Please pylint/pep8 etc

Ruben van Staveren 2020-08-17 12:19:21 +02:00
parent 1e5aa31eb8
commit e22223ba66


@ -11,7 +11,6 @@ import fileinput
from argparse import ArgumentParser from argparse import ArgumentParser
from datetime import datetime from datetime import datetime
from OpenSSL import crypto from OpenSSL import crypto
from Crypto.Util import asn1
from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives import serialization
import certifi.core import certifi.core
@ -30,15 +29,18 @@ SHA1 Fingerprint={sha1fingerprint}
ASN1TIME_FMT = str('%Y%m%d%H%M%SZ'.encode('utf8')) ASN1TIME_FMT = str('%Y%m%d%H%M%SZ'.encode('utf8'))
OPENSSLTIME_FMT = '%b %e %T %Y GMT' OPENSSLTIME_FMT = '%b %e %T %Y GMT'
class OnlyRSAKeyException(Exception): class OnlyRSAKeyException(Exception):
''' '''
When we encounter other than RSA crypto material When we encounter other than RSA crypto material
''' '''
pass pass
class CertificateComponentException(Exception): class CertificateComponentException(Exception):
''' '''
When something is not right with the whole cert+intermediates+private key bundle When something is not right with the whole cert+intermediates+private key
bundle
''' '''
pass pass
@ -72,9 +74,12 @@ def get_cert_pubkey(cert):
''' '''
cert_crypto = cert.to_cryptography() cert_crypto = cert.to_cryptography()
pub = cert_crypto.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo) pubkey = cert_crypto.public_key()
pub_bytes = pubkey.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo)
return pub return pub_bytes
def get_priv_pubkey(priv): def get_priv_pubkey(priv):
@ -84,9 +89,12 @@ def get_priv_pubkey(priv):
priv_crypto = priv.to_cryptography_key() priv_crypto = priv.to_cryptography_key()
pub = priv_crypto.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo) pubkey = priv_crypto.public_key()
pub_bytes = pubkey.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo)
return pub return pub_bytes
def match_cert_privkey(cert, priv): def match_cert_privkey(cert, priv):
@ -106,6 +114,7 @@ def find_root(x509_objects, root_issuers):
logging.debug('Retrieved root certificate %s', root_cert.get_subject()) logging.debug('Retrieved root certificate %s', root_cert.get_subject())
return root_cert return root_cert
def find_intermediate_root(x509_objects, root_issuers): def find_intermediate_root(x509_objects, root_issuers):
''' '''
Find a suitable anchor by finding the intermediate that was signed by root Find a suitable anchor by finding the intermediate that was signed by root
@ -178,11 +187,13 @@ def order_x509(x509_objects, root_issuers):
bundle.insert(0, x509_objects.pop(x509_objects.index(sibling[0]))) bundle.insert(0, x509_objects.pop(x509_objects.index(sibling[0])))
else: else:
# Lets complain # Lets complain
raise CertificateComponentException('Non matching certificates in input:' raise CertificateComponentException('Non matching certificates in '
'input:'
' No sibling found for %s' ' No sibling found for %s'
% bundle[0].get_subject()) % bundle[0].get_subject())
return bundle return bundle
def load_root_issuers(): def load_root_issuers():
''' '''
Return the list of CA roots (RSA only) Return the list of CA roots (RSA only)
@ -241,29 +252,43 @@ def handle_args():
outputgrp = parser.add_mutually_exclusive_group() outputgrp = parser.add_mutually_exclusive_group()
outputgrp.add_argument('--just-certificate', dest='print_cert', outputgrp.add_argument('--just-certificate',
action='store_true', help='Just print certificate') dest='print_cert',
outputgrp.add_argument('--no-certificate', dest='print_cert', action='store_true',
help='Just print certificate')
outputgrp.add_argument('--no-certificate',
dest='print_cert',
action='store_false', action='store_false',
help='Omit certificate from output') help='Omit certificate from output')
outputgrp.set_defaults(print_cert=True) outputgrp.set_defaults(print_cert=True)
outputgrp.add_argument('--just-chain', dest='print_chain', outputgrp.add_argument('--just-chain',
action='store_true', help='Just print chain') dest='print_chain',
outputgrp.add_argument('--no-chain', dest='print_chain', action='store_true',
action='store_false', help='Omit chain from output') help='Just print chain')
outputgrp.add_argument('--include-root', dest='include_root', outputgrp.add_argument('--no-chain',
action='store_true', help='Also include the root certificate') dest='print_chain',
action='store_false',
help='Omit chain from output')
outputgrp.add_argument('--include-root',
dest='include_root',
action='store_true',
help='Also include the root certificate')
outputgrp.set_defaults(print_chain=True) outputgrp.set_defaults(print_chain=True)
outputgrp.add_argument('--key', dest='print_key', outputgrp.add_argument('--key',
dest='print_key',
action='store_true', default=True, action='store_true', default=True,
help='Just print key') help='Just print key')
outputgrp.add_argument('--no-key', dest='print_key', outputgrp.add_argument('--no-key',
action='store_false', help='Omit key from output') dest='print_key',
action='store_false',
help='Omit key from output')
outputgrp.set_defaults(print_key=True) outputgrp.set_defaults(print_key=True)
parser.add_argument('x509files', metavar='x509 file', nargs='*', parser.add_argument('x509files',
metavar='x509 file',
nargs='*',
help='x509 fullchain (+ rsa privkey)' help='x509 fullchain (+ rsa privkey)'
' bundles to be checked') ' bundles to be checked')
@ -275,7 +300,6 @@ def main():
main program start and argument parsing main program start and argument parsing
''' '''
root_issuers = None root_issuers = None
args = handle_args() args = handle_args()
@ -326,22 +350,26 @@ def main():
get_components() get_components()
if len(rsa_objects) > 1: if len(rsa_objects) > 1:
raise CertificateComponentException('More than one RSA private key found in input.' raise CertificateComponentException('More than one RSA private key'
' found in input.'
' Aborting') ' Aborting')
elif rsa_objects: elif rsa_objects:
if not match_cert_privkey(x509_objects[0], rsa_objects[0]): if not match_cert_privkey(x509_objects[0], rsa_objects[0]):
raise CertificateComponentException('Provided certificate' raise CertificateComponentException('Provided certificate'
' and RSA private key do not match') ' and RSA private key'
' do not match')
else: else:
logging.info('OK: Public key of provided certificate' logging.info('OK: Public key of provided certificate'
' and RSA private key match') ' and RSA private key match')
elif len(pk_objects) > 1: elif len(pk_objects) > 1:
raise CertificateComponentException('More than one RSA private key found in input.' raise CertificateComponentException('More than one RSA private key'
' found in input.'
' Aborting') ' Aborting')
elif pk_objects: elif pk_objects:
if not match_cert_privkey(x509_objects[0], pk_objects[0]): if not match_cert_privkey(x509_objects[0], pk_objects[0]):
raise CertificateComponentException('Provided certificate' raise CertificateComponentException('Provided certificate'
' and private key do not match') ' and private key'
' do not match')
else: else:
logging.info('OK: Public key of provided certificate' logging.info('OK: Public key of provided certificate'
' and private key match') ' and private key match')
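Review bot: In handle_args every output flag is still registered on the single `outputgrp = parser.add_mutually_exclusive_group()`, so argparse will reject combinations such as `--no-key --no-chain` or `--no-key --include-root`. Since `print_key` defaults to True, the private key is presumably emitted unless `--no-key` is the only output flag given. I would give each output its own group, e.g. `keygrp = parser.add_mutually_exclusive_group()` for `--key`/`--no-key`, and register `--include-root` on `parser` directly. The `--just-certificate`, `--just-chain` and `--key` flags are `store_true` on destinations that already default to True, so as written they change nothing despite their "Just print ..." help text. Separately, the `elif len(pk_objects) > 1:` branch in main() keeps the message 'More than one RSA private key found in input.', although that branch appears to handle the non-RSA keys. Both handle_args and main start and end outside the hunks shown.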