# x509 certificate Implementation
In this notebook, we will walk through the steps of implementing the x509 certificate generation process

## Authors
[Abtin Zandi](https://github.com/Abtinz), [Amirfazel Koozegar kaleji](https://github.com/mr-amirfazel)

## Organization
[AUT-basics-of-security-fall-2024](https://github.com/AUT-basics-of-security-fall-2024)

In [1]:
from datetime import datetime, timedelta
from ipaddress import IPv4Address
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends.openssl.backend import backend

## Step 1: Alternative Names (Hostname , Public ip)

In [2]:
HOST_NAME = "google.com"

#you can optionally provide a public IP or private IP  -> (IPv4Address, IPv4Network, IPv6Address, IPv6Network)
public_ip, private_ip = IPv4Address("8.8.8.8") , None

In [3]:
'''Creating a certificate name with specific attributes using Name from x509
    -> NameAttribute: defines an attribute of the X.509 name (key-value pair)

        -> NameOID.COMMON_NAME specifies the Common Name field, which is typically used to identify the hostname or domain name associated with the certificate
        -> HOST_NAME representing the hostname or server name that we are using as our x509 Name
'''

certificate_name = x509.Name([
    x509.NameAttribute(NameOID.COMMON_NAME, HOST_NAME)
])

print("certificate name: ", certificate_name)
print("certificate name type: ", type(certificate_name))

certificate name:  <Name(CN=google.com)>
certificate name type:  <class 'cryptography.x509.name.Name'>


In [4]:
# Let's configure the list of alternative DNS names and domains for the certificate.
# The hostname should be included in the Subject Alternative Name (SAN) field.
# This approach ensures compatibility with modern browsers and tools, as the COMMON_NAME is deprecated.

alternative_names = [
    # Adding the server's hostname as a DNSName entry in the SAN list
    x509.DNSName(HOST_NAME)
]

In [5]:
'''
If you don't have a real DNS name (common in most testing scenarios),
you can use public and private IP addresses in the Subject Alternative Name (SAN) field.
SANs can include both DNS names and IP addresses, which makes the certificate flexible for various environments.
You should add the DNS sample name(can be the ip address value as a string) or maybe the real one and the use the  IPAddress to add public_ip and private_ip to x509 alternative names
public is already provided --> 8.8.8.8

'''

#append the simple hostname and then add associated ip(public or private one)
#attention: ip address should be one of IPv4Address, IPv4Network, IPv6Address, IPv6Network classes ...
#you are allowed to evade from appending the private ip but consider a condition for it's provision
alternative_names.append(x509.DNSName(str(public_ip)))
alternative_names.append(x509.IPAddress(public_ip))

In [6]:
''' Now, we need to build the Subject Alternative Name (SAN) attribute for our certificate.
    The SAN field is a critical component of modern certificates as it lists all the valid identities (e.g., DNS names, IPs) that the certificate is allowed to represent.
    This ensures compatibility with browsers, tools, and stricter TLS implementations that rely on the SAN field.
    The 'alternative_names' array contains all the DNS names and IP addresses we previously configured. Using this array, we create a SubjectAlternativeName object to include in the certificate.

    Result: The 'subject_alternative_names' object will encapsulate all the entries (DNS names and IP addresses)

'''

subject_alternative_names = x509.SubjectAlternativeName(alternative_names)

print(subject_alternative_names)

<SubjectAlternativeName(<GeneralNames([<DNSName(value='google.com')>, <DNSName(value='8.8.8.8')>, <IPAddress(value=8.8.8.8)>])>)>


## Step 2: Time and Basic Constraints

In [7]:
#here we will calculate starting and deadline times of certificate
#you are allowed to use another time to start the certificate period
current_time = datetime.utcnow()
print("current time: ",current_time)
#use timedelta and declare an one year deadline for certificate
deadline = current_time + timedelta(days=365)
print("deadline: ",current_time)

current time:  2024-12-14 19:05:42.799937
deadline:  2024-12-14 19:05:42.799937


## Step 3: RSA private key generation

In [8]:
#now we have to generate the private key using rsa algorithm for signing the certificate
#generate a RSA private key which we are going to use to sign the certificate
#note: public_exponent should be 65537
#backend  is OpenSSL API binding interfaces from cryptography\hazmat\backends\openssl\backend
key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=backend
)

In [9]:
#now we wanna see the private_key value that we are going to sign certificate with

# Specify the encoding format as PEM. This is the standard format for storing keys in a readable form.
encoding = serialization.Encoding.PEM

# Define the private key format as Traditional OpenSSL: This is a widely-used format for private keys, compatible with many tools and libraries.
private_format = serialization.PrivateFormat.TraditionalOpenSSL

# Specify the encryption algorithm for securing the private key: NoEncryption() means the private key will not be password-protected.
encryption_algorithm = serialization.NoEncryption()

private_key = key.private_bytes(
    encoding=encoding,
    format=private_format,
    encryption_algorithm=encryption_algorithm,
)

print("RSA PRIVATE KEY:\n", private_key)

RSA PRIVATE KEY:
 b'-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA1FTYB53NBIG74q06E+wgd34jcDXkoBKkY0snX71nf+Mtfg5c\ns2O08wx5AI1oh7KDKVcaKCpLSB6Aq2murodus/b9oI7Uwhm0uzmcCXg3tUTzmXuv\nrIbbWBBBFA1xq7Fjt2FzSzcqIWlHdraM9DW1GwxzIz3YsJyZmKs0QlgWrcHoXgw3\nH/kjZRCRGwyiHgmCsd3cT7ma1TzZOWBJwDbGKrEorkayHJSnuUrr4Zjgq+aGTR3z\nwNUry9PrSAmLSwmY0ctVe1bFZz77H5Ljz9k2NCe6wbvQl34VY+Re0AFD5CuDmize\ntW3XELLhP3Iy9l1GY2auAzY1BA4zNo8VJmux9wIDAQABAoIBAFiNWdszUIGEqZsL\nq6ELZS7wiE8P6t1naO+QNEeVcki/sgVUcAzQlHKYzQ4R63pMVK81CE+f8+2L6xWR\n6awYB28+nuALMWgR2HIMwKqiXHlY3E8yaj2FsIy1mq6GPNXiETg1iCPiScvNYGR+\nFaLzkyhItOwJqwldBiHJpO3WVv73kOV2J7SzjLQbFA4jjG9EFv/jGhjrvwLyJtKu\nr3Olk8vSwM14K4ugeOt0YSkwE2WcLxY00Sk2i7DDJS3uRNt8nKO+hIlMat6jdbT6\nNnvZ5VmEiW58rYPfVSMKZGWXsJAA9pl3jBAIG9QZAlZOl9tWu2d6XtvIYBtrr5YI\ntv7ewCECgYEA92xIA02pQG6NVuBMWsh8eaKAx/nYDE6oRGANAe+0y2NnSwytHtby\nJ6sfLpVK8QH6HidlNUBoKUlO3jeFQQHRoNFI6AWh9xiWyW0xupGhKrpegUI+F6pp\nsyQF4hgfx8wZ70x7Fw3KHtEh0/JOk/c+BzG6jTfODMIkuv/A3n4xnVUCgYEA27El\n028mBlVW1GM3nmodSvYq0ej

## Step 4: BasicConstraints

In [10]:
''' Define the Basic Constraints extension for the certificate using x509.
    The Basic Constraints extension specifies whether the certificate is a Certificate Authority (CA) and, if so, how deep the chain of trust it can create is allowed to go.
'''

# Set ca=True to indicate that this certificate is a Certificate Authority (CA). This means it is allowed to issue other certificates.
# Set path_length=0 to restrict the certificate’s authority:  A path length of 0 means this certificate can only sign itself (self-signed) and cannot be used to issue other subordinate certificates.

basic_constraints = x509.BasicConstraints(ca=True, path_length=0)
print("basic_constraints:" , basic_constraints)

basic_constraints: <BasicConstraints(ca=True, path_length=0)>


## Step 5: Certificate

In [11]:
#eventually, we produce the certificate with given attributes that we created earlier
produced_certificate = (
        x509.CertificateBuilder()
        .subject_name(certificate_name)
        .issuer_name(certificate_name)
        .public_key(key.public_key())
        .serial_number(1000)
        .not_valid_before(current_time)
        .not_valid_after(deadline)
        .add_extension(basic_constraints, False)
        .add_extension(subject_alternative_names, False)
        .sign(key, hashes.SHA256(), backend)
)

print(f"certificate version{produced_certificate.version} ")
print(f"certificate name{produced_certificate.issuer} ")
print(f"certificate won't be valid after {produced_certificate.not_valid_after} ")
print(f"certificate won't be valid before {produced_certificate.not_valid_before} ")

certificate = produced_certificate.public_bytes(
    encoding=serialization.Encoding.PEM
)

print(certificate)
print("sep")

certificate versionVersion.v3 
certificate name<Name(CN=google.com)> 
certificate won't be valid after 2025-12-14 19:05:42 
certificate won't be valid before 2024-12-14 19:05:42 
b'-----BEGIN CERTIFICATE-----\nMIIC3zCCAcegAwIBAgICA+gwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UEAwwKZ29v\nZ2xlLmNvbTAeFw0yNDEyMTQxOTA1NDJaFw0yNTEyMTQxOTA1NDJaMBUxEzARBgNV\nBAMMCmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDU\nVNgHnc0EgbvirToT7CB3fiNwNeSgEqRjSydfvWd/4y1+DlyzY7TzDHkAjWiHsoMp\nVxooKktIHoCraa6uh26z9v2gjtTCGbS7OZwJeDe1RPOZe6+shttYEEEUDXGrsWO3\nYXNLNyohaUd2toz0NbUbDHMjPdiwnJmYqzRCWBatweheDDcf+SNlEJEbDKIeCYKx\n3dxPuZrVPNk5YEnANsYqsSiuRrIclKe5SuvhmOCr5oZNHfPA1SvL0+tICYtLCZjR\ny1V7VsVnPvsfkuPP2TY0J7rBu9CXfhVj5F7QAUPkK4OaLN61bdcQsuE/cjL2XUZj\nZq4DNjUEDjM2jxUma7H3AgMBAAGjOTA3MA8GA1UdEwQIMAYBAf8CAQAwJAYDVR0R\nBB0wG4IKZ29vZ2xlLmNvbYIHOC44LjguOIcECAgICDANBgkqhkiG9w0BAQsFAAOC\nAQEAqUgczn44o4OzJ7bdKPZBepVmUvk1Lk5W8WMnQ67yXeYBVzvvzaYbQFk4tO8j\nBLbzpbkBmLdtPcGDAKvZn2amNMf3904HJMKyHZXcWkbgo1c0UIKQ4fI9M0k3Pv/b

  print(f"certificate won't be valid after {produced_certificate.not_valid_after} ")
  print(f"certificate won't be valid before {produced_certificate.not_valid_before} ")
