in azext_edge/edge/util/x509.py [0:0]
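def generate_self_signed_cert(valid_days: int = DEFAULT_VALID_DAYS) -> Tuple[bytes, bytes]:
    """Generate a self-signed EC (P-256) root CA certificate and its private key.

    Args:
        valid_days: Certificate lifetime in days, counted from the moment of
            generation. A falsy or negative value falls back to
            ``DEFAULT_VALID_DAYS``.

    Returns:
        A ``(cert_pem, key_pem)`` tuple. ``cert_pem`` is the PEM-encoded
        certificate; ``key_pem`` is the PEM-encoded private key in
        TraditionalOpenSSL form with ``NoEncryption``, i.e. stored in the
        clear -- whoever persists it is responsible for protecting it at rest.
    """
    if not valid_days or valid_days < 0:
        valid_days = DEFAULT_VALID_DAYS

    # Not using DEFAULT_EC_ALGO due CodeQL issue parsing private key algo
    key = ec.generate_private_key(curve=ec.SECP256R1(), backend=default_backend())
    key_bytes = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    )

    # Self-signed: subject and issuer are the same distinguished name.
    subject = issuer = x509.Name(
        [
            x509.NameAttribute(NameOID.COMMON_NAME, "Azure IoT Operations Quickstart Root CA - Not for Production"),
        ]
    )
    public_key = key.public_key()

    # Read the clock once so the validity window is exactly ``valid_days`` long.
    # The original read ``datetime.now()`` twice, which skews notAfter by however
    # long elapsed between the two calls.
    not_before = datetime.now(timezone.utc)
    not_after = not_before + timedelta(days=valid_days)

    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        # Randomly generated serial; RFC 5280 requires serials to be unique per issuer.
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        # CA flag with unrestricted path length; critical so a relying party
        # that does not understand it must reject the certificate rather than
        # silently ignore the constraint.
        .add_extension(
            x509.BasicConstraints(ca=True, path_length=None),
            critical=True,
        )
        # Limit the key to signing certificates; every other usage bit is off.
        # NOTE(review): RFC 5280 §4.2.1.3 says CAs SHOULD mark KeyUsage critical;
        # left non-critical here to keep the emitted certificate unchanged.
        .add_extension(
            x509.KeyUsage(
                key_cert_sign=True,
                digital_signature=False,
                crl_sign=False,
                content_commitment=False,
                data_encipherment=False,
                decipher_only=False,
                encipher_only=False,
                key_agreement=False,
                key_encipherment=False,
            ),
            critical=False,
        )
        # SKI derived from the public key so certificates issued under this CA
        # can reference it via AuthorityKeyIdentifier.
        .add_extension(
            x509.SubjectKeyIdentifier.from_public_key(public_key),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return (cert.public_bytes(serialization.Encoding.PEM), key_bytes)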