Generate X509 certificates according to Avviso SPID 29 v3

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for italia from gravatar.com italia

Unverified details

These details have not been verified by PyPI
Project links
Meta
Report project as malware

Project description

spid-compliant-certificates

Python native solution to generate and validate X.509 certificates according to Avviso SPID n.29 v3.

Installation

Nothing more than

$ pip install spid-compliant-certificates

Alternatively, you can install it from sources

$ pip install -r requirements.txt
$ python setup.py install

Command line usage

Generate private key, self-signed X.509 ertificate and CSR for public sector SPID service provider

$ spid-compliant-certificates generator \
    --key-size 3072 \
    --common-name "A.C.M.E" \
    --days 365 \
    --entity-id https://spid.acme.it \
    --locality-name Roma \
    --org-id "PA:IT-c_h501" \
    --org-name "A Company Making Everything" \
    --sector public
[DEBUG] Starting new HTTPS connection (1): indicepa.gov.it:443
[DEBUG] https://indicepa.gov.it:443 "GET /ricerca/n-dettaglioamministrazione.php?cod_amm=c_h501 HTTP/1.1" 200 23778
[INFO ] Private key saved to key.pem
[INFO ]   Inspect with OpenSSL: openssl rsa -in key.pem -noout -text
[INFO ] CSR saved to csr.pem
[INFO ]   Inspect with OpenSSL: openssl req -in csr.pem -noout -text
[INFO ]   Inspect with OpenSSL: openssl asn1parse -i -inform PEM -in csr.pem
[INFO ] Self-signed certificate saved to crt.pem
[INFO ]   Inspect with OpenSSL: openssl x509 -noout -text -in crt.pem
[INFO ]   Inspect with OpenSSL: openssl asn1parse -i -inform PEM -in crt.pem

Validate the self-signed X.509 certificate

$ spid-compliant-certificates validator --sector public
[INFO ] Validating certificate crt.pem against public sector specifications
[INFO ] Checking the key type and size: success
[INFO ]     The keypair must be RSA
[INFO ]     The key size must be greater than or equal to 2048 (now: 3072)
[INFO ]     The key size must be one of [2048, 3072, 4096] (now: 3072)
[INFO ] Checking the signature digest algorithm: success
[INFO ]     The digest algorithm must be one of ['sha256', 'sha512'] (now: sha256)
[INFO ] Checking the SubjectDN: success
[INFO ]     Name attribute [initials, 2.5.4.43] is not allowed in subjectDN
[INFO ]     Name attribute [name, 2.5.4.41] is not allowed in subjectDN
[INFO ]     Name attribute [emailAddress, 1.2.840.113549.1.9.1] is not allowed in subjectDN
[INFO ]     Name attribute [givenName, 2.5.4.42] is not allowed in subjectDN
[INFO ]     Name attribute [pseudonym, 2.5.4.65] is not allowed in subjectDN
[INFO ]     Name attribute [surname, 2.5.4.4] is not allowed in subjectDN
[INFO ]     Name attribute [organizationIdentifier, 2.5.4.97] must be present in subjectDN
[INFO ]     Name attribute [uri, 2.5.4.83] must be present in subjectDN
[INFO ]     Name attribute [commonName, 2.5.4.3] must be present in subjectDN
[INFO ]     Name attribute [countryName, 2.5.4.6] must be present in subjectDN
[INFO ]     Name attribute [localityName, 2.5.4.7] must be present in subjectDN
[INFO ]     Name attribute [localityName, 2.5.4.7] must be present in subjectDN
[INFO ]     Name attribute [organizationName, 2.5.4.10] must be present in subjectDN
[INFO ]     Value for name attribute [organizationName, 2.5.4.10] can not be empty
[INFO ]     Value for name attribute [commonName, 2.5.4.3] can not be empty
[INFO ]     Value for name attribute [Unknown OID, 2.5.4.83] can not be empty
[INFO ]     Value for name attribute [Unknown OID, 2.5.4.97] can not be empty
[INFO ]     Value for name attribute [Unknown OID, 2.5.4.97] must match [^PA:IT-\S{1,11}$] (now: PA:IT-c_h501)
[INFO ]     Value for name attribute [countryName, 2.5.4.6] can not be empty
[INFO ]     Value for name attribute [countryName, 2.5.4.6] is not a valid country code (IT)
[INFO ]     Value for name attribute [localityName, 2.5.4.7] can not be empty
[INFO ] Checking basicConstraints x509 extension: success
[INFO ]     basicConstraints can not be set as critical
[INFO ]     CA must be FALSE
[INFO ] Checking keyUsage x509 extension: success
[INFO ]     keyUsage must be set as critical
[INFO ]     content_commitment must be set
[INFO ]     digital_signature must be set
[INFO ]     crl_sign must be unset
[INFO ]     data_encipherment must be unset
[INFO ]     key_agreement must be unset
[INFO ]     key_cert_sign must be unset
[INFO ]     key_encipherment must be unset
[INFO ] Checking certificatePolicies x509 extension: success
[INFO ]     certificatePolicies can not be set as critical
[INFO ]     policy 1.3.76.16.6 must be present
[INFO ]     policy 1.3.76.16.4.2.1 must be present
[INFO ]     policy 1.3.76.16.6 must have UserNotice.ExplicitText=agIDcert (now: agIDcert)
[INFO ]     policy 1.3.76.16.4.2.1 must have UserNotice.ExplicitText=cert_SP_Pub (now: cert_SP_Pub)

Generate private key and CSR for private sector SPID service provider

$ spid-compliant-certificates generator \
    --key-size 3072 \
    --common-name "A.C.M.E" \
    --days 365 \
    --entity-id https://spid.acme.it \
    --locality-name Roma \
    --org-id "VATIT-12345678901" \
    --org-name "A Company Making Everything" \
    --sector private
[INFO ] Private key saved to key.pem
[INFO ]   Inspect with OpenSSL: openssl rsa -in key.pem -noout -text
[INFO ] CSR saved to csr.pem
[INFO ]   Inspect with OpenSSL: openssl req -in csr.pem -noout -text
[INFO ]   Inspect with OpenSSL: openssl asn1parse -i -inform PEM -in csr.pem

Are you looking for further info?

$ spid-compliant-certificates --help
$ spid-compliant-certificates generator --help
$ spid-compliant-certificates validator --help

Docker usage

Build the image locally

$ docker build --tag local/spid-compliant-certificates .

or pull it from Docker Hub

$ docker pull italia/spid-compliant-certificates

In order to access files generated/validated by the container, mount your local path to /certs, which is the default container working directory.

$ docker run -ti --rm \
    -v "/your/local/path:/certs" \
    italia/spid-compliant-certificates generator \
        --key-size 3072 \
        --common-name "A.C.M.E" \
        --days 365 \
        --entity-id https://spid.acme.it \
        --locality-name Roma \
        --org-id "PA:IT-c_h501" \
        --org-name "A Company Making Everything" \
        --sector public
[DEBUG] Starting new HTTPS connection (1): indicepa.gov.it:443
[DEBUG] https://indicepa.gov.it:443 "GET /ricerca/n-dettaglioamministrazione.php?cod_amm=c_h501 HTTP/1.1" 200 23778
[INFO ] Private key saved to key.pem
[INFO ]   Inspect with OpenSSL: openssl rsa -in key.pem -noout -text
[INFO ] CSR saved to csr.pem
[INFO ]   Inspect with OpenSSL: openssl req -in csr.pem -noout -text
[INFO ]   Inspect with OpenSSL: openssl asn1parse -i -inform PEM -in csr.pem
[INFO ] Self-signed certificate saved to crt.pem
[INFO ]   Inspect with OpenSSL: openssl x509 -noout -text -in crt.pem
[INFO ]   Inspect with OpenSSL: openssl asn1parse -i -inform PEM -in crt.pem

Dev usage

The package provides Pyton unittest test cases that can be imported in your Python project

import unittest

from spid_compliant_certificates.validator.test_cases import TestPrivateSector
from spid_compliant_certificates.validator.test_cases import TestPublicSector

if __name__ == '__main__':
    suite = unittest.TestSuite()
    loader = unittest.TestLoader()

    test_cases = (TestPrivateSector, TestPublicSector, YourOtherTestCase)
    for test_class in test_cases:
        tests = loader.loadTestsFromTestCase(test_class)
        suite.addTests(tests)

    runner = unittest.TextTestRunner()
    runner.run(suite)

Furtermore, they can also be executed from the command line as follows

$ CERT_FILE=/path/to/your/cert.pem python -m unittest -vv spid_compliant_certificates.validator.test_cases.TestPrivateSector
test_basic_constraints (spid_compliant_certificates.validator.test_cases.private_sector.TestPrivateSector) ... ok
test_certificate_policies (spid_compliant_certificates.validator.test_cases.private_sector.TestPrivateSector) ... ok
test_digest_algorithm (spid_compliant_certificates.validator.test_cases.private_sector.TestPrivateSector) ... ok
test_key_type_and_size (spid_compliant_certificates.validator.test_cases.private_sector.TestPrivateSector) ... ok
test_key_usage (spid_compliant_certificates.validator.test_cases.private_sector.TestPrivateSector) ... ok
test_subject_dn (spid_compliant_certificates.validator.test_cases.private_sector.TestPrivateSector) ... ok

----------------------------------------------------------------------
Ran 6 tests in 0.030s

OK


$ CERT_FILE=/path/to/your/cert.pem python -m unittest -vv spid_compliant_certificates.validator.test_cases.TestPublicSector
test_basic_constraints (spid_compliant_certificates.validator.test_cases.public_sector.TestPublicSector) ... ok
test_certificate_policies (spid_compliant_certificates.validator.test_cases.public_sector.TestPublicSector) ... ok
test_digest_algorithm (spid_compliant_certificates.validator.test_cases.public_sector.TestPublicSector) ... ok
test_key_type_and_size (spid_compliant_certificates.validator.test_cases.public_sector.TestPublicSector) ... ok
test_key_usage (spid_compliant_certificates.validator.test_cases.public_sector.TestPublicSector) ... ok
test_subject_dn (spid_compliant_certificates.validator.test_cases.public_sector.TestPublicSector) ... ok

----------------------------------------------------------------------
Ran 6 tests in 0.019s

OK

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for italia from gravatar.com italia

Unverified details

These details have not been verified by PyPI
Project links
Meta

Release history Release notifications | RSS feed

This version

0.5.5

0.5.4

0.5.3

0.5.2

0.5.1

0.5

0.4.2

0.4.1

0.4

0.3.1

0.3

0.2

0.1

0.1a0 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

spid_compliant_certificates-0.5.5.tar.gz (18.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

spid_compliant_certificates-0.5.5-py3-none-any.whl (36.6 kB view details)

Uploaded Python 3

File details

Details for the file spid_compliant_certificates-0.5.5.tar.gz.

File metadata

File hashes

Hashes for spid_compliant_certificates-0.5.5.tar.gz
Algorithm Hash digest
SHA256 fc8711053a11300b2815de005a8a6ad53da07d768973efd443adec6a945ddd0a
MD5 f459b57082964c9f4f64fd4bd7674db5
BLAKE2b-256 c41924f30f645cf5571fc310e58b94b73dbb0e4e245f7d4ad76111f778597eed

See more details on using hashes here.

File details

Details for the file spid_compliant_certificates-0.5.5-py3-none-any.whl.

File metadata

File hashes

Hashes for spid_compliant_certificates-0.5.5-py3-none-any.whl
Algorithm Hash digest
SHA256 66ad9513fb002628ea85e9141d6a1f5cda1d144f4c76ac61636a472fc374fac6
MD5 fb54d9f168ee96a0c6eefebc51618581
BLAKE2b-256 cb47362e7952e29e93733036fd8a7a86b5105b3bf25f474b841febe2374596dc

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page