from pathlib import Path
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.hazmat.backends import default_backend
from cryptography.x509.oid import NameOID
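# Fixed validity window shared by every certificate in this fixture: 60 seconds
# centred on the epoch timestamp 0x1FEDF00D. Anything verifying these
# certificates must therefore evaluate them at that pinned time, not at "now".
_FIXTURE_EPOCH: int = 0x1FEDF00D
# Built timezone-aware (UTC) instead of via utcfromtimestamp(), which is
# deprecated since Python 3.12 and yields a naive datetime. cryptography's
# builder converts aware datetimes to UTC internally, so the encoded
# notBefore/notAfter values are unchanged.
NOT_BEFORE: datetime.datetime = datetime.datetime.fromtimestamp(
    _FIXTURE_EPOCH - 30, tz=datetime.timezone.utc
)
NOT_AFTER: datetime.datetime = datetime.datetime.fromtimestamp(
    _FIXTURE_EPOCH + 30, tz=datetime.timezone.utc
)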
# --- Constraining CA ---------------------------------------------------------
# A self-signed P-256 CA whose only job is to carry a critical name constraint;
# the leaf certificates further down chain to it.
ca_private_key: ec.EllipticCurvePrivateKey = ec.generate_private_key(
    ec.SECP256R1(), default_backend()
)
ca_public_key: ec.EllipticCurvePublicKey = ca_private_key.public_key()
ca_name: x509.Name = x509.Name(
    [x509.NameAttribute(NameOID.COMMON_NAME, "name-constraint-test.example.com")]
)
ca_cert_builder: x509.CertificateBuilder = (
    x509.CertificateBuilder()
    .subject_name(ca_name)
    .issuer_name(ca_name)  # self-signed: issuer == subject
    .not_valid_before(NOT_BEFORE)
    .not_valid_after(NOT_AFTER)
    .serial_number(x509.random_serial_number())
    .public_key(ca_public_key)
    .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    # The leading-dot form ".tr" is not the RFC 5280 spelling of a DNS
    # constraint ("tr"); some verifiers read it as "subdomains only" and
    # others reject it outright. Presumably chosen on purpose for the
    # verifier under test — confirm before changing it.
    .add_extension(
        x509.NameConstraints(
            permitted_subtrees=[x509.DNSName(".tr")], excluded_subtrees=None
        ),
        critical=True,
    )
)
# NOTE(review): no KeyUsage, SubjectKeyIdentifier or AuthorityKeyIdentifier
# extensions are added; verifiers that insist on keyCertSign for a CA or that
# build chains via AKI/SKI may refuse this fixture.
ca_cert: x509.Certificate = ca_cert_builder.sign(
    private_key=ca_private_key,
    algorithm=hashes.SHA256(),
    backend=default_backend(),
)
with Path("./test.ca.der").open("wb") as f:
    f.write(ca_cert.public_bytes(Encoding.DER))
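# --- End-entity certificates -------------------------------------------------
# Both leaves share one P-256 key and are issued by the CA above; they differ
# only in the name they claim, so one falls inside the CA's ".tr" name
# constraint and the other outside it.
ee_private_key: ec.EllipticCurvePrivateKey = ec.generate_private_key(
    ec.SECP256R1(), default_backend()
)
ee_public_key: ec.EllipticCurvePublicKey = ee_private_key.public_key()


def _issue_leaf(subject: x509.Name, dns_name: str, out_path: Path) -> x509.Certificate:
    """Issue a leaf under the CA for *dns_name* and write it as DER to *out_path*.

    The certificate carries *subject* as its subject name and *dns_name* in a
    non-critical SubjectAlternativeName. The public key is the shared
    ``ee_public_key``; the signature is made with ``ca_private_key`` over
    SHA-256, and the fixture-wide NOT_BEFORE/NOT_AFTER window is reused.

    Args:
        subject: subject name to encode.
        dns_name: host name placed in the SAN.
        out_path: destination file; overwritten if it already exists.

    Returns:
        The signed certificate.
    """
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(ca_name)
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .serial_number(x509.random_serial_number())
        .public_key(ee_public_key)
        # A non-critical SAN is allowed by RFC 5280 because the subject is
        # non-empty; name-constraint checking applies to the SAN regardless.
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False
        )
        .sign(
            private_key=ca_private_key,
            algorithm=hashes.SHA256(),
            backend=default_backend(),
        )
    )
    with out_path.open("wb") as f:
        f.write(cert.public_bytes(Encoding.DER))
    return cert


# Outside the permitted subtree (".tr"): a constraint-enforcing verifier
# should reject this chain.
ee_name: x509.Name = x509.Name(
    [x509.NameAttribute(NameOID.COMMON_NAME, "example.com")]
)
ee_cert: x509.Certificate = _issue_leaf(ee_name, "example.com", Path("./test.ee.der"))

# Inside the permitted subtree: the chain should verify.
ee_valid_name: x509.Name = x509.Name(
    [x509.NameAttribute(NameOID.COMMON_NAME, "example.tr")]
)
ee_cert = _issue_leaf(ee_valid_name, "example.tr", Path("./test.ee.valid.der"))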