# Certificates (X.509)

Import useful packages for project

In [219]:
# For a CSR, self-signed and key type

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import load_pem_private_key
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime

import OpenSSL.crypto
from OpenSSL.crypto import load_certificate_request, FILETYPE_PEM

## Create a Certificate Signing Request (CSR)

**Steps for request a signing certificate**

1. Generate a private/public key pair.
2. Create a request for a certificate, which is signed by our key (to prove that we own that key).
3. Give our CSR to a CA (but not the private key).
4. The CA validates that we own the resource (e.g. domain) we want a certificate for.
5. The CA gives us a certificate, signed by them, which identifies our public key, and the resource we are authenticated for.
6. We configure our server to use that certificate, combined with our private key, to server traffic.

### First step

In [220]:
# Generate our key
try:
    with open('key.pem', 'rb') as f:
        key_data = f.read()
        print(str(key_data, 'utf-8'))
    key = load_pem_private_key(key_data, b"password", default_backend())
except FileNotFoundError:
    print("error")
    key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend()
    )
    with open('key.pem', 'wb+') as f:
        f.write(key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.BestAvailableEncryption(b"password")
        ))

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,B3BD04101773953EF752015269FBB387

e1Mn1rzKVSOh1UHswi7102zTcKmtwHOe6/6exteHD2Je1PwMnQYcEHoqqt3jFNd+
JFhsLnn7G9qaWfywSlgB/YasGXA/zx3kKjK1rRbPSn8aZptOWTl3Q8migNXntW/1
7+J6wSO3UuwLp66LuYBdZvPzzHIQRPGjqxS5/gWqXbkvRpvQredL1Sj2cF7rPdRy
Fd/NHjqvRsqYdzWl0nNhmaLf57UZydwmyTLmhEl08Y3W0gOMNGVUW0i8Xp+7qluH
ke06J2cr+mJnzKZ1r0wAvbGB8vf07PHatyl441qMJxJw3oy8OOV8RlUZTH7sri6U
Qi82rCuGWFAXCjylxPqjHdKtSGPvUXucNBQKvBX9sQXZEPqNP0j1F2/zz8oJoANR
IyVkygtvpqsmL19qcwaCv+4fEaahmRRjNGNNmG+H3xFqbtxT+3Tk7muvaHI7ke5g
Z77qx4XHhPTKbPRRieo2wLeYoinjr8HmNhNWHjxwg4GyKeJS0zC+hb9aIh+mrzO4
/OZXLBX2+364QlA6NdO4Y/GGmuCooGuMVSU1WkWozCrqnvqQvIQO6ir+x4XPKnZk
vSkaEBxlyfamguIYsRXehUAL74XYso9G3CNOaWVA0nlt4UPQ4AJgyUFfK23yYDeR
/xAgjWhHvUazXHKDp6u3fLDcjck+igTyASYVtmQn35LRAXaL+KULetBo8OSaoafh
Mce601oWos3S1ahsaAiUzrQjt9EvJS0ahbdDOBJfcZ0lCZWdTCgRfsLlnomwIHqF
L58wE1y2mmHwOFzeHqVzNUFyZ2ivV3FU8wZ1c692U1UgqqihBpcx2c9pmcP5oBXy
+pSuh6YRBOkXCc+SXAOuexDOBekEw4G5/SLA4ONr5OcB

### Second step

In [221]:
# Generate a CSR
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
    # Provide various details about who we are.
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"CH"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Neuchatel"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Neuchatel"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"HE-Arc"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"www.he-arc.ch"),
])).add_extension(
    x509.SubjectAlternativeName([
        # Describe what sites we want this certificate for.
        x509.DNSName(u"www.he-arc.ch"),
        x509.DNSName(u"webmail.he-arc.ch"),
        x509.DNSName(u"intranet.he-arc.ch"),
    ]),
critical=False,
# Sign the CSR with our private key.
).sign(key, hashes.SHA256(), default_backend())

# Write our CSR out to disk.
with open("csr.pem", "wb") as f:
    f.write(csr.public_bytes(serialization.Encoding.PEM))

### Read and deserialize the CSR

In [222]:
with open("csr.pem", "rb") as f:
    csr = f.read()
print(str(csr, 'utf-8'))

-----BEGIN CERTIFICATE REQUEST-----
MIIC9TCCAd0CAQAwXjELMAkGA1UEBhMCQ0gxEjAQBgNVBAgMCU5ldWNoYXRlbDES
MBAGA1UEBwwJTmV1Y2hhdGVsMQ8wDQYDVQQKDAZIRS1BcmMxFjAUBgNVBAMMDXd3
dy5oZS1hcmMuY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOkx5u
prwB5N/Oap0cQ241PoHP8sGhfBmo7hOZhsH0VkyKKPGrf07u36wazcwU7BT5VudB
NUGxkTQTu+dM0HVEVfPPRXVLNgFzrRVktg1yTA4p6o/45IVk/Owz8FYGZ5laTkq1
drnsp4q8AIMt97BDsK9DBW9G1f5TISrAm72bvsOI5AQYo71YcLaa/6Zvm4e0HUP2
AiyBOpvoYrhhP6+F07NRYSODzT9lgSaJgQnlxwCVAHDgfuenk7u6nCsNP+urf5zl
3t9P+smnaeS+BPTtDNW411D1gqPv1Ojtg6WbUyQUyqpf3EcUkkc74uowChf5iP/v
3NaJ+cJaj2NP0S9lAgMBAAGgUjBQBgkqhkiG9w0BCQ4xQzBBMD8GA1UdEQQ4MDaC
DXd3dy5oZS1hcmMuY2iCEXdlYm1haWwuaGUtYXJjLmNoghJpbnRyYW5ldC5oZS1h
cmMuY2gwDQYJKoZIhvcNAQELBQADggEBAJRbMM/0WFem1RiHZuTJrykJ/pYVgJYo
/KUj9XjMGfhIXcePIxJ8WzcUsC0SdgCkHKuPgrL+JgcIkVq71p0wRo6McDoHrSc+
64AUVZxERQK6nyaNeV8f0G+wNpZxxo558TKrVMXGbD/DQwJGYHMOJKeGw6wks/Qa
xbebI5QCUOvjTizC879wMao0jryBOERnPBuXdiquXGfDv/7MVk6Fq4wljyCiQ9Ju
W19ExkEbcRL13Ya2BhLhr39cWtD+ZyV4rxqlxRBZFnzgXA6Nm079Ow

### Show certificate content

In [235]:
req = load_certificate_request(FILETYPE_PEM, csr)
key = req.get_pubkey()

key_type = 'RSA' if key.type() == OpenSSL.crypto.TYPE_RSA else 'DSA'
print("Key type:", key_type)
subject = req.get_subject()
extensions = req.get_extensions()

components = dict(subject.get_components())

print("Country :", str(components[b'C'], 'utf-8'))
print("State :", str(components[b'ST'], 'utf-8'))
print("City :", str(components[b'L'], 'utf-8'))
print("Company :", str(components[b'O'], 'utf-8'))
print("Website :", str(components[b'CN'], 'utf-8'))

print(extensions[0])

key type: RSA
Country : CH
State : Neuchatel
City : Neuchatel
Company : HE-Arc
Website : www.he-arc.ch
DNS:www.he-arc.ch, DNS:webmail.he-arc.ch, DNS:intranet.he-arc.ch


## Creating a self-signed certificate

### Creating the issuer (CA) and the subject (us)

In [224]:
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"CH"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Neuchatel"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Neuchatel"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"HE-Arc"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"www.he-arc.ch"),
])

### Load previously generated private key

In [225]:
with open('key.pem', 'rb') as f:
    key_data = f.read()
    
key = load_pem_private_key(key_data, b"password", default_backend())

### Create self signed certificate

Class CertificateBuilder:
   * **subject_name**: us (HE-Arc)
   * **issuer_name**: CA (HE-Arc)
   * **public_key**: our public key that will be signed by the CA private key
   * **serial_number**: number that uniquely identifies a certificate given the user
   * **not_valid_before**: start date of certificate validity
   * **not_valid_after**: end date of certificate validity
   * **add_extension**: associate other domains to this certificate (all localhost domains share this certificate)
   * **sign**: sign the certificate using the CA private key

In [226]:
 cert = x509.CertificateBuilder( \
    ).subject_name(subject \
    ).issuer_name(issuer \
    ).public_key(key.public_key() \
    ).serial_number(x509.random_serial_number() \
    ).not_valid_before(datetime.datetime.utcnow() \
    ).not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10) \
    ).add_extension(x509.SubjectAlternativeName([x509.DNSName(u"localhost")]),critical=False, \
    ).sign(key, hashes.SHA256(), default_backend())

### Write our certificate out to disk.

In [227]:
with open("self_signed_certificate.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

### Verify certificate validity

In [228]:
with open('self_signed_certificate.pem', 'rb') as f:
    pem_data = f.read()

In [229]:
cert = x509.load_pem_x509_certificate(pem_data, default_backend())

In [230]:
cert.not_valid_after

datetime.datetime(2020, 3, 12, 14, 22, 15)

## Determining Certificate or Certificate Signing Request Key Type

In [231]:
public_key = cert.public_key()
if isinstance(public_key, rsa.RSAPublicKey):
    print("RSA")
    print(cert.not_valid_after)
elif isinstance(public_key, ec.EllipticCurvePublicKey):
    # Do something EC specific
    print("Elliptic")
else:
    print("Other")
    # Remember to handle this case

RSA
2020-03-12 14:22:15


## Create a revoked certificate

In [232]:
builder = x509.RevokedCertificateBuilder()
builder = builder.revocation_date(datetime.datetime.today())
builder = builder.serial_number(3333)
revoked_certificate = builder.build(default_backend())
isinstance(revoked_certificate, x509.RevokedCertificate)

True

## Test url certificate using urllib 

In [233]:
import urllib.request
from urllib.error import URLError
import requests

import urllib.error
try:
    page = urllib.request.urlopen('http://google.com') #url with valid certificate
    #page = urllib.request.urlopen('http://expired.badssl.com') #url with revoked certificate
    print(page.getcode())
except URLError as e:
    print(e.reason)

200


### Verify ubs certificate

In [None]:
with open('ubs.pem', 'rb') as f:
    pem_data = f.read()
print(str(pem_data, 'utf-8'))

In [None]:
cert = x509.load_pem_x509_certificate(pem_data, default_backend())
print(cert)

In [None]:
cert.subject

In [None]:
issuer = {}
tmp = str(cert.issuer.rfc4514_string().encode('utf8'),'utf-8').split(",")
for attribute in tmp:
    res = attribute.split("=")
    issuer[res[0]] = res[1]
    
subject = {}
tmp = str(cert.subject.rfc4514_string().encode('utf8'),'utf-8').split(",")
for attribute in tmp:
    res = attribute.split("=")
    subject[res[0]] = res[1]

In [None]:
print("Issuer name:", issuer["CN"])
print("Issuer country:", issuer["C"])
print("Subject name:", subject["CN"])
print("Subject country:", subject["C"])
print("Subject organisation:", subject["O"])
print("Subject Locality:", subject["L"])
print("Start date :", str(cert.not_valid_before))
print("End date :", str(cert.not_valid_after))
print("Serial number :", str(cert.serial_number))