ruben/sort_certificate
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add option to also include root certificate, for e.g. ldns-dane processing

Browse Source
This commit is contained in:
Ruben van Staveren 2020-03-30 11:16:07 +02:00
parent 22a2549294
commit 53d97c30c2
Failed to extract signature
1 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
sort_certificate.py
View File

@ -116,6 +116,14 @@ def match_cert_privkey(cert, priv):
return get_pub_modulus(cert) == get_priv_modulus(priv) return get_pub_modulus(cert) == get_priv_modulus(priv)
def find_root(x509_objects, root_issuers):
'''
Find a suitable anchor by finding the intermediate that was signed by root
'''
root_cert = root_issuers[str(x509_objects[-1].get_issuer())]
logging.debug('Retrieved root certificate %s', root_cert.get_subject())
return root_cert
def find_intermediate_root(x509_objects, root_issuers): def find_intermediate_root(x509_objects, root_issuers):
''' '''
Find a suitable anchor by finding the intermediate that was signed by root Find a suitable anchor by finding the intermediate that was signed by root
@ -146,7 +154,7 @@ def order_x509(x509_objects, root_issuers):
root_crt = [x for x in x509_objects if x.get_subject() == x.get_issuer()] root_crt = [x for x in x509_objects if x.get_subject() == x.get_issuer()]
if root_crt: if root_crt:
root_crt = x509_objects.pop(x509_objects.index(root_crt[0])) root_crt = x509_objects.pop(x509_objects.index(root_crt[0]))
logging.warning('Found root certificate %s in input', logging.warning('Found self signed (root) certificate %s in input',
str(root_crt.get_subject())) str(root_crt.get_subject()))
# Double check if our self signed root certificate is not also present # Double check if our self signed root certificate is not also present
# as an intermediate: # as an intermediate:
@ -226,8 +234,8 @@ def load_root_issuers():
logging.debug(onlyrsa_exception) logging.debug(onlyrsa_exception)
continue continue
root_issuers = [str(root_cert.get_subject()) root_issuers = {str(root_cert.get_subject()): root_cert
for root_cert in root_certs] for root_cert in root_certs}
return root_issuers return root_issuers
@ -264,6 +272,8 @@ def main():
action='store_true', help='Just print chain') action='store_true', help='Just print chain')
outputgrp.add_argument('--no-chain', dest='print_chain', outputgrp.add_argument('--no-chain', dest='print_chain',
action='store_false', help='Omit chain from output') action='store_false', help='Omit chain from output')
outputgrp.add_argument('--include-root', dest='include_root',
action='store_true', help='Also include the root certificate')
outputgrp.set_defaults(print_chain=True) outputgrp.set_defaults(print_chain=True)
outputgrp.add_argument('--key', dest='print_key', outputgrp.add_argument('--key', dest='print_key',
@ -347,6 +357,10 @@ def main():
logging.info('OK: Modulus of provided certificate' logging.info('OK: Modulus of provided certificate'
' and private key match') ' and private key match')
if args.include_root:
logging.debug('root certificate in output requested')
x509_objects.append(find_root(x509_objects, root_issuers))
logging.debug("Print certificates in order") logging.debug("Print certificates in order")
# Need to do b'CN' to have this python3 compatible # Need to do b'CN' to have this python3 compatible
logging.info('Writing bundle for Subject: %s', logging.info('Writing bundle for Subject: %s',
@ -355,7 +369,8 @@ def main():
if x[0] == b'CN'][0]) if x[0] == b'CN'][0])
for x509_object in [x for x in x509_objects for x509_object in [x for x in x509_objects
if x.get_subject() != x.get_issuer()]: if x.get_subject() != x.get_issuer()
or args.include_root]:
# Stringify subject like openssl x509 -subject # Stringify subject like openssl x509 -subject
x509_subject = \ x509_subject = \