authentik/passbook/crypto/builder.py

"""Create self-signed certificates"""
import datetime
import uuid

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


class CertificateBuilder:
    """Build self-signed certificates"""

    __public_key = None
    __private_key = None
    __builder = None
    __certificate = None

    def __init__(self):
        self.__public_key = None
        self.__private_key = None
        self.__builder = None
        self.__certificate = None

    def build(self):
        """Build self-signed certificate"""
        one_day = datetime.timedelta(1, 0, 0)
        self.__private_key = rsa.generate_private_key(
            public_exponent=65537, key_size=2048, backend=default_backend()
        )
        self.__public_key = self.__private_key.public_key()
        self.__builder = (
            x509.CertificateBuilder()
            .subject_name(
                x509.Name(
                    [
                        x509.NameAttribute(
                            NameOID.COMMON_NAME, "passbook Self-signed Certificate",
                        ),
                        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "passbook"),
                        x509.NameAttribute(
                            NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"
                        ),
                    ]
                )
            )
            .issuer_name(
                x509.Name(
                    [
                        x509.NameAttribute(
                            NameOID.COMMON_NAME, "passbook Self-signed Certificate",
                        ),
                    ]
                )
            )
            .not_valid_before(datetime.datetime.today() - one_day)
            .not_valid_after(datetime.datetime.today() + datetime.timedelta(days=365))
            .serial_number(int(uuid.uuid4()))
            .public_key(self.__public_key)
        )
        self.__certificate = self.__builder.sign(
            private_key=self.__private_key,
            algorithm=hashes.SHA256(),
            backend=default_backend(),
        )

    @property
    def private_key(self):
        """Return private key in PEM format"""
        return self.__private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        ).decode("utf-8")

    @property
    def certificate(self):
        """Return certificate in PEM format"""
        return self.__certificate.public_bytes(
            encoding=serialization.Encoding.PEM,
        ).decode("utf-8")
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`"""Create self-signed certificates"""`
			`import datetime`
			`import uuid`

			`from cryptography import x509`
			`from cryptography.hazmat.backends import default_backend`
			`from cryptography.hazmat.primitives import hashes, serialization`
			`from cryptography.hazmat.primitives.asymmetric import rsa`
			`from cryptography.x509.oid import NameOID`


			`class CertificateBuilder:`
			`"""Build self-signed certificates"""`

			`__public_key = None`
			`__private_key = None`
			`__builder = None`
			`__certificate = None`

			`def __init__(self):`
			`self.__public_key = None`
			`self.__private_key = None`
			`self.__builder = None`
			`self.__certificate = None`

			`def build(self):`
			`"""Build self-signed certificate"""`
			`one_day = datetime.timedelta(1, 0, 0)`
			`self.__private_key = rsa.generate_private_key(`
			`public_exponent=65537, key_size=2048, backend=default_backend()`
			`)`
			`self.__public_key = self.__private_key.public_key()`
			`self.__builder = (`
			`x509.CertificateBuilder()`
			`.subject_name(`
			`x509.Name(`
			`[`
			`x509.NameAttribute(`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`NameOID.COMMON_NAME, "passbook Self-signed Certificate",`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`),`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`x509.NameAttribute(NameOID.ORGANIZATION_NAME, "passbook"),`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`x509.NameAttribute(`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`),`
			`]`
			`)`
			`)`
			`.issuer_name(`
			`x509.Name(`
			`[`
			`x509.NameAttribute(`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`NameOID.COMMON_NAME, "passbook Self-signed Certificate",`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`),`
			`]`
			`)`
			`)`
			`.not_valid_before(datetime.datetime.today() - one_day)`
			`.not_valid_after(datetime.datetime.today() + datetime.timedelta(days=365))`
			`.serial_number(int(uuid.uuid4()))`
			`.public_key(self.__public_key)`
			`)`
			`self.__certificate = self.__builder.sign(`
			`private_key=self.__private_key,`
			`algorithm=hashes.SHA256(),`
			`backend=default_backend(),`
			`)`

			`@property`
			`def private_key(self):`
			`"""Return private key in PEM format"""`
			`return self.__private_key.private_bytes(`
			`encoding=serialization.Encoding.PEM,`
			`format=serialization.PrivateFormat.TraditionalOpenSSL,`
			`encryption_algorithm=serialization.NoEncryption(),`
			`).decode("utf-8")`

			`@property`
			`def certificate(self):`
			`"""Return certificate in PEM format"""`
			`return self.__certificate.public_bytes(`
			`encoding=serialization.Encoding.PEM,`
			`).decode("utf-8")`