我正在尝试使用 Python 的 cryptography 库（https://cryptography.io/）将其他证书添加到现有 CRL 中。查看文档中的 CRL 构建器后，我没有看到"加载现有 CRL，用 add_revoked_certificate(revoked_certificate) 添加新条目，然后重新签署 CRL"的方法。
add_revoked_certificate(revoked_certificate)
的文档中提到:
revoked_certificate – RevokedCertificate 的实例。这些实例可以从现有 CRL 中获得，或者用 RevokedCertificateBuilder 构建。
这使我相信没有现成的方式可以就地更新 CRL（CRL 本身是经过签名的对象，任何改动都必须用 CA 私钥重新签名），但我只是想确认自己没有遗漏什么。
顺便一提，我当前的代码如下，我以注释的形式插入了伪代码来说明我想要执行的操作。
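def revoke_cert(cert_revocation_list_pem, cert_pem, private_key_pem=None, password=None):
    """Return a PEM CRL that lists ``cert_pem`` as revoked in addition to every
    entry already present in ``cert_revocation_list_pem``.

    A CRL is a signed object, so an entry cannot be appended to it in place.
    Instead the existing entries are copied into a new
    ``CertificateRevocationListBuilder``, the new entry is added, and the result
    is re-signed with the issuing CA's private key.

    Args:
        cert_revocation_list_pem: str, PEM-encoded CRL currently published by the CA.
        cert_pem: str, PEM-encoded certificate to revoke.
        private_key_pem: str, PEM-encoded private key of the CA that signed the
            existing CRL.  It is required for signing; it is optional in the
            signature only so that old two-argument callers fail loudly instead
            of silently receiving a CRL that does not contain the revocation.
        password: optional bytes passphrase for an encrypted ``private_key_pem``.

    Returns:
        bytes, the new CRL in PEM encoding.  ``nextUpdate`` is set one day from
        now, matching ``build_crl``; adjust if your CRL publication interval
        differs.

    Raises:
        ValueError: if ``private_key_pem`` is missing, or if the existing CRL's
            signature does not verify with the supplied key.

    NOTE(review): extensions of the old CRL (e.g. cRLNumber) are not carried
    over; add them with ``builder.add_extension(...)`` if you rely on them.
    """
    from datetime import timezone  # local import: the file's import block is not visible here

    if private_key_pem is None:
        raise ValueError(
            "private_key_pem is required: a CRL must be re-signed after it is changed"
        )

    # Load the current CRL, the certificate to revoke and the CA signing key.
    cert_revocation_list = x509.load_pem_x509_crl(
        cert_revocation_list_pem.encode("ascii"), default_backend()
    )
    cert = x509.load_pem_x509_certificate(cert_pem.encode("ascii"), default_backend())
    ca_key = serialization.load_pem_private_key(
        private_key_pem.encode("ascii"), password=password, backend=default_backend()
    )

    # Refuse to re-sign a CRL that this key did not produce.  Copying entries
    # from an unverified CRL and signing them would launder a tampered file
    # (e.g. one with a revocation removed) into a validly signed CRL.
    if not cert_revocation_list.is_signature_valid(ca_key.public_key()):
        raise ValueError("existing CRL signature does not verify with the supplied CA key")

    # X.509 times are UTC; datetime.today() is local wall-clock time and would
    # skew thisUpdate/revocationDate by the local UTC offset.
    now = datetime.now(timezone.utc)

    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(cert_revocation_list.issuer)
        .last_update(now)
        .next_update(now + timedelta(days=1))
    )
    # Carry over every existing entry; a CRL object is iterable over its
    # RevokedCertificate entries and they can be added to the builder as-is.
    for entry in cert_revocation_list:
        builder = builder.add_revoked_certificate(entry)

    # Only add the new entry if the serial is not listed yet, so revoking the
    # same certificate twice does not produce duplicate entries.
    if cert_revocation_list.get_revoked_certificate_by_serial_number(cert.serial_number) is None:
        revoked_cert = (
            x509.RevokedCertificateBuilder()
            .revocation_date(now)
            .serial_number(cert.serial_number)
            .build(default_backend())
        )
        builder = builder.add_revoked_certificate(revoked_cert)

    new_crl = builder.sign(
        private_key=ca_key, algorithm=hashes.SHA256(), backend=default_backend()
    )
    return new_crl.public_bytes(encoding=serialization.Encoding.PEM)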
一如既往,感谢您的帮助!
编辑:
我最终添加了第三个参数来接受要撤销的证书列表。
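def build_crl(cert_authority_pem, private_key_pem, certs_to_revoke=None):
    """Build and sign a fresh CRL for the given CA.

    Args:
        cert_authority_pem: str, PEM-encoded certificate of the issuing CA.
        private_key_pem: str, PEM-encoded, unencrypted private key matching
            that certificate (``password=None`` is passed to the loader).
        certs_to_revoke: optional iterable of ``x509.RevokedCertificate``
            entries to list, taken from an existing CRL or built with
            ``RevokedCertificateBuilder``.  ``None`` or an empty iterable yields
            an empty -- but still valid and signed -- CRL.

    Returns:
        bytes, the signed CRL in PEM encoding, with ``nextUpdate`` one day from
        now.

    NOTE(review): RFC 5280 requires conforming CRL issuers to include a
    cRLNumber extension; this builder does not add one.  Add
    ``builder.add_extension(x509.CRLNumber(n), critical=False)`` with a
    monotonically increasing ``n`` if strict conformance is needed.
    """
    from datetime import timezone  # local import: the file's import block is not visible here

    # Load our CA cert and key.
    root_cert = x509.load_pem_x509_certificate(
        cert_authority_pem.encode("ascii"), default_backend()
    )
    root_key = serialization.load_pem_private_key(
        private_key_pem.encode("ascii"), password=None, backend=default_backend()
    )

    # X.509 times are UTC; datetime.today() is local wall-clock time and would
    # skew thisUpdate/nextUpdate by the local UTC offset.
    now = datetime.now(timezone.utc)

    builder = (
        x509.CertificateRevocationListBuilder()
        # The CRL issuer is the CA's own name, i.e. the *subject* of its
        # certificate.  ``root_cert.issuer`` coincides with it only for a
        # self-signed root; for an intermediate CA it would name the parent
        # and relying parties would reject the CRL as not issued by this CA.
        .issuer_name(root_cert.subject)
        .last_update(now)
        .next_update(now + timedelta(days=1))
    )
    for revoked_cert in certs_to_revoke or ():
        builder = builder.add_revoked_certificate(revoked_cert)

    cert_revocation_list = builder.sign(
        private_key=root_key, algorithm=hashes.SHA256(), backend=default_backend()
    )
    return cert_revocation_list.public_bytes(encoding=serialization.Encoding.PEM)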
答案 0 :(得分:0)
这是一个使用 cryptography 库更新现有 CRL 的完整示例（把旧条目复制到新的构建器中并重新签名）：example
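# cert you want to revoke
with open("openssl/client1.crt", "rb") as f:
    cert_to_revoke = x509.load_pem_x509_certificate(f.read(), backend=default_backend())

# CA certificate and private key that will sign the new CRL
with open("openssl/ca.crt", "rb") as f:
    ca_crt = x509.load_pem_x509_certificate(f.read(), default_backend())
with open("openssl/ca.key", "rb") as f:
    # NOTE: the passphrase is hard-coded for the example only.  In real use read it
    # from a secret store or prompt for it (getpass); never keep it in source control.
    ca_key = serialization.load_pem_private_key(
        f.read(), password=b"test", backend=default_backend()
    )

# load the existing crl
with open("openssl/ca.crl", "rb") as f:
    crl = x509.load_pem_x509_crl(f.read(), backend=default_backend())

# Do not copy entries from a CRL we cannot verify: if the on-disk file had been
# tampered with (e.g. a revocation removed), re-signing its contents would launder
# it into a CRL that carries a valid CA signature.
if not crl.is_signature_valid(ca_key.public_key()):
    raise ValueError("openssl/ca.crl is not signed by the key in openssl/ca.key")
if crl.issuer != ca_crt.subject:
    raise ValueError("openssl/ca.crl was not issued by the CA in openssl/ca.crt")

# X.509 times are UTC; use an aware UTC timestamp rather than local wall-clock time.
now = datetime.datetime.now(datetime.timezone.utc)

# generate a new crl object.  thisUpdate must be *now*: reusing crl.last_update
# would publish a new CRL that claims to have been issued at the old time, so
# relying parties could treat it as stale or prefer a cached copy.
builder = (
    x509.CertificateRevocationListBuilder()
    .issuer_name(ca_crt.subject)
    .last_update(now)
    .next_update(now + datetime.timedelta(days=1))
)

# carry over every entry already in the file (a CRL iterates over its RevokedCertificate entries)
for entry in crl:
    builder = builder.add_revoked_certificate(entry)

# add the new entry only if the serial is not already listed (lookup returns None when absent)
if crl.get_revoked_certificate_by_serial_number(cert_to_revoke.serial_number) is None:
    revoked_cert = (
        x509.RevokedCertificateBuilder()
        .serial_number(cert_to_revoke.serial_number)
        .revocation_date(now)
        .build(backend=default_backend())
    )
    builder = builder.add_revoked_certificate(revoked_cert)

# sign first, then overwrite the file, so a signing failure leaves the old CRL intact
cert_revocation_list = builder.sign(
    private_key=ca_key, algorithm=hashes.SHA256(), backend=default_backend()
)
with open("openssl/ca.crl", "wb") as f:
    f.write(cert_revocation_list.public_bytes(serialization.Encoding.PEM))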