CSR (Certificate Signing Request)
Example
from optigatrust import objects, crypto
from optigatrust.csr import CSRBuilder

# ECC: generate a key pair in key object 0xe0f3 and keep the public key for the request
csr_key_obj = objects.ECCKey(0xe0f3)
# Curve chosen for this example
pkey, _ = crypto.generate_pair(key_object=csr_key_obj, curve='secp256r1')

builder = CSRBuilder(
    {
        'country_name': 'DE',
        'state_or_province_name': 'Bayern',
        'organization_name': 'Infineon Technologies AG',
        'common_name': 'OPTIGA(TM) Trust IoT',
    },
    pkey
)

# Sign the request with the key object that matches the public key above
builder.build(csr_key_obj)

# or RSA
csr_key_obj = objects.RSAKey(0xe0fc)
print(csr_key_obj)
# Key size chosen for this example
pkey, _ = crypto.generate_pair(key_object=csr_key_obj, key_size=2048)

builder = CSRBuilder(
    {
        'country_name': 'DE',
        'state_or_province_name': 'Bayern',
        'organization_name': 'Infineon Technologies AG',
        'common_name': 'OPTIGA(TM) Trust IoT',
    },
    pkey
)

builder.build(csr_key_obj)
API
This module implements all Certificate Signing Request related APIs of the optigatrust package.
- optigatrust.csr.pem_armor_csr(certification_request)
Encodes a CSR into PEM format
- Parameters:
certification_request – An asn1crypto.csr.CertificationRequest object of the CSR to armor. Typically this is obtained from build().
- Returns:
A byte string of the PEM-encoded CSR
- class optigatrust.csr.CSRBuilder(subject, subject_public_key)
- build(signing_key)
Validates the certificate information, constructs the certification request and then signs it.
- Parameters:
signing_key – An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey object for the private key to sign the request with. This should be the private key that matches the public key.
- Returns:
An asn1crypto.csr.CertificationRequest object of the request
- property ca
None or a bool - if the request is for a CA cert. None indicates no basic constraints extension request.
- property extended_key_usage
A set of unicode strings representing the allowed usage of the key from the extended key usage extension. Empty set indicates no extended key usage extension request.
- property key_usage
A set of unicode strings representing the allowed usage of the key. Empty set indicates no key usage extension request.
- set_extension(name, value)
Sets the value for an extension using a fully constructed Asn1Value object from asn1crypto. Normally this should not be needed, and the convenience attributes should be sufficient. See the definition of asn1crypto.x509.Extension to determine the appropriate object type for a given extension. Extensions are marked as critical when RFC 5280 or RFC 6960 indicate so. If an extension may validly be marked either critical or non-critical (such as certificate policies and extended key usage), this class will mark it as non-critical.
- Parameters:
name – A unicode string of an extension id name from asn1crypto.x509.ExtensionId
value – A value object per the specs defined by asn1crypto.x509.Extension
- property subject_alt_domains
A list of unicode strings of all domains in the subject alt name extension request. Empty list indicates no subject alt name extension request.
- property subject_alt_ips
A list of unicode strings of all IPs in the subject alt name extension request. Empty list indicates no subject alt name extension request.
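
The kind of PEM envelope that pem_armor_csr() returns, together with a strict decode that a receiving service can apply before handing the bytes to an ASN.1 parser, sketched with the Python standard library only. This is an added example, not optigatrust code; the function names and SAMPLE_DER (a constructed placeholder skeleton, not a real CSR) are assumptions.

```python
import base64

# PEM markers for PKCS#10 requests (RFC 7468 label "CERTIFICATE REQUEST")
BEGIN, END = "-----BEGIN CERTIFICATE REQUEST-----", "-----END CERTIFICATE REQUEST-----"
# Constructed placeholder: SEQUENCE { SEQUENCE { INTEGER 0 }, SEQUENCE {}, BIT STRING }
SAMPLE_DER = bytes.fromhex("300b30030201003000030200ff")

def pem_armor(der: bytes) -> bytes:
    """Base64-encode DER bytes, 64 characters per line, between CSR markers."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("\n".join([BEGIN, *body, END]) + "\n").encode("ascii")

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length fits in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def pem_unarmor_csr(pem: bytes) -> bytes:
    """Strictly decode a PEM CSR and check its outer layout; return the DER."""
    lines = pem.decode("ascii").strip().splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PEM certificate request")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE with no trailing data")
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    # requestInfo SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING
    if tags != [0x30, 0x30, 0x03]:
        raise ValueError("unexpected CertificationRequest layout")
    return der
```

The layout check does not verify the signature or the requested subject and extensions; those still need a full ASN.1 parser.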