def Verify(self, public_key):
    """Check the signature carried by this blob against its data.

    Only SHA-256 digests and RSA signatures (PKCS#1 v1.5 or PSS) are accepted;
    anything else is rejected before any cryptographic call is made, so an
    unexpected algorithm declared in the blob cannot steer verification.

    Args:
      public_key: Key object exposing ``Verify(data, signature)``, expected to
        raise ``InvalidSignature`` when the signature does not match.

    Returns:
      True when verification succeeds. The method never returns False; a
      failed verification is always reported as an exception.

    Raises:
      rdfvalue.DecodeError: if the digest type or signature type is
        unsupported, or the signature does not verify.
    """
    if self.digest_type != self.HashType.SHA256:
        raise rdfvalue.DecodeError("Unsupported digest.")

    accepted_signature_types = (
        self.SignatureType.RSA_PKCS1v15,
        self.SignatureType.RSA_PSS,
    )
    if self.signature_type not in accepted_signature_types:
        raise rdfvalue.DecodeError("Unsupported signature type.")

    # NOTE(review): the declared signature_type is validated here but is not
    # handed to public_key.Verify, so the padding scheme actually checked is
    # whatever that method implements -- confirm it agrees with the declared
    # type. Exceptions other than InvalidSignature raised by public_key.Verify
    # propagate unchanged rather than becoming DecodeError.
    try:
        public_key.Verify(self.data, self.signature)
    except InvalidSignature as e:
        raise rdfvalue.DecodeError("Could not verify blob. Error: %s" % e)

    return True
def GetCN(self):
    """Return the Common Name from the certificate's subject.

    Exactly one CN entry is required: a subject carrying several CNs is
    ambiguous and is refused rather than silently picking one of them, and a
    subject with none gives no name to identify the holder by.

    Returns:
      The CN attribute value as stored in the certificate; no normalisation
      is applied.

    Raises:
      rdfvalue.DecodeError: if the subject has zero or more than one CN entry.
    """
    cn_entries = self._value.subject.get_attributes_for_oid(
        oid.NameOID.COMMON_NAME)

    if len(cn_entries) > 1:
        raise rdfvalue.DecodeError("Cert has more than 1 CN entries.")

    if not cn_entries:
        raise rdfvalue.DecodeError("Cert has no CN")

    return cn_entries[0].value
def ParseFromString(self, string):
    """Replace this value with the certificate parsed from PEM bytes.

    Args:
      string: PEM-encoded X.509 certificate bytes.

    Raises:
      rdfvalue.DecodeError: if ``string`` is not a parseable PEM certificate,
        or the parsed certificate does not carry exactly one CN entry.
    """
    try:
        parsed = x509.load_pem_x509_certificate(string, backend=openssl.backend)
    except (ValueError, TypeError) as e:
        # NOTE(review): the whole raw input is echoed into the error text; if
        # these messages reach logs, consider truncating untrusted input.
        raise rdfvalue.DecodeError("Invalid certificate %s: %s" % (string, e))

    self._value = parsed

    # Certificates without exactly one CN are rejected (GetCN raises).
    self.GetCN()
def __init__(self, initializer=None):
    """Build a certificate value from one of several initializer forms.

    Args:
      initializer: None for an empty value, another RDFX509Cert (its parsed
        certificate object is shared), an already parsed ``x509.Certificate``,
        or PEM-encoded ``bytes``.

    Raises:
      rdfvalue.DecodeError: if PEM bytes cannot be parsed, or the resulting
        certificate does not carry exactly one CN entry.
      rdfvalue.InitializeError: for any other initializer type.
    """
    if initializer is None:
        cert = None
    elif isinstance(initializer, RDFX509Cert):
        cert = initializer._value  # pylint: disable=protected-access
    elif isinstance(initializer, x509.Certificate):
        cert = initializer
    elif isinstance(initializer, bytes):
        try:
            cert = x509.load_pem_x509_certificate(
                initializer, backend=openssl.backend)
        except (ValueError, TypeError) as e:
            # NOTE(review): the raw input is echoed into the error text;
            # consider truncating if these messages reach logs.
            raise rdfvalue.DecodeError(
                "Invalid certificate %s: %s" % (initializer, e))
    else:
        raise rdfvalue.InitializeError(
            "Cannot initialize %s from %s." % (self.__class__, initializer))

    super(RDFX509Cert, self).__init__(cert)

    # A non-empty value must carry exactly one CN; GetCN raises otherwise.
    if self._value is not None:
        self.GetCN()