# x509 certificate Implementation
In this notebook, we will walk through the steps of implementing the x509 certificate generation process

## Authors
[Abtin Zandi](https://github.com/Abtinz), [Amirfazel Koozegar kaleji](https://github.com/mr-amirfazel)

## Organization
[AUT-basics-of-security-fall-2024](https://github.com/AUT-basics-of-security-fall-2024)

In [1]:
from datetime import datetime, timedelta
from ipaddress import IPv4Address
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends.openssl.backend import backend

## Step 1: Alternative Names (Hostname , Public ip)

In [16]:
from cryptography.x509 import Name, NameAttribute
from cryptography.x509.oid import NameOID

# Hostname for the certificate
HOST_NAME = "google.com"


In [17]:

# Define the certificate name using x509.Name and set the common name (CN)
certificate_name = Name([NameAttribute(NameOID.COMMON_NAME, HOST_NAME)])

print("certificate name: ", certificate_name)
print("certificate name type: ", type(certificate_name))

certificate name:  <Name(CN=google.com)>
certificate name type:  <class 'cryptography.x509.name.Name'>


In [4]:
# Let's configure the list of alternative DNS names and domains for the certificate.
# The hostname should be included in the Subject Alternative Name (SAN) field.
# This approach ensures compatibility with modern browsers and tools, as the COMMON_NAME is deprecated.

alternative_names = [
    # Adding the server's hostname as a DNSName entry in the SAN list
    x509.DNSName(HOST_NAME)
]

In [5]:
'''
If you don't have a real DNS name (common in most testing scenarios),
you can use public and private IP addresses in the Subject Alternative Name (SAN) field.
SANs can include both DNS names and IP addresses, which makes the certificate flexible for various environments.
You should add the DNS sample name(can be the ip address value as a string) or maybe the real one and the use the  IPAddress to add public_ip and private_ip to x509 alternative names
public is already provided --> 8.8.8.8

'''

#append the simple hostname and then add associated ip(public or private one)
#attention: ip address should be one of IPv4Address, IPv4Network, IPv6Address, IPv6Network classes ...
#you are allowed to evade from appending the private ip but consider a condition for it's provision


"\nIf you don't have a real DNS name (common in most testing scenarios),\nyou can use public and private IP addresses in the Subject Alternative Name (SAN) field.\nSANs can include both DNS names and IP addresses, which makes the certificate flexible for various environments.\nYou should add the DNS sample name(can be the ip address value as a string) or maybe the real one and the use the  IPAddress to add public_ip and private_ip to x509 alternative names\npublic is already provided --> 8.8.8.8\n\n"

In [6]:
''' Now, we need to build the Subject Alternative Name (SAN) attribute for our certificate.
    The SAN field is a critical component of modern certificates as it lists all the valid identities (e.g., DNS names, IPs) that the certificate is allowed to represent.
    This ensures compatibility with browsers, tools, and stricter TLS implementations that rely on the SAN field.
    The 'alternative_names' array contains all the DNS names and IP addresses we previously configured. Using this array, we create a SubjectAlternativeName object to include in the certificate.

    Result: The 'subject_alternative_names' object will encapsulate all the entries (DNS names and IP addresses)

'''

subject_alternative_names = None

print(subject_alternative_names)

None


## Step 2: Time and Basic Constraints

In [7]:
from datetime import datetime, timedelta

# Calculate starting and deadline times for the certificate
current_time = datetime.utcnow()
print("current time: ", current_time)

# Define the deadline for the certificate validity period (1 year from now)
deadline = current_time + timedelta(days=365)
print("deadline: ", deadline)

current time:  2024-12-11 18:35:36.414299
deadline:  2025-12-11 18:35:36.414299


## Step 3: RSA private key generation

In [8]:
#now we have to generate the private key using rsa algorithm for signing the certificate
#generate a RSA private key which we are going to use to sign the certificate
#note: public_exponent should be 65537
#backend  is OpenSSL API binding interfaces from cryptography\hazmat\backends\openssl\backend
key = None

In [9]:
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend

# Generate RSA private key
key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
)

# Specify encoding format and encryption algorithm
encoding = serialization.Encoding.PEM
private_format = serialization.PrivateFormat.PKCS8
encryption_algorithm = serialization.NoEncryption()

private_key = key.private_bytes(
    encoding=encoding,
    format=private_format,
    encryption_algorithm=encryption_algorithm,
)

print("RSA PRIVATE KEY:\n", private_key)

RSA PRIVATE KEY:
 b'-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCrgqGFsB3zbcxl\nf/kEFAnGGDNlIDXNL7YOKIzaCAsWh4KNeUbz9eF2xwvP9vt+VDpNp99dCAoBH17J\nJywY5UCvzaNcELQr51zdxNyWn5xF5c10LHmUAxxSGMc4sPBpkZWBuYVDbD8gWO9o\nyAJcqalnSOrJaGsaz7rkCGw+LrhfYwVGBW8z9J6+ae2kIT7NQkaYGkooGYIM4y2S\nSwZQ182FD2zA7DoqhJmyyRH7fHeKnFbqVeMG+1q9dOpSEjFdx6ZABGgcLrcLO7Om\nIBxNY+ersYp9t/LtXDXZFGtMym81SbC7RfG/4QxUkPaGoU2qOJPNAdzJ05T45C76\nzn+F/GiDAgMBAAECggEAEIv4oizZo7CsjzMhIGAAIv9J7HztDXy651n8kzrcOjI2\nSdV97CK4VXzipA/DniG2KX1p5h0ICg+viPluHoDC4UzJPYqgnbojXx0tD8/nHcwL\n94qK63K/x4cVQWAgvntwA/H7Up2EGzTS9DYuGo6FbEeND1CZp+tYScPEqnZYQPhK\n24Rc6TKt2pzhHkgg8R7Tt01tLbcq/jh0nJz2rwnYWjz0y9meTsSCY0CfahGugZ1O\nN4F0i83vvdUvrvaYYobL9ABsJX7m1pFy/tJ87xSwmxxdS1hh6K/KZHHQ69UiGqul\nayzBBqe+ES2O4aDGhThLn6+zRv2vnHxHu57kQBQSYQKBgQDnJAun3eRQLxPFgo1S\nufDAMkh28j20Cx3uanr4YGRsXeVe5UeoWby3DvZxKTYAFqLTj8JOTVZvztnLDYkA\nsOeHgiH4N/lOBvF9rJ/WIeWPc1RoudisgD5uQ1PohMb2kOPCsn0dup1gtq4Fhpp2\ntE8T9vsRyHL86A03q24XuwO9CwK

## Step 4: BasicConstraints

In [10]:
from cryptography.x509 import BasicConstraints

# Define the Basic Constraints extension for the certificate
basic_constraints = BasicConstraints(ca=True, path_length=0)
print("basic_constraints:", basic_constraints)

basic_constraints: <BasicConstraints(ca=True, path_length=0)>


## Step 5: Certificate

In [19]:
from cryptography.x509 import SubjectAlternativeName

# Define the Subject Alternative Name (SAN) extension
subject_alternative_names_extension = x509.SubjectAlternativeName(alternative_names)

# Add the SAN extension to the certificate
produced_certificate = (
    x509.CertificateBuilder()
    .subject_name(certificate_name)
    .issuer_name(certificate_name)
    .public_key(key.public_key())
    .serial_number(1000)
    .not_valid_before(current_time)
    .not_valid_after(deadline)
    .add_extension(basic_constraints, False)
    .add_extension(subject_alternative_names_extension, False)  # Use the correct extension object
    .sign(key, hashes.SHA256(), backend)
)

print(f"certificate version {produced_certificate.version} ")
print(f"certificate name {produced_certificate.issuer} ")
print(f"certificate won't be valid after {produced_certificate.not_valid_after} ")
print(f"certificate won't be valid before {produced_certificate.not_valid_before} ")

certificate = produced_certificate.public_bytes(
    encoding=serialization.Encoding.PEM
)

print(certificate)


certificate version Version.v3 
certificate name <Name(CN=google.com)> 
certificate won't be valid after 2025-12-11 18:35:36 
certificate won't be valid before 2024-12-11 18:35:36 
b'-----BEGIN CERTIFICATE-----\nMIIC0DCCAbigAwIBAgICA+gwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UEAwwKZ29v\nZ2xlLmNvbTAeFw0yNDEyMTExODM1MzZaFw0yNTEyMTExODM1MzZaMBUxEzARBgNV\nBAMMCmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr\ngqGFsB3zbcxlf/kEFAnGGDNlIDXNL7YOKIzaCAsWh4KNeUbz9eF2xwvP9vt+VDpN\np99dCAoBH17JJywY5UCvzaNcELQr51zdxNyWn5xF5c10LHmUAxxSGMc4sPBpkZWB\nuYVDbD8gWO9oyAJcqalnSOrJaGsaz7rkCGw+LrhfYwVGBW8z9J6+ae2kIT7NQkaY\nGkooGYIM4y2SSwZQ182FD2zA7DoqhJmyyRH7fHeKnFbqVeMG+1q9dOpSEjFdx6ZA\nBGgcLrcLO7OmIBxNY+ersYp9t/LtXDXZFGtMym81SbC7RfG/4QxUkPaGoU2qOJPN\nAdzJ05T45C76zn+F/GiDAgMBAAGjKjAoMA8GA1UdEwQIMAYBAf8CAQAwFQYDVR0R\nBA4wDIIKZ29vZ2xlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAJDSpWKtYIUXeCEoK\nBj9JGc6MRebE5nnRhmMIwd7pO5kfVmUoGC13G40E8lG6tE2SZuXlBmm4Y4ZB7ZN/\nCbEGNJslGXjbDJk5pzw9utSnXDdfve90O6pD/73pgOTysDPWFq8777warKNMXA

  print(f"certificate won't be valid after {produced_certificate.not_valid_after} ")
  print(f"certificate won't be valid before {produced_certificate.not_valid_before} ")
