Version 1.07. See CHANGELOG.md

Author: Nolan Rumble

CHANGELOG.md

@@ -1,3 +1,7 @@
+# 2023-05-31
+## Version 1.07
+* Adjusting code to align with better coding practices.
+
 # 2023-05-21
 ## Version 1.06
 * Adjusting code to align with better coding practices.

CryptographySupport/CryptographyFileOperations.py

@@ -21,7 +21,7 @@ class CryptographyFileOperations:
     CLASS_VERSION = 0.01
 
     @staticmethod
-    def generatePassphrase(__passwordLength: int):
+    def generatePassphrase(__passwordLength: int) -> str:
         """Generate a random password based on the length supplied."""
         # Define the valid letters for the password.
         validLetters = "abcdefghijklmnopqrstuvwxyz"

CryptographySupport/CryptographySupport.py

@@ -1,12 +1,12 @@
 # Description:           Cryptography support
 # Author:                TheScriptGuy
-# Last modified:         2023-05-20
-# Version:               0.01
+# Last modified:         2023-05-31
+# Version:               0.02
 
 from typing import Union
 from cryptography.hazmat.primitives.asymmetric import rsa, ec
-from cryptography.hazmat.primitives import hashes
-from cryptography.x509.oid import NameOID
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
 from cryptography import x509
 
 
@@ -15,7 +15,7 @@ class CryptographySupport:
 
     PRIVATE_KEY_TYPES = Union[rsa.RSAPrivateKey, ec.EllipticCurvePrivateKey]
     PUBLIC_KEY_TYPES = Union[rsa.RSAPublicKey, ec.EllipticCurvePublicKey]
-    CLASS_VERSION = "0.01"
+    CLASS_VERSION = "0.02"
 
     @staticmethod
     def generate_hash(__hash: str) -> hashes.HashAlgorithm:
@@ -98,6 +98,30 @@ def build_name_attribute(certificateAttributes: dict) -> list:
 
         return name_attribute_list
 
+    @staticmethod
+    def build_extended_key_usage(certificateAttributes: dict) -> list:
+        """Build Extended Key Usage list from certificateAttributes."""
+        attribute_mapping = {
+            "clientAuth": ExtendedKeyUsageOID.CLIENT_AUTH,
+            "serverAuth": ExtendedKeyUsageOID.SERVER_AUTH,
+            "codeSigning": ExtendedKeyUsageOID.CODE_SIGNING,
+            "emailProtection": ExtendedKeyUsageOID.EMAIL_PROTECTION,
+            "timeStamping": ExtendedKeyUsageOID.TIME_STAMPING,
+            "ocspSigning": ExtendedKeyUsageOID.OCSP_SIGNING,
+            "anyExtendedKeyUsage": ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE
+        }
+
+        attribute_list = []
+
+        for value in certificateAttributes['extensions']['extendedKeyUsage']:
+            if value is None:
+                continue
+            elif value in attribute_mapping:
+                attribute_list.append(attribute_mapping[value])
+
+        return attribute_list
+
+
     def __init__(self):
         """Initialize the class."""
         self.initialized = True

README.md

@@ -29,7 +29,7 @@ $ python3 generate-certificate.py -h
 usage: generate-certificate.py [-h] [--companyName COMPANYNAME] [--generateRootCA] [--generateClientCertificate] [--generatePKCS12]
                                [--nonRestrictiveRootCA] [--ecc] [--removeAllCertsAndKeys] [--windowsInstallation]
 
-Certificate Generation v1.06
+Certificate Generation v1.07
 
 options:
   -h, --help            show this help message and exit
@@ -154,7 +154,6 @@ My recommendation is to leave the following fields:
 
 If you'd like to edit how the certificates are generated, you can edit this dict within `def certificateMetaData`:
 ```python
-    # Root Certificate Authority information. Edit at your own risk.
     certificateInfo["RootCA"] = {
         "oid": {
             "CN": args.companyName + " Root CA",
@@ -181,7 +180,8 @@ If you'd like to edit how the certificates are generated, you can edit this dict
             "digest": "sha512"
         },
         "extensions": {
-            "keyUsage": "digitalSignature, nonRepudiation, keyCertSign",
+            "keyUsage": ["digitalSignature", "nonRepudiation", "keyCertSign"],
+            "extendedKeyUsage": ["clientAuth"]
         }
     }
 
@@ -210,8 +210,8 @@ If you'd like to edit how the certificates are generated, you can edit this dict
             "digest": "sha256"
         },
         "extensions": {
-            "keyUsage": "digitalSignature, nonRepudiation",
-            "extendedKeyUsage": "clientAuth"
+            "keyUsage": ["digitalSignature", "nonRepudiation"],
+            "extendedKeyUsage": ["clientAuth"]
         }
     }
 ```

generate-certificate.py

@@ -1,7 +1,7 @@
 # Description:     Create a Root CA with a client Authentication certificate that's signed by the Root CA.
 # Author:          TheScriptGuy
-# Last modified:   2023-05-21
-# Version:         1.06
+# Last modified:   2023-05-31
+# Version:         1.07
 
 from cryptography import x509
 
@@ -17,7 +17,7 @@
 import argparse
 import random
 
-scriptVersion = "1.06"
+scriptVersion = "1.07"
 
 
 def certificateMetaData():
@@ -60,7 +60,8 @@ def certificateMetaData():
             "digest": "sha512"
         },
         "extensions": {
-            "keyUsage": "digitalSignature, nonRepudiation, keyCertSign",
+            "keyUsage": ["digitalSignature", "nonRepudiation", "keyCertSign"],
+            "extendedKeyUsage": ["clientAuth"]
         }
     }
 
@@ -89,8 +90,8 @@ def certificateMetaData():
             "digest": "sha256"
         },
         "extensions": {
-            "keyUsage": "digitalSignature, nonRepudiation",
-            "extendedKeyUsage": "clientAuth"
+            "keyUsage": ["digitalSignature", "nonRepudiation"],
+            "extendedKeyUsage": ["clientAuth"]
         }
     }
 
@@ -153,20 +154,43 @@ def printWindowsInstallationInstructions(
     print(f"C:\\>certutil -importpfx -f -Enterprise -p {__p12Password} {__certificateInfo['ClientAuthentication']['clientCertificatePKCS12']} NoExport")
 
 
-def createRootCA(__certificateMetaData: dict) -> None:
-    """Create a Root CA with the information from the --companyName argument."""
+def create_root_private_keys(__certificateMetaData: dict) -> CryptographySupport.CryptographySupport.PRIVATE_KEY_TYPES:
+    """Create a private key."""
     # First check to see if the --ecc argument was passed. If passed, generate ECC key.
     if args.ecc:
-        rootCAPrivateKey = ec.generate_private_key(
+        __private_key = ec.generate_private_key(
             curve=CryptographySupport.CryptographySupport.generate_curve(__certificateMetaData["RootCA"]["ecc"]["curve"]),
             backend=default_backend()
         )
     else:
-        rootCAPrivateKey = rsa.generate_private_key(
+        __private_key = rsa.generate_private_key(
             public_exponent=65537,
             key_size=__certificateMetaData["RootCA"]["rsa"]["rsa_bits"],
             backend=default_backend()
         )
+    return __private_key
+
+
+def create_client_private_keys(__certificateMetaData: dict) -> CryptographySupport.CryptographySupport.PRIVATE_KEY_TYPES:
+    """Create a private key."""
+    # First check to see if the --ecc argument was passed. If passed, generate ECC key.
+    if args.ecc:
+        __private_key = ec.generate_private_key(
+            curve=CryptographySupport.CryptographySupport.generate_curve(__certificateMetaData["ClientAuthentication"]["ecc"]["curve"]),
+            backend=default_backend()
+        )
+    else:
+        __private_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=__certificateMetaData["ClientAuthentication"]["rsa"]["rsa_bits"],
+            backend=default_backend()
+        )
+    return __private_key
+
+
+def createRootCA(__certificateMetaData: dict) -> None:
+    """Create a Root CA with the information from the --companyName argument."""
+    rootCAPrivateKey = create_root_private_keys(__certificateMetaData)
 
     rootCAPublicKey = rootCAPrivateKey.public_key()
     rootCACertificateBuilder = x509.CertificateBuilder()
@@ -208,9 +232,12 @@ def createRootCA(__certificateMetaData: dict) -> None:
             rootCAKeyUsage, True
         )
 
+        # Create the ExtendedKeyUsage list
+        rootCAExtendedKeyUsage = CryptographySupport.CryptographySupport.build_extended_key_usage(__certificateMetaData['RootCA'])
+
         # Add extension for only allowing CA to do Client Authentication
         rootCACertificateBuilder = rootCACertificateBuilder.add_extension(
-            x509.ExtendedKeyUsage([x509.OID_CLIENT_AUTH]), critical=True
+            x509.ExtendedKeyUsage(rootCAExtendedKeyUsage), critical=True
         )
 
     # Apply basic constraints to certificate.
@@ -271,22 +298,12 @@ def create_client_certificate(__certificateMetaData: dict) -> None:
     """Create the client certificate and sign it from the root CA created from createRootCA()"""
     check_root_ca_files_exist(__certificateMetaData)
 
-    # First check to see if the --ecc argument was passed. If passed, generate ECC key.
-    if args.ecc:
-        clientPrivateKey = ec.generate_private_key(
-            curve=CryptographySupport.CryptographySupport.generate_curve(__certificateMetaData["ClientAuthentication"]["ecc"]["curve"]),
-            backend=default_backend()
-        )
-    else:
-        clientPrivateKey = rsa.generate_private_key(
-            public_exponent=65537,
-            key_size=__certificateMetaData["ClientAuthentication"]["rsa"]["rsa_bits"],
-            backend=default_backend()
-        )
+    clientPrivateKey = create_client_private_keys(__certificateMetaData)
 
     clientPublicKey = clientPrivateKey.public_key()
 
     clientNameAttributes = CryptographySupport.CryptographySupport.build_name_attribute(__certificateMetaData['ClientAuthentication'])
+    
     clientCertificateBuilder = x509.CertificateBuilder()
     clientCertificateBuilder = clientCertificateBuilder.subject_name(x509.Name(clientNameAttributes))
 
@@ -305,8 +322,11 @@ def create_client_certificate(__certificateMetaData: dict) -> None:
     clientCertificateBuilder = clientCertificateBuilder.add_extension(
         x509.BasicConstraints(ca=True, path_length=0), critical=True
     )
+
+    # Add extended key usage extensions to the certificate
+    clientCertificateExtendedKeyUsage = CryptographySupport.CryptographySupport.build_extended_key_usage(__certificateMetaData['ClientAuthentication'])
     clientCertificateBuilder = clientCertificateBuilder.add_extension(
-        x509.ExtendedKeyUsage([x509.OID_CLIENT_AUTH]), critical=True
+        x509.ExtendedKeyUsage(clientCertificateExtendedKeyUsage), critical=True
     )
 
     # Load Root CA Key