Comments (26)
You can't. Our X.509 creation API is documented here: https://cryptography.io/en/latest/x509/tutorial/#
Is it possible to add this feature?
What adding extensions would look like in your API calls:
```
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
crlDistributionPoints = URI:http://www.example.org/example_ca.crl
```
I'm trying to do it like this:
```python
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.now(datetime.timezone.utc)
).not_valid_after(
    # Our certificate will be valid for 10 days
    datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
).add_extension(
    x509.SubjectKeyIdentifier(hash),
    x509.AuthorityKeyIdentifier(issuer.public_bytes, authority_cert_issuer=None, authority_cert_serial_number=None),
    x509.BasicConstraints(ca=True, path_length=None),
    critical=True,
# Sign our certificate with our private key
).sign(key, hashes.SHA256())
```
but I'm getting an error:
```
TypeError: CertificateBuilder.add_extension() got multiple values for argument 'critical'
```
Can you please tell me the right way?
I remodeled it like this:
```python
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "RU"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Saint-Petersburg"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "Saint-Petersburg"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "LABICS"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Example Certificate Authority"),
])
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.now(datetime.timezone.utc)
).not_valid_after(
    # Our certificate will be valid for 10 days
    datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
).add_extension(
    x509.SubjectKeyIdentifier(hash),
    critical=False,
).add_extension(
    x509.AuthorityKeyIdentifier(issuer.public_bytes, authority_cert_issuer=None, authority_cert_serial_number=None),
    critical=False,
).add_extension(
    x509.BasicConstraints(ca=True, path_length=None),
    critical=True,
# Sign our certificate with our private key
).sign(key, hashes.SHA256())
```
But now it's giving me an error:
```
TypeError: 'builtin_function_or_method' object cannot be converted to 'PyBytes'
```
Please tell me how to connect extensions correctly:
```
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
```
I am completely confused.
I am having trouble specifying the correct key_identifier in the x509.AuthorityKeyIdentifier method.
How do I do this? There are no examples in the documentation.
I am creating a self-signed root certificate (subject = issuer).
```python
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "RU"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Saint-Petersburg"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "Saint-Petersburg"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "LABICS"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Example Certificate Authority"),
])
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.now(datetime.timezone.utc)
).not_valid_after(
    # Our certificate will be valid for 10 days
    datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
).add_extension(
    x509.AuthorityKeyIdentifier(issuer.public_bytes(), authority_cert_issuer=None, authority_cert_serial_number=None),
    critical=False,
).add_extension(
    x509.BasicConstraints(ca=True, path_length=None),
    critical=True,
).sign(key, hashes.SHA256())
```
How do I specify the correct key_identifier in my code?
Figured out how to get key_identifier.
How to get authority_cert_issuer and authority_cert_serial_number?
authority_cert_issuer and authority_cert_serial_number are generally not used.
We just need to specify these parameters to get a certificate like this:
```
X509v3 extensions:
    X509v3 Subject Key Identifier:
        56:D6:4A:1E:1B:CD:25:62:6C:F2:BB:63:37:2B:1C:09:96:9D:21:11
    X509v3 Authority Key Identifier:
        keyid:56:D6:4A:1E:1B:CD:25:62:6C:F2:BB:63:37:2B:1C:09:96:9D:21:11
        DirName:/C=RU/ST=Saint-Petersburg/L=Saint-Petersburg/O=LABICS/[email protected]/CN=Example Certificate Authority
        serial:07:5E:20:63:B0:B1:68:30:39:FE:A2:6A:4C:69:08:64:5A:A7:0C:A6
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 CRL Distribution Points:
        Full Name:
            URI:http://www.example.org/example_ca.crl
```
Currently this is implemented through openssl; we need to add the Subject Key Identifier, Authority Key Identifier and CRL Distribution Points extensions.
In the Authority Key Identifier extension you need to specify the authority_cert_issuer and authority_cert_serial_number.
I can't figure out how to get them.
I need to generate a certificate with the parameters as I have given above; that's why I am asking questions.
The documentation does not say anything at all about how to get the values of these parameters.
Only their type and description are given.
Alex, you either don't understand what I'm asking or you simply can't answer the question.
You give answers that mean nothing.
Do you have specialists who can really help me, and not stall uselessly?
Ok, you're way over the line here. I'm one of the two principal maintainers of this project, and any support I and the other maintainers provide is entirely on a volunteer basis. We do not have other specialists....
I'm attempting to answer your questions, but frankly what you are asking for is not clear.
X.509 is an incredibly expansive specification. Throughout this issue you have consistently asked both basic Python and basic X.509 questions and have not demonstrated any efforts to do any of your own research or debugging.
So I'll continue to do my best to answer questions about how to use this project, but you should consider that it's unclear what you are asking for, and no one would be able to help you.
All right, let's start over:
I have a running process that requires the generation of self-signed certificates with certain parameters.
We are now creating the certificates with openssl tools, calling them from python code.
We want to move on to the cryptography library, which you are the developers of.
But according to the documentation we can't understand how to get the parameters necessary to add the necessary extensions when generating the root certificate.
That's why I addressed quite specific questions to you.
When adding the AuthorityKeyIdentifier extension, you must specify the authority_cert_issuer and authority_cert_serial_number parameters, which default to None.
So I'm asking how to get these values.
Here is my code that is working now:
```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID
import datetime

one_day = datetime.timedelta(1, 0, 0)
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)
public_key = private_key.public_key()

# Subject Key Identifier derived from the public key (openssl "hash")
ski = x509.SubjectKeyIdentifier.from_public_key(public_key)
# Authority Key Identifier taken from the issuer's SKI (openssl "keyid");
# for a self-signed root the issuer is this same key
aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski)

name = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Saint-Petersburg'),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u'Saint-Petersburg'),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'LABICS'),
    x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'[email protected]'),
    x509.NameAttribute(NameOID.COMMON_NAME, u'Example Certificate Authority'),
])
builder = x509.CertificateBuilder()
builder = builder.subject_name(name)
# Self-signed: the issuer is the subject, set through the public builder API
builder = builder.issuer_name(name)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 30))
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
# One add_extension() call per extension
builder = builder.add_extension(ski, critical=False)
builder = builder.add_extension(
    x509.AuthorityKeyIdentifier(aki.key_identifier,
                                authority_cert_issuer=None,
                                authority_cert_serial_number=None),
    critical=False,
)
builder = builder.add_extension(
    x509.SubjectAlternativeName(
        [x509.DNSName('cryptography.io')]
    ),
    critical=False
)
builder = builder.add_extension(
    x509.BasicConstraints(ca=True, path_length=None), critical=True,
)
certificate = builder.sign(
    private_key=private_key, algorithm=hashes.SHA256(),
)
if isinstance(certificate, x509.Certificate):
    with open("./ca_cert.key", "wb") as f:
        f.write(private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.BestAvailableEncryption(b"whatever")
        ))
    with open("./ca_cert.pem", "wb") as f:
        f.write(certificate.public_bytes(
            encoding=serialization.Encoding.PEM,
        ))
```
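The working code above still omits the CRL Distribution Points extension from the openssl config quoted earlier in the thread. The following is an added example, not code from this issue or from the cryptography project: it builds the self-signed root with all four extensions (SKI, AKI carrying only the keyid, critical BasicConstraints, CRL DP) and parses them back to confirm the AKI keyid equals the SKI. The name fields and CRL URI are taken from the thread; the function names are my own.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Same URI as the crlDistributionPoints line in the thread's openssl config.
CRL_URL = "http://www.example.org/example_ca.crl"


def build_root_ca(crl_url=CRL_URL):
    """Self-signed root CA: SKI, AKI (keyid only), critical BasicConstraints, CRL DP."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "RU"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "LABICS"),
        x509.NameAttribute(NameOID.COMMON_NAME, "Example Certificate Authority"),
    ])
    # subjectKeyIdentifier = hash: the library derives the digest from the public key.
    ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
    # authorityKeyIdentifier = keyid: derived from the issuer's SKI (ours, self-signed).
    # authority_cert_issuer / authority_cert_serial_number stay None.
    aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski)
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(crl_url)],
        relative_name=None, reasons=None, crl_issuer=None)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(ski, critical=False)  # one add_extension call per extension
            .add_extension(aki, critical=False)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(cdp, critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def check_root_ca(cert):
    """Parse the extensions back: the AKI keyid of a self-signed root must equal its SKI."""
    exts = cert.extensions
    ski = exts.get_extension_for_class(x509.SubjectKeyIdentifier).value
    aki = exts.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    bc = exts.get_extension_for_class(x509.BasicConstraints)
    urls = [n.value for dp in exts.get_extension_for_class(x509.CRLDistributionPoints).value
            for n in dp.full_name]
    return (aki.key_identifier == ski.digest and aki.authority_cert_issuer is None
            and bc.critical and bc.value.ca and urls == [CRL_URL])
```

Running `openssl x509 -in ca_cert.pem -noout -text` on the PEM output of `cert.public_bytes(...)` shows the same four extension blocks as the openssl-generated certificate quoted above.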
The manner in which you've chosen to engage in here makes it seem as if you think the maintainers of this project are employees of a company with which you have a support contract. Nothing could be further from the truth.
Our documentation cannot be a complete reference for everything in X.509 and if you have highly specific requirements then I'd suggest reading the relevant RFCs in addition to our docs. Alex has provided a great deal of assistance, but ultimately the issue tracker is for bugs in this project, not a place for the maintainers to do your homework.
While Alex has expressed a large degree of patience for your behavior, I believe this warrants a suspension for 7 days. If you want to engage more productively after that time please feel free to file another issue, but bear in mind the purpose of this issue tracker.