demo/secure_element/resources/generation_scripts/create_server

 from __future__ import print_function
 import datetime
 import traceback
 import optparse
 
 from secure_element_common import *
 
 
 
 ''' ******************************************************************************************* '''
 def create_server_cert(hostname):
     print('\nLoading server CA CSR')
     if not os.path.isfile(CREDENTIAL_PATH(SERVER_CSR_FILENAME)):
         generate_server_csr(hostname)
     
     with open(CREDENTIAL_PATH(SERVER_CSR_FILENAME), 'rb') as f:
         print('    Loading from ' + f.name)
         server_csr = x509.load_pem_x509_csr(f.read(), crypto_be)
     
     if not server_csr.is_signature_valid:
         raise RuntimeError('Server CA CSR has invalid signature.')
 
     print('\nLoading root CA key')
     if not os.path.isfile(CREDENTIAL_PATH(ROOT_CA_KEY_FILENAME)):
         raise Exception('Failed to find root CA key file, ' + ROOT_CA_KEY_FILENAME + '. Have you run the script: ca_create_root.py first?')
    
     with open(CREDENTIAL_PATH(ROOT_CA_KEY_FILENAME), 'rb') as f:
         print('    Loading from ' + f.name)
         root_ca_priv_key = serialization.load_pem_private_key(
             data=f.read(),
             password=None,
             backend=crypto_be)
 
     print('\nLoading root CA certificate')
     if not os.path.isfile(CREDENTIAL_PATH(ROOT_CA_CERT_FILENAME)):
         raise Exception('Failed to find root CA certificate file, ' + ROOT_CA_CERT_FILENAME + '. Have you run the script: ca_create_root.py first?')
     
     with open(CREDENTIAL_PATH(ROOT_CA_CERT_FILENAME), 'rb') as f:
         print('    Loading from ' + f.name)
         root_ca_cert = x509.load_pem_x509_certificate(f.read(), crypto_be)
 
     # Create signer CA certificate
     print('\nGenerating server certificate from CSR')
     builder = x509.CertificateBuilder()
     builder = builder.serial_number(random_cert_sn(16))
     builder = builder.issuer_name(root_ca_cert.subject)
     builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc))
     builder = builder.not_valid_after(builder._not_valid_before.replace(year=builder._not_valid_before.year + 10))
     builder = builder.subject_name(server_csr.subject)
     builder = builder.public_key(server_csr.public_key())
     builder = add_extensions(
         builder=builder,
         authority_cert=root_ca_cert)
     # Sign signer certificate with root
     server_cert = builder.sign(
         private_key=root_ca_priv_key,
         algorithm=hashes.SHA256(),
         backend=crypto_be)
 
     # Write server certificate to file
     with open(CREDENTIAL_PATH(SERVER_CERT_FILENAME), 'wb') as f:
         print('    Saving to ' + f.name)
         f.write(server_cert.public_bytes(encoding=serialization.Encoding.PEM))
         
         
     with open(CREDENTIAL_PATH(SERVER_CERT_CHAIN_FILENAME), 'wb') as dst:
         print('    Saving certificate chain to ' + f.name)
         with open(CREDENTIAL_PATH(ROOT_CA_CERT_FILENAME), 'rb') as src:
             dst.write(src.read())
         with open(CREDENTIAL_PATH(SERVER_CERT_FILENAME), 'rb') as src:
             dst.write(src.read())
 
 
     print('\nDone')
 
 
 ''' ******************************************************************************************* '''
 def generate_server_csr(hostname):
     # Load or create a server cert key pair
     print('\nLoading server cert key')
     server_priv_key = load_or_create_key(SERVER_KEY_FILENAME)
 
     print('\nGenerating server CSR')
     
     name = x509.Name([
         x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, u'Example Inc'),
         x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, unicode(hostname))
     ])
     
     builder = x509.CertificateSigningRequestBuilder()
     builder = builder.subject_name(name)
     server_csr = builder.sign(
         private_key=server_priv_key,
         algorithm=hashes.SHA256(),
         backend=crypto_be)
 
     # Save CSR
     with open(CREDENTIAL_PATH(SERVER_CSR_FILENAME), 'wb') as f:
         print('    Saving to ' + f.name)
         f.write(server_csr.public_bytes(encoding=serialization.Encoding.PEM))
 
 
 
 ''' ******************************************************************************************* '''
 def add_extensions(builder, public_key=None, authority_cert=None):
     if public_key == None:
         public_key = builder._public_key # Public key not specified, assume its in the builder (cert builder)
     
     builder = builder.add_extension(
         x509.BasicConstraints(ca=True, path_length=0),
         critical=True)
 
     builder = builder.add_extension(
         x509.KeyUsage(
             digital_signature=True,
             content_commitment=False,
             key_encipherment=False,
             data_encipherment=False,
             key_agreement=False,
             key_cert_sign=True,
             crl_sign=True,
             encipher_only=False,
             decipher_only=False),
         critical=True)
 
     builder = builder.add_extension(
         x509.SubjectKeyIdentifier.from_public_key(public_key),
         critical=False)
     subj_key_id_ext = builder._extensions[-1] # Save newly created subj key id extension
 
     if authority_cert:
         # We have an authority certificate, use its subject key id
         builder = builder.add_extension(
             x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
                 authority_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)),
             critical=False)
     else:
         # No authority cert, assume this is a CSR and just use its own subject key id
         builder = builder.add_extension(
             x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(subj_key_id_ext),
             critical=False)
     
     return builder
 
 
 
 
 
 ''' ******************************************************************************************* '''
 if __name__ == '__main__':
     parser = optparse.OptionParser(description='Generates a server certificate for local testing')
     parser.add_option('--hostname',
                       help="Required, Hostname of local testing server, typically this should be your computer's IP address. NOTE: You can also update your computer's 'hosts' file to use a domain")
 
     options, _ = parser.parse_args()
     
     if not options.hostname:
         raise Exception('Must provide --hostname argument')
     
     try:
         create_server_cert(options.hostname)
     except Exception as e:
         traceback.print_exc()
         print(e)
 
 
demo/secure_element/resources/generation_scripts/create_server_cert.py
