4. CSR (Certificate Signing Request)
4.1. Example
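from optigatrust import objects, crypto
from optigatrust.csr import CSRBuilder

# ECC: generate a key pair in key slot 0xe0f3 and keep the public key for the request
# (the curve name is an example value)
csr_key_obj = objects.ECCKey(0xe0f3)
pkey, _ = crypto.generate_pair(key_object=csr_key_obj, curve='secp256r1')

builder = CSRBuilder(
    {
        'country_name': 'DE',
        'state_or_province_name': 'Bayern',
        'organization_name': 'Infineon Technologies AG',
        'common_name': 'OPTIGA(TM) Trust IoT',
    },
    pkey
)

# Sign the request with the key object whose public key was passed to the builder
builder.build(csr_key_obj)

# or RSA: same flow with key slot 0xe0fc (the key size is an example value)
csr_key_obj = objects.RSAKey(0xe0fc)
print(csr_key_obj)
pkey, _ = crypto.generate_pair(key_object=csr_key_obj, key_size=2048)

builder = CSRBuilder(
    {
        'country_name': 'DE',
        'state_or_province_name': 'Bayern',
        'organization_name': 'Infineon Technologies AG',
        'common_name': 'OPTIGA(TM) Trust IoT',
    },
    pkey
)

builder.build(csr_key_obj)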
4.2. API

optigatrust.csr.pem_armor_csr(certification_request)
    Encodes a CSR into PEM format.

    Parameters
        certification_request – An asn1crypto.csr.CertificationRequest object of the CSR to armor. Typically this is obtained from build().
    Returns
        A byte string of the PEM-encoded CSR

class optigatrust.csr.CSRBuilder(subject, subject_public_key)

    build(signing_key)
        Validates the certificate information, constructs an X.509 certificate and then signs it.

        Parameters
            signing_key – An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey object for the private key to sign the request with. This should be the private key that matches the public key.
        Returns
            An asn1crypto.csr.CertificationRequest object of the request

    property ca
        None or a bool - if the request is for a CA cert. None indicates no basic constraints extension request.

    property extended_key_usage
        A set of unicode strings representing the allowed usage of the key from the extended key usage extension. Empty set indicates no extended key usage extension request.

    property key_usage
        A set of unicode strings representing the allowed usage of the key. Empty set indicates no key usage extension request.

    set_extension(name, value)
        Sets the value for an extension using a fully constructed Asn1Value object from asn1crypto. Normally this should not be needed, and the convenience attributes should be sufficient. See the definition of asn1crypto.x509.Extension to determine the appropriate object type for a given extension. Extensions are marked as critical when RFC 5280 or RFC 6960 indicate so. If an extension is validly marked as critical or not (such as certificate policies and extended key usage), this class will mark it as non-critical.

        Parameters
            name – A unicode string of an extension id name from asn1crypto.x509.ExtensionId
            value – A value object per the specs defined by asn1crypto.x509.Extension

    property subject_alt_domains
        A list of unicode strings of all domains in the subject alt name extension request. Empty list indicates no subject alt name extension request.

    property subject_alt_ips
        A list of unicode strings of all IPs in the subject alt name extension request. Empty list indicates no subject alt name extension request.
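A pre-submission check for the PEM that pem_armor_csr returns, as an added example that is not part of the optigatrust documentation: it confirms that the request's signature verifies under the embedded public key, that the embedded key is the expected device key, and that the subject is the one requested. It assumes the third-party `cryptography` package; `check_csr`, `make_csr` and `spki_der` are hypothetical helper names, and a software P-256 key stands in for the OPTIGA key slot so the code runs without hardware.

```python
# Added example: software keys stand in for OPTIGA key slots (assumption),
# and the CSR is parsed with the third-party `cryptography` package.
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Same subject fields as the example in section 4.1.
EXPECTED_SUBJECT = {
    NameOID.COUNTRY_NAME: "DE",
    NameOID.STATE_OR_PROVINCE_NAME: "Bayern",
    NameOID.ORGANIZATION_NAME: "Infineon Technologies AG",
    NameOID.COMMON_NAME: "OPTIGA(TM) Trust IoT",
}


def spki_der(public_key):
    """DER SubjectPublicKeyInfo, used to compare public keys byte for byte."""
    return public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo)


def check_csr(pem, expected_subject, expected_public_key):
    """Return a list of problems found in a PEM CSR; empty means it passed."""
    csr = x509.load_pem_x509_csr(pem)
    problems = []
    # Proof of possession: the signature must verify under the embedded key.
    if not csr.is_signature_valid:
        problems.append("signature does not match embedded public key")
    if spki_der(csr.public_key()) != spki_der(expected_public_key):
        problems.append("embedded public key is not the expected device key")
    subject = {attr.oid: attr.value for attr in csr.subject}
    if subject != expected_subject:
        problems.append("subject differs from the requested subject")
    return problems


def make_csr(signing_key):
    """Constructed sample input: a software-signed CSR for EXPECTED_SUBJECT."""
    name = x509.Name(
        [x509.NameAttribute(oid, val) for oid, val in EXPECTED_SUBJECT.items()])
    csr = x509.CertificateSigningRequestBuilder().subject_name(name).sign(
        signing_key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    device_key = ec.generate_private_key(ec.SECP256R1())  # stand-in key
    print(check_csr(make_csr(device_key), EXPECTED_SUBJECT, device_key.public_key()))
```

Running the same check on the issuing side before signing catches a request whose signing key and subject_public_key came from different key slots.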