summaryrefslogtreecommitdiff
path: root/python/vyos
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-06-29 02:28:00 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-06-29 17:13:53 +0200
commitefd956f912b84c8df8902d56e16f22cbd90efdd0 (patch)
treebba35e415994343ebd7fec756417fb5176fa88c2 /python/vyos
parent0d5ac59894ae7c10bd9d69047fa7098de66f835f (diff)
downloadvyos-1x-efd956f912b84c8df8902d56e16f22cbd90efdd0.tar.gz
vyos-1x-efd956f912b84c8df8902d56e16f22cbd90efdd0.zip
openvpn: T4485: Update PKI migrator to handle full CA chain migration
* Also determines and maps to correct CA for migrated CRL
Diffstat (limited to 'python/vyos')
-rw-r--r--python/vyos/pki.py29
1 files changed, 29 insertions, 0 deletions
diff --git a/python/vyos/pki.py b/python/vyos/pki.py
index 648064a3a..cd15e3878 100644
--- a/python/vyos/pki.py
+++ b/python/vyos/pki.py
@@ -332,6 +332,35 @@ def verify_certificate(cert, ca_cert):
except InvalidSignature:
return False
+def verify_crl(crl, ca_cert):
+ # Verify CRL was signed by specified CA
+ if ca_cert.subject != crl.issuer:
+ return False
+
+ ca_public_key = ca_cert.public_key()
+ try:
+ if isinstance(ca_public_key, rsa.RSAPublicKeyWithSerialization):
+ ca_public_key.verify(
+ crl.signature,
+ crl.tbs_certlist_bytes,
+ padding=padding.PKCS1v15(),
+ algorithm=crl.signature_hash_algorithm)
+ elif isinstance(ca_public_key, dsa.DSAPublicKeyWithSerialization):
+ ca_public_key.verify(
+ crl.signature,
+ crl.tbs_certlist_bytes,
+ algorithm=crl.signature_hash_algorithm)
+ elif isinstance(ca_public_key, ec.EllipticCurvePublicKeyWithSerialization):
+ ca_public_key.verify(
+ crl.signature,
+ crl.tbs_certlist_bytes,
+ signature_algorithm=ec.ECDSA(crl.signature_hash_algorithm))
+ else:
+ return False # We cannot verify it
+ return True
+ except InvalidSignature:
+ return False
+
def verify_ca_chain(sorted_names, pki_node):
if len(sorted_names) == 1: # Single cert, no chain
return True