1 from __future__
import print_function
6 from secure_element_common
import *
10 ''' ******************************************************************************************* ''' 11 def create_server_cert(hostname):
12 print(
'\nLoading server CA CSR')
13 if not os.path.isfile(CREDENTIAL_PATH(SERVER_CSR_FILENAME)):
14 generate_server_csr(hostname)
16 with open(CREDENTIAL_PATH(SERVER_CSR_FILENAME),
'rb')
as f:
17 print(
' Loading from ' + f.name)
18 server_csr = x509.load_pem_x509_csr(f.read(), crypto_be)
20 if not server_csr.is_signature_valid:
21 raise RuntimeError(
'Server CA CSR has invalid signature.')
23 print(
'\nLoading root CA key')
24 if not os.path.isfile(CREDENTIAL_PATH(ROOT_CA_KEY_FILENAME)):
25 raise Exception(
'Failed to find root CA key file, ' + ROOT_CA_KEY_FILENAME +
'. Have you run the script: ca_create_root.py first?')
27 with open(CREDENTIAL_PATH(ROOT_CA_KEY_FILENAME),
'rb')
as f:
28 print(
' Loading from ' + f.name)
29 root_ca_priv_key = serialization.load_pem_private_key(
34 print(
'\nLoading root CA certificate')
35 if not os.path.isfile(CREDENTIAL_PATH(ROOT_CA_CERT_FILENAME)):
36 raise Exception(
'Failed to find root CA certificate file, ' + ROOT_CA_CERT_FILENAME +
'. Have you run the script: ca_create_root.py first?')
38 with open(CREDENTIAL_PATH(ROOT_CA_CERT_FILENAME),
'rb')
as f:
39 print(
' Loading from ' + f.name)
40 root_ca_cert = x509.load_pem_x509_certificate(f.read(), crypto_be)
43 print(
'\nGenerating server certificate from CSR')
44 builder = x509.CertificateBuilder()
45 builder = builder.serial_number(random_cert_sn(16))
46 builder = builder.issuer_name(root_ca_cert.subject)
47 builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc))
48 builder = builder.not_valid_after(builder._not_valid_before.replace(year=builder._not_valid_before.year + 10))
49 builder = builder.subject_name(server_csr.subject)
50 builder = builder.public_key(server_csr.public_key())
51 builder = add_extensions(
53 authority_cert=root_ca_cert)
55 server_cert = builder.sign(
56 private_key=root_ca_priv_key,
57 algorithm=hashes.SHA256(),
61 with open(CREDENTIAL_PATH(SERVER_CERT_FILENAME),
'wb')
as f:
62 print(
' Saving to ' + f.name)
63 f.write(server_cert.public_bytes(encoding=serialization.Encoding.PEM))
66 with open(CREDENTIAL_PATH(SERVER_CERT_CHAIN_FILENAME),
'wb')
as dst:
67 print(
' Saving certificate chain to ' + f.name)
68 with open(CREDENTIAL_PATH(ROOT_CA_CERT_FILENAME),
'rb')
as src:
70 with open(CREDENTIAL_PATH(SERVER_CERT_FILENAME),
'rb')
as src:
77 ''' ******************************************************************************************* ''' 78 def generate_server_csr(hostname):
80 print(
'\nLoading server cert key')
81 server_priv_key = load_or_create_key(SERVER_KEY_FILENAME)
83 print(
'\nGenerating server CSR')
86 x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME,
u'Example Inc'),
87 x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, unicode(hostname))
90 builder = x509.CertificateSigningRequestBuilder()
91 builder = builder.subject_name(name)
92 server_csr = builder.sign(
93 private_key=server_priv_key,
94 algorithm=hashes.SHA256(),
98 with open(CREDENTIAL_PATH(SERVER_CSR_FILENAME),
'wb')
as f:
99 print(
' Saving to ' + f.name)
100 f.write(server_csr.public_bytes(encoding=serialization.Encoding.PEM))
104 ''' ******************************************************************************************* ''' 105 def add_extensions(builder, public_key=None, authority_cert=None):
106 if public_key ==
None:
107 public_key = builder._public_key
109 builder = builder.add_extension(
110 x509.BasicConstraints(ca=
True, path_length=0),
113 builder = builder.add_extension(
115 digital_signature=
True,
116 content_commitment=
False,
117 key_encipherment=
False,
118 data_encipherment=
False,
123 decipher_only=
False),
126 builder = builder.add_extension(
127 x509.SubjectKeyIdentifier.from_public_key(public_key),
129 subj_key_id_ext = builder._extensions[-1]
133 builder = builder.add_extension(
134 x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
135 authority_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)),
139 builder = builder.add_extension(
140 x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(subj_key_id_ext),
149 ''' ******************************************************************************************* ''' 150 if __name__ ==
'__main__':
151 parser = optparse.OptionParser(description=
'Generates a server certificate for local testing')
152 parser.add_option(
'--hostname',
153 help=
"Required, Hostname of local testing server, typically this should be your computer's IP address. NOTE: You can also update your computer's 'hosts' file to use a domain")
155 options, _ = parser.parse_args()
157 if not options.hostname:
158 raise Exception(
'Must provide --hostname argument')
161 create_server_cert(options.hostname)
162 except Exception
as e:
163 traceback.print_exc()