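"""Helpers that mint a throw-away, self-signed TLS certificate for tests.

The certificate produced here is signed by its own key (subject == issuer),
is valid for ten days from the moment it is built, and carries only a
``commonName`` plus a matching ``subjectAltName``; the key is serialized
without any passphrase.  Everything here is test-fixture material.
"""
from datetime import datetime, timedelta

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

from pip._internal.utils.typing import MYPY_CHECK_RUNNING

if MYPY_CHECK_RUNNING:
    from typing import Text, Tuple

# Lifetime of the generated certificate, counted from the build time.
CERT_VALIDITY = timedelta(days=10)


def make_tls_cert(hostname):
    # type: (Text) -> Tuple[x509.Certificate, rsa.RSAPrivateKey]
    """Generate a fresh RSA key and a self-signed certificate for ``hostname``.

    :param hostname: DNS name placed in the certificate's ``commonName`` and,
        as a ``DNSName`` entry, in its (non-critical) ``subjectAltName``.
    :return: ``(cert, key)`` where ``key`` is a new 2048-bit RSA private key
        (public exponent 65537) and ``cert`` is an X.509 certificate whose
        subject and issuer are both ``CN=<hostname>``, with a random serial
        number, signed with SHA-256 by ``key`` itself.
    """
    key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend(),
    )
    # Self-signed: the certificate's issuer is its own subject.
    subject = issuer = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, hostname),
    ])
    # Take the clock reading once so notBefore/notAfter are exactly
    # CERT_VALIDITY apart rather than separated by a second utcnow() call.
    # CertificateBuilder interprets naive datetimes as UTC.
    not_before = datetime.utcnow()
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + CERT_VALIDITY)
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(hostname)]),
            critical=False,
        )
    )
    cert = builder.sign(key, hashes.SHA256(), default_backend())
    return cert, key


def serialize_key(key):
    # type: (rsa.RSAPrivateKey) -> bytes
    """Return ``key`` as an unencrypted PEM blob in TraditionalOpenSSL form.

    No passphrase is applied (``NoEncryption``), so the returned bytes are
    the raw private key and should be treated accordingly by the caller.
    """
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    )


def serialize_cert(cert):
    # type: (x509.Certificate) -> bytes
    """Return ``cert`` PEM-encoded (``-----BEGIN CERTIFICATE-----`` block)."""
    return cert.public_bytes(serialization.Encoding.PEM)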