mirror of https://github.com/OpenKMIP/PyKMIP.git
206 lines
6.4 KiB
Python
Executable File
206 lines
6.4 KiB
Python
Executable File
#!/usr/bin/env python
|
|
|
|
from cryptography import x509
|
|
from cryptography.hazmat import backends
|
|
from cryptography.hazmat.primitives import hashes
|
|
from cryptography.hazmat.primitives import serialization
|
|
from cryptography.hazmat.primitives.asymmetric import rsa
|
|
|
|
import datetime
|
|
|
|
|
|
def create_rsa_private_key(key_size=2048, public_exponent=65537):
|
|
private_key = rsa.generate_private_key(
|
|
public_exponent=public_exponent,
|
|
key_size=key_size,
|
|
backend=backends.default_backend()
|
|
)
|
|
return private_key
|
|
|
|
|
|
def create_self_signed_certificate(subject_name, private_key, days_valid=365):
|
|
subject = x509.Name([
|
|
x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Test, Inc."),
|
|
x509.NameAttribute(x509.NameOID.COMMON_NAME, subject_name)
|
|
])
|
|
certificate = x509.CertificateBuilder().subject_name(
|
|
subject
|
|
).issuer_name(
|
|
subject
|
|
).public_key(
|
|
private_key.public_key()
|
|
).serial_number(
|
|
x509.random_serial_number()
|
|
).add_extension(
|
|
x509.BasicConstraints(ca=True, path_length=None), critical=True
|
|
).not_valid_before(
|
|
datetime.datetime.utcnow()
|
|
).not_valid_after(
|
|
datetime.datetime.utcnow() + datetime.timedelta(days=days_valid)
|
|
).sign(private_key, hashes.SHA256(), backends.default_backend())
|
|
|
|
return certificate
|
|
|
|
|
|
def create_certificate(subject_name,
|
|
private_key,
|
|
signing_certificate,
|
|
signing_key,
|
|
days_valid=365,
|
|
client_auth=False):
|
|
subject = x509.Name([
|
|
x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Test, Inc."),
|
|
x509.NameAttribute(x509.NameOID.COMMON_NAME, subject_name)
|
|
])
|
|
builder = x509.CertificateBuilder().subject_name(
|
|
subject
|
|
).issuer_name(
|
|
signing_certificate.subject
|
|
).public_key(
|
|
private_key.public_key()
|
|
).serial_number(
|
|
x509.random_serial_number()
|
|
).not_valid_before(
|
|
datetime.datetime.utcnow()
|
|
).not_valid_after(
|
|
datetime.datetime.utcnow() + datetime.timedelta(days=days_valid)
|
|
)
|
|
|
|
if client_auth:
|
|
builder = builder.add_extension(
|
|
x509.ExtendedKeyUsage([x509.ExtendedKeyUsageOID.CLIENT_AUTH]),
|
|
critical=True
|
|
)
|
|
|
|
certificate = builder.sign(
|
|
signing_key,
|
|
hashes.SHA256(),
|
|
backends.default_backend()
|
|
)
|
|
return certificate
|
|
|
|
|
|
def main():
|
|
root_key = create_rsa_private_key()
|
|
root_certificate = create_self_signed_certificate(
|
|
u"Root CA",
|
|
root_key
|
|
)
|
|
|
|
server_key = create_rsa_private_key()
|
|
server_certificate = create_certificate(
|
|
u"Server Certificate",
|
|
server_key,
|
|
root_certificate,
|
|
root_key
|
|
)
|
|
|
|
john_doe_client_key = create_rsa_private_key()
|
|
john_doe_client_certificate = create_certificate(
|
|
u"John Doe",
|
|
john_doe_client_key,
|
|
root_certificate,
|
|
root_key,
|
|
client_auth=True
|
|
)
|
|
jane_doe_client_key = create_rsa_private_key()
|
|
jane_doe_client_certificate = create_certificate(
|
|
u"Jane Doe",
|
|
jane_doe_client_key,
|
|
root_certificate,
|
|
root_key,
|
|
client_auth=True
|
|
)
|
|
john_smith_client_key = create_rsa_private_key()
|
|
john_smith_client_certificate = create_certificate(
|
|
u"John Smith",
|
|
john_smith_client_key,
|
|
root_certificate,
|
|
root_key,
|
|
client_auth=True
|
|
)
|
|
jane_smith_client_key = create_rsa_private_key()
|
|
jane_smith_client_certificate = create_certificate(
|
|
u"Jane Smith",
|
|
jane_smith_client_key,
|
|
root_certificate,
|
|
root_key,
|
|
)
|
|
|
|
with open("root_key.pem", "wb") as f:
|
|
f.write(root_key.private_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
encryption_algorithm=serialization.NoEncryption()
|
|
))
|
|
with open("root_certificate.pem", "wb") as f:
|
|
f.write(
|
|
root_certificate.public_bytes(
|
|
serialization.Encoding.PEM
|
|
)
|
|
)
|
|
with open("server_key.pem", "wb") as f:
|
|
f.write(server_key.private_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
encryption_algorithm=serialization.NoEncryption()
|
|
))
|
|
with open("server_certificate.pem", "wb") as f:
|
|
f.write(
|
|
server_certificate.public_bytes(
|
|
serialization.Encoding.PEM
|
|
)
|
|
)
|
|
with open("client_key_john_doe.pem", "wb") as f:
|
|
f.write(john_doe_client_key.private_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
encryption_algorithm=serialization.NoEncryption()
|
|
))
|
|
with open("client_certificate_john_doe.pem", "wb") as f:
|
|
f.write(
|
|
john_doe_client_certificate.public_bytes(
|
|
serialization.Encoding.PEM
|
|
)
|
|
)
|
|
with open("client_key_jane_doe.pem", "wb") as f:
|
|
f.write(jane_doe_client_key.private_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
encryption_algorithm=serialization.NoEncryption()
|
|
))
|
|
with open("client_certificate_jane_doe.pem", "wb") as f:
|
|
f.write(
|
|
jane_doe_client_certificate.public_bytes(
|
|
serialization.Encoding.PEM
|
|
)
|
|
)
|
|
with open("client_key_john_smith.pem", "wb") as f:
|
|
f.write(john_smith_client_key.private_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
encryption_algorithm=serialization.NoEncryption()
|
|
))
|
|
with open("client_certificate_john_smith.pem", "wb") as f:
|
|
f.write(
|
|
john_smith_client_certificate.public_bytes(
|
|
serialization.Encoding.PEM
|
|
)
|
|
)
|
|
with open("client_key_jane_smith.pem", "wb") as f:
|
|
f.write(jane_smith_client_key.private_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
encryption_algorithm=serialization.NoEncryption()
|
|
))
|
|
with open("client_certificate_jane_smith.pem", "wb") as f:
|
|
f.write(
|
|
jane_smith_client_certificate.public_bytes(
|
|
serialization.Encoding.PEM
|
|
)
|
|
)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|