我们从Python开源项目中,提取了以下50个代码示例,用于说明如何使用cryptography.x509.DNSName()。
def create_csr(key, domains, must_staple=False): """ Creates a CSR in DER format for the specified key and domain names. """ assert domains name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, domains[0]), ]) san = x509.SubjectAlternativeName([x509.DNSName(domain) for domain in domains]) csr = x509.CertificateSigningRequestBuilder().subject_name(name) \ .add_extension(san, critical=False) if must_staple: ocsp_must_staple = x509.TLSFeature(features=[x509.TLSFeatureType.status_request]) csr = csr.add_extension(ocsp_must_staple, critical=False) csr = csr.sign(key, hashes.SHA256(), default_backend()) return export_csr_for_acme(csr)
def _match_subject_name(cert, subject_name, compare_func=operator.eq, alt_names=True): names = [] if alt_names: try: alt_names = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME) names = alt_names.value.get_values_for_type(x509.DNSName) except x509.extensions.ExtensionNotFound: pass if not names: common_names = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) if common_names: common_name = common_names[0] names = [common_name.value] if not any(compare_func(name, subject_name) for name in names): if len(names) > 1: raise InvalidCertificate("Subject name %r doesn't match either of %s" % (subject_name, ', '.join(map(repr, names)))) elif len(names) == 1: raise InvalidCertificate("Subject name %r doesn't match %r" % (subject_name, names[0])) else: raise InvalidCertificate("No appropriate commonName or subjectAltName DNSName fields were found")
def match(self, value): # This is somewhat terrible. Probably can be better after # pyca/service_identity#14 is resolved. target_ids = [ DNSPattern(target_name.encode('utf-8')) for target_name in ( value.extensions .get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME) .value .get_values_for_type(x509.DNSName) )] ids = [DNS_ID(self.name)] try: verify_service_identity( cert_patterns=target_ids, obligatory_ids=ids, optional_ids=[]) except VerificationError: return Mismatch( '{!r} is not valid for {!r}'.format(value, self.name))
def get_san_entries(self): return [x509.DNSName(u'{}'.format(san)) for san in self.get_all_domains()[1:]]
def get_certificate_domains(cert): """ Gets a list of all Subject Alternative Names in the specified certificate. """ for ext in cert.extensions: ext = ext.value if isinstance(ext, x509.SubjectAlternativeName): return ext.get_values_for_type(x509.DNSName) return []
def _add_sans(subject, sans): subject.add_extension( [x509.DNSName(dns_name) for dns_name in dns_names], critical=False)
def _hostname_to_x509(hostname): # Because we are a DWIM library for lazy slackers, we cheerfully pervert # the cryptography library's carefully type-safe API, and silently DTRT # for any of the following hostname types: # # - "example.org" # - "example.org" # - "éxamplë.org" # - "xn--xampl-9rat.org" # - "xn--xampl-9rat.org" # - "127.0.0.1" # - "::1" # - "10.0.0.0/8" # - "2001::/16" # # and wildcard variants of the hostnames. if not isinstance(hostname, unicode): raise TypeError("hostnames must be text (unicode on py2, str on py3)") # Have to try ip_address first, because ip_network("127.0.0.1") is # interpreted as being the network 127.0.0.1/32. Which I guess would be # fine, actually, but why risk it. for ip_converter in [ipaddress.ip_address, ipaddress.ip_network]: try: ip_hostname = ip_converter(hostname) except ValueError: continue else: return x509.IPAddress(ip_hostname) # Encode to an A-label, like cryptography wants if hostname.startswith("*."): alabel_bytes = b"*." + idna.encode(hostname[2:], uts46=True) else: alabel_bytes = idna.encode(hostname, uts46=True) # Then back to text, which is mandatory on cryptography 2.0 and earlier, # and may or may not be deprecated in cryptography 2.1. alabel = alabel_bytes.decode("ascii") return x509.DNSName(alabel)
def test_basics(): ca = CA() today = datetime.datetime.today() assert b"BEGIN CERTIFICATE" in ca.cert_pem.bytes() ca_cert = x509.load_pem_x509_certificate( ca.cert_pem.bytes(), default_backend()) assert ca_cert.not_valid_before <= today <= ca_cert.not_valid_after assert ca_cert.issuer == ca_cert.subject bc = ca_cert.extensions.get_extension_for_class(x509.BasicConstraints) assert bc.value.ca == True assert bc.critical == True with pytest.raises(ValueError): ca.issue_server_cert() server = ca.issue_server_cert(u"test-1.example.org", u"test-2.example.org") assert b"PRIVATE KEY" in server.private_key_pem.bytes() assert b"BEGIN CERTIFICATE" in server.cert_chain_pems[0].bytes() assert len(server.cert_chain_pems) == 1 assert server.private_key_pem.bytes() in server.private_key_and_cert_chain_pem.bytes() for blob in server.cert_chain_pems: assert blob.bytes() in server.private_key_and_cert_chain_pem.bytes() server_cert = x509.load_pem_x509_certificate( server.cert_chain_pems[0].bytes(), default_backend()) assert server_cert.not_valid_before <= today <= server_cert.not_valid_after assert server_cert.issuer == ca_cert.subject san = server_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName) hostnames = san.value.get_values_for_type(x509.DNSName) assert hostnames == [u"test-1.example.org", u"test-2.example.org"]
def generate_tls_sni_01_cert(server_name, key_type=u'rsa', _generate_private_key=None): """ Generate a certificate/key pair for responding to a tls-sni-01 challenge. :param str server_name: The SAN the certificate should have. :param str key_type: The type of key to generate; usually not necessary. :rtype: ``Tuple[`~cryptography.x509.Certificate`, PrivateKey]`` :return: A tuple of the certificate and private key. """ key = (_generate_private_key or generate_private_key)(key_type) name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'acme.invalid')]) cert = ( x509.CertificateBuilder() .subject_name(name) .issuer_name(name) .not_valid_before(datetime.now() - timedelta(seconds=3600)) .not_valid_after(datetime.now() + timedelta(seconds=3600)) .serial_number(int(uuid.uuid4())) .public_key(key.public_key()) .add_extension( x509.SubjectAlternativeName([x509.DNSName(server_name)]), critical=False) .sign( private_key=key, algorithm=hashes.SHA256(), backend=default_backend()) ) return (cert, key)
def csr_for_names(names, key): """ Generate a certificate signing request for the given names and private key. .. seealso:: `acme.client.Client.request_issuance` .. seealso:: `generate_private_key` :param ``List[str]``: One or more names (subjectAltName) for which to request a certificate. :param key: A Cryptography private key object. :rtype: `cryptography.x509.CertificateSigningRequest` :return: The certificate request message. """ if len(names) == 0: raise ValueError('Must have at least one name') if len(names[0]) > 64: common_name = u'san.too.long.invalid' else: common_name = names[0] return ( x509.CertificateSigningRequestBuilder() .subject_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, common_name)])) .add_extension( x509.SubjectAlternativeName(list(map(x509.DNSName, names))), critical=False) .sign(key, hashes.SHA256(), default_backend()))
def get_default_cert_opts(self, name): opts = {"sans": []} if name == "apiserver": opts["sans"].append( x509.DNSName("kubernetes"), x509.DNSName("kubernetes.default"), ) return opts
def create_csr(key, domains): """ Creates a CSR in DER format for the specified key and domain names. """ assert domains name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, domains[0]), ]) san = x509.SubjectAlternativeName([x509.DNSName(domain) for domain in domains]) csr = x509.CertificateSigningRequestBuilder().subject_name(name) \ .add_extension(san, critical=False) \ .sign(key, hashes.SHA256(), default_backend()) return export_csr_for_acme(csr)
def get_subj_alt_name(peer_cert): """ Given an PyOpenSSL certificate, provides all the subject alternative names. """ # Pass the cert to cryptography, which has much better APIs for this. if hasattr(peer_cert, "to_cryptography"): cert = peer_cert.to_cryptography() else: # This is technically using private APIs, but should work across all # relevant versions before PyOpenSSL got a proper API for this. cert = _Certificate(openssl_backend, peer_cert._x509) # We want to find the SAN extension. Ask Cryptography to locate it (it's # faster than looping in Python) try: ext = cert.extensions.get_extension_for_class( x509.SubjectAlternativeName ).value except x509.ExtensionNotFound: # No such extension, return the empty list. return [] except (x509.DuplicateExtension, x509.UnsupportedExtension, x509.UnsupportedGeneralNameType, UnicodeError) as e: # A problem has been found with the quality of the certificate. Assume # no SAN field is present. log.warning( "A problem was encountered with the certificate that prevented " "urllib3 from finding the SubjectAlternativeName field. This can " "affect certificate validation. The error was %s", e, ) return [] # We want to return dNSName and iPAddress fields. We need to cast the IPs # back to strings because the match_hostname function wants them as # strings. # Sadly the DNS names need to be idna encoded and then, on Python 3, UTF-8 # decoded. This is pretty frustrating, but that's what the standard library # does with certificates, and so we need to attempt to do the same. names = [ ('DNS', _dnsname_to_stdlib(name)) for name in ext.get_values_for_type(x509.DNSName) ] names.extend( ('IP Address', str(name)) for name in ext.get_values_for_type(x509.IPAddress) ) return names
def get_subj_alt_name(peer_cert): """ Given an PyOpenSSL certificate, provides all the subject alternative names. """ # Pass the cert to cryptography, which has much better APIs for this. # This is technically using private APIs, but should work across all # relevant versions until PyOpenSSL gets something proper for this. cert = _Certificate(openssl_backend, peer_cert._x509) # We want to find the SAN extension. Ask Cryptography to locate it (it's # faster than looping in Python) try: ext = cert.extensions.get_extension_for_class( x509.SubjectAlternativeName ).value except x509.ExtensionNotFound: # No such extension, return the empty list. return [] except (x509.DuplicateExtension, x509.UnsupportedExtension, x509.UnsupportedGeneralNameType, UnicodeError) as e: # A problem has been found with the quality of the certificate. Assume # no SAN field is present. log.warning( "A problem was encountered with the certificate that prevented " "urllib3 from finding the SubjectAlternativeName field. This can " "affect certificate validation. The error was %s", e, ) return [] # We want to return dNSName and iPAddress fields. We need to cast the IPs # back to strings because the match_hostname function wants them as # strings. # Sadly the DNS names need to be idna encoded and then, on Python 3, UTF-8 # decoded. This is pretty frustrating, but that's what the standard library # does with certificates, and so we need to attempt to do the same. names = [ ('DNS', _dnsname_to_stdlib(name)) for name in ext.get_values_for_type(x509.DNSName) ] names.extend( ('IP Address', str(name)) for name in ext.get_values_for_type(x509.IPAddress) ) return names
def check_certificate(self, domain): """ Download and get information from the TLS certificate """ pem = ssl.get_server_certificate((domain, 443)) if self.output: with open(os.path.join(self.output, 'cert.pem'), 'wb') as f: f.write(pem) cert = x509.load_pem_x509_certificate(str(pem), default_backend()) self.log.critical("\tCertificate:") self.log.critical("\t\tDomain: %s", ",".join(map(lambda x: x.value, cert.subject))) self.log.critical("\t\tNot After: %s", str(cert.not_valid_after)) self.log.critical("\t\tNot Before: %s", str(cert.not_valid_before)) self.log.critical("\t\tCA Issuer: %s", ", ".join(map(lambda x:x.value, cert.issuer))) self.log.critical("\t\tSerial: %s", cert.serial_number) for ext in cert.extensions: if ext.oid._name == 'basicConstraints': if ext.value.ca: self.log.critical("\t\tBasic Constraints: True") elif ext.oid._name == 'subjectAltName': self.log.critical("\t\tAlternate names: %s", ", ".join(ext.value.get_values_for_type(x509.DNSName)))
def issue_certificate(cn, ca_cert, ca_key, organizations=(), san_dns=(), san_ips=(), key_size=2048, certify_days=365, is_web_server=False, is_web_client=False): ca_cert = x509.load_pem_x509_certificate(ca_cert, default_backend()) ca_key = serialization.load_pem_private_key(ca_key, password=None, backend=default_backend()) ca_key_id = x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()) key = rsa.generate_private_key(public_exponent=65537, key_size=key_size, backend=default_backend()) subject_name_attributes = [x509.NameAttribute(NameOID.COMMON_NAME, cn)] subject_name_attributes += [x509.NameAttribute(NameOID.ORGANIZATION_NAME, org) for org in organizations] subject = x509.Name(subject_name_attributes) now = datetime.datetime.utcnow() cert = x509.CertificateBuilder() \ .subject_name(subject) \ .issuer_name(ca_cert.issuer) \ .public_key(key.public_key()) \ .serial_number(x509.random_serial_number()) \ .not_valid_before(now) \ .not_valid_after(now + datetime.timedelta(days=certify_days)) \ .add_extension(x509.AuthorityKeyIdentifier(ca_key_id.digest, [x509.DirectoryName(ca_cert.issuer)], ca_cert.serial_number), critical=False) \ .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=True) extended_usages = [] if is_web_server: extended_usages.append(ExtendedKeyUsageOID.SERVER_AUTH) if is_web_client: extended_usages.append(ExtendedKeyUsageOID.CLIENT_AUTH) if extended_usages: cert = cert.add_extension(x509.ExtendedKeyUsage(extended_usages), critical=False) sans = [x509.DNSName(name) for name in san_dns] sans += [x509.IPAddress(ipaddress.ip_address(ip)) for ip in san_ips] if sans: cert = cert.add_extension(x509.SubjectAlternativeName(sans), critical=False) cert = cert.sign(ca_key, hashes.SHA256(), default_backend()) cert = cert.public_bytes(serialization.Encoding.PEM) key = key.private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) return cert, key
