예제 #1
0
    def test_basic(self):
        # test the default view
        response = self.client.get(
            reverse('default', kwargs={'serial': self.ca.serial}))
        self.assertEqual(response.status_code, 200)
        self.assertEqual(response['Content-Type'], 'application/pkix-crl')

        crl = x509.load_der_x509_crl(response.content, default_backend())
        self.assertIsInstance(crl.signature_hash_algorithm, hashes.SHA512)
        self.assertEqual(list(crl), [])

        # revoke a certificate
        cert = Certificate.objects.get(serial=self.cert.serial)
        cert.revoke()

        # fetch again - we should see a cached response
        response = self.client.get(
            reverse('default', kwargs={'serial': self.ca.serial}))
        self.assertEqual(response.status_code, 200)
        self.assertEqual(response['Content-Type'], 'application/pkix-crl')
        crl = x509.load_der_x509_crl(response.content, default_backend())
        self.assertIsInstance(crl.signature_hash_algorithm, hashes.SHA512)
        self.assertEqual(list(crl), [])

        # clear the cache and fetch again
        cache.clear()
        response = self.client.get(
            reverse('default', kwargs={'serial': self.ca.serial}))
        self.assertEqual(response.status_code, 200)
        self.assertEqual(response['Content-Type'], 'application/pkix-crl')
        crl = x509.load_der_x509_crl(response.content, default_backend())
        self.assertIsInstance(crl.signature_hash_algorithm, hashes.SHA512)
        self.assertEqual(len(list(crl)), 1)
        self.assertEqual(crl[0].serial_number, cert.x509.serial)
예제 #2
0
    def test_cache_all_crls(self):
        hash_cls = hashes.SHA512
        enc_cls = Encoding.DER
        tasks.cache_crls()

        for ca, data in self.cas.items():
            key = get_crl_cache_key(data.serial, hash_cls, enc_cls, 'ca')
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
            self.assertIsInstance(crl.signature_hash_algorithm, hash_cls)

            key = get_crl_cache_key(data.serial, hash_cls, enc_cls, 'user')
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
예제 #3
0
    def test_cache_all_crls(self) -> None:
        """Test caching when all CAs are valid."""
        hash_cls = hashes.SHA512
        enc_cls = Encoding.DER
        tasks.cache_crls()

        for data in self.cas.values():
            key = get_crl_cache_key(data.serial, hash_cls(), enc_cls, "ca")
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
            self.assertIsInstance(crl.signature_hash_algorithm, hash_cls)

            key = get_crl_cache_key(data.serial, hash_cls(), enc_cls, "user")
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
예제 #4
0
    def test_basic(self):
        """Test caching with a specific serial."""

        hash_cls = hashes.SHA512
        enc_cls = Encoding.DER

        for data in self.cas.values():
            tasks.cache_crl(data.serial)

            key = get_crl_cache_key(data.serial, hash_cls, enc_cls, 'ca')
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
            self.assertIsInstance(crl.signature_hash_algorithm, hash_cls)

            key = get_crl_cache_key(data.serial, hash_cls, enc_cls, 'user')
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
예제 #5
0
    def __init__(self, module):
        super(CRLInfo, self).__init__(module.params['path'] or '', 'present',
                                      False, module.check_mode)

        self.content = module.params['content']

        self.module = module

        self.crl = None
        if self.content is None:
            try:
                with open(self.path, 'rb') as f:
                    data = f.read()
            except Exception as e:
                self.module.fail_json(
                    msg='Error while reading CRL file from disk: {0}'.format(
                        e))
        else:
            data = self.content.encode('utf-8')
            if not identify_pem_format(data):
                data = base64.b64decode(self.content)

        self.crl_pem = identify_pem_format(data)
        try:
            if self.crl_pem:
                self.crl = x509.load_pem_x509_crl(data, default_backend())
            else:
                self.crl = x509.load_der_x509_crl(data, default_backend())
        except Exception as e:
            self.module.fail_json(
                msg='Error while decoding CRL: {0}'.format(e))
예제 #6
0
파일: revok_cert.py 프로젝트: Veckbv/crypt 
def get_revok_date_and_ser_number():
    with open(crl_path, 'rb') as crl_file:
        data = crl_file.read()
    crl = x509.load_der_x509_crl(data, default_backend())

    for r in crl:
        print(f'{r.revocation_date} {r.serial_number}')
예제 #7
0
def _download_http_crl(endpoint, key_identifier):
    """
    :param endpoint: url della crl
    :param key_identifier: chiave identificativa dell'issuer del certificato
    :return:
    """

    crl_dest = make_crl_store_path(endpoint, key_identifier) + ".crl"
    crl_meta_dest = make_crl_store_path(endpoint, key_identifier) + ".txt"

    try:
        r = requests.get(endpoint)
        if r.status_code == 200:
            try:
                crl = crypto.load_crl(crypto.FILETYPE_PEM, r.content)
            except:
                crl_x509 = x509.load_der_x509_crl(r.content, default_backend())
                crl = crypto.CRL.from_cryptography(crl_x509)
            with open(crl_dest, 'w') as f:
                f.write(crypto.dump_crl(crypto.FILETYPE_PEM, crl).decode())
            with open(crl_meta_dest, 'w') as f:
                f.write(endpoint)
        else:
            LOG.error('Errore durante il download della CRL con endpoint = {}'.
                      format(endpoint),
                      extra=set_client_ip())
    except Exception as e:
        LOG.error(
            'Eccezione durante il download della CRL con key_identifier = {}'.
            format(key_identifier),
            extra=set_client_ip())
        LOG.error("Exception: {}".format(str(e)), extra=set_client_ip())
예제 #8
0
파일: base.py 프로젝트: zwd1990/django-ca 
    def assertCRL(self, crl, certs=None, signer=None, expires=86400, algorithm=None, encoding=Encoding.PEM,
                  idp=None, extensions=None, crl_number=0, skip_authority_key_identifier=False):
        certs = certs or []
        signer = signer or self.cas['child']
        algorithm = algorithm or ca_settings.CA_DIGEST_ALGORITHM
        extensions = extensions or []
        expires = datetime.utcnow() + timedelta(seconds=expires)

        if idp is not None:  # pragma: no branch, pragma: only cryptography>=2.5
            extensions.append(idp)
        extensions.append(x509.Extension(
            value=x509.CRLNumber(crl_number=crl_number),
            critical=False, oid=ExtensionOID.CRL_NUMBER
        ))
        if not skip_authority_key_identifier:
            extensions.append(signer.authority_key_identifier.as_extension())

        if encoding == Encoding.PEM:
            crl = x509.load_pem_x509_crl(crl, default_backend())
        else:
            crl = x509.load_der_x509_crl(crl, default_backend())

        self.assertIsInstance(crl.signature_hash_algorithm, type(algorithm))
        self.assertTrue(crl.is_signature_valid(signer.x509.public_key()))
        self.assertEqual(crl.issuer, signer.x509.subject)
        self.assertEqual(crl.last_update, datetime.utcnow())
        self.assertEqual(crl.next_update, expires)
        self.assertCountEqual(list(crl.extensions), extensions)

        entries = {e.serial_number: e for e in crl}
        expected = {c.x509.serial_number: c for c in certs}
        self.assertCountEqual(entries, expected)
        for serial, entry in entries.items():
            self.assertEqual(entry.revocation_date, datetime.utcnow())
            self.assertEqual(list(entry.extensions), [])
예제 #9
0
def crl_verify(cert_path):
    """
    Attempts to verify a certificate using CRL.

    :param cert_path:
    :return: True if certificate is valid, False otherwise
    :raise Exception: If certificate does not have CRL
    """
    with open(cert_path, 'rt') as c:
        cert = parse_certificate(c.read())

    distribution_points = cert.extensions.get_extension_for_oid(
        x509.OID_CRL_DISTRIBUTION_POINTS).value

    for p in distribution_points:
        point = p.full_name[0].value

        try:
            response = requests.get(point)

            if response.status_code != 200:
                raise Exception("Unable to retrieve CRL: {0}".format(point))
        except ConnectionError:
            raise Exception("Unable to retrieve CRL: {0}".format(point))

        crl = x509.load_der_x509_crl(response.content,
                                     backend=default_backend())

        for r in crl:
            if cert.serial == r.serial_number:
                return

    return True
예제 #10
0
    def test_basic(self):
        hash_cls = hashes.SHA512
        enc_cls = Encoding.DER
        stdout, stderr = self.cmd('cache_crls')
        self.assertEqual(stdout, '')
        self.assertEqual(stderr, '')

        for name, ca in self.cas.items():
            key = get_crl_cache_key(ca.serial, hash_cls, enc_cls, 'ca')
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
            self.assertIsNotNone(crl)
            self.assertIsInstance(crl.signature_hash_algorithm, hash_cls)

            key = get_crl_cache_key(ca.serial, hash_cls, enc_cls, 'user')
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
            self.assertIsNotNone(crl)
예제 #11
0
파일: verify.py 프로젝트: harmw/lemur 
def crl_verify(cert_path):
    """
    Attempts to verify a certificate using CRL.

    :param cert_path:
    :return: True if certificate is valid, False otherwise
    :raise Exception: If certificate does not have CRL
    """
    with open(cert_path, 'rt') as c:
        cert = parse_certificate(c.read())

    distribution_points = cert.extensions.get_extension_for_oid(x509.OID_CRL_DISTRIBUTION_POINTS).value

    for p in distribution_points:
        point = p.full_name[0].value

        try:
            response = requests.get(point)

            if response.status_code != 200:
                raise Exception("Unable to retrieve CRL: {0}".format(point))
        except ConnectionError:
            raise Exception("Unable to retrieve CRL: {0}".format(point))

        crl = x509.load_der_x509_crl(response.content, backend=default_backend())

        for r in crl:
            if cert.serial == r.serial_number:
                return

    return True
예제 #12
0
def get_certificate_crls(
        certificate: x509.Certificate) -> List[x509.CertificateRevocationList]:
    """ Extract CRLs from given certificate. CRLs are not mandatory, so it's not a problem
    if for whatever reason they cannot be fetched or read at this exact moment.

    Args:
        certificate: SSL certificate of which CRLs will be retrieved from

    Returns:
        list of Certificate Revocation Lists
    """

    try:
        distribution_points = certificate.extensions.get_extension_for_oid(
            oid=x509.ExtensionOID.CRL_DISTRIBUTION_POINTS, )
    except x509.ExtensionNotFound:
        return []

    crl_urls = []
    for distribution_point in distribution_points.value:
        for crl in distribution_point.full_name:
            crl_urls.append(crl.value)

    crls = []
    for url in crl_urls:
        try:
            data = requests.get(url=url).content
            crl = x509.load_der_x509_crl(data=data)
        except (RequestException, ValueError) as e:
            logger.warning(f'Could not get the CRL from {url}: {e}')
        else:
            crls.append(crl)
    return crls
예제 #13
0
def crl_verify(cert, cert_path):
    """
    Attempts to verify a certificate using CRL.

    :param cert:
    :param cert_path:
    :return: True if certificate is valid, False otherwise
    :raise Exception: If certificate does not have CRL
    """
    try:
        distribution_points = cert.extensions.get_extension_for_oid(
            x509.OID_CRL_DISTRIBUTION_POINTS).value
    except x509.ExtensionNotFound:
        current_app.logger.debug("No CRLDP extension in certificate {}".format(
            cert.serial_number))
        return None

    for p in distribution_points:
        point = p.full_name[0].value

        if point not in crl_cache:
            current_app.logger.debug("Retrieving CRL: {}".format(point))
            try:
                response = requests.get(point)

                if response.status_code != 200:
                    raise Exception(
                        "Unable to retrieve CRL: {0}".format(point))
            except InvalidSchema:
                # Unhandled URI scheme (like ldap://); skip this distribution point.
                continue
            except ConnectionError:
                raise Exception("Unable to retrieve CRL: {0}".format(point))

            crl_cache[point] = x509.load_der_x509_crl(
                response.content, backend=default_backend())
        else:
            current_app.logger.debug("CRL point is cached {}".format(point))

        for r in crl_cache[point]:
            if cert.serial_number == r.serial_number:
                try:
                    reason = r.extensions.get_extension_for_class(
                        x509.CRLReason).value
                    # Handle "removeFromCRL" revoke reason as unrevoked;
                    # continue with the next distribution point.
                    # Per RFC 5280 section 6.3.3 (k):
                    #  https://tools.ietf.org/html/rfc5280#section-6.3.3
                    if reason == x509.ReasonFlags.remove_from_crl:
                        break
                except x509.ExtensionNotFound:
                    pass

                current_app.logger.debug("CRL reports certificate "
                                         "revoked: {}".format(
                                             cert.serial_number))
                return False

    return True
예제 #14
0
 def crl_verification(self):
     for value in self.crl.value:
         for full_name in value.full_name:
             request = requests.get(full_name.value)
             crl = x509.load_der_x509_crl(request.content,default_backend())
     if not crl:
         return True
     else: return False
예제 #15
0
 def load_crl_der(fn: str) -> CertificateRevocationList:
     crl_return = None
     if (fn and Path(fn).exists()):
         with open(fn, "rb") as file:
             data = file.read()
             if data and len(data) > 0:
                 crl_return = load_der_x509_crl(data, default_backend())
     return crl_return
예제 #16
0
    def test_serial(self) -> None:
        """Test passing an explicit serial."""

        stdout, stderr = self.cmd("cache_crls", self.ca.serial)
        self.assertEqual(stdout, "")
        self.assertEqual(stderr, "")

        key = get_crl_cache_key(self.ca.serial, hashes.SHA512(), Encoding.DER,
                                "ca")
        crl = x509.load_der_x509_crl(cache.get(key), default_backend())
        self.assertIsNotNone(crl)
        self.assertIsInstance(crl.signature_hash_algorithm, hashes.SHA512)

        key = get_crl_cache_key(self.ca.serial, hashes.SHA512(), Encoding.DER,
                                "user")
        crl = x509.load_der_x509_crl(cache.get(key), default_backend())
        self.assertIsNotNone(crl)
예제 #17
0
def is_certificate_revoked(serial_number, crl_url):
    r = requests.get(crl_url)
    try:
        crl = x509.load_der_x509_crl(r.content, default_backend())
    except ValueError as e:
        crl = x509.load_pem_x509_crl(r.content, default_backend())
    return crl.get_revoked_certificate_by_serial_number(
        serial_number) is not None
예제 #18
0
 def updateCRL(self, crl, url):
     filename = self.cache[url]["filename"]
     crl_object = x509.load_der_x509_crl(crl, default_backend())
     timestamp = crl_object.next_update.timestamp()
     self.cache[url] = {"timestamp": timestamp, "filename": filename}
     self.saveCRL(crl, filename)
     self.saveCRLDescription()
     return True
예제 #19
0
 def load_crl(self):
     crl_path = "../../../crl/"
     files = [f for f in os.scandir(crl_path)]
     crl = []
     for f in files:
         with open(f, "rb") as file:
             crlist = x509.load_der_x509_crl(file.read(), default_backend())
             crl.append(crlist)
     return crl
예제 #20
0
    def test_serial(self):
        """Test passing an explicit serial."""
        ca = self.cas['root']

        hash_cls = hashes.SHA512
        enc_cls = Encoding.DER
        stdout, stderr = self.cmd('cache_crls', ca.serial)
        self.assertEqual(stdout, '')
        self.assertEqual(stderr, '')

        key = get_crl_cache_key(ca.serial, hash_cls, enc_cls, 'ca')
        crl = x509.load_der_x509_crl(cache.get(key), default_backend())
        self.assertIsNotNone(crl)
        self.assertIsInstance(crl.signature_hash_algorithm, hash_cls)

        key = get_crl_cache_key(ca.serial, hash_cls, enc_cls, 'user')
        crl = x509.load_der_x509_crl(cache.get(key), default_backend())
        self.assertIsNotNone(crl)
예제 #21
0
 def _load_crl(self, crl_data, data_type):
     if data_type == "PEM":
         return x509.load_pem_x509_crl(crl_data, default_backend())
     elif data_type == "DER":
         return x509.load_der_x509_crl(crl_data, default_backend())
     else:
         raise InvalidCRLDataTypeException(
             'crl data type %s not recognized' % data_type)
     return None
예제 #22
0
def load_cert_revocation_list(filename,file_type):
    with open(filename, "rb") as pem_file:
        pem_data = pem_file.read()
        if file_type=="der":
            cert = x509.load_der_x509_crl(pem_data, default_backend())
        elif file_type=="pem":
            cert = x509.load_pem_x509_crl(pem_data, default_backend())

    return cert
예제 #23
0
파일: verify.py 프로젝트: Netflix/lemur 
def crl_verify(cert, cert_path):
    """
    Attempts to verify a certificate using CRL.

    :param cert:
    :param cert_path:
    :return: True if certificate is valid, False otherwise
    :raise Exception: If certificate does not have CRL
    """
    try:
        distribution_points = cert.extensions.get_extension_for_oid(
            x509.OID_CRL_DISTRIBUTION_POINTS
        ).value
    except x509.ExtensionNotFound:
        current_app.logger.debug("No CRLDP extension in certificate {}".format(cert.serial_number))
        return None

    for p in distribution_points:
        point = p.full_name[0].value

        if point not in crl_cache:
            current_app.logger.debug("Retrieving CRL: {}".format(point))
            try:
                response = requests.get(point)

                if response.status_code != 200:
                    raise Exception("Unable to retrieve CRL: {0}".format(point))
            except InvalidSchema:
                # Unhandled URI scheme (like ldap://); skip this distribution point.
                continue
            except ConnectionError:
                raise Exception("Unable to retrieve CRL: {0}".format(point))

            crl_cache[point] = x509.load_der_x509_crl(response.content,
                                                      backend=default_backend())
        else:
            current_app.logger.debug("CRL point is cached {}".format(point))

        for r in crl_cache[point]:
            if cert.serial_number == r.serial_number:
                try:
                    reason = r.extensions.get_extension_for_class(x509.CRLReason).value
                    # Handle "removeFromCRL" revoke reason as unrevoked;
                    # continue with the next distribution point.
                    # Per RFC 5280 section 6.3.3 (k):
                    #  https://tools.ietf.org/html/rfc5280#section-6.3.3
                    if reason == x509.ReasonFlags.remove_from_crl:
                        break
                except x509.ExtensionNotFound:
                    pass

                current_app.logger.debug("CRL reports certificate "
                                         "revoked: {}".format(cert.serial_number))
                return False

    return True
예제 #24
0
파일: base.py 프로젝트: tunfish/django-ca 
    def assertCRL(
            self,
            crl,
            expected=None,
            signer=None,
            expires=86400,  # pylint: disable=invalid-name
            algorithm=None,
            encoding=Encoding.PEM,
            idp=None,
            extensions=None,
            crl_number=0):
        """Test the given CRL.

        Parameters
        ----------

        crl : bytes
            The raw CRL
        expected : list
            List of CAs/certs to be expected in this CRL
        """
        expected = expected or []
        signer = signer or self.cas['child']
        algorithm = algorithm or ca_settings.CA_DIGEST_ALGORITHM
        extensions = extensions or []
        expires = datetime.utcnow() + timedelta(seconds=expires)

        if idp is not None:  # pragma: no branch
            extensions.append(idp)
        extensions.append(
            x509.Extension(value=x509.CRLNumber(crl_number=crl_number),
                           critical=False,
                           oid=ExtensionOID.CRL_NUMBER))
        extensions.append(
            x509.Extension(value=signer.get_authority_key_identifier(),
                           oid=ExtensionOID.AUTHORITY_KEY_IDENTIFIER,
                           critical=False))

        if encoding == Encoding.PEM:
            crl = x509.load_pem_x509_crl(crl, default_backend())
        else:
            crl = x509.load_der_x509_crl(crl, default_backend())

        self.assertIsInstance(crl.signature_hash_algorithm, type(algorithm))
        self.assertTrue(crl.is_signature_valid(signer.x509.public_key()))
        self.assertEqual(crl.issuer, signer.x509.subject)
        self.assertEqual(crl.last_update, datetime.utcnow())
        self.assertEqual(crl.next_update, expires)
        self.assertCountEqual(list(crl.extensions), extensions)

        entries = {e.serial_number: e for e in crl}
        expected = {c.x509.serial_number: c for c in expected}
        self.assertCountEqual(entries, expected)
        for entry in entries.values():
            self.assertEqual(entry.revocation_date, datetime.utcnow())
            self.assertEqual(list(entry.extensions), [])
예제 #25
0
def update_revoked_keys():
    from pki.models import RevokedCertificate
    crl = urllib.request.urlopen('http://crl.pki.gov.kz/rsa.crl')
    cert_crl = x509.load_der_x509_crl(crl.read(), default_backend())
    now = datetime.now()
    for r in cert_crl:
        if (now - r.revocation_date).days == 0:
            RevokedCertificate.objects.get_or_create(
                revocation_date=make_aware(r.revocation_date),
                serial_number=r.serial_number)
예제 #26
0
 def load_crl(self, crl_bytes):
     try:
         crl = x509.load_pem_x509_crl(crl_bytes, backend=default_backend())
         return crl
     except:
         try:
             crl = x509.load_der_x509_crl(crl_bytes,
                                          backend=default_backend())
             return crl
         except:
             return None
예제 #27
0
    def test_basic(self) -> None:
        """Test the basic command.

        Note: Without an explicit serial expired CAs are excluded, that's why we need @freeze_time().
        """

        stdout, stderr = self.cmd("cache_crls")
        self.assertEqual(stdout, "")
        self.assertEqual(stderr, "")

        for ca in self.new_cas.values():
            key = get_crl_cache_key(ca.serial, hashes.SHA512(), Encoding.DER,
                                    "ca")
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
            self.assertIsNotNone(crl)
            self.assertIsInstance(crl.signature_hash_algorithm, hashes.SHA512)

            key = get_crl_cache_key(ca.serial, hashes.SHA512(), Encoding.DER,
                                    "user")
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
            self.assertIsNotNone(crl)
예제 #28
0
    def test_basic(self):
        """Test the basic command.

        Note: Without an explicit serial expired CAs are excluded, that's why we need @freeze_time().
        """

        hash_cls = hashes.SHA512
        enc_cls = Encoding.DER
        stdout, stderr = self.cmd('cache_crls')
        self.assertEqual(stdout, '')
        self.assertEqual(stderr, '')

        for ca in self.cas.values():
            key = get_crl_cache_key(ca.serial, hash_cls, enc_cls, 'ca')
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
            self.assertIsNotNone(crl)
            self.assertIsInstance(crl.signature_hash_algorithm, hash_cls)

            key = get_crl_cache_key(ca.serial, hash_cls, enc_cls, 'user')
            crl = x509.load_der_x509_crl(cache.get(key), default_backend())
            self.assertIsNotNone(crl)
예제 #29
0
def revokated(lst):
    rl = []
    for i in range(4):
        i += 1
        f = open("crl/cc_ec_cidadao_crl00" + str(i) + "_crl.crl", "rb")
        data = f.read()
        crl = x509.load_der_x509_crl(data, default_backend())
        for x in crl:
            rl.append(x.serial_number)

    for x in lst:
        if x.serial_number in rl:
            return True
    return False
예제 #30
0
    def load_crl(self, path):
        """Loads CRLs from disk"""
        try:
            with os.scandir(path) as it:
                for entry in it:
                    if entry.name.endswith('crl') and entry.is_file():
                        with open(path + entry.name, 'rb') as f:
                            crl_data = f.read()
                            crl = x509.load_der_x509_crl(crl_data)
                            self.crls_list.append(crl)

                logger.info("Certicates loaded!")
        except:
            logger.error(
                "Could not read Path!Make sure to run this file on the /client directory"
            )
예제 #31
0
파일: verify.py 프로젝트: zeus911/lemur 
def crl_verify(cert_path):
    """
    Attempts to verify a certificate using CRL.

    :param cert_path:
    :return: True if certificate is valid, False otherwise
    :raise Exception: If certificate does not have CRL
    """
    with open(cert_path, 'rt') as c:
        cert = parse_certificate(c.read())

    distribution_points = cert.extensions.get_extension_for_oid(
        x509.OID_CRL_DISTRIBUTION_POINTS).value

    for p in distribution_points:
        point = p.full_name[0].value

        try:
            response = requests.get(point)

            if response.status_code != 200:
                raise Exception("Unable to retrieve CRL: {0}".format(point))
        except InvalidSchema:
            # Unhandled URI scheme (like ldap://); skip this distribution point.
            continue
        except ConnectionError:
            raise Exception("Unable to retrieve CRL: {0}".format(point))

        crl = x509.load_der_x509_crl(response.content,
                                     backend=default_backend())

        for r in crl:
            if cert.serial == r.serial_number:
                try:
                    reason = r.extensions.get_extension_for_class(
                        x509.CRLReason).value
                    # Handle "removeFromCRL" revoke reason as unrevoked; continue with the next distribution point.
                    # Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3
                    if reason == x509.ReasonFlags.remove_from_crl:
                        break
                except x509.ExtensionNotFound:
                    pass

                return

    return True
예제 #32
0
    def addCRLToDescription(self, crl, url):

        crl_object = x509.load_der_x509_crl(crl, default_backend())

        # Index of filename
        if len(self.cache) == 0:
            self.cache["global"] = {"index": 1}

        # Create filename and update the index
        filename = str(self.cache["global"]["index"]) + ".crl"
        self.cache["global"]["index"] += 1

        timestamp = crl_object.next_update.timestamp()

        self.cache[url] = {"filename": filename, "timestamp": timestamp}
        self.saveCRL(crl, filename)
        self.saveCRLDescription()
        return True
예제 #33
0
    def status(self, ca):
        # When the local node is not a CA, return "disabled"
        if not self.check_local_ca_instance():
            print("CRL generation: disabled")
            return

        # Local node is a CA, check its configuration
        if ca.is_crlgen_enabled():
            print("CRL generation: enabled")
            try:
                crl_filename = os.path.join(paths.PKI_CA_PUBLISH_DIR,
                                            'MasterCRL.bin')
                with open(crl_filename, 'rb') as f:
                    crl = x509.load_der_x509_crl(f.read(), default_backend())
                    print("Last CRL update: {}".format(crl.last_update))
                    for ext in crl.extensions:
                        if ext.oid == x509.oid.ExtensionOID.CRL_NUMBER:
                            print("Last CRL Number: {}".format(
                                ext.value.crl_number))
            except IOError:
                logger.error("Unable to find last CRL")
        else:
            print("CRL generation: disabled")
예제 #34
0
#!/usr/bin/env python3

"""
    Procesado de una lista CRL
"""

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes

crl_pem = open("crl_der.crt", "rb").read()
crl = x509.load_der_x509_crl(crl_pem, default_backend())

print("Numero de Certificados revocados: %d" % len(crl))

print("Serial\t\t\t\t\tFecha Revocación")
for cert in crl:
    print("%s\t%s" % (cert.serial_number, str(cert.revocation_date)))