certtools/generate_intermediate.py at master · cfms-dev/certtools · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
import datetime

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Load root cert
with open("./signing/root_cert.pem", "rb") as root_crtfile:
    root_cert = x509.load_pem_x509_certificate(root_crtfile.read())

# Load root private key
with open("./signing/root_key.pem", "rb") as root_keyfile:
    root_key = serialization.load_pem_private_key(root_keyfile.read(), password=None)
    # assert type(root_key) == ECPrivateKey
    # ec.generate_private_key()

# Generate our intermediate key
int_key = ec.generate_private_key(ec.SECP256R1())
subject = x509.Name(
    [
        x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Beijing"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "Beijing"),
        x509.NameAttribute(
            NameOID.ORGANIZATION_NAME, "CFMS Intermediate CA Management Organization"
        ),
        x509.NameAttribute(NameOID.COMMON_NAME, "CFMS Intermediate CA"),
    ]
)
int_cert = (
    x509.CertificateBuilder()
    .subject_name(subject)
    .issuer_name(root_cert.subject)
    .public_key(int_key.public_key())
    .serial_number(x509.random_serial_number())
    .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
    .not_valid_after(
        # Our intermediate will be valid for ~3 years
        datetime.datetime.now(datetime.timezone.utc)
        + datetime.timedelta(days=365 * 3)
    )
    .add_extension(
        # Allow no further intermediates (path length 0)
        x509.BasicConstraints(ca=True, path_length=0),
        critical=True,
    )
    .add_extension(
        x509.KeyUsage(
            digital_signature=True,
            content_commitment=False,
            key_encipherment=False,
            data_encipherment=False,
            key_agreement=False,
            key_cert_sign=True,
            crl_sign=True,
            encipher_only=False,
            decipher_only=False,
        ),
        critical=True,
    )
    .add_extension(
        x509.SubjectKeyIdentifier.from_public_key(int_key.public_key()),
        critical=False,
    )
    .add_extension(
        x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
            root_cert.extensions.get_extension_for_class(
                x509.SubjectKeyIdentifier
            ).value
        ),
        critical=False,
    )
    .sign(root_key, hashes.SHA256())
)

with open("./signing/int_key.pem", "wb") as f:
    f.write(
        int_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
            # encryption_algorithm=serialization.BestAvailableEncryption(b"passphrase"),
        )
    )

with open("./signing/int_cert.pem", "wb") as f:
    f.write(int_cert.public_bytes(serialization.Encoding.PEM))