| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203 |
- #import cryptography
- from cryptography.hazmat.backends import default_backend
- from cryptography.hazmat.primitives import serialization
- from cryptography.hazmat.primitives.asymmetric import rsa
- from cryptography import x509
- from cryptography.x509.oid import NameOID
- from cryptography.hazmat.primitives import hashes
- import datetime
- #c=u"GB"
- #st=u"England"
- #l=u"Manchester"
- #o=u'Jisc'
- #ou=u''
- #servername = u"jadzia.mcc.ac.uk"
- #crldp=u'http://somewhere.example.com/awebserver'
- #passphrase=b'somethingsecure'
- def gen_cakey():
- key = rsa.generate_private_key(
- public_exponent=65537,
- key_size=2048,
- backend=default_backend()
- )
- return key
- def write_key_encrypted(filename,key,passphrase):
- with open(filename, "wb") as f:
- f.write(key.private_bytes(
- encoding=serialization.Encoding.PEM,
- format=serialization.PrivateFormat.TraditionalOpenSSL,
- encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
- ))
- def output_key_encrypted(key,passphrase):
- return key.private_bytes(
- encoding=serialization.Encoding.PEM,
- format=serialization.PrivateFormat.TraditionalOpenSSL,
- encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
- )
- def write_key(filename,key):
- with open(filename, "wb") as f:
- f.write(key.private_bytes(
- encoding=serialization.Encoding.PEM,
- format=serialization.PrivateFormat.TraditionalOpenSSL,
- encryption_algorithm=serialization.NoEncryption(),
- ))
- def output_key(key):
- return key.private_bytes(
- encoding=serialization.Encoding.PEM,
- format=serialization.PrivateFormat.TraditionalOpenSSL,
- encryption_algorithm=serialization.NoEncryption(),
- )
- def build_name(c,st,l,o,ou,cn):
- array = []
- if (c):
- array.append(x509.NameAttribute(NameOID.COUNTRY_NAME,c))
- if (st):
- array.append(x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,st))
- if (l):
- array.append(x509.NameAttribute(NameOID.LOCALITY_NAME,l))
- if (o):
- array.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME,o))
- if (ou):
- array.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,ou))
- if (cn):
- array.append(x509.NameAttribute(NameOID.COMMON_NAME,cn))
- return x509.Name(array)
- def build_rootca(key,subject,issuer,duration):
- cert = x509.CertificateBuilder().subject_name(
- subject
- ).issuer_name(
- issuer
- ).public_key(
- key.public_key()
- ).serial_number(
- x509.random_serial_number()
- ).not_valid_before(
- datetime.datetime.utcnow()
- ).not_valid_after(
- datetime.datetime.utcnow() + datetime.timedelta(days=duration)
- ).add_extension(
- # x509.AuthorityKeyIdentifier(public_key,[x509.DirectoryName(caissuer)],caserial),
- x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
- critical=False,
- ).add_extension(
- x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
- critical=False,
- ).add_extension(
- x509.BasicConstraints(True,None),
- critical=True,
- ).sign(key, hashes.SHA256(), default_backend())
- return cert
- def build_servercert(key,root,csr,name,crldp,duration):
- builder = x509.CertificateBuilder().subject_name(
- csr.subject
- ).issuer_name(
- root.issuer
- ).public_key(
- csr.public_key()
- ).serial_number(
- x509.random_serial_number()
- ).not_valid_before(
- datetime.datetime.utcnow()
- ).not_valid_after(
- datetime.datetime.utcnow() + datetime.timedelta(days=duration)
- ).add_extension(
- x509.KeyUsage(True,True,True,False,False,False,False,False,False),
- critical=True,
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(name)]),
- critical=False,
- ).add_extension(
- x509.BasicConstraints(False,None),
- critical=True,
- ).add_extension(
- x509.ExtendedKeyUsage([x509.ExtendedKeyUsageOID.SERVER_AUTH]),
- critical=False,
- ).add_extension(
- x509.AuthorityKeyIdentifier.from_issuer_public_key(root.public_key()),
- critical=False,
- ).add_extension(
- x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
- critical=False,
- )
-
- if ( crldp ):
- builder = builder.add_extension(
- x509.CRLDistributionPoints(
- [x509.DistributionPoint(
- [x509.UniformResourceIdentifier(crldp)],
- None,
- None,
- None
- )
- ]
- ),
- critical=False,
- )
-
- cert = builder.sign(key, hashes.SHA256(), default_backend())
- return cert
- def build_csr(key,subject,name):
- csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name(
- subject
- )).add_extension(
- x509.SubjectAlternativeName([
- x509.DNSName(name),
- ]),
- critical=False,
- # Sign the CSR with our private key.
- ).sign(key, hashes.SHA256(), default_backend())
-
- return csr
- def build_crl(key,issuer,duration):
- builder = x509.CertificateRevocationListBuilder()
- builder = builder.issuer_name(issuer)
- builder = builder.last_update(datetime.datetime.today())
- builder = builder.next_update(datetime.datetime.today() + datetime.timedelta(days=duration))
-
- revoked_cert = x509.RevokedCertificateBuilder().serial_number(
- x509.random_serial_number()
- ).revocation_date(
- datetime.datetime.today()
- ).build(default_backend())
- # builder = builder.add_revoked_certificate(revoked_cert)
- crl = builder.sign(
- private_key=key, algorithm=hashes.SHA256(),
- backend=default_backend()
- )
- return crl
-
- def write_cert(filename,cert):
- with open(filename, "wb") as f:
- f.write(cert.public_bytes(serialization.Encoding.PEM))
- def output_cert(cert):
- return cert.public_bytes(serialization.Encoding.PEM)
|
