Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
x509.NameAttribute(NameOID.TITLE, u'Title IX'),
x509.NameAttribute(NameOID.TITLE, u'Title X'),
x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
]
cert = _load_cert(
os.path.join(
"x509", "custom",
"all_supported_names.pem"
),
x509.load_pem_x509_certificate,
backend
)
issuer = cert.issuer
assert isinstance(issuer, x509.Name)
assert list(issuer) == [
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
x509.NameAttribute(NameOID.TITLE, u'Title 0'),
x509.NameAttribute(NameOID.TITLE, u'Title 1'),
x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
def test_revoked_extensions(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
backend
)
exp_issuer = x509.GeneralNames([
x509.DirectoryName(x509.Name([
x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
]))
])
# First revoked cert doesn't have extensions, test if it is handled
# correctly.
rev0 = crl[0]
# It should return an empty Extensions object.
assert isinstance(rev0.extensions, x509.Extensions)
assert len(rev0.extensions) == 0
with pytest.raises(x509.ExtensionNotFound):
rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
with pytest.raises(x509.ExtensionNotFound):
rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
with pytest.raises(x509.ExtensionNotFound):
rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
def _parse_nameattr(self, av):
"""Parse an X.509 name attribute/value pair"""
try:
attr, value = av.split('=', 1)
except ValueError:
raise ValueError('Invalid X.509 name attribute: ' + av) from None
try:
attr = attr.strip()
oid = self._to_oid.get(attr) or x509.ObjectIdentifier(attr)
except ValueError:
raise ValueError('Unknown X.509 attribute: ' + attr) from None
return x509.NameAttribute(oid, self._unescape.sub(r'\1', value))
def create_csr(**csr_config):
"""
Given a list of domains create the appropriate csr
for those domains
:param csr_config:
"""
private_key = generate_private_key(csr_config.get("key_type"))
builder = x509.CertificateSigningRequestBuilder()
name_list = [x509.NameAttribute(x509.OID_COMMON_NAME, csr_config["common_name"])]
if current_app.config.get("LEMUR_OWNER_EMAIL_IN_SUBJECT", True):
name_list.append(
x509.NameAttribute(x509.OID_EMAIL_ADDRESS, csr_config["owner"])
)
if "organization" in csr_config and csr_config["organization"].strip():
name_list.append(
x509.NameAttribute(x509.OID_ORGANIZATION_NAME, csr_config["organization"])
)
if (
"organizational_unit" in csr_config
and csr_config["organizational_unit"].strip()
):
name_list.append(
x509.NameAttribute(
x509.OID_ORGANIZATIONAL_UNIT_NAME, csr_config["organizational_unit"]
)
)
if "country" in csr_config and csr_config["country"].strip():
name_list.append(
def MakeCASignedCert(common_name,
private_key,
ca_cert,
ca_private_key,
serial_number=2):
"""Make a cert and sign it with the CA's private key."""
public_key = private_key.GetPublicKey()
builder = x509.CertificateBuilder()
builder = builder.issuer_name(ca_cert.GetIssuer())
subject = x509.Name(
[x509.NameAttribute(oid.NameOID.COMMON_NAME, common_name)])
builder = builder.subject_name(subject)
valid_from = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration.From(
1, rdfvalue.DAYS)
valid_until = rdfvalue.RDFDatetime.Now() + rdfvalue.Duration.From(
3650, rdfvalue.DAYS)
builder = builder.not_valid_before(valid_from.AsDatetime())
builder = builder.not_valid_after(valid_until.AsDatetime())
builder = builder.serial_number(serial_number)
builder = builder.public_key(public_key.GetRawPublicKey())
builder = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True)
certificate = builder.sign(
private_key=ca_private_key.GetRawPrivateKey(),
from cryptography.hazmat.primitives import hashes
with open("/tmp/acme.key", "rb") as key_file:
private_key = serialization.load_pem_private_key(
key_file.read(),
password=None,
backend=default_backend()
)
# Generate a CSR
csr = x509.CertificateSigningRequestBuilder()
csr = csr.subject_name(x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME, "AR"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "BA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, "Buenos Aires"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ACME CORP"),
x509.NameAttribute(NameOID.COMMON_NAME, "acme.com"),
])
)
# Sign the CSR with our private key.
csr = csr.sign(private_key, hashes.SHA256(), default_backend())
# Write our CSR out to disk.
with open("/tmp/acme.csr", "wb") as out:
out.write(csr.public_bytes(serialization.Encoding.PEM))
print('Created /tmp/acme.csr')
def generate_csr_and_key():
"""Return a dict with a new csr and key."""
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"admin"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"system:masters")
])).sign(key, hashes.SHA256(), default_backend())
result = {
'csr': csr.public_bytes(
encoding=serialization.Encoding.PEM).decode("utf-8"),
'key': key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()).decode("utf-8"),
}
return result
def __init__(self,
initializer=None,
common_name=None,
private_key=None,
age=None):
super(CertificateSigningRequest, self).__init__(
initializer=initializer, age=age)
if self._value is None:
if isinstance(initializer, x509.CertificateSigningRequest):
self._value = initializer
elif isinstance(initializer, string_types):
self.ParseFromString(initializer)
elif common_name and private_key:
self._value = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name(
[x509.NameAttribute(oid.NameOID.COMMON_NAME,
str(common_name))])).sign(
private_key.GetRawPrivateKey(),
hashes.SHA256(),
backend=openssl.backend)
elif initializer is not None:
raise rdfvalue.InitializeError("Cannot initialize %s from %s." %
(self.__class__, initializer))
unit (str): the unit for the CSR
name (str): the name for the CSR
key_usage (list): Key Usage parameters. Indices stand for:
[digital_signature, content_commitment, key_encipherment,
data_encipherment, key_agreement, key_cert_sign, crl_sign,
encipher_only, decipher_only]
Return:
ssl certificate object
"""
attributes = []
if country:
attributes.append(x509.NameAttribute(NameOID.COUNTRY_NAME, country))
if state_province:
attributes.append(x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,
state_province))
if locality:
attributes.append(x509.NameAttribute(NameOID.LOCALITY_NAME, locality))
if orga:
attributes.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, orga))
if unit:
attributes.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,
unit))
if name:
attributes.append(x509.NameAttribute(NameOID.COMMON_NAME, name))
subject = x509.Name(attributes)
cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(