# x509 certificate Implementation
In this notebook, we will walk through the steps of implementing the x509 certificate generation process

## Authors
[Abtin Zandi](https://github.com/Abtinz), [Amirfazel Koozegar kaleji](https://github.com/mr-amirfazel) 

## Organization 
[AUT-basics-of-security-fall-2024](https://github.com/AUT-basics-of-security-fall-2024) 

In [1]:
from datetime import datetime, timedelta
from ipaddress import IPv4Address
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends.openssl.backend import backend

## Step 1: Alternative Names (Hostname , Public ip)

In [2]:
HOST_NAME = "google.com"

#you can optionally provide a public IP or private IP  -> (IPv4Address, IPv4Network, IPv6Address, IPv6Network)
public_ip, private_ip = IPv4Address("8.8.8.8") , None

In [None]:
'''Creating a certificate name with specific attributes using Name from x509
    -> NameAttribute: defines an attribute of the X.509 name (key-value pair)
       
        -> NameOID.COMMON_NAME specifies the Common Name field, which is typically used to identify the hostname or domain name associated with the certificate
        -> HOST_NAME representing the hostname or server name that we are using as our x509 Name
'''

certificate_name = None

print("certificate name: ", certificate_name)
print("certificate name type: ", type(certificate_name))

certificate name:  <Name(CN=google.com)>
certificate name type:  <class 'cryptography.x509.name.Name'>


In [4]:
# Let's configure the list of alternative DNS names and domains for the certificate.
# The hostname should be included in the Subject Alternative Name (SAN) field. 
# This approach ensures compatibility with modern browsers and tools, as the COMMON_NAME is deprecated.

alternative_names = [
    # Adding the server's hostname as a DNSName entry in the SAN list
    x509.DNSName(HOST_NAME)
]

In [None]:
''' Now, we need to build the Subject Alternative Name (SAN) attribute for our certificate.
    The SAN field is a critical component of modern certificates as it lists all the valid identities (e.g., DNS names, IPs) that the certificate is allowed to represent. 
    This ensures compatibility with browsers, tools, and stricter TLS implementations that rely on the SAN field.
    The 'alternative_names' array contains all the DNS names and IP addresses we previously configured. Using this array, we create a SubjectAlternativeName object to include in the certificate.

    Result: The 'subject_alternative_names' object will encapsulate all the entries (DNS names and IP addresses)
    
'''

subject_alternative_names = None

print(subject_alternative_names)

[<DNSName(value='google.com')>, <DNSName(value='8.8.8.8')>, <IPAddress(value=8.8.8.8)>]


In [6]:
''' Now, we need to build the Subject Alternative Name (SAN) attribute for our certificate.
    The SAN field is a critical component of modern certificates as it lists all the valid identities (e.g., DNS names, IPs) that the certificate is allowed to represent. 
    This ensures compatibility with browsers, tools, and stricter TLS implementations that rely on the SAN field.
    The 'alternative_names' array contains all the DNS names and IP addresses we previously configured. Using this array, we create a SubjectAlternativeName object to include in the certificate.

    Result: The 'subject_alternative_names' object will encapsulate all the entries (DNS names and IP addresses)
    
'''

subject_alternative_names = x509.SubjectAlternativeName(alternative_names)

print(subject_alternative_names)

<SubjectAlternativeName(<GeneralNames([<DNSName(value='google.com')>, <DNSName(value='8.8.8.8')>, <IPAddress(value=8.8.8.8)>])>)>


## Step 2: Time and Basic Constraints

In [None]:
#here we will calculate starting and deadline times of certificate
#you are allowed to use another time to start the certificate period
current_time = datetime.utcnow()
print("current time: ",current_time)
#use timedelta and declare an one year deadline for certificate
deadline = None
print("deadline: ",current_time)

current time:  2024-11-24 20:50:41.982046
deadline:  2024-11-24 20:50:41.982046


## Step 3: RAS private key generation

In [None]:
#now we have to generate the private key using rsa algorithm for signing the certificate
#generate a RSA private key which we are going to use to sign the certificate
#note: public_exponent should be 65537
#backend  is OpenSSL API binding interfaces from cryptography\hazmat\backends\openssl\backend
key = None

In [None]:
#now we wanna see the private_key value that we are going to sign certificate with

# Specify the encoding format as PEM. This is the standard format for storing keys in a readable form.
encoding = None

# Define the private key format as Traditional OpenSSL: This is a widely-used format for private keys, compatible with many tools and libraries.
private_format = None

# Specify the encryption algorithm for securing the private key: NoEncryption() means the private key will not be password-protected.
encryption_algorithm = None

private_key = key.private_bytes(
    encoding=encoding,
    format=private_format,
    encryption_algorithm=encryption_algorithm,
)

print("RSA PRIVATE KEY:\n", private_key)

RSA PRIVATE KEY:
 b'-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAsEItYoqOivH879huyy+2aG4DW4tCHAnl9rgx4KsXgB0fd+UM\n0dtxVocegsAmGPVK2cEmP+HCHiHNAZKS8oZO+yKyfkm6HzxqTaElJYetExzi7tc2\nxachAt/uWd8Xm3hHW1BJJ3G5IvSgZ45DQ/RiaVmMcuBsm3VlhhTDjbqYmtBKBmbV\nISeKjqMI6HCaIezD4jRtO7YBWmv2lxRObJ0VyZGRKjQIjikddwPEn4YLM5S/avfq\ndb60NeS+iBw4ENXpCxw/bbF/yIMzmN3w9rRWMV1VtgjrkHvB426IE9aoiw0ib0vp\npLuBIadh1pKH/WAEv/iK31i4Wb2oIQWVuZwHhQIDAQABAoIBAAZwRGwnF5HnyQ+R\n3mo5sfYanrDHY4DWs7nRfLDyTwd1COM+ULuRwpAgm3K3Riz/ON6/eYA35Plozq5S\nBmApm9T8rXyDgPMHJ/LyAgNe82mRUpDa97s8oa4TNAfAaIJbYG/rfOCd/N9UBFAE\nGFzxHm8uwDyqCg2bujuton8Y494z0hrqBZcsY6SiwKILGxgf1cn3OEpaaE3KiHit\noZG9Tpkc/DaVYpWZw9QaFBqW2sr4OHVtDrIIwWLT2A26ZELDh9SMsjDv89sN6l2k\nDFm3UJAHDpGWvqCEwQodLNE2ik6isy0+37MoDqxRwgbkAzk+E3YDKy6YHAQMh7Om\n8QLM+YECgYEA2CUGwlxe7KZiIkepfJH+HxjmdKr0uZjX9Bw9BnJn9t9AAHu/W2LH\nBarwcuTnCUM9cDRs3FWrJMR9u3DQDlhmcoZERz3U/3zvVecROnCypk7GATQWnP0p\nkldfDG7XAKd5pgQpOMekg1DzZzvMkDDy1qizFrCqyO7ct5lBXNZRDzECgYEA0MJZ\n0TKABzwMJ1hN8c02gzr5dzi

## Step 4: BasicConstraints

In [None]:
''' Define the Basic Constraints extension for the certificate using x509. 
    The Basic Constraints extension specifies whether the certificate is a Certificate Authority (CA) and, if so, how deep the chain of trust it can create is allowed to go.
'''

# Set ca=True to indicate that this certificate is a Certificate Authority (CA). This means it is allowed to issue other certificates.
# Set path_length=0 to restrict the certificate’s authority:  A path length of 0 means this certificate can only sign itself (self-signed) and cannot be used to issue other subordinate certificates.

basic_constraints = None
print("basic_constraints:" , basic_constraints)

basic_constraints: <BasicConstraints(ca=True, path_length=0)>


## Step 5: Certificate

In [11]:
#eventually, we produce the certificate with given attributes that we created earlier
produced_certificate = (
        x509.CertificateBuilder()
        .subject_name(certificate_name)
        .issuer_name(certificate_name)
        .public_key(key.public_key())
        .serial_number(1000)
        .not_valid_before(current_time)
        .not_valid_after(deadline)
        .add_extension(basic_constraints, False)
        .add_extension(subject_alternative_names, False)
        .sign(key, hashes.SHA256(), backend)
)

print(f"certificate version{produced_certificate.version} ")
print(f"certificate name{produced_certificate.issuer} ")
print(f"certificate won't be valid after {produced_certificate.not_valid_after} ")
print(f"certificate won't be valid before {produced_certificate.not_valid_before} ")

certificate = produced_certificate.public_bytes(
    encoding=serialization.Encoding.PEM
)

print(certificate)

certificate versionVersion.v3 
certificate name<Name(CN=google.com)> 
certificate won't be valid after 2025-11-25 20:50:41 
certificate won't be valid before 2024-11-24 20:50:41 
b'-----BEGIN CERTIFICATE-----\nMIIC3zCCAcegAwIBAgICA+gwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UEAwwKZ29v\nZ2xlLmNvbTAeFw0yNDExMjQyMDUwNDFaFw0yNTExMjUyMDUwNDFaMBUxEzARBgNV\nBAMMCmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw\nQi1iio6K8fzv2G7LL7ZobgNbi0IcCeX2uDHgqxeAHR935QzR23FWhx6CwCYY9UrZ\nwSY/4cIeIc0BkpLyhk77IrJ+SbofPGpNoSUlh60THOLu1zbFpyEC3+5Z3xebeEdb\nUEkncbki9KBnjkND9GJpWYxy4GybdWWGFMONupia0EoGZtUhJ4qOowjocJoh7MPi\nNG07tgFaa/aXFE5snRXJkZEqNAiOKR13A8SfhgszlL9q9+p1vrQ15L6IHDgQ1ekL\nHD9tsX/IgzOY3fD2tFYxXVW2COuQe8HjbogT1qiLDSJvS+mku4Ehp2HWkof9YAS/\n+IrfWLhZvaghBZW5nAeFAgMBAAGjOTA3MA8GA1UdEwQIMAYBAf8CAQAwJAYDVR0R\nBB0wG4IKZ29vZ2xlLmNvbYIHOC44LjguOIcECAgICDANBgkqhkiG9w0BAQsFAAOC\nAQEAh7mzqfga0owbppJTBG69vCXYQl09Z6Eac+XLxgWGSyaqLsp2izRs6cdOMc6+\nlQnN6V26+IHZSWu3eUOrmOUQkb7GRA+GHbyFWCv7erhm7SckTQe0mB8v+nF8csHm