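"""Generate DER fixtures for an X.509 name-constraints test.

Running this module writes three certificates next to it:

* ``test.ca.der``        - self-signed CA whose critical NameConstraints
  extension permits only the DNS subtree ``.tr``.
* ``test.ee.der``        - end-entity cert for ``example.com`` issued by that
  CA; it lies outside the permitted subtree, so a conforming path validator
  is expected to reject the chain.
* ``test.ee.valid.der``  - end-entity cert for ``example.tr`` issued by the
  same CA; it lies inside the permitted subtree and is expected to validate.

Key pairs and serial numbers are regenerated on every run, so the byte output
is not reproducible; only the validity window is fixed. Private keys are never
written to disk.
"""
from pathlib import Path
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.hazmat.backends import default_backend
from cryptography.x509.oid import NameOID

# Fixed "now" for the test. Every certificate below is valid only for the
# 60-second window centred on this instant, so whatever consumes the fixtures
# must evaluate them at this time rather than at the wall clock.
VERIFICATION_TIME: int = 0x1FEDF00D
VALIDITY_SLACK: datetime.timedelta = datetime.timedelta(seconds=30)

# Timezone-aware UTC datetimes replace datetime.utcfromtimestamp(), which is
# deprecated since Python 3.12; the builder normalises them to UTC internally,
# so the encoded validity is unchanged.
_VERIFICATION_DT: datetime.datetime = datetime.datetime.fromtimestamp(
    VERIFICATION_TIME, tz=datetime.timezone.utc
)
NOT_BEFORE: datetime.datetime = _VERIFICATION_DT - VALIDITY_SLACK
NOT_AFTER: datetime.datetime = _VERIFICATION_DT + VALIDITY_SLACK

# Permitted DNS subtree of the CA. Note the leading dot: RFC 5280 §4.2.1.10
# writes DNS constraints as plain host names ("example.com"), and validators
# differ in how they treat a leading-dot form. The value is kept verbatim
# because exercising that behaviour appears to be the point of the fixture.
PERMITTED_DNS_SUBTREE: str = ".tr"


def _common_name(value: str) -> x509.Name:
    """Return a Name consisting of a single commonName attribute.

    Args:
        value: The commonName string.
    """
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, value)])


def _base_builder(
    subject: x509.Name,
    issuer: x509.Name,
    public_key: ec.EllipticCurvePublicKey,
) -> x509.CertificateBuilder:
    """Return a builder carrying the fields common to every fixture cert.

    Args:
        subject: Subject name of the certificate.
        issuer: Issuer name (the CA's name, or the subject itself for the CA).
        public_key: Public key to bind into the certificate.

    Returns:
        A CertificateBuilder with subject, issuer, the fixed validity window,
        a fresh random serial number and the public key already set.
    """
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .serial_number(x509.random_serial_number())
        .public_key(public_key)
    )


def _sign(
    builder: x509.CertificateBuilder,
    signing_key: ec.EllipticCurvePrivateKey,
) -> x509.Certificate:
    """Sign *builder* with *signing_key* using ECDSA over SHA-256.

    Args:
        builder: Fully populated certificate builder.
        signing_key: Private key of the issuer.

    Returns:
        The signed certificate.
    """
    return builder.sign(
        private_key=signing_key,
        algorithm=hashes.SHA256(),
        backend=default_backend(),
    )


def _build_ee_cert(
    dns_name: str,
    public_key: ec.EllipticCurvePublicKey,
    issuer: x509.Name,
    signing_key: ec.EllipticCurvePrivateKey,
) -> x509.Certificate:
    """Build and sign an end-entity certificate for a single DNS name.

    The name is placed both in the subject commonName and in a non-critical
    SubjectAlternativeName, matching the original fixtures. No BasicConstraints
    or KeyUsage extension is added, again to keep the fixtures as they were.

    Args:
        dns_name: Host name the certificate is issued for.
        public_key: End-entity public key.
        issuer: Issuer name to record in the certificate.
        signing_key: Issuer private key used to sign.

    Returns:
        The signed end-entity certificate.
    """
    builder = _base_builder(_common_name(dns_name), issuer, public_key)
    builder = builder.add_extension(
        x509.SubjectAlternativeName([x509.DNSName(dns_name)]),
        critical=False,
    )
    return _sign(builder, signing_key)


def _write_der(path: str, cert: x509.Certificate) -> None:
    """Write *cert* in DER encoding to *path*, replacing any existing file.

    Args:
        path: Destination file path.
        cert: Certificate to serialise.
    """
    with Path(path).open("wb") as f:
        f.write(cert.public_bytes(Encoding.DER))


# --- CA: self-signed, name-constrained to the ".tr" DNS subtree ------------
ca_private_key: ec.EllipticCurvePrivateKey = ec.generate_private_key(
    ec.SECP256R1(), default_backend()
)
ca_public_key: ec.EllipticCurvePublicKey = ca_private_key.public_key()
ca_name: x509.Name = _common_name("name-constraint-test.example.com")

ca_cert_builder: x509.CertificateBuilder = _base_builder(
    ca_name, ca_name, ca_public_key
)
# Both extensions are critical: a validator that does not understand
# NameConstraints must reject the chain rather than silently ignore the limit.
ca_cert_builder = ca_cert_builder.add_extension(
    x509.BasicConstraints(ca=True, path_length=None),
    critical=True,
)
ca_cert_builder = ca_cert_builder.add_extension(
    x509.NameConstraints(
        permitted_subtrees=[x509.DNSName(PERMITTED_DNS_SUBTREE)],
        excluded_subtrees=None,
    ),
    critical=True,
)
ca_cert: x509.Certificate = _sign(ca_cert_builder, ca_private_key)
_write_der("./test.ca.der", ca_cert)

# --- End-entity certificates (both share one key pair) ----------------------
ee_private_key: ec.EllipticCurvePrivateKey = ec.generate_private_key(
    ec.SECP256R1(), default_backend()
)
ee_public_key: ec.EllipticCurvePublicKey = ee_private_key.public_key()

# "example.com" is outside the permitted ".tr" subtree: the negative case.
ee_name: x509.Name = _common_name("example.com")
ee_cert: x509.Certificate = _build_ee_cert(
    "example.com", ee_public_key, ca_name, ca_private_key
)
_write_der("./test.ee.der", ee_cert)

# "example.tr" is inside the permitted subtree: the positive case.
ee_valid_name: x509.Name = _common_name("example.tr")
ee_valid_cert: x509.Certificate = _build_ee_cert(
    "example.tr", ee_public_key, ca_name, ca_private_key
)
_write_der("./test.ee.valid.der", ee_valid_cert)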