#import cryptography
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime
#c=u"GB"
#st=u"England"
#l=u"Manchester"
#o=u'Jisc'
#ou=u''
#servername = u"jadzia.mcc.ac.uk"
#crldp=u'http://somewhere.example.com/awebserver'
#passphrase=b'somethingsecure'
def gen_cakey():
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
return key
def write_key_encrypted(filename,key,passphrase):
with open(filename, "wb") as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
))
def output_key_encrypted(key,passphrase):
return key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
)
def write_key(filename,key):
with open(filename, "wb") as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
def output_key(key):
return key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
def build_name(c,st,l,o,ou,cn):
array = []
if (c):
array.append(x509.NameAttribute(NameOID.COUNTRY_NAME,c))
if (st):
array.append(x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,st))
if (l):
array.append(x509.NameAttribute(NameOID.LOCALITY_NAME,l))
if (o):
array.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME,o))
if (ou):
array.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,ou))
if (cn):
array.append(x509.NameAttribute(NameOID.COMMON_NAME,cn))
return x509.Name(array)
def build_rootca(key,subject,issuer,duration):
cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=duration)
).add_extension(
# x509.AuthorityKeyIdentifier(public_key,[x509.DirectoryName(caissuer)],caserial),
x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
critical=False,
).add_extension(
x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
critical=False,
).add_extension(
x509.BasicConstraints(True,None),
critical=True,
).sign(key, hashes.SHA256(), default_backend())
return cert
def build_servercert(key,root,csr,name,crldp,duration):
builder = x509.CertificateBuilder().subject_name(
csr.subject
).issuer_name(
root.issuer
).public_key(
csr.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=duration)
).add_extension(
x509.KeyUsage(True,True,True,False,False,False,False,False,False),
critical=True,
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(name)]),
critical=False,
).add_extension(
x509.BasicConstraints(False,None),
critical=True,
).add_extension(
x509.ExtendedKeyUsage([x509.ExtendedKeyUsageOID.SERVER_AUTH]),
critical=False,
).add_extension(
x509.AuthorityKeyIdentifier.from_issuer_public_key(root.public_key()),
critical=False,
).add_extension(
x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
critical=False,
)
if ( crldp ):
builder = builder.add_extension(
x509.CRLDistributionPoints(
[x509.DistributionPoint(
[x509.UniformResourceIdentifier(crldp)],
None,
None,
None
)
]
),
critical=False,
)
cert = builder.sign(key, hashes.SHA256(), default_backend())
return cert
def build_csr(key,subject,name):
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name(
subject
)).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(name),
]),
critical=False,
# Sign the CSR with our private key.
).sign(key, hashes.SHA256(), default_backend())
return csr
def build_crl(key,issuer,duration):
builder = x509.CertificateRevocationListBuilder()
builder = builder.issuer_name(issuer)
builder = builder.last_update(datetime.datetime.today())
builder = builder.next_update(datetime.datetime.today() + datetime.timedelta(days=duration))
revoked_cert = x509.RevokedCertificateBuilder().serial_number(
x509.random_serial_number()
).revocation_date(
datetime.datetime.today()
).build(default_backend())
# builder = builder.add_revoked_certificate(revoked_cert)
crl = builder.sign(
private_key=key, algorithm=hashes.SHA256(),
backend=default_backend()
)
return crl
def write_cert(filename,cert):
with open(filename, "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
def output_cert(cert):
return cert.public_bytes(serialization.Encoding.PEM)