Example #1
  def Verify(self, public_key):
    """Check this blob's signature with the supplied public key.

    Only SHA256 digests and the RSA_PKCS1v15 / RSA_PSS signature types are
    accepted; any other value is rejected before the key is consulted.

    Args:
      public_key: Key object whose Verify(data, signature) method performs the
        actual signature check.

    Returns:
      True when verification succeeds. This method never returns False; every
      failure is reported by raising, so callers must not swallow the error.

    Raises:
      rdfvalue.DecodeError: if the digest or signature type is unsupported, or
        if the key raises InvalidSignature.
    """
    if self.digest_type != self.HashType.SHA256:
      raise rdfvalue.DecodeError("Unsupported digest.")

    accepted_schemes = (
        self.SignatureType.RSA_PKCS1v15,
        self.SignatureType.RSA_PSS,
    )
    if self.signature_type not in accepted_schemes:
      raise rdfvalue.DecodeError("Unsupported signature type.")

    # NOTE(review): digest_type and signature_type are validated above, but
    # neither is passed to public_key.Verify. This method therefore does not
    # itself tie the declared scheme to the check the key performs -- confirm
    # that the key object enforces the expected padding and hash.
    try:
      public_key.Verify(self.data, self.signature)
    except InvalidSignature as err:
      # Only InvalidSignature is translated; any other exception from the key
      # propagates to the caller unchanged.
      failure = "Could not verify blob. Error: %s" % err
      raise rdfvalue.DecodeError(failure)
    else:
      return True
Example #2
  def GetCN(self):
    """Return the value of the certificate subject's single Common Name.

    Returns:
      The value of the one COMMON_NAME attribute found in the subject.

    Raises:
      rdfvalue.DecodeError: if the subject carries more than one CN attribute
        or none at all.
    """
    # NOTE(review): this only reads the subject field. Nothing in this method
    # checks the certificate's signature or issuer, so the returned CN is only
    # as trustworthy as validation done elsewhere -- confirm callers verify
    # the certificate before relying on this name.
    cert_subject = self._value.subject
    try:
      cn_entries = cert_subject.get_attributes_for_oid(
          oid.NameOID.COMMON_NAME)
      # Multiple CNs are rejected outright rather than silently picking one.
      if len(cn_entries) > 1:
        raise rdfvalue.DecodeError("Cert has more than 1 CN entries.")
      sole_entry = cn_entries[0]
    except IndexError:
      # An empty attribute list makes the [0] lookup fail: there is no CN.
      raise rdfvalue.DecodeError("Cert has no CN")

    return sole_entry.value
Example #3
 def ParseFromString(self, string):
   """Load a PEM-encoded X.509 certificate into this object.

   Args:
     string: The PEM data handed to x509.load_pem_x509_certificate.

   Raises:
     rdfvalue.DecodeError: if the loader raises ValueError or TypeError, or
       (via GetCN) if the certificate does not have exactly one CN entry.
   """
   try:
     parsed_cert = x509.load_pem_x509_certificate(
         string, backend=openssl.backend)
   except (ValueError, TypeError) as err:
     # NOTE(review): the raw input is interpolated into the message in full.
     # If this data can come from an untrusted peer, the error text (and any
     # log line built from it) carries attacker-chosen content of unbounded
     # size -- consider truncating or omitting it.
     raise rdfvalue.DecodeError(
         "Invalid certificate %s: %s" % (string, err))
   self._value = parsed_cert
   # This can also raise if there isn't exactly one CN entry.
   # NOTE(review): self._value is already assigned at this point, so when
   # GetCN raises the object still holds the rejected certificate -- confirm
   # no caller keeps using the instance after catching the error.
   self.GetCN()