Joe*_*son 8 python cryptography python-3.x
我正在创建一个像这样的 CA:
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.cert
这给了我两个 PEM 文件。
然后我调用这个函数,其中cert_authority和private_key是上面生成的数据的字符串。
def create_cert(cert_authority, private_key):
one_day = datetime.timedelta(1, 0, 0)
# Use our private key to generate a public key
private_key = serialization.load_pem_private_key(
private_key.encode("ascii"), password=None, backend=default_backend()
)
public_key = private_key.public_key()
ca = x509.load_pem_x509_certificate(
cert_authority.encode("ascii"), default_backend()
)
builder = x509.CertificateBuilder()
builder = builder.subject_name(
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io")])
)
builder = builder.issuer_name(ca.issuer)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 30))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
cert = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()
)
print(cert.public_bytes(serialization.Encoding.PEM))
然后,这会生成似乎是证书的内容,但是将数据复制并粘贴到文件中(并按照http://srdevspot.blogspot.com/2011/08/openssl-error0906d064pem包装 64 行并使用 Unix 换行符。 html ) 尝试验证时出现此错误:
$ openssl verify -CAfile ca.crt -untrusted phone.crt
unable to load certificates
希望我错过了一些简单的东西,因为我是这一切的新手!
最后我会注意到,如果密码学不是最好的,我愿意使用另一个加密库。
编辑:
现在根据保罗非常有用的回应使用这个:
def create_cert(cert_authority, private_key):
one_day = datetime.timedelta(1, 0, 0)
# Use our private key to generate a public key
root_key = serialization.load_pem_private_key(
private_key.encode("ascii"), password=None, backend=default_backend()
)
root_cert = x509.load_pem_x509_certificate(
cert_authority.encode("ascii"), default_backend()
)
# Now we want to generate a cert from that root
cert_key = rsa.generate_private_key(
public_exponent=65537, key_size=2048, backend=default_backend()
)
new_subject = x509.Name(
[
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"New Org Name!"),
]
)
cert = (
x509.CertificateBuilder()
.subject_name(new_subject)
.issuer_name(root_cert.issuer)
.public_key(cert_key.public_key())
.serial_number(x509.random_serial_number())
.not_valid_before(datetime.datetime.utcnow())
.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=30))
.add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"somedomain.com")]),
critical=False,
)
.sign(root_key, hashes.SHA256(), default_backend())
)
# Dump to scratch
with open("scratch/phone_cert.pem", "wb") as f:
f.write(cert.public_bytes(encoding=serialization.Encoding.PEM))
# Return PEM
cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM)
cert_key_pem = cert_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
return cert_pem, cert_key_pem
这是保存文件并将创建的证书和私钥作为 PEM 字符串返回的正确方法吗?
我还发现,当我尝试使用openssl verify -verbose -CAfile ca.crt -untrusted phone_cert.pem该命令针对保存的 PEM 验证创建的证书时,该命令永远不会返回——可能是一个单独的问题,但会感谢任何想法。
Pau*_*rer 13
我在这里看到了两个问题。首先,您正在创建另一个自签名证书,因此您生成的证书不是由 CA 签名的,它本身就是一个 CA。要更正此问题,您需要使用 CA 的私钥进行签名(例如private_key在您的示例中),但您需要创建一个与新证书关联的新私钥,并将其公钥嵌入到证书中。
certificate_private_key = <generate an ec or rsa key here>
certificate_public_key = certificate_private_key.public_key()
然后做
builder = builder.public_key(certificate_public_key)
您的输出也有问题,因为您试图从打印语句中复制和粘贴内容。的输出cert.public_bytes(serialization.Encoding.PEM)将是带有分隔符和正确 PEM 行长度的有效 X509 证书,因此将其直接写入文件:
with open("cert.crt", "wb") as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
结果可以解析为 openssl x509 -noout -text -in cert.crt
这是一个完整的示例,cryptography用于创建自签名根 CA 并使用该 CA 签署证书。
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
root_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"My CA"),
])
root_cert = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
issuer
).public_key(
root_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=3650)
).sign(root_key, hashes.SHA256(), default_backend())
# Now we want to generate a cert from that root
cert_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
new_subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"New Org Name!"),
])
cert = x509.CertificateBuilder().subject_name(
new_subject
).issuer_name(
root_cert.issuer
).public_key(
cert_key.public_key()
).serial_number(
x509.random_serial_number()
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=30)
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"somedomain.com")]),
critical=False,
).sign(root_key, hashes.SHA256(), default_backend())
小智 5
我必须发布答案,因为我是新手,还不能发表评论
我非常依赖 Pauls 的回答来进行我自己的实施,这非常有用且很有帮助。但是我必须在 CA 证书上再添加一个扩展名openssl verify -verbose -CAfile ca.crt client.crt才能正常工作。
添加.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)到根 CertificateBuilder 就可以了。
ca_crt = x509.CertificateBuilder() \
.subject_name(subject) \
.issuer_name(issuer) \
.public_key(ca_key.public_key()) \
.serial_number(x509.random_serial_number()) \
.not_valid_before(datetime.datetime.today() - one_day) \
.not_valid_after(datetime.datetime.today() + (one_day * 365)) \
.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) \
.sign(ca_key, hashes.SHA256(), default_backend())
其他一切都像保罗一样。