feat(crypto): add functions necessary to generate the ari data

Add generate_ari_data, get_certificate_aki and
get_certificate_serial functions to the project.

Refs: #121

Author: piraz

automatoes/crypto.py

@@ -1,6 +1,4 @@
-# -*- coding: UTF-8 -*-
-#
-# Copyright 2019-2023 Flávio Gonçalves Garcia
+# Copyright 2019-2025 Flavio Garcia
 # Copyright 2016-2017 Veeti Paananen under MIT License
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -28,7 +26,7 @@
 with warnings.catch_warnings():
     warnings.simplefilter("ignore")
     from cryptography import x509
-from cryptography.x509 import NameOID, DNSName, SubjectAlternativeName
+from cryptography.x509 import NameOID, DNSName
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives.asymmetric.rsa import (
@@ -90,6 +88,13 @@ def certbot_key_data_to_int(key_data: dict) -> dict:
     return key_data_int
 
 
+def generate_ari_data(cert):
+    aki_b64 = base64.urlsafe_b64encode(get_certificate_aki(cert).encode())
+    serial_b64 = base64.urlsafe_b64encode(
+            get_certificate_serial(cert).encode())
+    return f"{aki_b64}.{serial_b64}"
+
+
 def generate_header(account_key):
     """
     Creates a new request header for the specified account key.
@@ -234,6 +239,18 @@ def get_issuer_certificate_domain_name(cert):
         return cn.value
 
 
+def get_certificate_aki(cert):
+    for ext in cert.extensions:
+        if isinstance(ext.value, x509.AuthorityKeyIdentifier):
+            hex = ext.value.key_identifier.hex()
+            return ":".join(hex[i:i+2] for i in range(0, len(hex), 2))
+
+
+def get_certificate_serial(cert):
+    hex = format(cert.serial_number, "x")
+    return ":".join(hex[i:i+2] for i in range(0, len(hex), 2))
+
+
 def get_certificate_domain_name(cert):
     for ext in cert.extensions:
         if isinstance(ext.value, x509.SubjectAlternativeName):

tests/ari_test.py

@@ -0,0 +1,53 @@
+# Copyright 2019-2025 Flavio Garcia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from . import FIXTURES_ROOT
+from automatoes.crypto import (generate_ari_data,
+                               get_certificate_aki,
+                               get_certificate_serial,
+                               load_pem_certificate)
+import base64
+from cartola import fs
+import unittest
+import os
+
+
+class ARITestCase(unittest.TestCase):
+    """ Tests the crypto module from automatoes
+    """
+
+    def test_aki(self):
+        """ Test the strip_certificate function """
+        key_directory = os.path.join(FIXTURES_ROOT, "keys", "candango.org",
+                                     "another")
+
+        key_crt = fs.read(
+            os.path.join(key_directory, "another.candango.org.crt"),
+            True
+        )
+
+        pem_crt = load_pem_certificate(key_crt)
+
+        aki = get_certificate_aki(pem_crt)
+        serial = get_certificate_serial(pem_crt)
+        expected_aki = ("c0:cc:03:46:b9:58:20:cc:5c:72:70:f3:e1:2e:cb:20:a6:"
+                        "f5:68:3a")
+        expected_serial = ("fa:f3:97:73:26:ea:e8:44:e7:14:00:20:ae:90:60:af:"
+                           "ba:44")
+        aki_b64 = base64.urlsafe_b64encode(expected_aki.encode())
+        serial_b64 = base64.urlsafe_b64encode(expected_serial.encode())
+
+        self.assertEqual(expected_aki, aki)
+        self.assertEqual(expected_serial, serial)
+        self.assertEqual(f"{aki_b64}.{serial_b64}", generate_ari_data(pem_crt))