def sign(self, name: str, cb: x509.CertificateBuilder) -> x509.Certificate:
backend = cryptography.hazmat.backends.default_backend()
cert = cb.issuer_name(self._root_ca.subject) \
.sign(private_key=self._root_key, algorithm=hashes.SHA256(), backend=backend)
cert_path = self.cert_path(name)
pathlib.Path(cert_path).write_bytes(cert.public_bytes(serialization.Encoding.PEM))
return cert
def _make_cert_builder(
subject_name: Name,
days_valid: int,
public_key: RSAPublicKey,
) -> CertificateBuilder:
return (CertificateBuilder().subject_name(subject_name).public_key(
public_key).serial_number(random_serial_number()).not_valid_before(
datetime.utcnow()).not_valid_after(datetime.utcnow() +
timedelta(days=days_valid)))
def cert(issuer, subject, pubkey, privkey, ca):
builder = CertificateBuilder().issuer_name(
Name([NameAttribute(NameOID.COMMON_NAME, issuer)]), ).subject_name(
Name([NameAttribute(NameOID.COMMON_NAME,
subject)]), ).add_extension(
SubjectAlternativeName([DNSName(subject)]),
critical=False,
)
if ca:
builder = builder.add_extension(
BasicConstraints(True, None),
critical=True,
)
return builder.public_key(
pubkey, ).serial_number(random_serial_number(), ).not_valid_before(
datetime.utcnow(), ).not_valid_after(
datetime.utcnow() + timedelta(seconds=1), ).sign(
privkey,
SHA256(),
default_backend(),
)
def sign_csr(
csr: CertificateSigningRequest, ca_cert: Certificate,
key: EllipticCurvePrivateKey, expiration_date: date,
custom_extensions: Iterable[Union[KeyUsage, UnrecognizedExtension,
BasicConstraints]]
) -> Certificate:
"""
Sign a CSR with CA credentials.
:param csr: the CSR
:param ca_cert: the CA certificate
:param key: the CA private key
:param expiration_date: expiration date
:param custom_extensions: custom extensions to be added to the certificate
:return: a certificate object
"""
issuer = ca_cert.subject
now = datetime.utcnow()
cert_builder = CertificateBuilder().issuer_name(issuer).subject_name(
csr.subject).public_key(csr.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(now).not_valid_after(
datetime.combine(expiration_date, time(), None)).add_extension(
extension=AuthorityKeyIdentifier.from_issuer_public_key(
ca_cert.public_key()),
critical=False)
try:
cert_builder = cert_builder.add_extension(
csr.extensions.get_extension_for_class(
SubjectAlternativeName).value,
critical=False)
except ExtensionNotFound:
pass
for extension in custom_extensions:
if isinstance(extension, UnrecognizedExtension):
critical = False
else:
critical = True
# pyre-fixme[6]: Expected `ExtensionType` for 1st param but got
# `Union[BasicConstraints, KeyUsage, UnrecognizedExtension]`.
cert_builder = cert_builder.add_extension(extension, critical=critical)
return cert_builder.sign(key, SHA256(), backends.default_backend())
def server_cert(server_key, backend):
"""Generate server certificate."""
subject = issuer = Name([
NameAttribute(NameOID.COMMON_NAME, six.u('localhost')),
NameAttribute(NameOID.ORGANIZATION_NAME, six.u('Bob B. Server'))
])
return CertificateBuilder().subject_name(subject).issuer_name(
issuer).serial_number(random_serial_number()).public_key(
server_key.public_key()).not_valid_before(datetime(
2008, 1,
1)).not_valid_after(datetime(3020, 1, 1)).add_extension(
SubjectAlternativeName([DNSName(six.u('localhost'))]),
critical=False).sign(server_key, SHA256(), backend)
def client_cert(client_key, backend):
"""Generate client certificate."""
subject = issuer = Name([
NameAttribute(NameOID.COMMON_NAME, six.u('example.org')),
NameAttribute(NameOID.ORGANIZATION_NAME, six.u('Alice A. Client'))
])
return CertificateBuilder().subject_name(subject).issuer_name(
issuer).serial_number(random_serial_number()).public_key(
client_key.public_key()).not_valid_before(datetime(
3019, 1,
1)).not_valid_after(datetime(3019, 1, 10)).add_extension(
SubjectAlternativeName([DNSName(six.u('localhost'))]),
critical=False).sign(client_key, SHA256(), backend)
def generate(identifier, path):
debug("Generating private key")
key = generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
with open(join(path, Certificate.PRIVATE_KEY_FILE), "wb+") as pem:
pem.write(key.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption()))
name = Name([
NameAttribute(NameOID.COMMON_NAME, identifier),
NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "KDE Connect"),
NameAttribute(NameOID.ORGANIZATION_NAME, "KDE"),
])
before = datetime.utcnow() - timedelta(days=365)
after = before + timedelta(days=3650)
debug("Generating certificate")
cert = CertificateBuilder().subject_name(name).issuer_name(name).\
public_key(key.public_key()).serial_number(1).not_valid_before(before).\
not_valid_after(after).sign(key, SHA256(), default_backend())
with open(join(path, Certificate.CERTIFICATE_FILE), "wb+") as pem:
pem.write(cert.public_bytes(Encoding.PEM))
def _generate_certs(path: Union[Path, str],
days: int = 3652,
key_size: int = 2048,
separate_key: bool = False) -> None:
# DO NOT USE THIS FOR ANYTHING PRODUCTION RELATED, EVER!
# Generate private key
# 2048 is the minimum that works as of 3.9
key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
key_file = "key.pem" if separate_key else "cert.pem"
key_path = Path(path).joinpath(key_file)
with open(key_path, "ab") as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
encryption_algorithm=serialization.NoEncryption(),
format=serialization.PrivateFormat.TraditionalOpenSSL
))
log.debug("Private key generated")
# Generate public certificate
hostname = socket.gethostname()
ip = socket.gethostbyname(hostname)
subject = Name([NameAttribute(NameOID.COMMON_NAME, "smtpdfix_cert")])
alt_names = [
DNSName("localhost"),
DNSName("localhost.localdomain"),
DNSName(hostname),
IPAddress(ip_address("127.0.0.1")),
IPAddress(ip_address("0.0.0.1")),
IPAddress(ip_address("::1")),
IPAddress(ip_address(ip)),
]
# Set it so the certificate can be a root certificate with
# ca=true, path_length=0 means it can only sign itself.
constraints = BasicConstraints(ca=True, path_length=0)
cert = (CertificateBuilder()
.issuer_name(subject)
.subject_name(subject)
.serial_number(random_serial_number())
.not_valid_before(datetime.utcnow())
.not_valid_after(datetime.utcnow() + timedelta(days=days))
.add_extension(SubjectAlternativeName(alt_names), critical=False)
.public_key(key.public_key())
.add_extension(constraints, critical=False)
.sign(private_key=key, algorithm=hashes.SHA256()))
cert_path = Path(path).joinpath("cert.pem")
with open(cert_path, "ab") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
log.debug("Certificate generated")
def _create_x509_certificate(key_der, subject_name): #type(Union[EllipticCurvePrivateKey,RSAPrivateKey], str) -> Certificate
signing_key = serialization.load_der_private_key(key_der, password=None, backend=default_backend())
builder = CertificateBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
builder = builder.issuer_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
one_day = datetime.timedelta(1, 0, 0)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 30))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(signing_key.public_key())
builder = builder.add_extension(SubjectAlternativeName([x509.DNSName(subject_name)]), critical=False)
builder = builder.add_extension(BasicConstraints(ca=False, path_length=None), critical=True)
return builder.sign(private_key=signing_key, algorithm=hashes.SHA256(), backend=default_backend()).public_bytes(serialization.Encoding.DER)
def self_signed_certificate(*hostname, **oid):
"""
Generates a self signed ssl_cert_key.
Args:
hostname (str): host name or IP address.
oid (str): Object Identifiers. See "cryptography.x509.oid.NameOID"
Returns:
tuple of bytes: certificate and private key in PEM format.
"""
# Python 2: Unicode are required
if version_info[0] == 2:
oid = {key: unicode(value) for key, value in oid.items()}
hostname = [unicode(value) for value in hostname]
# Requester information
name = Name([
NameAttribute(getattr(NameOID, key.upper()), value)
for key, value in oid.items()
])
# IP addresses
alternatives_names = []
for host in hostname:
# DNS host name
alternatives_names.append(DNSName(host))
# Host IP address
try:
alternatives_names.append(IPAddress(ip_address(host)))
except ValueError:
pass
# Validity start date
valid_from = datetime.utcnow()
# Generates private RSA key
private_key = generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
# Generates ssl_cert_key
certificate = (
CertificateBuilder()
# Requester information
# Subject = Issuer on self signed certificates
.subject_name(name).issuer_name(name)
# Public key and serial number
.public_key(private_key.public_key()).serial_number(
random_serial_number())
# Validity
.not_valid_before(valid_from).not_valid_after(valid_from +
timedelta(days=VALIDITY))
# This ssl_cert_key can only sign itself
.add_extension(BasicConstraints(ca=True, path_length=0),
critical=False)
# IP addresses
.add_extension(SubjectAlternativeName(alternatives_names),
critical=False)
# Sign ssl_cert_key with private key
.sign(private_key, SHA256(), default_backend()))
# Generates public ssl_cert_key file
certificate_bytes = certificate.public_bytes(encoding=Encoding.PEM)
# Generates private key file
private_key_bytes = private_key.private_bytes(
encoding=Encoding.PEM,
format=PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=NoEncryption())
return certificate_bytes, private_key_bytes
def create_x509_certificate(key_pem, subject_name): # type: (str, str) -> str
"""
Given an RSA or ECDS private key, create a self-signed X.509 certificate
with the specified subject name signed with that key.
"""
signing_key = serialization.load_pem_private_key(key_pem.encode("ascii"),
password=None,
backend=default_backend())
builder = CertificateBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
builder = builder.issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
]))
one_day = datetime.timedelta(1, 0, 0)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() +
(one_day * 30))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(signing_key.public_key())
builder = builder.add_extension(SubjectAlternativeName(
[x509.DNSName(subject_name)]),
critical=False)
builder = builder.add_extension(BasicConstraints(ca=False,
path_length=None),
critical=True)
return (builder.sign(
private_key=signing_key,
algorithm=hashes.SHA256(),
backend=default_backend(),
).public_bytes(serialization.Encoding.PEM).decode("ascii"))