Python cryptography.x509.load_pem_x509_certificate() Examples
The following are 30
code examples of cryptography.x509.load_pem_x509_certificate().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
cryptography.x509
, or try the search function
.
.
Example #1
| Source File: test_ipa.py From custodia with GNU General Public License v3.0 | 8 votes |
|
def setup_method(self, method):
super(TestCustodiaIPACertRequests, self).setup_method(method)
cert = x509.load_pem_x509_certificate(CERT_PEM, default_backend())
cert_der = cert.public_bytes(serialization.Encoding.DER)
cert_stripped = base64.b64encode(cert_der)
ca = x509.load_pem_x509_certificate(CA_PEM, default_backend())
ca_der = ca.public_bytes(serialization.Encoding.DER)
self.m_api.Command.cert_request.return_value = {
u'result': {
u'subject': 'dummy subject',
u'request_id': 1,
u'serial_number': 1,
u'certificate': cert_stripped,
u'certificate_chain': (
cert_der,
ca_der,
)
}
}
Example #2
| Source File: certificates.py From core with GNU General Public License v3.0 | 7 votes |
|
def _scan_a_cert(id, cert_path, key_path, assigns, is_acme=False):
with open(cert_path, "rb") as f:
crt = x509.load_pem_x509_certificate(f.read(), default_backend())
with open(key_path, "rb") as f:
key = serialization.load_pem_private_key(
f.read(),
password=None,
backend=default_backend()
)
sha1 = binascii.hexlify(crt.fingerprint(hashes.SHA1())).decode()
md5 = binascii.hexlify(crt.fingerprint(hashes.MD5())).decode()
sha1 = ":".join([sha1[i:i+2].upper() for i in range(0, len(sha1), 2)])
md5 = ":".join([md5[i:i+2].upper() for i in range(0, len(md5), 2)])
kt = "RSA" if isinstance(key.public_key(), rsa.RSAPublicKey) else "DSA"
common_name = crt.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
return Certificate(
id=id, cert_path=cert_path, key_path=key_path, keytype=kt,
keylength=key.key_size, domain=common_name[0].value,
assigns=assigns.get(id, []), expiry=crt.not_valid_after, sha1=sha1,
md5=md5, is_acme=is_acme)
Example #3
| Source File: test_local.py From octavia with Apache License 2.0 | 6 votes |
|
def test_generate_cert_key_pair(self):
cn = 'testCN'
bit_length = 512
# Attempt to generate a cert/key pair
cert_object = self.cert_generator.generate_cert_key_pair(
cn=cn,
validity=2 * 365 * 24 * 60 * 60,
bit_length=bit_length,
passphrase=self.ca_private_key_passphrase,
ca_cert=self.ca_certificate,
ca_key=self.ca_private_key,
ca_key_pass=self.ca_private_key_passphrase
)
# Validate that the cert and key are loadable
cert = x509.load_pem_x509_certificate(
data=cert_object.certificate, backend=backends.default_backend())
self.assertIsNotNone(cert)
key = serialization.load_pem_private_key(
data=cert_object.private_key,
password=cert_object.private_key_passphrase,
backend=backends.default_backend())
self.assertIsNotNone(key)
Example #4
| Source File: minion_config.py From python-tripleoclient with Apache License 2.0 | 6 votes |
|
def _get_public_tls_parameters(service_certificate_path):
with open(service_certificate_path, "rb") as pem_file:
pem_data = pem_file.read()
cert = x509.load_pem_x509_certificate(pem_data, default_backend())
private_key = serialization.load_pem_private_key(
pem_data,
password=None,
backend=default_backend())
key_pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption())
cert_pem = cert.public_bytes(serialization.Encoding.PEM)
return {
'SSLCertificate': cert_pem,
'SSLKey': key_pem
}
Example #5
| Source File: undercloud_config.py From python-tripleoclient with Apache License 2.0 | 6 votes |
|
def _get_public_tls_parameters(service_certificate_path):
with open(service_certificate_path, "rb") as pem_file:
pem_data = pem_file.read()
cert = x509.load_pem_x509_certificate(pem_data, default_backend())
private_key = serialization.load_pem_private_key(
pem_data,
password=None,
backend=default_backend())
key_pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption())
cert_pem = cert.public_bytes(serialization.Encoding.PEM)
return {
'SSLCertificate': cert_pem,
'SSLKey': key_pem
}
Example #6
| Source File: base.py From django-ca with GNU General Public License v3.0 | 6 votes |
|
def _load_pub(data):
basedir = data.get('basedir', settings.FIXTURES_DIR)
path = os.path.join(basedir, data['pub_filename'])
with open(path, 'rb') as stream:
pem = stream.read().replace(b'\r\n', b'\n')
pub_data = {
'pem': pem.decode('utf-8'),
'parsed': x509.load_pem_x509_certificate(pem, default_backend()),
}
if data.get('pub_der_filename'):
der_path = os.path.join(basedir, data['pub_der_filename'])
with open(der_path, 'rb') as stream:
der = stream.read().replace(b'\r\n', b'\n')
pub_data['der'] = der
# Failes for alt-extensions since alternative AKI was added
#pub_data['der_parsed'] = x509.load_der_x509_certificate(der, default_backend()),
return pub_data
Example #7
| Source File: azuread_tenant.py From Dailyfresh-B2C with Apache License 2.0 | 6 votes |
|
def get_certificate(self, kid):
# retrieve keys from jwks_url
resp = self.request(self.jwks_url(), method='GET')
resp.raise_for_status()
# find the proper key for the kid
for key in resp.json()['keys']:
if key['kid'] == kid:
x5c = key['x5c'][0]
break
else:
raise DecodeError('Cannot find kid={}'.format(kid))
certificate = '-----BEGIN CERTIFICATE-----\n' \
'{}\n' \
'-----END CERTIFICATE-----'.format(x5c)
return load_pem_x509_certificate(certificate.encode(),
default_backend())
Example #8
| Source File: import_cert.py From django-ca with GNU General Public License v3.0 | 6 votes |
|
def handle(self, pub, **options):
pub_data = pub.read()
try: # close reader objects (otherwise we get a ResourceWarning)
pub.close()
except Exception: # pragma: no cover
pass
# load public key
try:
pub_loaded = x509.load_pem_x509_certificate(pub_data, default_backend())
except Exception:
try:
pub_loaded = x509.load_der_x509_certificate(pub_data, default_backend())
except Exception:
raise CommandError('Unable to load public key.')
cert = Certificate(ca=options['ca'])
cert.x509 = pub_loaded
cert.save()
Example #9
| Source File: cert.py From tls-canary with Mozilla Public License 2.0 | 6 votes |
|
def __init__(self, data):
"""
Cert constructor
It can handle PEM and DER encoded strings and lists of int bytes.
:param data: bytes or list of int
"""
if type(data) == list:
data = bytes(data)
if type(data) != bytes:
raise Exception("data must be bytes or list of int bytes")
self.__raw_data = data
if b"-----BEGIN CERTIFICATE-----" in data:
self.x509 = x509.load_pem_x509_certificate(data, backends.default_backend())
self.__raw_type = "PEM"
else:
self.x509 = x509.load_der_x509_certificate(data, backends.default_backend())
self.__raw_type = "DER"
Example #10
| Source File: config.py From bitmask-dev with GNU General Public License v3.0 | 6 votes |
|
def validate_ca_cert(self, ignored):
expected = self._get_expected_ca_cert_fingerprint()
algo, expectedfp = expected.split(':')
expectedfp = expectedfp.replace(' ', '')
backend = default_backend()
with open(self._get_ca_cert_path(), 'r') as f:
certstr = f.read()
cert = load_pem_x509_certificate(certstr, backend)
hasher = getattr(hashes, algo)()
fpbytes = cert.fingerprint(hasher)
fp = binascii.hexlify(fpbytes)
if fp != expectedfp:
os.unlink(self._get_ca_cert_path())
self.log.error("Fingerprint of CA cert doesn't match: %s <-> %s"
% (fp, expectedfp))
raise NetworkError("The provider's CA fingerprint doesn't match")
Example #11
| Source File: decorators.py From commandment with MIT License | 6 votes |
|
def pem_certificate_upload(f):
"""Parse PEM formatted certificate in request data
TODO: form field name option
"""
@wraps(f)
def decorator(*args, **kwargs):
try:
certificate_data = request.files['file'].read()
g.certificate = x509.load_pem_x509_certificate(certificate_data, backend=default_backend())
except UnsupportedAlgorithm as e:
current_app.logger.info('could not parse PEM certificate data')
abort(400, 'invalid input data')
return f(*args, **kwargs)
return decorator
Example #12
| Source File: keybag.py From pyaff4 with Apache License 2.0 | 6 votes |
|
def create(vek, keySizeBytes, certificatePath):
#print("VEK: " + str(binascii.hexlify(vek)))
publicKeyPem = open(certificatePath).read()
publicKey = RSA.importKey(publicKeyPem)
# Convert from PEM to DER
lines = publicKeyPem.replace(" ", '').split()
publicKeyDer = binascii.a2b_base64(''.join(lines[1:-1]))
cert = x509.load_pem_x509_certificate(SmartStr(publicKeyPem), default_backend())
subjectName = cert.subject.rfc4514_string()
serial = cert.serial_number
cipher = PKCS1_OAEP.new(key=publicKey, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
wrapped_key = cipher.encrypt(vek)
#print("WrappedKey: " + str(binascii.hexlify(wrapped_key)))
return CertEncryptedKeyBag(subjectName, serial, keySizeBytes, wrapped_key)
Example #13
| Source File: 0010_auto_20181128_2054.py From django-ca with GNU General Public License v3.0 | 6 votes |
|
def add_valid_from(apps, schema_editor):
Certificate = apps.get_model('django_ca', 'Certificate')
for cert in Certificate.objects.all():
backend = default_backend()
pem = x509.load_pem_x509_certificate(force_bytes(cert.pub), backend)
valid_from = pem.not_valid_before
if settings.USE_TZ:
valid_from = timezone.make_aware(valid_from)
cert.valid_from = valid_from
cert.save()
CertificateAuthority = apps.get_model('django_ca', 'CertificateAuthority')
for cert in CertificateAuthority.objects.all():
backend = default_backend()
pem = x509.load_pem_x509_certificate(force_bytes(cert.pub), backend)
valid_from = pem.not_valid_before
if settings.USE_TZ:
valid_from = timezone.make_aware(valid_from)
cert.valid_from = valid_from
cert.save()
Example #14
| Source File: fqdn_finder.py From habu with BSD 3-Clause "New" or "Revised" License | 6 votes |
|
def fqdns_from_certificate(cert_data):
try:
cert = x509.load_pem_x509_certificate(cert_data, default_backend())
except ValueError:
pass
try:
cert = x509.load_der_x509_certificate(cert_data, default_backend())
except ValueError:
raise ValueError("No recognized cert format. Allowed: PEM or DER")
names = set()
names.add(cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value.lower().rstrip('.'))
try:
alt_names = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
except x509.extensions.ExtensionNotFound:
alt_names = None
if alt_names:
for alt_name in alt_names.value.get_values_for_type(x509.DNSName):
names.add(alt_name.lower().rstrip('.'))
return list(sorted(names))
Example #15
| Source File: cmd_cert_names.py From habu with BSD 3-Clause "New" or "Revised" License | 6 votes |
|
def cert_get_names(cert_data):
try:
cert = x509.load_pem_x509_certificate(cert_data, default_backend())
except ValueError:
pass
try:
cert = x509.load_der_x509_certificate(cert_data, default_backend())
except ValueError:
raise ValueError("No recognized cert format. Allowed: PEM or DER")
names = set()
names.add(cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value.lower())
try:
alt_names = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
except x509.extensions.ExtensionNotFound:
alt_names = None
if alt_names:
for alt_name in alt_names.value.get_values_for_type(x509.DNSName):
names.add(alt_name.lower())
return list(sorted(names))
Example #16
| Source File: app.py From commandment with MIT License | 6 votes |
|
def anchor_certs():
"""Download a list of certificates to trust the MDM
The response is a JSON array of base64 encoded DER certs as described in the DEP profile creation documentation."""
anchors = []
if 'CA_CERTIFICATE' in current_app.config:
with open(current_app.config['CA_CERTIFICATE'], 'rb') as fd:
pem_data = fd.read()
c: x509.Certificate = x509.load_pem_x509_certificate(pem_data, backend=default_backend())
der = c.public_bytes(Encoding.DER)
anchors.append(urlsafe_b64encode(der))
if 'SSL_CERTIFICATE' in current_app.config:
with open(current_app.config['SSL_CERTIFICATE'], 'rb') as fd:
pem_data = fd.read()
c: x509.Certificate = x509.load_pem_x509_certificate(pem_data, backend=default_backend())
der = c.public_bytes(Encoding.DER)
anchors.append(urlsafe_b64encode(der))
return jsonify(anchors)
Example #17
| Source File: acme.py From hass-nabucasa with GNU General Public License v3.0 | 5 votes |
|
def load_certificate(self) -> None:
"""Get x509 Cert-Object."""
if self._x509 or not self.path_fullchain.exists():
return
def _load_cert():
"""Load certificate in a thread."""
return x509.load_pem_x509_certificate(
self.path_fullchain.read_bytes(), default_backend()
)
self._x509 = await self.cloud.run_executor(_load_cert)
Example #18
| Source File: tls.py From integrations-core with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def local_cert_loader(self, cert):
backend = default_backend()
if b'-----BEGIN CERTIFICATE-----' in cert:
return load_pem_x509_certificate(cert, backend)
return load_der_x509_certificate(cert, backend)
Example #19
| Source File: crypto.py From python-eduvpn-client with GNU General Public License v3.0 | 5 votes |
|
def common_name_from_cert(pem_data): # type: (bytes) -> str
"""
Extract common name from client certificate.
args:
pem_data (str): PEM encoded certificate
returns:
str: the common name of the client certificate.
"""
cert = x509.load_pem_x509_certificate(pem_data, default_backend())
return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
Example #20
| Source File: certificate.py From calvin-base with Apache License 2.0 | 5 votes |
|
def get_public_key(certificate):
"""
Return the public key from certificate
certificate: certificate as a PEM formatted string
"""
# _log.info("get_public_key:\n\tcertificate={}".format(certificate))
cert_pem = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, certificate)
cert = load_pem_x509_certificate(cert_pem, default_backend())
return cert.public_key()
# The following line can replace the two lines above in pyOpenSSL version 16.0.0 (unreleased):
# return OpenSSL.crypto.dump_publickey(OpenSSL.crypto.FILETYPE_PEM, certificate.get_pubkey())
Example #21
| Source File: runtime_credentials.py From calvin-base with Apache License 2.0 | 5 votes |
|
def get_public_key(self):
"""Return the public key from certificate"""
# _log.debug("get_public_key")
certpath, cert, certstr = self.get_own_cert()
try:
cert = load_pem_x509_certificate(certstr, default_backend())
except Exception as err:
_log.error("Failed to load X509 certificate from PEM, err={}".format(err))
raise
return cert.public_key()
Example #22
| Source File: x509.py From bazarr with GNU General Public License v3.0 | 5 votes |
|
def create_ssl_context(cert_byes, pk_bytes, password=None,
encoding=Encoding.PEM):
"""Create an SSL Context with the supplied cert/password.
:param cert_bytes array of bytes containing the cert encoded
using the method supplied in the ``encoding`` parameter
:param pk_bytes array of bytes containing the private key encoded
using the method supplied in the ``encoding`` parameter
:param password array of bytes containing the passphrase to be used
with the supplied private key. None if unencrypted.
Defaults to None.
:param encoding ``cryptography.hazmat.primitives.serialization.Encoding``
details the encoding method used on the ``cert_bytes`` and
``pk_bytes`` parameters. Can be either PEM or DER.
Defaults to PEM.
"""
backend = default_backend()
cert = None
key = None
if encoding == Encoding.PEM:
cert = x509.load_pem_x509_certificate(cert_byes, backend)
key = load_pem_private_key(pk_bytes, password, backend)
elif encoding == Encoding.DER:
cert = x509.load_der_x509_certificate(cert_byes, backend)
key = load_der_private_key(pk_bytes, password, backend)
else:
raise ValueError('Invalid encoding provided: Must be PEM or DER')
if not (cert and key):
raise ValueError('Cert and key could not be parsed from '
'provided data')
check_cert_dates(cert)
ssl_context = PyOpenSSLContext(PROTOCOL)
ssl_context._ctx.use_certificate(X509.from_cryptography(cert))
ssl_context._ctx.use_privatekey(PKey.from_cryptography_key(key))
return ssl_context
Example #23
| Source File: certificate.py From calvin-base with Apache License 2.0 | 5 votes |
|
def encrypt_object_with_RSA(certificate, plaintext, unencrypted_data=None):
"""
Encrypts an object using hybrid cryptography
-certificate: PEM certificate
-plaintext: string to be encrypted
-unencrypted_data: data that will not be encrypted, but appended, e.g., usefull for debugging
"""
import base64
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import padding,rsa
from cryptography.hazmat.primitives import hashes
#Wrap plaintext with a symmetric key
wrapped_object = _wrap_object_with_symmetric_key(plaintext)
#Extract public key from certificate
cert = x509.load_pem_x509_certificate(certificate, default_backend())
message = wrapped_object['symmetric_key']
public_key = cert.public_key()
#Encrypt symmetric key with RSA public key
ciphertext = public_key.encrypt(
message,
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA1()),
algorithm=hashes.SHA1(),
label=None
)
)
encrypted_object = {'encrypted_symmetric_key':base64.b64encode(ciphertext),
'iv':wrapped_object['iv'],
'ciphertext':wrapped_object['ciphertext'],
'unencrypted_data':unencrypted_data}
return encrypted_object
Example #24
| Source File: crypto.py From spid-testenv2 with GNU Affero General Public License v3.0 | 5 votes |
|
def _get_pubkey(self):
cert_bytes = pem_format(self._cert).encode('ascii')
x509 = load_pem_x509_certificate(cert_bytes, backend=default_backend())
return x509.public_key()
Example #25
| Source File: crypto.py From spid-testenv2 with GNU Affero General Public License v3.0 | 5 votes |
|
def load_certificate(cert):
cert = cleanup_certificate_string(cert)
return load_pem_x509_certificate(
pem_format(cert).encode('ascii'), backend=default_backend()
)
Example #26
| Source File: cryptography_backend.py From python-jose with MIT License | 5 votes |
|
def _process_cert(self, key):
key = load_pem_x509_certificate(key, self.cryptography_backend())
self.prepared_key = key.public_key()
Example #27
| Source File: models.py From django-ca with GNU General Public License v3.0 | 5 votes |
|
def x509(self):
"""The underlying :py:class:`cg:cryptography.x509.Certificate`."""
if self._x509 is None:
backend = default_backend()
self._x509 = x509.load_pem_x509_certificate(force_bytes(self.pub), backend)
return self._x509
Example #28
| Source File: apnspushkin.py From sygnal with Apache License 2.0 | 5 votes |
|
def _report_certificate_expiration(self, certfile):
"""Export the epoch time that the certificate expires as a metric."""
with open(certfile, "rb") as f:
cert_bytes = f.read()
cert = load_pem_x509_certificate(cert_bytes, default_backend())
# Report the expiration time as seconds since the epoch (in UTC time).
CERTIFICATE_EXPIRATION_GAUGE.labels(pushkin=self.name).set(
cert.not_valid_after.replace(tzinfo=timezone.utc).timestamp()
)
Example #29
| Source File: certificates.py From core with GNU General Public License v3.0 | 5 votes |
|
def scan_authorities():
"""
Search proper directory for certificates, load them and store metadata.
:return: list of CertificateAuthority objects
:rtype: list
"""
logger.debug("Crts", "Scanning for certificate authorities")
storage.certificate_authorities.clear()
ca_cert_dir = config.get("certificates", "ca_cert_dir")
ca_key_dir = config.get("certificates", "ca_key_dir")
if not os.path.exists(ca_cert_dir):
os.makedirs(ca_cert_dir)
if not os.path.exists(ca_key_dir):
os.makedirs(ca_key_dir)
for x in glob.glob(os.path.join(ca_cert_dir, "*.pem")):
id = os.path.splitext(os.path.split(x)[1])[0]
with open(x, "rb") as f:
cert = x509.load_pem_x509_certificate(f.read(), default_backend())
key_path = os.path.join(ca_key_dir, "{0}.key".format(id))
with open(key_path, "rb") as f:
with open(key_path, "rb") as f:
key = serialization.load_pem_private_key(
f.read(),
password=None,
backend=default_backend()
)
sha1 = binascii.hexlify(cert.fingerprint(hashes.SHA1())).decode()
md5 = binascii.hexlify(cert.fingerprint(hashes.MD5())).decode()
kt = "RSA" if isinstance(key.public_key(), rsa.RSAPublicKey) else "DSA"
ca = CertificateAuthority(id, x, key_path, cert.not_valid_after,
kt, key.key_size, sha1, md5)
storage.certificate_authorities[id] = ca
return storage.certificate_authorities
Example #30
| Source File: views.py From django-ca with GNU General Public License v3.0 | 5 votes |
|
def get_responder_cert(self):
# User configured a loaded certificate
if isinstance(self.responder_cert, x509.Certificate):
return self.responder_cert
responder_cert = self.get_responder_cert_data()
return load_pem_x509_certificate(responder_cert, default_backend())
