509.CertificateBuilder().subject_name(ca_name).issuer_name( ca_name).public_key(ca_key.public_key()).serial_number( x509.random_serial_number()).not_valid_before( nowtime).not_valid_after(nowtime + datetime.timedelta( days=1)).add_extension( x509.BasicConstraints(ca=True, path_length=1), critical=True, ).add_extension( x509.KeyUsage( digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False, ), critical=False, ).add_extension( x509.SubjectKeyIdentifier.from_public_key( ca_key.public_key()), critical=False, ).add_extension( x509.AuthorityKeyIdentifier.from_issuer_public_key( ca_key.public_key()), critical=False, ).sign(ca_key, hashes.SHA256(), backend=default_backend()) return cert
def create_pair(self, algorithm): if algorithm == ALGORITHM.RSA_2048: private_key = rsa.generate_private_key( 0x10001, 2048, default_backend()) elif algorithm == ALGORITHM.RSA_3072: private_key = rsa.generate_private_key( 0x10001, 3072, default_backend()) elif algorithm == ALGORITHM.RSA_4096: private_key = rsa.generate_private_key( 0x10001, 4096, default_backend()) else: ec_curve = ALGORITHM.to_curve(algorithm) private_key = ec.generate_private_key(ec_curve, default_backend()) builder = x509.CertificateBuilder() name = x509.Name([x509.NameAttribute( NameOID.COMMON_NAME, u'Test Attestation Certificate')]) builder = builder.subject_name(name) builder = builder.issuer_name(name) one_day = datetime.timedelta(1, 0, 0) builder = builder.not_valid_before(datetime.datetime.today() - one_day) builder = builder.not_valid_after(datetime.datetime.today() + one_day) builder = builder.serial_number(int(uuid.uuid4())) builder = builder.public_key(private_key.public_key()) certificate = builder.sign( private_key, hashes.SHA256(), default_backend()) attkey = AsymmetricKey.put( self.session, 0, 'Test Create Pair', 0xffff, CAPABILITY.SIGN_ATTESTATION_CERTIFICATE, private_key) certobj = attkey.put_certificate('Test Create Pair', 0xffff, CAPABILITY.NONE, certificate) self.assertEqual(certificate.public_bytes(Encoding.DER), certobj.get()) return attkey, certobj, certificate
def cert_info(name, email, country, state, city, org_name): name = name.encode("utf-8") email = email.encode("utf-8") country = country.encode("utf-8") state = state.encode("utf-8") city = city.encode("utf-8") org_name = org_name.encode("utf-8") info = x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, country), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state), x509.NameAttribute(NameOID.LOCALITY_NAME, city), x509.NameAttribute(NameOID.ORGANIZATION_NAME, org_name), x509.NameAttribute(NameOID.COMMON_NAME, name), x509.NameAttribute(NameOID.EMAIL_ADDRESS, email) ]) return info
def generate_csr( private_key: rsa.RSAPrivateKey = None ) -> Tuple[rsa.RSAPrivateKey, x509.CertificateSigningRequest]: """Generate a Certificate Signing Request using a few defaults. Args: private_key (rsa.RSAPrivateKey): Optional. If not supplied a key will be generated Returns: Tuple of private_key, x509.CertificateSigningRequest """ if private_key is None: private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend(), ) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'scepy2 client'), ])) builder = builder.add_extension( # Absolutely critical for SCEP x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), True) csr = builder.sign(private_key, hashes.SHA512(), default_backend()) return private_key, csr
def def_certificate_subject(): return x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, input("Country Name (2 letter code) [AU] : ")), x509.NameAttribute( NameOID.STATE_OR_PROVINCE_NAME, input("State or Province Name (full name) [Some-State] : ")), x509.NameAttribute(NameOID.LOCALITY_NAME, input("Locality Name (eg, city) [] : ")), x509.NameAttribute( NameOID.ORGANIZATION_NAME, input( "Organization Name (eg, company) [Internet Widgits Pty Ltd] : " )), x509.NameAttribute( NameOID.ORGANIZATIONAL_UNIT_NAME, input("Organizational Unit Name (eg, section) [] : ")), x509.NameAttribute( NameOID.COMMON_NAME, input("Common Name (e.g. server FQDN or YOUR name) [] : ")), x509.NameAttribute(NameOID.EMAIL_ADDRESS, input("Email Address [] : ")) ])
def ca_create(self, key): subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"CA"), ]) return x509.CertificateBuilder().subject_name( subject ).issuer_name( issuer ).public_key( key.public_key() ).serial_number( x509.random_serial_number() ).not_valid_before( datetime.datetime.utcnow() ).not_valid_after( # Our certificate will be valid for 10 years datetime.datetime.utcnow() + datetime.timedelta(days=10 * 365) ).add_extension( extension=x509.BasicConstraints(ca=True, path_length=None), critical=True ).sign( # Sign our certificate with our private key key, hashes.SHA256(), default_backend() )
def generate_certificate_signing_request(username, passphrase, key_file): """ Generate the certificate signing request for the new user in Kubernetes """ file_location = _ensure_cert_working_path() from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.primitives import hashes key_bytes = None with open(key_file, "rb") as f: key_bytes = f.read() key = serialization.load_pem_private_key(key_bytes, bytes(passphrase, "utf-8"), default_backend()) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COMMON_NAME, u"{0}".format(username)), ])).sign(key, hashes.SHA256(), default_backend()) csr_file = Path(file_location).joinpath(f"{username}_csr.pem") # write CSR to file with open(csr_file, "wb") as f: f.write(csr.public_bytes(serialization.Encoding.PEM)) if csr_file.is_file(): return csr_file else: return None
def make_tls_cert(hostname: str) -> Tuple[x509.Certificate, rsa.RSAPrivateKey]: key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend() ) subject = issuer = x509.Name( [ x509.NameAttribute(NameOID.COMMON_NAME, hostname), ] ) cert = ( x509.CertificateBuilder() .subject_name(subject) .issuer_name(issuer) .public_key(key.public_key()) .serial_number(x509.random_serial_number()) .not_valid_before(datetime.utcnow()) .not_valid_after(datetime.utcnow() + timedelta(days=10)) .add_extension( x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False, ) .sign(key, hashes.SHA256(), default_backend()) ) return cert, key
def _generate_pem_cert_and_key(cn=None): import datetime from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import rsa key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn or '127.0.0.1')]) now = datetime.datetime.utcnow() cert = (x509.CertificateBuilder(). subject_name(name). issuer_name(name). public_key(key.public_key()). serial_number(1000). not_valid_before(now). not_valid_after(now + datetime.timedelta(days=1)). sign(key, hashes.SHA256(), default_backend())) cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM) key_pem = key.private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) return cert_pem, key_pem
def new_cert_request(names, key, must_staple=False): primary_name = x509.Name([ x509.NameAttribute( NameOID.COMMON_NAME, names[0].decode('utf-8') if getattr( names[0], 'decode', None) else names[0]) ]) all_names = x509.SubjectAlternativeName([ x509.DNSName( name.decode('utf-8') if getattr(name, 'decode', None) else name) for name in names ]) req = x509.CertificateSigningRequestBuilder() req = req.subject_name(primary_name) req = req.add_extension(all_names, critical=False) if must_staple: if getattr(x509, 'TLSFeature', None): req = req.add_extension( x509.TLSFeature(features=[x509.TLSFeatureType.status_request]), critical=False) else: log('OCSP must-staple ignored as current version of cryptography does not support the flag.', warning=True) req = req.sign(key, hashes.SHA256(), default_backend()) return req
def test_sign_multiple_extensions_critical(self, backend): private_key = RSA_KEY_2048.private_key(backend) last_update = datetime.datetime(2002, 1, 1, 12, 1) next_update = datetime.datetime(2030, 1, 1, 12, 1) ian = x509.IssuerAlternativeName( [x509.UniformResourceIdentifier("https://cryptography.io")]) crl_number = x509.CRLNumber(13) builder = (x509.CertificateRevocationListBuilder().issuer_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, "cryptography.io CA") ])).last_update(last_update).next_update( next_update).add_extension(crl_number, False).add_extension(ian, True)) crl = builder.sign(private_key, hashes.SHA256(), backend) assert len(crl) == 0 assert len(crl.extensions) == 2 ext1 = crl.extensions.get_extension_for_class(x509.CRLNumber) assert ext1.critical is False assert ext1.value == crl_number ext2 = crl.extensions.get_extension_for_class( x509.IssuerAlternativeName) assert ext2.critical is True assert ext2.value == ian
def test_freshestcrl_extension(self, backend): private_key = RSA_KEY_2048.private_key(backend) last_update = datetime.datetime(2002, 1, 1, 12, 1) next_update = datetime.datetime(2030, 1, 1, 12, 1) freshest = x509.FreshestCRL([ x509.DistributionPoint([ x509.UniformResourceIdentifier(u"http://d.om/delta"), ], None, None, None) ]) builder = x509.CertificateRevocationListBuilder().issuer_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") ])).last_update(last_update).next_update( next_update).add_extension(freshest, False) crl = builder.sign(private_key, hashes.SHA256(), backend) assert len(crl) == 0 assert len(crl.extensions) == 1 ext1 = crl.extensions.get_extension_for_class(x509.FreshestCRL) assert ext1.critical is False assert isinstance(ext1.value[0], x509.DistributionPoint) uri = ext1.value[0].full_name[0] assert isinstance(uri, x509.UniformResourceIdentifier) assert uri.value == u"http://d.om/delta"
def test_aware_next_update(self, backend): next_time = datetime.datetime(2022, 1, 16, 22, 43) tz = pytz.timezone("US/Pacific") next_time = tz.localize(next_time) utc_next = datetime.datetime(2022, 1, 17, 6, 43) last_time = datetime.datetime(2012, 1, 17, 6, 43) private_key = RSA_KEY_2048.private_key(backend) builder = ( x509.CertificateRevocationListBuilder() .issuer_name( x509.Name( [ x509.NameAttribute( NameOID.COMMON_NAME, "cryptography.io CA" ) ] ) ) .last_update(last_time) .next_update(next_time) ) crl = builder.sign(private_key, hashes.SHA256(), backend) assert crl.next_update == utc_next
def test_certificate(self): private_key = ec.generate_private_key(ALGORITHM.EC_P256.to_curve(), default_backend()) name = x509.Name([ x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, u"Test Certificate") ]) one_day = datetime.timedelta(1, 0, 0) certificate = (x509.CertificateBuilder( ).subject_name(name).issuer_name(name).not_valid_before( datetime.datetime.today() - one_day).not_valid_after(datetime.datetime.today() + one_day).serial_number(int( uuid.uuid4())).public_key( private_key.public_key()).sign( private_key, hashes.SHA256(), default_backend())) certobj = Opaque.put_certificate(self.session, 0, "Test certificate Opaque", 1, CAPABILITY.NONE, certificate) self.assertEqual(certificate, certobj.get_certificate()) certobj.delete()
def renew(conn, cert_id, pkey, sn, cn): print("Trying to renew certificate") new_request = CertificateRequest(cert_id=cert_id, ) # TODO change back to True when support for renew with csr use is deployed. conn.renew_cert(new_request, reuse_key=False) time.sleep(5) t = time.time() while time.time() - t < 300: new_cert = conn.retrieve_cert(new_request) if new_cert: break else: time.sleep(5) f = open("./renewed_cert.pem", "w") f.write(new_cert.full_chain) f.close() cert = x509.load_pem_x509_certificate(new_cert.cert.encode(), default_backend()) assert isinstance(cert, x509.Certificate) assert cert.subject.get_attributes_for_oid( NameOID.COMMON_NAME) == [x509.NameAttribute(NameOID.COMMON_NAME, cn)] assert cert.serial_number != sn private_key = serialization.load_pem_private_key(pkey.encode(), password=None, backend=default_backend()) private_key_public_key_pem = private_key.public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) public_key_pem = cert.public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) # TODO this assertion only works when the reuse key is set to true in the renew method # assert private_key_public_key_pem == public_key_pem return cert
def setup_certificate(workspace): """Generate a self-signed certificate for nginx. :param workspace: path of folder where to put the certificate :return: tuple containing the key path and certificate path :rtype: `tuple` """ # Generate key # See comment on cryptography import about type: ignore private_key = rsa.generate_private_key( # type: ignore public_exponent=65537, key_size=2048, backend=default_backend()) subject = issuer = x509.Name( [x509.NameAttribute(x509.NameOID.COMMON_NAME, u'nginx.wtf')]) certificate = x509.CertificateBuilder().subject_name(subject).issuer_name( issuer).public_key( private_key.public_key()).serial_number(1).not_valid_before( datetime.datetime.utcnow()).not_valid_after( datetime.datetime.utcnow() + datetime.timedelta(days=1)).sign(private_key, hashes.SHA256(), default_backend()) key_path = os.path.join(workspace, 'cert.key') with open(key_path, 'wb') as file_handle: file_handle.write( private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption())) cert_path = os.path.join(workspace, 'cert.pem') with open(cert_path, 'wb') as file_handle: file_handle.write(certificate.public_bytes(serialization.Encoding.PEM)) return key_path, cert_path
def test_request(self, name): cn = '{0}.example.com'.format(name) # Provide python27 compatibility if not isinstance(cn, text_type): cn = cn.decode() ret = self.run_run_plus(fun='venafi.request', minion_id=cn, dns_name=cn, key_password='******', zone='fake') cert_output = ret['return'][0] assert cert_output is not None, 'venafi_certificate not found in `output_value`' cert = x509.load_pem_x509_certificate(cert_output.encode(), default_backend()) assert isinstance(cert, x509.Certificate) assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [ x509.NameAttribute(NameOID.COMMON_NAME, cn) ] pkey_output = ret['return'][1] assert pkey_output is not None, 'venafi_private key not found in output_value' pkey = serialization.load_pem_private_key(pkey_output.encode(), password=b'secretPassword', backend=default_backend()) pkey_public_key_pem = pkey.public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) cert_public_key_pem = cert.public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) assert pkey_public_key_pem == cert_public_key_pem
def gen_csr( csr_key: RSAPrivateKey, common_name: str = "some.engineering", san_dns_names: Optional[List[str]] = None, san_ip_addresses: Optional[List[str]] = None, include_loopback: bool = True, ) -> CertificateSigningRequest: if san_dns_names is None: san_dns_names = get_local_hostnames(include_loopback=include_loopback, args=ArgumentParser.args) if san_ip_addresses is None: san_ip_addresses = get_local_ip_addresses( include_loopback=include_loopback, args=ArgumentParser.args) csr_build = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])) if len(san_dns_names) + len(san_ip_addresses) > 0: csr_build = csr_build.add_extension( x509.SubjectAlternativeName( [x509.DNSName(n) for n in san_dns_names] + [x509.IPAddress(make_ip(i)) for i in san_ip_addresses]), critical= False, # Optional extensions are not critical if unsupported ) return csr_build.sign(csr_key, hashes.SHA256(), default_backend())
def _generate_ca_cert(self): """ Generate a CA cert/key. """ if self._ca_key is None: self._ca_key = generate_private_key(u'rsa') self._ca_name = x509.Name( [x509.NameAttribute(NameOID.COMMON_NAME, u'ACME Snake Oil CA')]) self._ca_cert = ( x509.CertificateBuilder().subject_name(self._ca_name).issuer_name( self._ca_name).not_valid_before(self._now() - timedelta(seconds=3600)). not_valid_after(self._now() + timedelta(days=3650)).public_key( self._ca_key.public_key()).serial_number(int( uuid4())).add_extension( x509.BasicConstraints(ca=True, path_length=0), critical=True).add_extension( x509.SubjectKeyIdentifier.from_public_key( self._ca_key.public_key()), critical=False).sign(private_key=self._ca_key, algorithm=hashes.SHA256(), backend=default_backend())) self._ca_aki = x509.AuthorityKeyIdentifier.from_issuer_public_key( self._ca_key.public_key())
def generate(fqdn, write_dir, key_length, mode, owner_uid, group_gid): """Generate a key and CSR for headless operation. The private key is written out to the provided directory and the CSR is returned as a PEM encoded string. """ public_exp = 65537 priv_key = rsa.generate_private_key(public_exponent=public_exp, key_size=key_length, backend=default_backend()) for key_filename in (KEY_FILENAME, PKCS8_KEY_FILENAME): key_format = KEY_FILENAME_TO_FORMAT.get(key_filename) if not key_format: raise GenerationError( 'Invalid key format for file {}'.format(key_filename)) priv_key_filepath = os.path.join(write_dir, key_filename) try: with open(priv_key_filepath, 'w') as keyfile: keyfile.write( priv_key.private_bytes( encoding=serialization.Encoding.PEM, format=key_format, encryption_algorithm=serialization.NoEncryption())) os.chmod(priv_key_filepath, mode) os.chown(priv_key_filepath, owner_uid, group_gid) except IOError: raise GenerationError('Error writing key file {}'.format(keyfile)) builder = x509.CertificateSigningRequestBuilder() common_name = x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, six.u(fqdn)) builder = builder.subject_name(x509.Name([common_name])) builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True) csr = builder.sign(priv_key, hashes.SHA256(), default_backend()) csr_pem_encoded = csr.public_bytes(serialization.Encoding.PEM) return csr_pem_encoded
def create_test_cert(path, path_key, private_key_CA, CA_subject, test_subj_dict, serialization_format=serialization.Encoding.PEM, time_begin=datetime.datetime.now(), time_delta=datetime.timedelta(days=10)): '''Creating test cert test_subj_dict = {'Country':u'UK', etc}''' Test_subject = [ x509.NameAttribute(NameOID.COUNTRY_NAME, test_subj_dict['Country']), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, test_subj_dict['State']), x509.NameAttribute(NameOID.LOCALITY_NAME, test_subj_dict['Locality']), x509.NameAttribute(NameOID.ORGANIZATION_NAME, test_subj_dict['Organization']), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, test_subj_dict['OU']), x509.NameAttribute(NameOID.COMMON_NAME, test_subj_dict['CN']) ] private_test_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) public_test_key = private_test_key.public_key() test_cert = x509.CertificateBuilder().subject_name(x509.Name(Test_subject)) test_cert = test_cert.issuer_name(x509.Name(CA_subject)) test_cert = test_cert.public_key(public_test_key) test_cert = test_cert.serial_number(x509.random_serial_number()) test_cert = test_cert.not_valid_before(time_begin) test_cert = test_cert.not_valid_after(time_begin + time_delta) test_cert = test_cert.sign(private_key_CA, hashes.SHA256(), default_backend()) with open(path_key, 'wb') as f: f.write( private_test_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.BestAvailableEncryption( b"test"))) with open(path, 'wb') as TestCert: TestCert.write(test_cert.public_bytes(serialization_format)) return private_test_key, test_cert
def generate_node_certificates(private_key, public_key): today = datetime.datetime.today() one_day = datetime.timedelta(1, 0, 0) address = node_public_address(public_key) builder = x509.CertificateBuilder() builder = builder.not_valid_before(today) # TODO: Where's documentation of the decision to make keys valid for 1 year only? builder = builder.not_valid_after(today + 365 * one_day) issuer = x509.Name( [ x509.NameAttribute(x509.NameOID.COUNTRY_NAME, "US"), x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, "CA"), x509.NameAttribute(x509.NameOID.LOCALITY_NAME, "San-Diego"), x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, "CasperLabs, LLC"), x509.NameAttribute(x509.NameOID.ORGANIZATIONAL_UNIT_NAME, "IT Department"), x509.NameAttribute(x509.NameOID.COMMON_NAME, address), ] ) builder = builder.issuer_name(issuer) builder = builder.subject_name(issuer) builder = builder.public_key(public_key) builder = builder.serial_number(x509.random_serial_number()) ski = x509.SubjectKeyIdentifier.from_public_key(public_key) builder = builder.add_extension(ski, critical=False) builder = builder.add_extension( x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski), critical=False, ) builder = builder.add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True ) certificate = builder.sign( private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend() ) cert_pem = certificate.public_bytes(encoding=serialization.Encoding.PEM) key_pem = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) return cert_pem, key_pem
def create_CA(path, path_key, CA_subj_dict): '''Creating CA dirpath - path to directory, where CA will be placed CA_subj_dict - dict, like this CA_subj_dict={'Country':u'PL', ...}''' private_key_CA = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) public_key_CA = private_key_CA.public_key() with open(path_key, 'wb') as f: f.write( private_key_CA.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.BestAvailableEncryption( b"password"))) CA_subject = [ x509.NameAttribute(NameOID.COUNTRY_NAME, CA_subj_dict['Country']), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, CA_subj_dict['State']), x509.NameAttribute(NameOID.LOCALITY_NAME, CA_subj_dict['Locality']), x509.NameAttribute(NameOID.ORGANIZATION_NAME, CA_subj_dict['Organization']), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, CA_subj_dict['OU']), x509.NameAttribute(NameOID.COMMON_NAME, CA_subj_dict['CN']) ] CA_cert = x509.CertificateBuilder().subject_name(x509.Name(CA_subject)) CA_cert = CA_cert.issuer_name(x509.Name(CA_subject)) CA_cert = CA_cert.public_key(public_key_CA) CA_cert = CA_cert.serial_number(x509.random_serial_number()) CA_cert = CA_cert.not_valid_before(datetime.datetime.utcnow()) CA_cert = CA_cert.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10)) CA_cert = CA_cert.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) CA_cert = CA_cert.sign(private_key_CA, hashes.SHA256(), default_backend()) with open(path, 'wb') as CAcert: CAcert.write(CA_cert.public_bytes(serialization.Encoding.PEM)) return private_key_CA, CA_subject, CA_cert
def generateCSR(username, key, country_name, state_name, locality_name, organization_name, unit_name, common_name): csr = x509.CertificateSigningRequestBuilder() csr = csr.subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, country_name), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state_name), x509.NameAttribute(NameOID.LOCALITY_NAME, locality_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, unit_name), x509.NameAttribute(NameOID.COMMON_NAME, common_name), ])) csr = csr.sign(key, hashes.SHA256(), default_backend()) path = getUserFilePath(username, 'csr') with open(path, 'wb') as f: f.write(csr.public_bytes(serialization.Encoding.PEM)) return csr.public_bytes(serialization.Encoding.PEM).decode()