Add option to also include root certificate, for e.g. ldns-dane processing

2020-03-30 11:16:07 +02:00 · 2020-03-30 11:16:07 +02:00 · 53d97c30c2
commit 53d97c30c2
parent 22a2549294
1 changed files with 19 additions and 4 deletions
--- a/sort_certificate.py
+++ b/sort_certificate.py
@ -116,6 +116,14 @@ def match_cert_privkey(cert, priv):
    return get_pub_modulus(cert) == get_priv_modulus(priv)


+def find_root(x509_objects, root_issuers):
+    '''
+    Find a suitable anchor by finding the intermediate that was signed by root
+    '''
+    root_cert = root_issuers[str(x509_objects[-1].get_issuer())]
+    logging.debug('Retrieved root certificate %s', root_cert.get_subject())
+    return root_cert
+
 def find_intermediate_root(x509_objects, root_issuers):
    '''
    Find a suitable anchor by finding the intermediate that was signed by root
@ -146,7 +154,7 @@ def order_x509(x509_objects, root_issuers):
    root_crt = [x for x in x509_objects if x.get_subject() == x.get_issuer()]
    if root_crt:
        root_crt = x509_objects.pop(x509_objects.index(root_crt[0]))
-        logging.warning('Found root certificate %s in input',
+        logging.warning('Found self signed (root) certificate %s in input',
                        str(root_crt.get_subject()))
        # Double check if our self signed root certificate is not also present
        # as an intermediate:
@ -226,8 +234,8 @@ def load_root_issuers():
                logging.debug(onlyrsa_exception)
                continue

-        root_issuers = [str(root_cert.get_subject())
-                        for root_cert in root_certs]
+        root_issuers = {str(root_cert.get_subject()): root_cert
+                        for root_cert in root_certs}
        return root_issuers


@ -264,6 +272,8 @@ def main():
                           action='store_true', help='Just print chain')
    outputgrp.add_argument('--no-chain', dest='print_chain',
                           action='store_false', help='Omit chain from output')
+    outputgrp.add_argument('--include-root', dest='include_root',
+                           action='store_true', help='Also include the root certificate')
    outputgrp.set_defaults(print_chain=True)

    outputgrp.add_argument('--key', dest='print_key',
@ -347,6 +357,10 @@ def main():
                logging.info('OK: Modulus of provided certificate'
                             ' and private key match')

+        if args.include_root:
+            logging.debug('root certificate in output requested')
+            x509_objects.append(find_root(x509_objects, root_issuers))
+
        logging.debug("Print certificates in order")
        # Need to do b'CN' to have this python3 compatible
        logging.info('Writing bundle for Subject: %s',
@ -355,7 +369,8 @@ def main():
                      if x[0] == b'CN'][0])

        for x509_object in [x for x in x509_objects
-                            if x.get_subject() != x.get_issuer()]:
+                            if x.get_subject() != x.get_issuer()
+                            or args.include_root]:

            # Stringify subject like openssl x509 -subject
            x509_subject = \