def get_revoked_certificate_by_serial_number(self, serial_number):
revoked = self._backend._ffi.new("X509_REVOKED **")
asn1_int = _encode_asn1_int_gc(self._backend, serial_number)
res = self._backend._lib.X509_CRL_get0_by_serial(
self._sorted_crl, revoked, asn1_int)
if res == 0:
return None
else:
self._backend.openssl_assert(revoked[0] != self._backend._ffi.NULL)
return _RevokedCertificate(self._backend, self._sorted_crl,
revoked[0])
def get_revoked_certificate_by_serial_number(self, serial_number):
revoked = self._backend._ffi.new("X509_REVOKED **")
asn1_int = _encode_asn1_int_gc(self._backend, serial_number)
res = self._backend._lib.X509_CRL_get0_by_serial(
self._x509_crl, revoked, asn1_int
)
if res == 0:
return None
else:
self._backend.openssl_assert(
revoked[0] != self._backend._ffi.NULL
)
return _RevokedCertificate(
self._backend, self._x509_crl, revoked[0]
)
def create_x509_certificate(self, builder, private_key, algorithm):
if not isinstance(builder, x509.CertificateBuilder):
raise TypeError('Builder type mismatch.')
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
if (
isinstance(algorithm, hashes.MD5) and not
isinstance(private_key, rsa.RSAPrivateKey)
):
raise ValueError(
"MD5 is not a supported hash algorithm for EC/DSA certificates"
)
# Resolve the signature algorithm.
evp_md = self._lib.EVP_get_digestbyname(
algorithm.name.encode('ascii')
)
self.openssl_assert(evp_md != self._ffi.NULL)
# Create an empty certificate.
x509_cert = self._lib.X509_new()
x509_cert = self._ffi.gc(x509_cert, backend._lib.X509_free)
# Set the x509 version.
res = self._lib.X509_set_version(x509_cert, builder._version.value)
self.openssl_assert(res == 1)
# Set the subject's name.
res = self._lib.X509_set_subject_name(
x509_cert, _encode_name_gc(self, builder._subject_name)
)
self.openssl_assert(res == 1)
# Set the subject's public key.
res = self._lib.X509_set_pubkey(
x509_cert, builder._public_key._evp_pkey
)
self.openssl_assert(res == 1)
# Set the certificate serial number.
serial_number = _encode_asn1_int_gc(self, builder._serial_number)
res = self._lib.X509_set_serialNumber(x509_cert, serial_number)
self.openssl_assert(res == 1)
# Set the "not before" time.
if isinstance(builder, ExtBuilder):
time_str = _format_asn1_time_str(builder._not_valid_before, builder._not_valid_before_format)
else:
time_str = _format_asn1_time_str(builder._not_valid_before)
res = self._lib.ASN1_TIME_set_string(
self._lib.X509_get_notBefore(x509_cert),
time_str
)
if res == self._ffi.NULL:
self._raise_time_set_error()
# Set the "not after" time.
if isinstance(builder, ExtBuilder):
time_str = _format_asn1_time_str(builder._not_valid_after, builder._not_valid_after_format)
else:
time_str = _format_asn1_time_str(builder._not_valid_after)
res = self._lib.ASN1_TIME_set_string(
self._lib.X509_get_notAfter(x509_cert),
time_str
)
if res == self._ffi.NULL:
self._raise_time_set_error()
# Add extensions.
self._create_x509_extensions(
extensions=builder._extensions,
handlers=_EXTENSION_ENCODE_HANDLERS,
x509_obj=x509_cert,
add_func=self._lib.X509_add_ext,
gc=True
)
# Set the issuer name.
res = self._lib.X509_set_issuer_name(
x509_cert, _encode_name_gc(self, builder._issuer_name)
)
self.openssl_assert(res == 1)
# Sign the certificate with the issuer's private key.
res = self._lib.X509_sign(
x509_cert, private_key._evp_pkey, evp_md
)
if res == 0:
errors = self._consume_errors()
self.openssl_assert(
errors[0]._lib_reason_match(
self._lib.ERR_LIB_RSA,
self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
)
)
raise ValueError("Digest too big for RSA key")
return _Certificate(self, x509_cert)
