def generate_certificate(subject: x509.Name, issuer: x509.Name, subject_public_key: RSAPublicKey, issuer_private_key: RSAPrivateKey, serial_number: int = None, if_ca: bool = True, duration: int = 3650, path_length: int = 2) -> Certificate: """Generate certificate. :param subject: subject name that the CA issues the certificate to :param issuer: issuer name that issued the certificate :param subject_public_key: RSA public key of subject :param issuer_private_key: RSA private key of issuer :param serial_number: certificate serial number, if not specified, random serial number will be set :param if_ca: true if the certificate can sign certificates, none otherwise :param duration: how long the certificate will be valid (in days) :param path_length: The maximum path length for certificates subordinate to this certificate. :return: certificate """ crt = x509.CertificateBuilder( subject_name=subject, issuer_name=issuer, not_valid_before=datetime.utcnow(), not_valid_after=datetime.utcnow() + timedelta(days=duration), public_key=subject_public_key, extensions=[], serial_number=serial_number or x509.random_serial_number()) crt = crt.add_extension(x509.BasicConstraints( ca=if_ca, path_length=path_length if if_ca else None), critical=True) return crt.sign(issuer_private_key, hashes.SHA256(), default_backend())
def validate_certificate(subject_certificate: Certificate, issuer_certificate: Certificate) -> bool: """Validate certificate. :param subject_certificate: subject's certificate :param issuer_certificate: issuer's certificate :raises SPSDKError: Unsupported key type in Certificate :return: true/false whether certificate is valid or not """ issuer_pub_key = get_public_key_from_certificate(issuer_certificate) cert_to_check = x509.load_pem_x509_certificate( convert_certificate_into_bytes(subject_certificate), default_backend() ) try: if isinstance(issuer_pub_key, rsa.RSAPublicKey): assert cert_to_check.signature_hash_algorithm issuer_pub_key.verify( cert_to_check.signature, cert_to_check.tbs_certificate_bytes, padding.PKCS1v15(), cert_to_check.signature_hash_algorithm, ) return True raise SPSDKError(f"Certificate validation for {type(issuer_pub_key)} is not supported") except InvalidSignature: return False
def generate_rsa_private_key(key_size: int = 2048, exponent: int = 65537) -> RSAPrivateKeyWithSerialization: """Generate RSA private key. :param key_size: key size in bits; must be >= 512 :param exponent: public exponent; must be >= 3 and odd :return: RSA private key with serialization """ return rsa.generate_private_key(backend=default_backend(), public_exponent=exponent, key_size=key_size)
def generate_ecc_private_key(curve_name: str) -> EllipticCurvePrivateKeyWithSerialization: """Generate ECC private key. :param curve_name: name of curve :return: ECC private key """ curve_obj = get_ec_curve_object(curve_name) return ec.generate_private_key(curve_obj, default_backend()) # type: ignore
def solve(certificate_data: bytes) -> Certificate: """Determine the type of data and perform loading based on data type. :param certificate_data: given certificate data :return: loaded certificate """ return { Encoding.PEM: load_pem_x509_certificate, Encoding.DER: load_der_x509_certificate }[real_encoding](certificate_data, default_backend())
def solve(key_data: bytes) -> PublicKey: """Determine the type of data and perform loading based on data type. :param key_data: given public keys data :return: loaded public key """ return { Encoding.PEM: load_pem_public_key, Encoding.DER: load_der_public_key }[real_encoding](key_data, default_backend())
def solve(key_data: bytes) -> PrivateKey: """Determine the type of data and perform loading based on data type. :param key_data: given private keys data :return: loaded private key """ return { # type: ignore Encoding.PEM: load_pem_private_key, Encoding.DER: load_der_private_key, }[real_encoding](key_data, password, default_backend())
def generate_ecc_private_key(curve_name: str = 'P-256') -> EllipticCurvePrivateKeyWithSerialization: """Generate ECC private key. :param curve_name: name of curve; currently supported: P-256, P-384, P-521 :return: ECC private key """ curve_obj = { 'P-256': ec.SECP256R1(), 'P-384': ec.SECP384R1(), 'P-521': ec.SECP521R1() }[curve_name] return ec.generate_private_key(curve_obj, default_backend()) # type: ignore
def validate_certificate(subject_certificate: Certificate, issuer_certificate: Certificate) -> bool: """Validate certificate. :param subject_certificate: subject's certificate :param issuer_certificate: issuer's certificate :return: true/false whether certificate is valid or not """ issuer_pub_key = get_public_key_from_certificate(issuer_certificate) cert_to_check = x509.load_pem_x509_certificate( convert_certificate_into_bytes(subject_certificate), default_backend()) try: issuer_pub_key.verify(cert_to_check.signature, cert_to_check.tbs_certificate_bytes, padding.PKCS1v15(), cert_to_check.signature_hash_algorithm) except InvalidSignature: return False else: return True