Пример #1
0
    def test_load_crl_string(self):
        f = open('tests/crl_data/certs/revoking_crl.pem')
        data = f.read()
        f.close()
        crl = X509.load_crl_string(data)
        self.assertIsInstance(crl, X509.CRL)

        ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
        ca_issuer = ca.get_issuer()
        crl_issuer = crl.get_issuer()
        self.assertEqual(ca_issuer.as_hash(), crl_issuer.as_hash())
Пример #2
0
    def test_load_crl_string(self):
        f = open('tests/crl_data/certs/revoking_crl.pem')
        data = f.read()
        f.close()
        crl = X509.load_crl_string(data)
        self.assertIsInstance(crl, X509.CRL)

        ca = X509.load_cert("tests/crl_data/certs/revoking_ca.pem")
        ca_issuer = ca.get_issuer()
        crl_issuer = crl.get_issuer()
        self.assertEqual(ca_issuer.as_hash(), crl_issuer.as_hash())
Пример #3
0
    def validate_certificate_pem(self, cert_pem, ca_pem, crl_pems=None, check_crls=True, crl_dir=None, log_func=None):
        '''
        Validates a certificate against a CA certificate and CRLs if they exist.
        Input expects PEM encoded strings.

        @param cert_pem: PEM encoded certificate
        @type  cert_pem: str

        @param ca_pem: PEM encoded CA certificates, allows chain of CA certificates if concatenated together
        @type  ca_pem: str

        @param crl_pems: List of CRLs, each CRL is a PEM encoded string
        @type  crl_pems: List[str]

        @param check_crls: Defaults to True, if False will skip CRL check
        @type  check_crls: boolean

        @param crl_dir: Path to search for CRLs, default is None which defaults to configuration file parameter
        @type  crl_dir: str

        @param log_func: a function to log debug messages
        @param log_func: a function accepting a single string

        @return: true if the certificate was signed by the given CA; false otherwise
        @rtype:  boolean
        '''
        if not log_func:
            log_func = LOG.info
        cert = X509.load_cert_string(cert_pem)
        if not M2CRYPTO_HAS_CRL_SUPPORT:
            # Will only be able to use first CA from the ca_pem if it was a chain
            ca_cert = X509.load_cert_string(ca_pem)
            return cert.verify(ca_cert.get_pubkey())
        ca_chain = self.get_certs_from_string(ca_pem, log_func)
        crl_stack = X509.CRL_Stack()
        if check_crls:
            for ca in ca_chain:
                ca_hash = ca.get_issuer().as_hash()
                stack = self.get_crl_stack(ca_hash, crl_dir=crl_dir)
                for c in stack:
                    crl_stack.push(c)
            if crl_pems:
                for c in crl_pems:
                    crl_stack.push(X509.load_crl_string(c))
        return self.x509_verify_cert(cert, ca_chain, crl_stack, log_func=log_func)