summaryrefslogtreecommitdiff
path: root/python
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-02-19 10:35:55 +0100
committerGitHub <noreply@github.com>2022-02-19 10:35:55 +0100
commitae65ff7cc62959608d190923737283480398277d (patch)
tree88a6fee64eec7e677f88181af19bab4295c73845 /python
parent4829307f01c1a90c90173b2c2c6e538aec82c6f0 (diff)
parent3d1b34bf715e594aa4a013d409bfcc5a4c4ad99c (diff)
downloadvyos-1x-ae65ff7cc62959608d190923737283480398277d.tar.gz
vyos-1x-ae65ff7cc62959608d190923737283480398277d.zip
Merge pull request #1227 from chenxiaolong/T4245
pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM files
Diffstat (limited to 'python')
-rw-r--r--python/vyos/pki.py26
1 files changed, 26 insertions, 0 deletions
diff --git a/python/vyos/pki.py b/python/vyos/pki.py
index 68ad73bf2..0b916eaae 100644
--- a/python/vyos/pki.py
+++ b/python/vyos/pki.py
@@ -331,3 +331,29 @@ def verify_certificate(cert, ca_cert):
return True
except InvalidSignature:
return False
+
+# Certificate chain
+
+def find_parent(cert, ca_certs):
+ for ca_cert in ca_certs:
+ if verify_certificate(cert, ca_cert):
+ return ca_cert
+ return None
+
+def find_chain(cert, ca_certs):
+ remaining = ca_certs.copy()
+ chain = [cert]
+
+ while remaining:
+ parent = find_parent(chain[-1], remaining)
+ if parent is None:
+ # No parent in the list of remaining certificates or there's a circular dependency
+ break
+ elif parent == chain[-1]:
+ # Self-signed: must be root CA (end of chain)
+ break
+ else:
+ remaining.remove(parent)
+ chain.append(parent)
+
+ return chain