4. CSR (Certificate Signing Request)

4.1. Example

from optigatrust import objects, crypto
from optigatrust.csr import CSRBuilder

# ECC key in slot 0xe0f3: generate the pair on the device and keep only
# the public key (pkey) for the request; the private key stays in the slot
csr_key_obj = objects.ECCKey(0xe0f3)
pkey, _ = crypto.generate_pair(key_object=csr_key_obj, curve='secp256r1')

builder = CSRBuilder(
    {
        'country_name': 'DE',
        'state_or_province_name': 'Bayern',
        'organization_name': 'Infineon Technologies AG',
        'common_name': 'OPTIGA(TM) Trust IoT',
    },
    pkey
)

# the request is signed on the device with the key object
request = builder.build(csr_key_obj)

# or RSA

csr_key_obj = objects.RSAKey(0xe0fc)
print(csr_key_obj)
pkey, _ = crypto.generate_pair(key_object=csr_key_obj, key_size=2048)

builder = CSRBuilder(
    {
        'country_name': 'DE',
        'state_or_province_name': 'Bayern',
        'organization_name': 'Infineon Technologies AG',
        'common_name': 'OPTIGA(TM) Trust IoT',
    },
    pkey
)

request = builder.build(csr_key_obj)

4.2. API

optigatrust.csr.pem_armor_csr(certification_request)

Encodes a CSR into PEM format

Parameters

certification_request – An asn1crypto.csr.CertificationRequest object of the CSR to armor. Typically this is obtained from build().

Returns

A byte string of the PEM-encoded CSR

class optigatrust.csr.CSRBuilder(subject, subject_public_key)

build(signing_key)

Validates the request information, constructs an X.509 certificate signing request (PKCS#10) and then signs it.

Parameters
  • signing_key – An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey object for the private key to sign the request with. This should be the private key that matches the public key.

Returns

An asn1crypto.csr.CertificationRequest object of the request

property ca

None or a bool - if the request is for a CA cert. None indicates no basic constraints extension request.

property extended_key_usage

A set of unicode strings representing the allowed usage of the key from the extended key usage extension. Empty set indicates no extended key usage extension request.

property key_usage

A set of unicode strings representing the allowed usage of the key. Empty set indicates no key usage extension request.

set_extension(name, value)

Sets the value for an extension using a fully constructed Asn1Value object from asn1crypto. Normally this should not be needed, and the convenience attributes should be sufficient. See the definition of asn1crypto.x509.Extension to determine the appropriate object type for a given extension. Extensions are marked as critical when RFC 5280 or RFC 6960 indicate so. If an extension may validly be marked either critical or non-critical (such as certificate policies and extended key usage), this class marks it as non-critical.

Parameters
  • name – A unicode string of an extension id name from asn1crypto.x509.ExtensionId

  • value – A value object per the specs defined by asn1crypto.x509.Extension

property subject_alt_domains

A list of unicode strings of all domains in the subject alt name extension request. Empty list indicates no subject alt name extension request.

property subject_alt_ips

A list of unicode strings of all IPs in the subject alt name extension request. Empty list indicates no subject alt name extension request.
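As an added, stdlib-only example (not optigatrust code), the following checks the PEM that pem_armor_csr() emits before it is sent to a CA: it de-armors the request, walks the DER and confirms that the subject fields from the 4.1 example are present and that the public-key algorithm matches the key object used (ECC for 0xe0f3, RSA for 0xe0fc). The CSR bytes are constructed inline with a placeholder key and signature, so no device is needed; pem_armor(), walk() and inspect_csr() are this example's own helpers.

```python
import base64
ATTR_NAMES = {b'\x55\x04\x06': 'country_name', b'\x55\x04\x08': 'state_or_province_name',   # OID content -> subject key
              b'\x55\x04\x0a': 'organization_name', b'\x55\x04\x03': 'common_name'}
KEY_ALGS = {b'\x2a\x86\x48\xce\x3d\x02\x01': 'ecPublicKey', b'\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01': 'rsaEncryption'}

SAMPLE_DER = (  # constructed sample: subject from section 4.1, placeholder key and signature
    b'\x30\x81\x88'                                   # CertificationRequest, 136 content bytes
    b'\x30\x77'                                       #   CertificationRequestInfo
    b'\x02\x01\x00'                                   #     version v1
    b'\x30\x60'                                       #     subject Name, four RDNs
    b'\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02DE'
    b'\x31\x0f\x30\x0d\x06\x03\x55\x04\x08\x0c\x06Bayern'
    b'\x31\x21\x30\x1f\x06\x03\x55\x04\x0a\x0c\x18Infineon Technologies AG'
    b'\x31\x1d\x30\x1b\x06\x03\x55\x04\x03\x0c\x14OPTIGA(TM) Trust IoT'
    b'\x30\x0e\x30\x09\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x03\x01\x00\xa0\x00'  # SPKI (ecPublicKey, dummy key), no attributes
    b'\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x02\x03\x01\x00'  # ecdsa-with-SHA256, dummy signature
)

def pem_armor(der):
    """Armor DER the way pem_armor_csr() does: base64 in 64-column lines between CSR markers."""
    b64 = base64.b64encode(der).decode()
    return '-----BEGIN CERTIFICATE REQUEST-----\n' + '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64)) + '\n-----END CERTIFICATE REQUEST-----\n'

def walk(buf):
    """Yield (tag, content) for each DER TLV in buf; handles long-form lengths."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                  # long form: low 7 bits = number of length octets
            nb, i = n & 0x7F, i + (n & 0x7F)
            n = int.from_bytes(buf[i - nb:i], 'big')
        yield tag, buf[i:i + n]
        i += n

def inspect_csr(pem):
    """Return the subject attributes and public-key algorithm of a PEM-armored CSR."""
    lines = pem.strip().splitlines()
    if lines[0] != '-----BEGIN CERTIFICATE REQUEST-----' or lines[-1] != '-----END CERTIFICATE REQUEST-----':
        raise ValueError('not a PEM-armored CSR')
    (_, csr), = walk(base64.b64decode(''.join(lines[1:-1])))
    (_, cri), *_ = walk(csr)                          # CertificationRequestInfo comes first
    _, subject, spki = [c for _, c in walk(cri)][:3]  # version, subject, SubjectPublicKeyInfo
    alg_oid = next(walk(next(walk(spki))[1]))[1]      # AlgorithmIdentifier.algorithm content octets
    found = {}
    for _, rdn in walk(subject):
        for _, attr in walk(rdn):
            (_, oid), (_, value) = walk(attr)
            found[ATTR_NAMES.get(oid, oid.hex())] = value.decode()
    return {'subject': found, 'key_algorithm': KEY_ALGS.get(alg_oid, alg_oid.hex())}
```

Running inspect_csr(pem_armor(SAMPLE_DER)) returns the four subject fields and 'ecPublicKey'; a request built from the RSA key object would report 'rsaEncryption' instead.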