def generate_certificate(subject: x509.Name,
issuer: x509.Name,
subject_public_key: RSAPublicKey,
issuer_private_key: RSAPrivateKey,
serial_number: int = None,
if_ca: bool = True,
duration: int = 3650,
path_length: int = 2) -> Certificate:
"""Generate certificate.
:param subject: subject name that the CA issues the certificate to
:param issuer: issuer name that issued the certificate
:param subject_public_key: RSA public key of subject
:param issuer_private_key: RSA private key of issuer
:param serial_number: certificate serial number, if not specified, random serial number will be set
:param if_ca: true if the certificate can sign certificates, none otherwise
:param duration: how long the certificate will be valid (in days)
:param path_length: The maximum path length for certificates subordinate to this certificate.
:return: certificate
"""
crt = x509.CertificateBuilder(
subject_name=subject,
issuer_name=issuer,
not_valid_before=datetime.utcnow(),
not_valid_after=datetime.utcnow() + timedelta(days=duration),
public_key=subject_public_key,
extensions=[],
serial_number=serial_number or x509.random_serial_number())
crt = crt.add_extension(x509.BasicConstraints(
ca=if_ca, path_length=path_length if if_ca else None),
critical=True)
return crt.sign(issuer_private_key, hashes.SHA256(), default_backend())
def validate_certificate(subject_certificate: Certificate, issuer_certificate: Certificate) -> bool:
"""Validate certificate.
:param subject_certificate: subject's certificate
:param issuer_certificate: issuer's certificate
:raises SPSDKError: Unsupported key type in Certificate
:return: true/false whether certificate is valid or not
"""
issuer_pub_key = get_public_key_from_certificate(issuer_certificate)
cert_to_check = x509.load_pem_x509_certificate(
convert_certificate_into_bytes(subject_certificate), default_backend()
)
try:
if isinstance(issuer_pub_key, rsa.RSAPublicKey):
assert cert_to_check.signature_hash_algorithm
issuer_pub_key.verify(
cert_to_check.signature,
cert_to_check.tbs_certificate_bytes,
padding.PKCS1v15(),
cert_to_check.signature_hash_algorithm,
)
return True
raise SPSDKError(f"Certificate validation for {type(issuer_pub_key)} is not supported")
except InvalidSignature:
return False
def generate_rsa_private_key(key_size: int = 2048, exponent: int = 65537) -> RSAPrivateKeyWithSerialization:
"""Generate RSA private key.
:param key_size: key size in bits; must be >= 512
:param exponent: public exponent; must be >= 3 and odd
:return: RSA private key with serialization
"""
return rsa.generate_private_key(backend=default_backend(), public_exponent=exponent, key_size=key_size)
def generate_ecc_private_key(curve_name: str) -> EllipticCurvePrivateKeyWithSerialization:
"""Generate ECC private key.
:param curve_name: name of curve
:return: ECC private key
"""
curve_obj = get_ec_curve_object(curve_name)
return ec.generate_private_key(curve_obj, default_backend()) # type: ignore
def solve(certificate_data: bytes) -> Certificate:
"""Determine the type of data and perform loading based on data type.
:param certificate_data: given certificate data
:return: loaded certificate
"""
return {
Encoding.PEM: load_pem_x509_certificate,
Encoding.DER: load_der_x509_certificate
}[real_encoding](certificate_data, default_backend())
def solve(key_data: bytes) -> PublicKey:
"""Determine the type of data and perform loading based on data type.
:param key_data: given public keys data
:return: loaded public key
"""
return {
Encoding.PEM: load_pem_public_key,
Encoding.DER: load_der_public_key
}[real_encoding](key_data, default_backend())
def solve(key_data: bytes) -> PrivateKey:
"""Determine the type of data and perform loading based on data type.
:param key_data: given private keys data
:return: loaded private key
"""
return { # type: ignore
Encoding.PEM: load_pem_private_key,
Encoding.DER: load_der_private_key,
}[real_encoding](key_data, password, default_backend())
def generate_ecc_private_key(curve_name: str = 'P-256') -> EllipticCurvePrivateKeyWithSerialization:
"""Generate ECC private key.
:param curve_name: name of curve; currently supported: P-256, P-384, P-521
:return: ECC private key
"""
curve_obj = {
'P-256': ec.SECP256R1(),
'P-384': ec.SECP384R1(),
'P-521': ec.SECP521R1()
}[curve_name]
return ec.generate_private_key(curve_obj, default_backend()) # type: ignore
def validate_certificate(subject_certificate: Certificate,
issuer_certificate: Certificate) -> bool:
"""Validate certificate.
:param subject_certificate: subject's certificate
:param issuer_certificate: issuer's certificate
:return: true/false whether certificate is valid or not
"""
issuer_pub_key = get_public_key_from_certificate(issuer_certificate)
cert_to_check = x509.load_pem_x509_certificate(
convert_certificate_into_bytes(subject_certificate), default_backend())
try:
issuer_pub_key.verify(cert_to_check.signature,
cert_to_check.tbs_certificate_bytes,
padding.PKCS1v15(),
cert_to_check.signature_hash_algorithm)
except InvalidSignature:
return False
else:
return True
