From efd956f912b84c8df8902d56e16f22cbd90efdd0 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Wed, 29 Jun 2022 02:28:00 +0200
Subject: openvpn: T4485: Update PKI migrator to handle full CA chain migration

* Also determines and maps to correct CA for migrated CRL
---
 python/vyos/pki.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

(limited to 'python/vyos/pki.py')

diff --git a/python/vyos/pki.py b/python/vyos/pki.py
index 648064a3a..cd15e3878 100644
--- a/python/vyos/pki.py
+++ b/python/vyos/pki.py
@@ -332,6 +332,35 @@ def verify_certificate(cert, ca_cert):
     except InvalidSignature:
         return False
 
+def verify_crl(crl, ca_cert):
+    # Verify CRL was signed by specified CA
+    if ca_cert.subject != crl.issuer:
+        return False
+
+    ca_public_key = ca_cert.public_key()
+    try:
+        if isinstance(ca_public_key, rsa.RSAPublicKeyWithSerialization):
+            ca_public_key.verify(
+                crl.signature,
+                crl.tbs_certlist_bytes,
+                padding=padding.PKCS1v15(),
+                algorithm=crl.signature_hash_algorithm)
+        elif isinstance(ca_public_key, dsa.DSAPublicKeyWithSerialization):
+            ca_public_key.verify(
+                crl.signature,
+                crl.tbs_certlist_bytes,
+                algorithm=crl.signature_hash_algorithm)
+        elif isinstance(ca_public_key, ec.EllipticCurvePublicKeyWithSerialization):
+            ca_public_key.verify(
+                crl.signature,
+                crl.tbs_certlist_bytes,
+                signature_algorithm=ec.ECDSA(crl.signature_hash_algorithm))
+        else:
+            return False # We cannot verify it
+        return True
+    except InvalidSignature:
+        return False
+
 def verify_ca_chain(sorted_names, pki_node):
     if len(sorted_names) == 1: # Single cert, no chain
         return True
-- 
cgit v1.2.3