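def test_load_crl_string(self):
    """Load a PEM CRL from a string and check it was issued by the matching CA.

    Reads ``revoking_crl.pem`` into memory, parses it with
    ``X509.load_crl_string`` and asserts the result is an ``X509.CRL``.
    Then loads ``revoking_ca.pem`` and compares the hash of the CA's
    issuer name with the hash of the CRL's issuer name.
    """
    # The context manager guarantees the handle is closed even if read()
    # raises; the open()/read()/close() sequence leaked it on error.
    with open('tests/crl_data/certs/revoking_crl.pem') as crl_file:
        data = crl_file.read()
    crl = X509.load_crl_string(data)
    self.assertIsInstance(crl, X509.CRL)

    ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
    # NOTE(review): this compares the CA's *issuer* hash with the CRL's
    # issuer hash, which only coincide for a self-signed CA; for an
    # intermediate CA the CRL issuer equals the CA's *subject* -- confirm
    # the fixture CA is self-signed.
    self.assertEqual(ca.get_issuer().as_hash(), crl.get_issuer().as_hash())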
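def validate_certificate_pem(self, cert_pem, ca_pem, crl_pems=None, check_crls=True, crl_dir=None, log_func=None):
    '''
    Validates a certificate against a CA certificate and CRLs if they exist.
    Input expects PEM encoded strings.

    @param cert_pem: PEM encoded certificate
    @type cert_pem: str
    @param ca_pem: PEM encoded CA certificates, allows chain of CA certificates if concatenated together
    @type ca_pem: str
    @param crl_pems: List of CRLs, each CRL is a PEM encoded string
    @type crl_pems: List[str]
    @param check_crls: Defaults to True, if False will skip CRL check
    @type check_crls: boolean
    @param crl_dir: Path to search for CRLs, default is None which defaults to configuration file parameter
    @type crl_dir: str
    @param log_func: a function to log debug messages
    @type log_func: a function accepting a single string
    @return: true if the certificate was signed by the given CA; false otherwise
    @rtype: boolean
    '''
    if not log_func:
        log_func = LOG.info
    cert = X509.load_cert_string(cert_pem)

    if not M2CRYPTO_HAS_CRL_SUPPORT:
        # Fallback for M2Crypto builds without CRL support: only the first
        # certificate in ca_pem is parsed, and X509.verify() checks the
        # certificate's signature against that key -- no chain building,
        # no validity-period check and no revocation check happen on this
        # path. bool() keeps the documented boolean return type (verify()
        # yields an int).
        ca_cert = X509.load_cert_string(ca_pem)
        return bool(cert.verify(ca_cert.get_pubkey()))

    ca_chain = self.get_certs_from_string(ca_pem, log_func)
    crl_stack = X509.CRL_Stack()
    if check_crls:
        # Gather CRLs from the CRL directory for every CA in the chain,
        # then any CRLs the caller supplied inline.
        for ca in ca_chain:
            # NOTE(review): CRLs are looked up by the CA's *issuer* hash,
            # which equals its subject hash only for a self-signed CA --
            # confirm what key get_crl_stack expects for intermediate CAs.
            ca_hash = ca.get_issuer().as_hash()
            for crl in self.get_crl_stack(ca_hash, crl_dir=crl_dir):
                crl_stack.push(crl)
        # NOTE(review): inline crl_pems are ignored too when check_crls is
        # False -- confirm that is the intended contract.
        if crl_pems:
            for crl_pem in crl_pems:
                crl_stack.push(X509.load_crl_string(crl_pem))
    return self.x509_verify_cert(cert, ca_chain, crl_stack, log_func=log_func)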