Python源码示例:cryptography.x509.BasicConstraints()
示例1
def build_csr(self, hostname, **kwargs):
realm = self.plugin.ipa.env.realm
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(oid.NameOID.COMMON_NAME, hostname),
x509.NameAttribute(oid.NameOID.ORGANIZATION_NAME, realm),
])
)
build = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
)
build = builder.add_extension(
x509.ExtendedKeyUsage([TLS_SERVERAUTH]), critical=True
)
builder = build.add_extension(
x509.SubjectAlternativeName([x509.DNSName(hostname)]),
critical=False
)
return builder
# pylint: disable=arguments-differ
示例2
def create_cert_builder(subject, issuer_name, public_key, days=365, is_ca=False):
"""
The method to create a builder for all types of certificates.
:param subject: The subject of the certificate.
:param issuer_name: The name of the issuer.
:param public_key: The public key of the certificate.
:param days: The number of days for which the certificate is valid. The default is 1 year or 365 days.
:param is_ca: Boolean to indicate if a cert is ca or non ca.
:return: The certificate builder.
:rtype: :class `x509.CertificateBuilder`
"""
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
builder = builder.issuer_name(issuer_name)
builder = builder.public_key(public_key)
builder = builder.not_valid_before(datetime.today())
builder = builder.not_valid_after(datetime.today() + timedelta(days=days))
builder = builder.serial_number(int(uuid.uuid4()))
builder = builder.add_extension(
x509.BasicConstraints(ca=is_ca, path_length=None), critical=True
)
return builder
示例3
def create_self_signed_certificate(subject_name, private_key, days_valid=365):
subject = x509.Name([
x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Test, Inc."),
x509.NameAttribute(x509.NameOID.COMMON_NAME, subject_name)
])
certificate = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
subject
).public_key(
private_key.public_key()
).serial_number(
x509.random_serial_number()
).add_extension(
x509.BasicConstraints(ca=True, path_length=None), critical=True
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=days_valid)
).sign(private_key, hashes.SHA256(), backends.default_backend())
return certificate
示例4
def certificate(private_key: rsa.RSAPrivateKey) -> x509.Certificate:
b = x509.CertificateBuilder()
name = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Commandment"),
x509.NameAttribute(NameOID.COMMON_NAME, u"CA-CERTIFICATE"),
])
cer = b.subject_name(name).issuer_name(name).public_key(
private_key.public_key()
).serial_number(1).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=10)
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True
).sign(private_key, hashes.SHA256(), default_backend())
return cer
示例5
def ca_cert_builder(
public_key,
common_name="Root CA",
issuer=None,
basic_constraints=x509.BasicConstraints(
ca=True, path_length=None),
key_usage=cert_key_usage(
key_cert_sign=True),
subject_alternative_names=None,
not_valid_before=None,
not_valid_after=None,
valid_days=3650,
):
return cert_builder(
public_key=public_key,
common_name=common_name,
issuer=issuer,
basic_constraints=basic_constraints,
key_usage=key_usage,
subject_alternative_names=subject_alternative_names,
not_valid_before=not_valid_before,
not_valid_after=not_valid_after,
valid_days=valid_days,
)
示例6
def ca_cert_builder(
public_key,
common_name="Root CA",
issuer=None,
basic_constraints=x509.BasicConstraints(
ca=True, path_length=None),
key_usage=cert_key_usage(
key_cert_sign=True),
subject_alternative_names=None,
not_valid_before=None,
not_valid_after=None,
valid_days=3650,
):
return cert_builder(
public_key=public_key,
common_name=common_name,
issuer=issuer,
basic_constraints=basic_constraints,
key_usage=key_usage,
subject_alternative_names=subject_alternative_names,
not_valid_before=not_valid_before,
not_valid_after=not_valid_after,
valid_days=valid_days,
)
示例7
def _generate_csr(cls, cn, private_key, passphrase=None):
pk = serialization.load_pem_private_key(
data=private_key, password=passphrase,
backend=backends.default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn),
])
)
csr = csr.add_extension(
x509.BasicConstraints(
ca=False,
path_length=None
),
critical=True
)
csr = csr.add_extension(
x509.KeyUsage(
digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False
),
critical=True
)
csr = csr.add_extension(
x509.SubjectAlternativeName([x509.DNSName(cn)]),
critical=False
)
signed_csr = csr.sign(
pk,
getattr(hashes, CONF.certificates.signing_digest.upper())(),
backends.default_backend())
return signed_csr.public_bytes(serialization.Encoding.PEM)
示例8
def test_sign_cert(self):
# Attempt sign a cert
signed_cert = self.cert_generator.sign_cert(
csr=self.certificate_signing_request,
validity=2 * 365 * 24 * 60 * 60,
ca_cert=self.ca_certificate,
ca_key=self.ca_private_key,
ca_key_pass=self.ca_private_key_passphrase,
ca_digest=self.signing_digest
)
self.assertIn("-----BEGIN CERTIFICATE-----",
signed_cert.decode('ascii'))
# Load the cert for specific tests
cert = x509.load_pem_x509_certificate(
data=signed_cert, backend=backends.default_backend())
# Make sure expiry time is accurate
should_expire = (datetime.datetime.utcnow() +
datetime.timedelta(seconds=2 * 365 * 24 * 60 * 60))
diff = should_expire - cert.not_valid_after
self.assertLess(diff, datetime.timedelta(seconds=10))
# Make sure this is a version 3 X509.
self.assertEqual('v3', cert.version.name)
# Make sure this cert is marked as Server and Client Cert via the
# extended Key Usage extension
self.assertIn(x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
cert.extensions.get_extension_for_class(
x509.ExtendedKeyUsage).value._usages)
self.assertIn(x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH,
cert.extensions.get_extension_for_class(
x509.ExtendedKeyUsage).value._usages)
# Make sure this cert can't sign other certs
self.assertFalse(cert.extensions.get_extension_for_class(
x509.BasicConstraints).value.ca)
示例9
def certificate_template(
subject: x509.name.Name,
issuer: x509.name.Name,
public_key: x509.name.Name,
certauthority: bool = False,
) -> x509.base.CertificateBuilder:
if certauthority:
not_valid_after = datetime.datetime.utcnow() + datetime.timedelta(days=365 * 10)
else: # shorter valid length for on-the-fly certificates
not_valid_after = datetime.datetime.utcnow() + datetime.timedelta(days=7)
return (
x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(issuer)
.public_key(public_key)
.serial_number(x509.random_serial_number())
.not_valid_before(datetime.datetime.utcnow())
.not_valid_after(not_valid_after)
.add_extension(
x509.SubjectAlternativeName([x509.DNSName("localhost")]), critical=True
)
.add_extension(
x509.BasicConstraints(ca=certauthority, path_length=None), critical=True
)
)
示例10
def _decode_basic_constraints(backend, bc_st):
basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(
basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
)
# The byte representation of an ASN.1 boolean true is \xff. OpenSSL
# chooses to just map this to its ordinal value, so true is 255 and
# false is 0.
ca = basic_constraints.ca == 255
if basic_constraints.pathlen == backend._ffi.NULL:
path_length = None
else:
path_length = backend._asn1_integer_to_int(basic_constraints.pathlen)
return x509.BasicConstraints(ca, path_length)
示例11
def _decode_basic_constraints(backend, bc_st):
basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(
basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
)
# The byte representation of an ASN.1 boolean true is \xff. OpenSSL
# chooses to just map this to its ordinal value, so true is 255 and
# false is 0.
ca = basic_constraints.ca == 255
path_length = _asn1_integer_to_int_or_none(
backend, basic_constraints.pathlen
)
return x509.BasicConstraints(ca, path_length)
示例12
def _decode_basic_constraints(backend, bc_st):
basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(
basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
)
# The byte representation of an ASN.1 boolean true is \xff. OpenSSL
# chooses to just map this to its ordinal value, so true is 255 and
# false is 0.
ca = basic_constraints.ca == 255
path_length = _asn1_integer_to_int_or_none(
backend, basic_constraints.pathlen
)
return x509.BasicConstraints(ca, path_length)
示例13
def _decode_basic_constraints(backend, bc_st):
basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(
basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
)
# The byte representation of an ASN.1 boolean true is \xff. OpenSSL
# chooses to just map this to its ordinal value, so true is 255 and
# false is 0.
ca = basic_constraints.ca == 255
path_length = _asn1_integer_to_int_or_none(
backend, basic_constraints.pathlen
)
return x509.BasicConstraints(ca, path_length)
示例14
def _decode_basic_constraints(backend, bc_st):
basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(
basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
)
# The byte representation of an ASN.1 boolean true is \xff. OpenSSL
# chooses to just map this to its ordinal value, so true is 255 and
# false is 0.
ca = basic_constraints.ca == 255
path_length = _asn1_integer_to_int_or_none(
backend, basic_constraints.pathlen
)
return x509.BasicConstraints(ca, path_length)
示例15
def _generate_ca_cert(self):
"""
Generate a CA cert/key.
"""
if self._ca_key is None:
self._ca_key = generate_private_key(u'rsa')
self._ca_name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'ACME Snake Oil CA')])
self._ca_cert = (
x509.CertificateBuilder()
.subject_name(self._ca_name)
.issuer_name(self._ca_name)
.not_valid_before(self._now() - timedelta(seconds=3600))
.not_valid_after(self._now() + timedelta(days=3650))
.public_key(self._ca_key.public_key())
.serial_number(int(uuid4()))
.add_extension(
x509.BasicConstraints(ca=True, path_length=0),
critical=True)
.add_extension(
x509.SubjectKeyIdentifier.from_public_key(
self._ca_key.public_key()),
critical=False)
.sign(
private_key=self._ca_key,
algorithm=hashes.SHA256(),
backend=default_backend()))
self._ca_aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
self._ca_key.public_key())
示例16
def _decode_basic_constraints(backend, bc_st):
basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(
basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
)
# The byte representation of an ASN.1 boolean true is \xff. OpenSSL
# chooses to just map this to its ordinal value, so true is 255 and
# false is 0.
ca = basic_constraints.ca == 255
path_length = _asn1_integer_to_int_or_none(
backend, basic_constraints.pathlen
)
return x509.BasicConstraints(ca, path_length)
示例17
def _deserialize(self, value, attr, data):
ca = value.get("ca", False)
path_length = value.get("path_length", None)
if ca:
if not isinstance(path_length, (type(None), int)):
raise ValidationError(
"A CA certificate path_length (for BasicConstraints) must be None or an integer."
)
return x509.BasicConstraints(ca=True, path_length=path_length)
else:
return x509.BasicConstraints(ca=False, path_length=None)
示例18
def generate_selfsigned_cert(hostname="/CN=Chia Blockchain CA", key=None):
"""Generates self signed certificate for a hostname, and optional IP addresses."""
# Generate our key
if key is None:
key = rsa.generate_private_key(
public_exponent=65537, key_size=2048, backend=default_backend(),
)
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
# path_len=0 means this cert can only sign itself, not other certs.
basic_contraints = x509.BasicConstraints(ca=True, path_length=0)
now = datetime.utcnow()
cert = (
x509.CertificateBuilder()
.subject_name(name)
.issuer_name(name)
.public_key(key.public_key())
.serial_number(1000)
.not_valid_before(now)
.not_valid_after(now + timedelta(days=10 * 365))
.add_extension(basic_contraints, False)
.sign(key, hashes.SHA256(), default_backend())
)
cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM)
key_pem = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
return cert_pem.decode(), key_pem.decode()
示例19
def generate_cert(service, namespace, private_key):
name = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME,
"{0}.{1}.svc".format(service, namespace))
])
subj_alternative_names = x509.SubjectAlternativeName([
x509.DNSName("{0}".format(service)),
x509.DNSName("{0}.{1}".format(service, namespace)),
x509.DNSName("{0}.{1}.svc".format(service, namespace)),
])
constraints = x509.BasicConstraints(ca=True, path_length=None)
now = datetime.now()
cert_builder = x509.CertificateBuilder()
cert_builder = (cert_builder.subject_name(name)
.issuer_name(name)
.add_extension(subj_alternative_names, False)
.add_extension(constraints, False)
.not_valid_before(now)
.not_valid_after(now + timedelta(days=36500))
.public_key(private_key.public_key())
.serial_number(x509.random_serial_number()))
cert = cert_builder.sign(private_key, hashes.SHA256(), default_backend())
return cert
示例20
def _build_basic_constraints(self, ca=False, critical=False):
bc = c_x509.BasicConstraints(ca, None)
return c_x509.Extension(bc.oid, critical, bc)
示例21
def assertInClientExtensions(self, cert):
key_usage = c_x509.KeyUsage(True, False, True, False, False, False,
False, False, False)
key_usage = c_x509.Extension(key_usage.oid, True, key_usage)
extended_key_usage = c_x509.ExtendedKeyUsage([c_x509.OID_CLIENT_AUTH])
extended_key_usage = c_x509.Extension(extended_key_usage.oid, False,
extended_key_usage)
basic_constraints = c_x509.BasicConstraints(ca=False, path_length=None)
basic_constraints = c_x509.Extension(basic_constraints.oid, True,
basic_constraints)
self.assertIn(key_usage, cert.extensions)
self.assertIn(extended_key_usage, cert.extensions)
self.assertIn(basic_constraints, cert.extensions)
示例22
def test_generate_ca_certificate_set_extentions_as_ca(self):
cert, _ = self._generate_ca_certificate(self.issuer_name)
key_usage = c_x509.KeyUsage(False, False, False, False, False, True,
False, False, False)
key_usage = c_x509.Extension(key_usage.oid, True, key_usage)
basic_constraints = c_x509.BasicConstraints(ca=True, path_length=0)
basic_constraints = c_x509.Extension(basic_constraints.oid, True,
basic_constraints)
self.assertIn(key_usage, cert.extensions)
self.assertIn(basic_constraints, cert.extensions)
示例23
def _disallow_ca_in_basic_constraints(basic_constraints):
if basic_constraints.value.ca:
if basic_constraints.critical:
raise exception.CertificateValidationError(
extension=basic_constraints)
bc = x509.BasicConstraints(False, None)
return x509.Extension(bc.oid, False, bc)
return basic_constraints
示例24
def _build_client_extentions():
# Digital Signature and Key Encipherment are enabled
key_usage = x509.KeyUsage(True, False, True, False, False, False, False,
False, False)
key_usage = x509.Extension(key_usage.oid, True, key_usage)
extended_key_usage = x509.ExtendedKeyUsage([x509.OID_CLIENT_AUTH])
extended_key_usage = x509.Extension(extended_key_usage.oid, False,
extended_key_usage)
basic_constraints = x509.BasicConstraints(ca=False, path_length=None)
basic_constraints = x509.Extension(basic_constraints.oid, True,
basic_constraints)
return [key_usage, extended_key_usage, basic_constraints]
示例25
def build_dep_token_certificate(dep_token):
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'zentral-dep-token-{}'.format(dep_token.pk)),
]))
builder = builder.issuer_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'zentral'),
]))
now = timezone.now()
one_day = datetime.timedelta(days=1)
builder = builder.not_valid_before(now - one_day)
builder = builder.not_valid_after(now + 2 * one_day)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
)
certificate = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(),
backend=default_backend()
)
return certificate, private_key
示例26
def create(cls, common_name: str = 'COMMANDMENT-CA', key_size=2048):
ca = cls()
ca.common_name = common_name
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment')
])
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
backend=default_backend(),
)
ca.rsa_private_key = RSAPrivateKey.from_crypto(private_key)
db.session.add(ca.rsa_private_key)
certificate = x509.CertificateBuilder().subject_name(
name
).issuer_name(
name
).public_key(
private_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=365)
).add_extension(
x509.BasicConstraints(ca=True, path_length=None), True
).sign(private_key, hashes.SHA256(), default_backend())
ca_certificate_model = CACertificate.from_crypto(certificate)
ca_certificate_model.rsa_private_key = ca.rsa_private_key
ca.certificate = ca_certificate_model
db.session.add(ca)
db.session.commit()
return ca
示例27
def generate_signing_request(cn: str, dnsname: Optional[str] = None) -> (rsa.RSAPrivateKey, x509.CertificateSigningRequest):
"""Generate a Private Key + Certificate Signing Request using the given dnsname as the CN and SAN dNSName.
Args:
cn (str): The certificate common name
dnsname (str): The public facing dns name of the MDM server.
Returns:
Tuple of rsa private key, csr
"""
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend(),
)
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, cn),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment')
])
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(name)
if dnsname is not None:
san = x509.SubjectAlternativeName([
x509.DNSName(dnsname)
])
builder = builder.add_extension(san, critical=True)
builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
request = builder.sign(
private_key,
hashes.SHA256(),
default_backend()
)
return private_key, request
示例28
def extension_type(self):
return x509.BasicConstraints(ca=self.value['ca'], path_length=self.value['pathlen'])
示例29
def test_from_extension(self):
ext = x509.Extension(oid=x509.ExtensionOID.BASIC_CONSTRAINTS, critical=True,
value=x509.BasicConstraints(ca=True, path_length=3))
with self.assertRaises(NotImplementedError):
Extension(ext)
示例30
def test_setters(self):
ext = BasicConstraints({'value': {'ca': False, 'pathlen': None}})
self.assertFalse(ext.ca)
self.assertIsNone(ext.pathlen)
ext.ca = True
ext.pathlen = 3
self.assertTrue(ext.ca)
self.assertEqual(ext.pathlen, 3)
