我正在开发一个Python 3.4应用程序组件,该组件检查其CA提供的CRL中是否存在URL的证书。我正在使用加密程序包加载证书以及CRL。下面是代码部分;
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.x509.oid import ExtensionOID
from cryptography.x509.oid import NameOID
import urllib.request
URL = "www.xxx.com"
cert_str = ssl.get_server_certificate((URL,443))
pem_data = cert_str.encode()
cert = x509.load_pem_x509_certificate(pem_data, default_backend())
crlDistrPoints = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
crlURL = crlDistrPoints.value.full_name[0].value
crlFile = "/path...."
urllib.request.urlretrieve(crlURL,crlFile) # downloading a .crl file and save as crlFile
# Need to convert a crlFile to PEM format for pem_crl_data below
crl = x509.load_pem_x509_crl(pem_crl_data, default_backend())
该代码从站点“ crlURL”下载一个CRL文件,并将其存储为crlFile。该文件的扩展名为.crl。该文件必须转换为PEM格式(并分配给pem_crl_data)才能获取crl对象“ crl”。如何进行转换(甚至不保存本地文件)?
答案 0 :(得分:0)
使用pyOpenSSL中的加密模块:
from OpenSSL import crypto
然后使用这段代码:
with open(crlFile, "rb") as in_file:
crl_obj = crypto.load_crl(crypto.FILETYPE_ASN1, in_file.read())
pem_crl_data = crypto.dump_crl(crypto.FILETYPE_PEM, crl_obj)