我们从Python开源项目中,提取了以下2个代码示例,用于说明如何使用cryptography.x509.DirectoryName()。
def create_ca_certificate(cn, key_size=4096, certify_days=365): key = rsa.generate_private_key(public_exponent=65537, key_size=key_size, backend=default_backend()) key_id = x509.SubjectKeyIdentifier.from_public_key(key.public_key()) subject = issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]) now = datetime.datetime.utcnow() serial = x509.random_serial_number() cert = x509.CertificateBuilder() \ .subject_name(subject) \ .issuer_name(issuer) \ .public_key(key.public_key()) \ .serial_number(serial) \ .not_valid_before(now) \ .not_valid_after(now + datetime.timedelta(days=certify_days)) \ .add_extension(key_id, critical=False) \ .add_extension(x509.AuthorityKeyIdentifier(key_id.digest, [x509.DirectoryName(issuer)], serial), critical=False) \ .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True) \ .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False), critical=True) \ .sign(key, hashes.SHA256(), default_backend()) cert = cert.public_bytes(serialization.Encoding.PEM) key = key.private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) return cert, key
def issue_certificate(cn, ca_cert, ca_key, organizations=(), san_dns=(), san_ips=(), key_size=2048, certify_days=365, is_web_server=False, is_web_client=False): ca_cert = x509.load_pem_x509_certificate(ca_cert, default_backend()) ca_key = serialization.load_pem_private_key(ca_key, password=None, backend=default_backend()) ca_key_id = x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()) key = rsa.generate_private_key(public_exponent=65537, key_size=key_size, backend=default_backend()) subject_name_attributes = [x509.NameAttribute(NameOID.COMMON_NAME, cn)] subject_name_attributes += [x509.NameAttribute(NameOID.ORGANIZATION_NAME, org) for org in organizations] subject = x509.Name(subject_name_attributes) now = datetime.datetime.utcnow() cert = x509.CertificateBuilder() \ .subject_name(subject) \ .issuer_name(ca_cert.issuer) \ .public_key(key.public_key()) \ .serial_number(x509.random_serial_number()) \ .not_valid_before(now) \ .not_valid_after(now + datetime.timedelta(days=certify_days)) \ .add_extension(x509.AuthorityKeyIdentifier(ca_key_id.digest, [x509.DirectoryName(ca_cert.issuer)], ca_cert.serial_number), critical=False) \ .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=True) extended_usages = [] if is_web_server: extended_usages.append(ExtendedKeyUsageOID.SERVER_AUTH) if is_web_client: extended_usages.append(ExtendedKeyUsageOID.CLIENT_AUTH) if extended_usages: cert = cert.add_extension(x509.ExtendedKeyUsage(extended_usages), critical=False) sans = [x509.DNSName(name) for name in san_dns] sans += [x509.IPAddress(ipaddress.ip_address(ip)) for ip in san_ips] if sans: cert = cert.add_extension(x509.SubjectAlternativeName(sans), critical=False) cert = cert.sign(ca_key, hashes.SHA256(), default_backend()) cert = cert.public_bytes(serialization.Encoding.PEM) key = key.private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) return cert, key
