author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-29 02:28:00 +0200 |
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-29 17:13:53 +0200 |
commit | efd956f912b84c8df8902d56e16f22cbd90efdd0 (patch) | |
tree | bba35e415994343ebd7fec756417fb5176fa88c2 /python | |
parent | 0d5ac59894ae7c10bd9d69047fa7098de66f835f (diff) | |
openvpn: T4485: Update PKI migrator to handle full CA chain migration
* Also determines the correct CA for a migrated CRL and maps the CRL to it
Diffstat (limited to 'python')
-rw-r--r-- | python/vyos/pki.py | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/python/vyos/pki.py b/python/vyos/pki.py
index 648064a3a..cd15e3878 100644
--- a/python/vyos/pki.py
+++ b/python/vyos/pki.py
@@ -332,6 +332,35 @@ def verify_certificate(cert, ca_cert):
 except InvalidSignature:
 return False
+def verify_crl(crl, ca_cert):
+ # Verify CRL was signed by specified CA
+ if ca_cert.subject != crl.issuer:
+ return False
+
+ ca_public_key = ca_cert.public_key()
+ try:
+ if isinstance(ca_public_key, rsa.RSAPublicKeyWithSerialization):
+ ca_public_key.verify(
+ crl.signature,
+ crl.tbs_certlist_bytes,
+ padding=padding.PKCS1v15(),
+ algorithm=crl.signature_hash_algorithm)
+ elif isinstance(ca_public_key, dsa.DSAPublicKeyWithSerialization):
+ ca_public_key.verify(
+ crl.signature,
+ crl.tbs_certlist_bytes,
+ algorithm=crl.signature_hash_algorithm)
+ elif isinstance(ca_public_key, ec.EllipticCurvePublicKeyWithSerialization):
+ ca_public_key.verify(
+ crl.signature,
+ crl.tbs_certlist_bytes,
+ signature_algorithm=ec.ECDSA(crl.signature_hash_algorithm))
+ else:
+ return False # We cannot verify it
+ return True
+ except InvalidSignature:
+ return False
+
 def verify_ca_chain(sorted_names, pki_node):
 if len(sorted_names) == 1: # Single cert, no chain
 return True |
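Review bot: `verify_crl` catches only `InvalidSignature`, but `crl.signature_hash_algorithm`, evaluated in every branch before `verify` runs, raises `cryptography.exceptions.UnsupportedAlgorithm` for a CRL whose signature algorithm the library cannot map to a hash (RSA-PSS on older releases, for instance), so such a CRL would abort the PKI migrator with a traceback instead of being reported as unverifiable. Widening the handler to `except (InvalidSignature, UnsupportedAlgorithm):` keeps the function fail-closed, which is what the `else: return False  # We cannot verify it` branch already does for unknown key types; `UnsupportedAlgorithm` would need to be imported next to `InvalidSignature` at the top of the file, outside this hunk. The issuer check on the first line is name matching only: it does not confirm the CA certificate carries the cRLSign key usage or that the CRL's next_update has not passed, so a `True` result should be read as "signed by this CA" and nothing more; a docstring stating that contract would help callers, e.g. `"""Return True iff crl's issuer name matches ca_cert's subject and its signature verifies under ca_cert's key; no key-usage or freshness checks."""`. The `*WithSerialization` class names are, as far as I recall, deprecated aliases in recent cryptography releases, so mirroring whatever `verify_certificate` above uses is fine for now but worth revisiting together.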