# Certificates (X.509)

Import useful packages for project

In [38]:
# For a CSR, self-signed and key type

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import load_pem_private_key
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime

import OpenSSL.crypto
from OpenSSL.crypto import load_certificate_request, FILETYPE_PEM

## Create a Certificate Signing Request (CSR)

**Steps for request a signing certificate**

1. Generate a private/public key pair.
2. Create a request for a certificate, which is signed by our key (to prove that we own that key).
3. Give our CSR to a CA (but not the private key).
4. The CA validates that we own the resource (e.g. domain) we want a certificate for.
5. The CA gives us a certificate, signed by them, which identifies our public key, and the resource we are authenticated for.
6. We configure our server to use that certificate, combined with our private key, to server traffic.

### First step

Generation of the private key using RSA and save it in a .pem file. If the key is already generated, we just load the file key.pem.

In [39]:
# Generate our key
try:
    with open('key.pem', 'rb') as f:
        key_data = f.read()
        print(str(key_data, 'utf-8'))
    key = load_pem_private_key(key_data, b"password", default_backend())
except FileNotFoundError:
    print("error")
    key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend()
    )
    with open('key.pem', 'wb+') as f:
        f.write(key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.BestAvailableEncryption(b"password")
        ))

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,66544B35313380A5A21AB389595DBB12

AJbEtN6dFgTwdGBaW6OuE2aGuZP1bHW7j7W2QSJyXaAJ7y5HYgLzsDNy2odJFrbJ
mwmP9/Du/A+GyCOTINDblaQ/gEm05cdkt2n+iRRTstRbpuetRsMCIdzT2Lbj5/L6
VlFIeu/kJQjesfBvNlamj0+1TPZUslp9ocxWVu9Ci8KkFKCLiBJiEm5RFUalFTDN
i3UNGciFRufQgSI1uS4MgE0NDyWA5Dp1HUWo2/shH8jwFGiHYcBcxDelcbFlbI9j
83stH4FjW4hx6QBiDHSlxxv8qjV/XFVxoDFBPNdvszODdgH3xJtCGeYA99I7HY53
25hNTVIr/op546f/NgoRcwo7XccOZWluOiFxdtUoHzpboY3NOSPqJMJGtlsop6bh
hCaiSCLZd826je1wwdnvvaXQKdc7n0uiwE+yQXFT24rUttegbSYPdn8E6Ul5gAcm
c4SRmQGQMPO0gbgh4sCfqL/mu8ocxjfPparrUw6l1PjBgpcuZBMh3gltiqs59O3N
TPIWM5WyIp4Xy3XTZPixFccSti0UcteDi9i9bLnDpE0gaOo23HX+hLk1S913lK4K
tE3RyNEkQtgyrcKM/z/LvS//hSvG2AR7kXWGJ4o6oR3OPiCEiiAyKOgxnmMKsk52
R1exizJmLRJQI6qRcJmOVp5wE2uiARsDDbQmkmCC0RQMvbV89l7sYymiaSimshvA
/nytdFClujJYW+vyVhF1EoYX8hZgH4rPlAYSlYa5O7tEWIk7SfFqRl4GskFtoAXx
2pV9OalRFR2tfVEb/sMyCrOO27fkvxnAJbCiAMNKeQyxUSz9s8/ajne6sYyUJJHx
VS++DEaWRu57mIbTXYjkW8eVlq59lrgcMk4vOdwh6l2+

### Second step

We create a file named csr.pem. It's a request for a signing certificate to a trusted CA.

In [40]:
# Generate a CSR
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
    # Provide various details about who we are.
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"CH"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Neuchatel"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Neuchatel"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"HE-Arc"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"www.he-arc.ch"),
])).add_extension(
    x509.SubjectAlternativeName([
        # Describe what sites we want this certificate for.
        x509.DNSName(u"www.he-arc.ch"),
        x509.DNSName(u"webmail.he-arc.ch"),
        x509.DNSName(u"intranet.he-arc.ch"),
    ]),
critical=False,
# Sign the CSR with our private key.
).sign(key, hashes.SHA256(), default_backend())

# Write our CSR out to disk.
with open("csr.pem", "wb") as f:
    f.write(csr.public_bytes(serialization.Encoding.PEM))

### Read and deserialize the CSR

After the generation, we load the certificate to show the content of the file

In [41]:
with open("csr.pem", "rb") as f:
    csr = f.read()
print(str(csr, 'utf-8'))

-----BEGIN CERTIFICATE REQUEST-----
MIIC9TCCAd0CAQAwXjELMAkGA1UEBhMCQ0gxEjAQBgNVBAgMCU5ldWNoYXRlbDES
MBAGA1UEBwwJTmV1Y2hhdGVsMQ8wDQYDVQQKDAZIRS1BcmMxFjAUBgNVBAMMDXd3
dy5oZS1hcmMuY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+ic++
5eXkql8llpvLUzFim97gCc7PBIUX9pEVedgd5jkJ1mRg0hWNdYm2QBgGZ2eQH6zf
tIbfr1oyZqXnS7yX7ALE00cRuZU12avkcG4XWkznUwKc8dunG2HUoOr0ws6C6qeP
qeChHz1xLsQdc4nYff6XoB58X7fZdnHD0VnWBCbJN+Xdhi1FCBzVnRig2CGloa1z
yaGBXkTlT/HQuEVzerhDaqC1IxafIoIkWPf6hwWVpFxQ890R+21L0BMkZFWzrmJj
WutdqrmdgaF0+BnZWUKh9e8XTRvuiVVuV3qq4uOe1t1KvLFt8MEjpj2y4ke/C3Sm
a2zxZtL9TGCtSBfNAgMBAAGgUjBQBgkqhkiG9w0BCQ4xQzBBMD8GA1UdEQQ4MDaC
DXd3dy5oZS1hcmMuY2iCEXdlYm1haWwuaGUtYXJjLmNoghJpbnRyYW5ldC5oZS1h
cmMuY2gwDQYJKoZIhvcNAQELBQADggEBAJmgaWmGZegoKB3ISTacBCLOvZGe95FV
pUHx52sOeTX615LL7dsF2/xm+OorlrsrlQM4mevp2o8KQZCWKRYFOISpEcsBF7mE
DG2KYKzqp1T1uL7TSMG+yxakoTGucaji0lxdk5zXczB7jjFs613/mSFFakACbpsa
7PNYsw/2rVOsy/j/oXITWV/6ESgOrvuMqdLWvw5apPVsuQeECxsb6aeyfutUQZU3
E1GOt7LA/Tt+5Rwdnn1Ntu1FevzOvHdKZLByxPDtrC934CssB3Y24f

### Show certificate informations

We iterate on the certificate to get and show informations about the given certificate.

Here we'll show the type of the key used to sign the certificate, the country, the company name, etc.

In [42]:
req = load_certificate_request(FILETYPE_PEM, csr)
key = req.get_pubkey()

key_type = 'RSA' if key.type() == OpenSSL.crypto.TYPE_RSA else 'DSA'
print("Key type:", key_type)
subject = req.get_subject()
extensions = req.get_extensions()

components = dict(subject.get_components())

print("Country :", str(components[b'C'], 'utf-8'))
print("State :", str(components[b'ST'], 'utf-8'))
print("City :", str(components[b'L'], 'utf-8'))
print("Company :", str(components[b'O'], 'utf-8'))
print("Website :", str(components[b'CN'], 'utf-8'))

print(extensions[0])

Key type: RSA
Country : CH
State : Neuchatel
City : Neuchatel
Company : HE-Arc
Website : www.he-arc.ch
DNS:www.he-arc.ch, DNS:webmail.he-arc.ch, DNS:intranet.he-arc.ch


**These following steps could not been realized because we have to give to the CA a real domain, informations and dispose of a server.**

3. Give our CSR to a CA (but not the private key).
4. The CA validates that we own the resource (e.g. domain) we want a certificate for.
5. The CA gives us a certificate, signed by them, which identifies our public key, and the resource we are authenticated for.
6. We configure our server to use that certificate, combined with our private key, to server traffic.

## Creating a self-signed certificate

### Creating the issuer (CA) and the subject (us)

As we want to create a self signed certificate, we are the issuer and the subject at the same time. This would be used to test locally or to use https in an intranet.

In [43]:
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"CH"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Neuchatel"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Neuchatel"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"HE-Arc"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"www.he-arc.ch"),
])

### Load previously generated private key

In [44]:
with open('key.pem', 'rb') as f:
    key_data = f.read()
    
key = load_pem_private_key(key_data, b"password", default_backend())

### Create self signed certificate

Class CertificateBuilder:
   * **subject_name**: us (HE-Arc)
   * **issuer_name**: CA (HE-Arc)
   * **public_key**: our public key that will be signed by the CA private key
   * **serial_number**: number that uniquely identifies a certificate given the user
   * **not_valid_before**: start date of certificate validity
   * **not_valid_after**: end date of certificate validity
   * **add_extension**: associate other domains to this certificate (all localhost domains share this certificate)
   * **sign**: sign the certificate using the CA private key

In [45]:
 cert = x509.CertificateBuilder( \
    ).subject_name(subject \
    ).issuer_name(issuer \
    ).public_key(key.public_key() \
    ).serial_number(x509.random_serial_number() \
    ).not_valid_before(datetime.datetime.utcnow() \
    ).not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10) \
    ).add_extension(x509.SubjectAlternativeName([x509.DNSName(u"localhost")]),critical=False, \
    ).sign(key, hashes.SHA256(), default_backend())

### Write our certificate out to disk.

In [46]:
with open("self_signed_certificate.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

### Verify certificate validity

We check if we haven't surpassed the end date.

In [47]:
with open('self_signed_certificate.pem', 'rb') as f:
    pem_data = f.read()

In [48]:
cert = x509.load_pem_x509_certificate(pem_data, default_backend())

**If we get a true, it means that the certificate has not expired and it's still valid :**

In [64]:
cert.not_valid_after > datetime.datetime.today()

True

## Create a revoked certificate

In [70]:
builder = x509.RevokedCertificateBuilder()
builder = builder.revocation_date(datetime.datetime.today()) # Define the date this certificate was revoked
builder = builder.serial_number(3333)
revoked_certificate = builder.build(default_backend())

isinstance used with **x509.RevokedCertificate** return true if the certificate is revoked

In [68]:
isinstance(revoked_certificate, x509.RevokedCertificate)

True

## Test url certificate using urllib and https://badssl.com/

Badssl is a website who provides different url with known certificate errors. It allows us to test different case of bad certificate.

In [72]:
import urllib.request
from urllib.error import URLError
import requests

import urllib.error
try:
   #page = urllib.request.urlopen('http://google.com') # url with valid certificate, will return code 200
   #page = urllib.request.urlopen('http://expired.badssl.com') # certificate is expired
   #page = urllib.request.urlopen('http://wrong.host.badssl.com') # wrong host on certificate
    page = urllib.request.urlopen('http://untrusted-root.badssl.com') # CA that signed the certificate is not trusted by our browser
    print(page.getcode())
except URLError as e:
    print(e.reason)

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)


### Verify ubs certificate

We download the official UBS certificate from their website

In [52]:
with open('ubs.pem', 'rb') as f:
    pem_data = f.read()
print(str(pem_data, 'utf-8'))

-----BEGIN CERTIFICATE-----
MIIHIjCCBgqgAwIBAgIQAYo39/Fx4O1cqCG/Zgrj5zANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE5MTAyODAwMDAwMFoXDTIxMTIwODEy
MDAwMFowga0xHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAkNIMRgwFgYLKwYBBAGCNzwCAQIMB1rDvHJpY2gxGDAWBgNVBAUT
D0NIRS0xMDEgMzI5IDU2MTELMAkGA1UEBhMCQ0gxDzANBgNVBAcTBlp1cmljaDEP
MA0GA1UEChMGVUJTIEFHMRQwEgYDVQQDEwt3d3cudWJzLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMvb1wb2uiTdaqLE1Z0+aNI2xtZkq9WjSJMN
PykdI/1532gT3FRbI8xJHCb88u8Dw3KKhJaMfvZqMEw2VKRqN1vfA8Wtvj8jQrSo
Y7eMRYvusmnpZCdmWCbUEufVPB3HDBFsixHwQf1CQ5dlvi1PTm5ql9QDttkotb05
lp17DSQNEvY4idFIhidzc5w2L9/yLNJLkFRM8ezJF44TPAma/806OIdaoY6o7jNU
TVbQ0nMxw0YC67XRSbWJnpjdJBhFTQ1Px4dpKiJEJVv2bQObpIAp4YzTR1UMEjGW
TIhT2lJCfeSLCbAN0X+6mX0RwYMao6cd2dMZcW4Y9YTaw/Yh5F8CAwEAAaOCA3Mw
ggNvMB8GA1UdIwQYMBaAFD3TUKXWoK3u80pgCmXTIdT4+NYPMB0GA1UdDgQWBB

In [73]:
cert = x509.load_pem_x509_certificate(pem_data, default_backend()) # We load the certificate into an object

We iterate over the issuer and subject to format the data into a simplier data structure :

In [54]:
issuer = {}
tmp = str(cert.issuer.rfc4514_string().encode('utf8'),'utf-8').split(",")
for attribute in tmp:
    res = attribute.split("=")
    issuer[res[0]] = res[1]
    
subject = {}
tmp = str(cert.subject.rfc4514_string().encode('utf8'),'utf-8').split(",")
for attribute in tmp:
    res = attribute.split("=")
    subject[res[0]] = res[1]

Now, we can display the different informations contains into the certificates, eg. Country, company name, etc...

In [55]:
print("Issuer name:", issuer["CN"])
print("Issuer country:", issuer["C"])
print("Subject name:", subject["CN"])
print("Subject country:", subject["C"])
print("Subject organisation:", subject["O"])
print("Subject Locality:", subject["L"])
print("Start date :", str(cert.not_valid_before))
print("End date :", str(cert.not_valid_after))
print("Serial number :", str(cert.serial_number))

Issuer name: DigiCert SHA2 Extended Validation Server CA
Issuer country: US
Subject name: www.ubs.com
Subject country: CH
Subject organisation: UBS AG
Subject Locality: Zurich
Start date : 2019-10-28 00:00:00
End date : 2021-12-08 12:00:00
Serial number : 2046900138870622124013464740506035175


## Show certificate with untrusted root (untrusted CA)

We load a bad certificate, downloaded from https://untrusted-root.badssl.com/. The goal is to prove why this certificate is untrusted.

In [74]:
with open('untrusted-root.pem', 'rb') as f:
    pem_data = f.read()
print(str(pem_data, 'utf-8'))

-----BEGIN CERTIFICATE-----
MIIEmTCCAoGgAwIBAgIJAOywCwT04S08MA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
aXNjbzEPMA0GA1UECgwGQmFkU1NMMTQwMgYDVQQDDCtCYWRTU0wgVW50cnVzdGVk
IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE5MTAwOTIzMDg1MFoXDTIx
MTAwODIzMDg1MFowYjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
FjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkJhZFNTTDEVMBMGA1UE
AwwMKi5iYWRzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
wgTs+IzuBMKz2FDVcFjMkxjrXKhoSbAitfmVnrErLHY+bMBLYExM6rK0wA+AtrD5
csmGAvlcQV0TK39xxEu86ZQuUDemZxxhjPZBQsVG0xaHJ5906wqdEVImIXNshEx5
VeTRa+gGPUgVUq2zKNuq/27/YJVKd2s58STRMbbdTcDE/FO5bUKttXz+rvUV0jNI
5yJxx8IUemwo6jdK3+pstXK0flqiFtxpsVdE2woSq97DD0d0XEEi4Zr5G5PmrSIG
KS6xukkcDCeeo/uL90ByAKySCNmMV4RTgQXL5v5rVJhAJ4XHELtzcO9pGEEHRVV8
+WQ/PSzDqXzrkxpMhtHKhQIDAQABozIwMDAJBgNVHRMEAjAAMCMGA1UdEQQcMBqC
DCouYmFkc3NsLmNvbYIKYmFkc3NsLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEAhU5h
jESEo1M5HCTHYlC1EkoxRG+bBLaYtiDsJl3HwlhtYx+r03UvWrwJ7QXhjda1G9

In [57]:
cert = x509.load_pem_x509_certificate(pem_data, default_backend())

We iterate over the issuer and subject to format the data into a simplier data structure :

In [58]:
issuer = {}
tmp = str(cert.issuer.rfc4514_string().encode('utf8'),'utf-8').split(",")
for attribute in tmp:
    res = attribute.split("=")
    issuer[res[0]] = res[1]
    
subject = {}
tmp = str(cert.subject.rfc4514_string().encode('utf8'),'utf-8').split(",")
for attribute in tmp:
    res = attribute.split("=")
    subject[res[0]] = res[1]

Now, we can display the informations we get form the certificate. We easily notice that the issuer name is not an official certificates authority. So we can deduce that the error come from this, **because it's an untrusted root** !

In [59]:
print("\033[1mIssuer name:", issuer["CN"],"\033[0m")
print("Issuer country:", issuer["C"])
print("Subject name:", subject["CN"])
print("Subject country:", subject["C"])
print("Subject organisation:", subject["O"])
print("Subject Locality:", subject["L"])
print("Start date :", str(cert.not_valid_before))
print("End date :", str(cert.not_valid_after))
print("Serial number :", str(cert.serial_number))

[1mIssuer name: BadSSL Untrusted Root Certificate Authority [0m
Issuer country: US
Subject name: *.badssl.com
Subject country: US
Subject organisation: BadSSL
Subject Locality: San Francisco
Start date : 2019-10-09 23:08:50
End date : 2021-10-08 23:08:50
Serial number : 17055143904768240956
