本文整理汇总了Python中cryptography.x509.BasicConstraints方法的典型用法代码示例。如果您正苦于以下问题:Python x509.BasicConstraints方法的具体用法?Python x509.BasicConstraints怎么用?Python x509.BasicConstraints使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类cryptography.x509的用法示例。
在下文中一共展示了x509.BasicConstraints方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: build_csr
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def build_csr(self, hostname, **kwargs):
realm = self.plugin.ipa.env.realm
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(oid.NameOID.COMMON_NAME, hostname),
x509.NameAttribute(oid.NameOID.ORGANIZATION_NAME, realm),
])
)
build = builder.add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
)
build = builder.add_extension(
x509.ExtendedKeyUsage([TLS_SERVERAUTH]), critical=True
)
builder = build.add_extension(
x509.SubjectAlternativeName([x509.DNSName(hostname)]),
critical=False
)
return builder
# pylint: disable=arguments-differ 示例2: create_cert_builder
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def create_cert_builder(subject, issuer_name, public_key, days=365, is_ca=False):
"""
The method to create a builder for all types of certificates.
:param subject: The subject of the certificate.
:param issuer_name: The name of the issuer.
:param public_key: The public key of the certificate.
:param days: The number of days for which the certificate is valid. The default is 1 year or 365 days.
:param is_ca: Boolean to indicate if a cert is ca or non ca.
:return: The certificate builder.
:rtype: :class `x509.CertificateBuilder`
"""
builder = x509.CertificateBuilder()
builder = builder.subject_name(subject)
builder = builder.issuer_name(issuer_name)
builder = builder.public_key(public_key)
builder = builder.not_valid_before(datetime.today())
builder = builder.not_valid_after(datetime.today() + timedelta(days=days))
builder = builder.serial_number(int(uuid.uuid4()))
builder = builder.add_extension(
x509.BasicConstraints(ca=is_ca, path_length=None), critical=True
)
return builder 示例3: create_self_signed_certificate
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def create_self_signed_certificate(subject_name, private_key, days_valid=365):
subject = x509.Name([
x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Test, Inc."),
x509.NameAttribute(x509.NameOID.COMMON_NAME, subject_name)
])
certificate = x509.CertificateBuilder().subject_name(
subject
).issuer_name(
subject
).public_key(
private_key.public_key()
).serial_number(
x509.random_serial_number()
).add_extension(
x509.BasicConstraints(ca=True, path_length=None), critical=True
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=days_valid)
).sign(private_key, hashes.SHA256(), backends.default_backend())
return certificate 示例4: certificate
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def certificate(private_key: rsa.RSAPrivateKey) -> x509.Certificate:
b = x509.CertificateBuilder()
name = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Commandment"),
x509.NameAttribute(NameOID.COMMON_NAME, u"CA-CERTIFICATE"),
])
cer = b.subject_name(name).issuer_name(name).public_key(
private_key.public_key()
).serial_number(1).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=10)
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True
).sign(private_key, hashes.SHA256(), default_backend())
return cer 示例5: ca_cert_builder
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def ca_cert_builder(
public_key,
common_name="Root CA",
issuer=None,
basic_constraints=x509.BasicConstraints(
ca=True, path_length=None),
key_usage=cert_key_usage(
key_cert_sign=True),
subject_alternative_names=None,
not_valid_before=None,
not_valid_after=None,
valid_days=3650,
):
return cert_builder(
public_key=public_key,
common_name=common_name,
issuer=issuer,
basic_constraints=basic_constraints,
key_usage=key_usage,
subject_alternative_names=subject_alternative_names,
not_valid_before=not_valid_before,
not_valid_after=not_valid_after,
valid_days=valid_days,
) 示例6: _generate_csr
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def _generate_csr(cls, cn, private_key, passphrase=None):
pk = serialization.load_pem_private_key(
data=private_key, password=passphrase,
backend=backends.default_backend())
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn),
])
)
csr = csr.add_extension(
x509.BasicConstraints(
ca=False,
path_length=None
),
critical=True
)
csr = csr.add_extension(
x509.KeyUsage(
digital_signature=True,
key_encipherment=True,
data_encipherment=True,
key_agreement=True,
content_commitment=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False
),
critical=True
)
csr = csr.add_extension(
x509.SubjectAlternativeName([x509.DNSName(cn)]),
critical=False
)
signed_csr = csr.sign(
pk,
getattr(hashes, CONF.certificates.signing_digest.upper())(),
backends.default_backend())
return signed_csr.public_bytes(serialization.Encoding.PEM) 示例7: test_sign_cert
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def test_sign_cert(self):
# Attempt sign a cert
signed_cert = self.cert_generator.sign_cert(
csr=self.certificate_signing_request,
validity=2 * 365 * 24 * 60 * 60,
ca_cert=self.ca_certificate,
ca_key=self.ca_private_key,
ca_key_pass=self.ca_private_key_passphrase,
ca_digest=self.signing_digest
)
self.assertIn("-----BEGIN CERTIFICATE-----",
signed_cert.decode('ascii'))
# Load the cert for specific tests
cert = x509.load_pem_x509_certificate(
data=signed_cert, backend=backends.default_backend())
# Make sure expiry time is accurate
should_expire = (datetime.datetime.utcnow() +
datetime.timedelta(seconds=2 * 365 * 24 * 60 * 60))
diff = should_expire - cert.not_valid_after
self.assertLess(diff, datetime.timedelta(seconds=10))
# Make sure this is a version 3 X509.
self.assertEqual('v3', cert.version.name)
# Make sure this cert is marked as Server and Client Cert via the
# extended Key Usage extension
self.assertIn(x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
cert.extensions.get_extension_for_class(
x509.ExtendedKeyUsage).value._usages)
self.assertIn(x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH,
cert.extensions.get_extension_for_class(
x509.ExtendedKeyUsage).value._usages)
# Make sure this cert can't sign other certs
self.assertFalse(cert.extensions.get_extension_for_class(
x509.BasicConstraints).value.ca) 示例8: certificate_template
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def certificate_template(
subject: x509.name.Name,
issuer: x509.name.Name,
public_key: x509.name.Name,
certauthority: bool = False,
) -> x509.base.CertificateBuilder:
if certauthority:
not_valid_after = datetime.datetime.utcnow() + datetime.timedelta(days=365 * 10)
else: # shorter valid length for on-the-fly certificates
not_valid_after = datetime.datetime.utcnow() + datetime.timedelta(days=7)
return (
x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(issuer)
.public_key(public_key)
.serial_number(x509.random_serial_number())
.not_valid_before(datetime.datetime.utcnow())
.not_valid_after(not_valid_after)
.add_extension(
x509.SubjectAlternativeName([x509.DNSName("localhost")]), critical=True
)
.add_extension(
x509.BasicConstraints(ca=certauthority, path_length=None), critical=True
)
) 示例9: _decode_basic_constraints
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def _decode_basic_constraints(backend, bc_st):
basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(
basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
)
# The byte representation of an ASN.1 boolean true is \xff. OpenSSL
# chooses to just map this to its ordinal value, so true is 255 and
# false is 0.
ca = basic_constraints.ca == 255
if basic_constraints.pathlen == backend._ffi.NULL:
path_length = None
else:
path_length = backend._asn1_integer_to_int(basic_constraints.pathlen)
return x509.BasicConstraints(ca, path_length) 示例10: _decode_basic_constraints
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def _decode_basic_constraints(backend, bc_st):
basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(
basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
)
# The byte representation of an ASN.1 boolean true is \xff. OpenSSL
# chooses to just map this to its ordinal value, so true is 255 and
# false is 0.
ca = basic_constraints.ca == 255
path_length = _asn1_integer_to_int_or_none(
backend, basic_constraints.pathlen
)
return x509.BasicConstraints(ca, path_length) 示例11: create_csr
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def create_csr(private_key, csr_file, subject, is_ca=False):
"""
Method to create a certificate signing request.
:param private_key: The private key to the certificate.
:param csr_file: The file name of the certificate signing request.
:param subject: The subject fo the certificate signing request.
:param is_ca: Boolean to indicate if a cert is ca or non ca.
:return: The certificate signing request.
:rtype: :class `x509.CertificateSigningRequest`
"""
builder = (
x509.CertificateSigningRequestBuilder()
.subject_name(
x509.Name(
[
# Provide various details about who we are.
x509.NameAttribute(NameOID.COMMON_NAME, str.encode(subject).decode("utf-8"))
]
)
)
.add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=False)
)
csr = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()
)
with open(csr_file, "wb") as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
return csr 示例12: _generate_ca_cert
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def _generate_ca_cert(self):
"""
Generate a CA cert/key.
"""
if self._ca_key is None:
self._ca_key = generate_private_key(u'rsa')
self._ca_name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'ACME Snake Oil CA')])
self._ca_cert = (
x509.CertificateBuilder()
.subject_name(self._ca_name)
.issuer_name(self._ca_name)
.not_valid_before(self._now() - timedelta(seconds=3600))
.not_valid_after(self._now() + timedelta(days=3650))
.public_key(self._ca_key.public_key())
.serial_number(int(uuid4()))
.add_extension(
x509.BasicConstraints(ca=True, path_length=0),
critical=True)
.add_extension(
x509.SubjectKeyIdentifier.from_public_key(
self._ca_key.public_key()),
critical=False)
.sign(
private_key=self._ca_key,
algorithm=hashes.SHA256(),
backend=default_backend()))
self._ca_aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
self._ca_key.public_key()) 示例13: _deserialize
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def _deserialize(self, value, attr, data):
ca = value.get("ca", False)
path_length = value.get("path_length", None)
if ca:
if not isinstance(path_length, (type(None), int)):
raise ValidationError(
"A CA certificate path_length (for BasicConstraints) must be None or an integer."
)
return x509.BasicConstraints(ca=True, path_length=path_length)
else:
return x509.BasicConstraints(ca=False, path_length=None) 示例14: generate_selfsigned_cert
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def generate_selfsigned_cert(hostname="/CN=Chia Blockchain CA", key=None):
"""Generates self signed certificate for a hostname, and optional IP addresses."""
# Generate our key
if key is None:
key = rsa.generate_private_key(
public_exponent=65537, key_size=2048, backend=default_backend(),
)
name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
# path_len=0 means this cert can only sign itself, not other certs.
basic_contraints = x509.BasicConstraints(ca=True, path_length=0)
now = datetime.utcnow()
cert = (
x509.CertificateBuilder()
.subject_name(name)
.issuer_name(name)
.public_key(key.public_key())
.serial_number(1000)
.not_valid_before(now)
.not_valid_after(now + timedelta(days=10 * 365))
.add_extension(basic_contraints, False)
.sign(key, hashes.SHA256(), default_backend())
)
cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM)
key_pem = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
return cert_pem.decode(), key_pem.decode() 示例15: generate_cert
# 需要导入模块: from cryptography import x509 [as 别名]
# 或者: from cryptography.x509 import BasicConstraints [as 别名]
def generate_cert(service, namespace, private_key):
name = x509.Name([
x509.NameAttribute(x509.oid.NameOID.COMMON_NAME,
"{0}.{1}.svc".format(service, namespace))
])
subj_alternative_names = x509.SubjectAlternativeName([
x509.DNSName("{0}".format(service)),
x509.DNSName("{0}.{1}".format(service, namespace)),
x509.DNSName("{0}.{1}.svc".format(service, namespace)),
])
constraints = x509.BasicConstraints(ca=True, path_length=None)
now = datetime.now()
cert_builder = x509.CertificateBuilder()
cert_builder = (cert_builder.subject_name(name)
.issuer_name(name)
.add_extension(subj_alternative_names, False)
.add_extension(constraints, False)
.not_valid_before(now)
.not_valid_after(now + timedelta(days=36500))
.public_key(private_key.public_key())
.serial_number(x509.random_serial_number()))
cert = cert_builder.sign(private_key, hashes.SHA256(), default_backend())
return cert