
alex commented on September 18, 2024

You can't. Our X.509 creation API is documented here: https://cryptography.io/en/latest/x509/tutorial/#


AndryAsh commented on September 18, 2024

Is it possible to add this feature?


alex commented on September 18, 2024


AndryAsh commented on September 18, 2024

What adding extensions would look like in your API calls:

subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer:always
basicConstraints	= critical,CA:true
crlDistributionPoints	= URI:http://www.example.org/example_ca.crl

I'm trying to do it like this:

cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.now(datetime.timezone.utc)
).not_valid_after(
    # Our certificate will be valid for 10 days
    datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
).add_extension(
    x509.SubjectKeyIdentifier(hash),
    x509.AuthorityKeyIdentifier(issuer.public_bytes, authority_cert_issuer=None, authority_cert_serial_number=None),
    x509.BasicConstraints(ca=True, path_length=None),
    critical=True,
    # Sign our certificate with our private key
).sign(key, hashes.SHA256())

but I'm getting an error:

TypeError: CertificateBuilder.add_extension() got multiple values for argument 'critical'

Can you please tell me the right way?


alex commented on September 18, 2024


AndryAsh commented on September 18, 2024

I remodeled it like this:

subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "RU"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Saint-Petersburg"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "Saint-Petersburg"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "LABICS"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Example Certificate Authority"),
])
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.now(datetime.timezone.utc)
).not_valid_after(
    # Our certificate will be valid for 10 days
    datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
).add_extension(
    x509.SubjectKeyIdentifier(hash),
    critical=False,
    # Sign our certificate with our private key
).add_extension(
    x509.AuthorityKeyIdentifier(issuer.public_bytes, authority_cert_issuer=None, authority_cert_serial_number=None),
    critical=False,
).add_extension(
    x509.BasicConstraints(ca=True, path_length=None),
    critical=True,
).sign(key, hashes.SHA256())

But now it's giving me an error:

TypeError: 'builtin_function_or_method' object cannot be converted to 'PyBytes'


alex commented on September 18, 2024


AndryAsh commented on September 18, 2024

Please tell me how to connect extensions correctly:

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

I am completely confused.


alex commented on September 18, 2024


AndryAsh commented on September 18, 2024

I am having trouble specifying the correct key_identifier in the x509.AuthorityKeyIdentifier method.
How do I do this? There are no examples in the documentation.


alex commented on September 18, 2024


AndryAsh commented on September 18, 2024

I am creating a root self-signed certificate (subject = issuer).

subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "RU"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Saint-Petersburg"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "Saint-Petersburg"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "LABICS"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Example Certificate Authority"),
])
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.now(datetime.timezone.utc)
).not_valid_after(
    # Our certificate will be valid for 10 days
    datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
).add_extension(
    x509.AuthorityKeyIdentifier(issuer.public_bytes(), authority_cert_issuer=None, authority_cert_serial_number=None),
    critical=False,
).add_extension(
    x509.BasicConstraints(ca=True, path_length=None),
    critical=True,
).sign(key, hashes.SHA256())

How do I specify the correct key_identifier in my code?


alex commented on September 18, 2024


AndryAsh commented on September 18, 2024

I figured out how to get key_identifier.
How do I get authority_cert_issuer and authority_cert_serial_number?


alex commented on September 18, 2024

authority_cert_issuer and authority_cert_serial_number are generally not used.


AndryAsh commented on September 18, 2024

We just need to specify these parameters to get a certificate like this:

X509v3 extensions:
            X509v3 Subject Key Identifier: 
                56:D6:4A:1E:1B:CD:25:62:6C:F2:BB:63:37:2B:1C:09:96:9D:21:11
            X509v3 Authority Key Identifier: 
                keyid:56:D6:4A:1E:1B:CD:25:62:6C:F2:BB:63:37:2B:1C:09:96:9D:21:11
                DirName:/C=RU/ST=Saint-Petersburg/L=Saint-Petersburg/O=LABICS/[email protected]/CN=Example Certificate Authority
                serial:07:5E:20:63:B0:B1:68:30:39:FE:A2:6A:4C:69:08:64:5A:A7:0C:A6
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://www.example.org/example_ca.crl

This is currently implemented through openssl; we need to add the Subject Key Identifier, Authority Key Identifier and CRL Distribution Points extensions.


alex commented on September 18, 2024


AndryAsh commented on September 18, 2024

In the Authority Key Identifier extension you need to specify the authority_cert_issuer and authority_cert_serial_number.
I can't figure out how to obtain them.


alex commented on September 18, 2024


AndryAsh commented on September 18, 2024

I need to generate a certificate with the parameters I have given above; that's why I am asking these questions.
The documentation does not say anything at all about how to obtain the values of these parameters.
Only their type and description are given.


alex commented on September 18, 2024


AndryAsh commented on September 18, 2024

alex, you either don't understand what I'm asking or you simply can't answer the question.
You give answers that mean nothing.
Do you have specialists who can really help me, and not stall uselessly?


alex commented on September 18, 2024

Ok, you're way over the line here. I'm one of the two principal maintainers of this project, and any support I and the other maintainers provide are entirely on a volunteer basis. We do not have other specialists....

I'm attempting to answer your questions, but frankly what you are asking for is not clear.

X.509 is an incredibly expansive specification. Throughout this issue you have consistently asked both basic Python and basic X.509 questions and have not demonstrated any efforts to do any of your own research or debugging.

So I'll continue to do my best to answer questions about how to use this project, but you should consider that it's unclear what you are asking for, and no one would be able to help you.


AndryAsh commented on September 18, 2024

All right, let's start over:
I have a running process that requires the generation of self-signed certificates with certain parameters.
We are currently creating the certificates with openssl tools, calling them from Python code.
We want to move to the cryptography library, of which you are the developers.
But from the documentation we cannot understand how to obtain the parameters needed to add the required extensions when generating the root certificate.
That's why I addressed you with quite specific questions.


AndryAsh commented on September 18, 2024

When adding the AuthorityKeyIdentifier extension, you must specify the authority_cert_issuer
and authority_cert_serial_number parameters, which are set to None by default.
So I'm asking how to obtain these values.
Here is my code that is working now:

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID
import datetime

one_day = datetime.timedelta(1, 0, 0)

private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

public_key = private_key.public_key()

# SKI is the hash of our own public key; for a self-signed root the AKI keyid is the same value
ski = x509.SubjectKeyIdentifier.from_public_key(public_key)
aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski)

# Self-signed root: the same name is used as subject and as issuer
name = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Saint-Petersburg'),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u'Saint-Petersburg'),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'LABICS'),
    x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'[email protected]'),
    x509.NameAttribute(NameOID.COMMON_NAME, u'Example Certificate Authority'),
])

builder = x509.CertificateBuilder()
builder = builder.subject_name(name)
# Use the public API for the issuer instead of assigning to the private builder._issuer_name
builder = builder.issuer_name(name)

builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 30))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
# aki already carries key_identifier with authority_cert_issuer/serial left as None
builder = builder.add_extension(aki, critical=False)
builder = builder.add_extension(
    x509.SubjectAlternativeName(
        [x509.DNSName('cryptography.io')]
    ),
    critical=False
)
builder = builder.add_extension(
    x509.BasicConstraints(ca=True, path_length=None), critical=True,
)
certificate = builder.sign(
    private_key=private_key, algorithm=hashes.SHA256(),
)

if isinstance(certificate, x509.Certificate):
    with open("./ca_cert.key", "wb") as f:
        f.write(private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.BestAvailableEncryption(b"whatever"),
        ))

    with open("./ca_cert.pem", "wb") as f:
        f.write(certificate.public_bytes(
            encoding=serialization.Encoding.PEM,
        ))

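As an added example (not code from the thread, the cryptography tutorial or its maintainers), this builds the root CA the OpenSSL dump earlier in the thread describes, using only the public CertificateBuilder API: keyid plus issuer DirName plus serial in the Authority Key Identifier, a critical CA:TRUE Basic Constraints, and the CRL Distribution Point. The key pair is generated inline, the subject name is a shortened version of the thread's, and ca_summary is a helper assumed here for checking the signed certificate.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

CRL_URL = "http://www.example.org/example_ca.crl"  # URI from the thread's OpenSSL config


def build_root_ca(key=None, days=3650):
    # Self-signed root: subject == issuer, so the AKI can name our own key, DirName and serial.
    if key is None:
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "RU"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "LABICS"),
        x509.NameAttribute(NameOID.COMMON_NAME, "Example Certificate Authority"),
    ])
    serial = x509.random_serial_number()
    # subjectKeyIdentifier = hash -> SHA-1 of the subjectPublicKey (RFC 5280 4.2.1.2, method 1)
    ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
    # authorityKeyIdentifier = keyid:always,issuer:always -> keyid plus issuer DirName and serial;
    # issuer and serial must be given together, and for a self-signed cert both are ours.
    aki = x509.AuthorityKeyIdentifier(
        key_identifier=ski.digest,
        authority_cert_issuer=[x509.DirectoryName(name)],
        authority_cert_serial_number=serial,
    )
    crl = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(CRL_URL)], relative_name=None, reasons=None, crl_issuer=None)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)  # public API, no need to touch builder._issuer_name
        .public_key(key.public_key()).serial_number(serial)
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(ski, critical=False)
        .add_extension(aki, critical=False)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(crl, critical=False)
        .sign(key, hashes.SHA256())
    )


def ca_summary(cert):
    # Pull back the fields the thread's OpenSSL dump shows, so the result can be checked.
    ext = cert.extensions.get_extension_for_class
    ski, aki = ext(x509.SubjectKeyIdentifier).value, ext(x509.AuthorityKeyIdentifier).value
    bc = ext(x509.BasicConstraints)
    return {
        "keyid_matches_ski": aki.key_identifier == ski.digest,
        "aki_points_to_self": aki.authority_cert_serial_number == cert.serial_number
        and aki.authority_cert_issuer[0].value == cert.issuer,
        "ca_critical": bc.critical and bc.value.ca,
        "crl_urls": [n.value for dp in ext(x509.CRLDistributionPoints).value for n in dp.full_name],
    }
```

Running `openssl x509 -text -noout -in ca_cert.pem` on the saved PEM shows the same keyid/DirName/serial block the thread wanted, because those three values come from the certificate itself.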

reaperhulk commented on September 18, 2024

The manner in which you've chosen to engage in here makes it seem as if you think the maintainers of this project are employees of a company with which you have a support contract. Nothing could be further from the truth.

Our documentation cannot be a complete reference for everything in X.509 and if you have highly specific requirements then I'd suggest reading the relevant RFCs in addition to our docs. Alex has provided a great deal of assistance, but ultimately the issue tracker is for bugs in this project, not a place for the maintainers to do your homework.

While Alex has expressed a large degree of patience for your behavior, I believe this warrants a suspension for 7 days. If you want to engage more productively after that time please feel free to file another issue, but bear in mind the purpose of this issue tracker.
