author | Christian Poessinger <christian@poessinger.com> | 2022-02-19 10:35:55 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-19 10:35:55 +0100 |
commit | ae65ff7cc62959608d190923737283480398277d (patch) | |
tree | 88a6fee64eec7e677f88181af19bab4295c73845 /python | |
parent | 4829307f01c1a90c90173b2c2c6e538aec82c6f0 (diff) | |
parent | 3d1b34bf715e594aa4a013d409bfcc5a4c4ad99c (diff) | |
Merge pull request #1227 from chenxiaolong/T4245
pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM files
Diffstat (limited to 'python')
-rw-r--r-- | python/vyos/pki.py | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/python/vyos/pki.py b/python/vyos/pki.py
index 68ad73bf2..0b916eaae 100644
--- a/python/vyos/pki.py
+++ b/python/vyos/pki.py
@@ -331,3 +331,29 @@ def verify_certificate(cert, ca_cert):
 return True
 except InvalidSignature:
 return False
+
+# Certificate chain
+
+def find_parent(cert, ca_certs):
+ for ca_cert in ca_certs:
+ if verify_certificate(cert, ca_cert):
+ return ca_cert
+ return None
+
+def find_chain(cert, ca_certs):
+ remaining = ca_certs.copy()
+ chain = [cert]
+
+ while remaining:
+ parent = find_parent(chain[-1], remaining)
+ if parent is None:
+ # No parent in the list of remaining certificates or there's a circular dependency
+ break
+ elif parent == chain[-1]:
+ # Self-signed: must be root CA (end of chain)
+ break
+ else:
+ remaining.remove(parent)
+ chain.append(parent)
+
+ return chain |
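Review bot: `find_chain` returns whatever prefix it managed to build, so a caller cannot tell a chain that ends at a self-signed root from one that stopped at the `parent is None` break because an intermediate was missing from `ca_certs`. Judging only by the visible tail of `verify_certificate` (its body starts outside the hunk), parent matching appears to be a signature check; nothing in this hunk looks at validity dates or the CA basic constraint, so the result is an ordering of certificates for the PEM file rather than a validated path. Neither new function has a docstring, and I would state both points there, e.g. `"""Return [cert, issuer, ...] ordered leaf-first; may be incomplete and is not a trust validation."""`. Callers (not shown here) that write the wpa_supplicant files could then warn when the last element of the returned list is not self-signed instead of silently emitting a truncated chain.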