Implementing-cryptography-using-python
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
44 Chapter 2 ■ Cryptographic Protocols and Perfect Secrecy
# Sign the CSR with our private key.
).sign(key, hashes.SHA256(), default_backend())
with open("csr.pem", "wb") as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
print('Operateion Completed.')
Certificate Revocation
If we continue to examine the situation presented, you can see that communications
between Alice and Bob rely on the trust of the certificate authority and
each party must keep their private key secure. Should one of their keys become
compromised, the certificate needs to be nullified or revoked. If Alice’s key was
compromised in an attack, the attacker (Trent) can continue to impersonate
Alice up to the end of the certificate’s validity period. If Alice detects the compromise,
she can ask for revocation of the corresponding public-key certificate.
Certificate revocation is performed by maintaining a list of compromised certificates;
these lists are known as certificate revocation lists, or CRLs. CRLs are
stored in the X.500 directory; when a user or process is checking a certificate,
it must not only confirm that the certificate exists but also make sure the certificate
is not on a CRL. The certificate revocation process is quite slow and can
be costly and ineffective.
If you’ve used the previous example to generate a key, you will be able to
load it using the following code. Examine the use of load_pem_private_key(),
as shown here:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.serialization import load_pem_
private_key
encryptedpass = b"Ilik32Cod3"
key = load_pem_private_key(open('rsakey.pem', 'rb').read(),encryptedpass,
default_backend())
# Generate CSR
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Python Cryptography"),
x509.NameAttribute(NameOID.COMMON_NAME, u"8gwifi.org"),
])).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(u"mysite.com"),
]),