Mark Wright markscottwright

  • Washington, DC
@markscottwright
markscottwright / gist:5f20bfd3be83f7e6280e0a84e16736cc
Last active October 19, 2017 19:01
How to create a self-signed certificate in Python


I used to have a WordPress blog (I suppose I still do) and this was by far my most popular post. (A quick Google search showed my code in a bunch of projects).

Oftentimes, you need a keypair and certificate for a website, but you don't need it to be signed by a recognized CA. Here's how to do that in Python. Note that the method below isn't the most current, since it's using the common name component of the certificate's Subject as the hostname, instead of the Subject Alternative Name. See RFC 2818 for more information.

from socket import gethostname
from OpenSSL import crypto
@markscottwright
markscottwright / convert to pkcs 8.md
Last active June 23, 2022 14:06
How to convert a Java private key from PKCS#1 encoding to PKCS#8

I had some historical key material data in PKCS#1 format that needed to be in PKCS#8 for input into another system. Here's how to do it, using BouncyCastle:

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import java.security.PrivateKey;
@markscottwright
markscottwright / basepkcs11.cpp
Created October 31, 2017 13:46
PKCS11 skeleton
/*
* This is a skeleton for a pkcs11 application that takes care of loading the named pkcs11 library and getting
* the list of pkcs11 functions.
*/
#include <iostream>
#include <iomanip>
#include <windows.h>
// get this from https://www.cryptsoft.com/pkcs11doc/STANDARD/include/v220
// also get pkcs11t.h, pkcs11f.h, pkcs11.h
@markscottwright
markscottwright / UsernamePasswordAdder.java
Created January 24, 2018 21:38
How to supply username and password to a WS-Security 1.0 web service using the JAX-WS RI
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPHeaderElement;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
@markscottwright
markscottwright / gist:d3330f76e89ee5cc0e51c155920285ff
Last active April 16, 2024 20:41
How to verify a detached pkcs7 signature
# how to verify the signature if you have the CA's certificate. This doesn't seem to work if you specify
# a subordinate CA, even if that CA is the one that issued the cert that created the signature.
openssl smime -verify -inform der -in signature-file -content signed-file -CAfile ca-certificate-in-pem-format
# how to verify everything except the certificate - so the signatures are checked, but no attempt is made
# to verify that the CA's certificate is trusted
openssl smime -verify -noverify -inform der -in signature-file -content signed-file
@markscottwright
markscottwright / tableformat.vim
Created April 6, 2018 19:02
How to format an org-mode style table in Vim
" how to format a table in Vim
function! Strip(input_string)
return substitute(a:input_string, '^\s*\(.\{-}\)\s*$', '\1', '')
endfunction
function! GetFields(line_num)
let cur_line = Strip(getline(a:line_num))
let maybe_padded = split(cur_line, "|")
let fields = []
@markscottwright
markscottwright / test.py
Created August 23, 2018 17:45
How to log SQL in Django Unit Tests
import logging
from django.conf import settings
logging.getLogger('django.db.backends').setLevel(logging.DEBUG)
logging.getLogger('django.db.backends').addHandler(logging.StreamHandler())
settings.DEBUG = True
@markscottwright
markscottwright / AIAFetcher.java
Created November 27, 2018 14:50
Get the CA Issuer URLs from an X509Cert in Java
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x509.AccessDescription;
@markscottwright
markscottwright / DropTarget.java
Last active September 24, 2021 18:43
How to accept dropped files in Java Swing
package scratch;
import java.awt.BorderLayout;
import java.awt.datatransfer.DataFlavor;
import java.awt.datatransfer.UnsupportedFlavorException;
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
@markscottwright
markscottwright / SignedOfficeDocumentCerts.java
Created December 12, 2018 14:48
How to retrieve the signing certs and any attached chain of trust from a signed Office document.
package scratch;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;