ruben/sort_certificate
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Please pylint/pep8 etc

Browse Source
This commit is contained in:
Ruben van Staveren 2020-08-17 12:19:21 +02:00
parent 1e5aa31eb8
commit e22223ba66
Failed to extract signature
1 changed files with 53 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
sort_certificate.py
View File

@ -11,7 +11,6 @@ import fileinput
from argparse import ArgumentParser
from datetime import datetime
from OpenSSL import crypto
from Crypto.Util import asn1
from cryptography.hazmat.primitives import serialization
import certifi.core
@ -30,15 +29,18 @@ SHA1 Fingerprint={sha1fingerprint}
ASN1TIME_FMT = str('%Y%m%d%H%M%SZ'.encode('utf8'))
OPENSSLTIME_FMT = '%b %e %T %Y GMT'
class OnlyRSAKeyException(Exception):
'''
When we encounter other than RSA crypto material
'''
pass
class CertificateComponentException(Exception):
'''
When something is not right with the whole cert+intermediates+private key bundle
When something is not right with the whole cert+intermediates+private key
bundle
'''
pass
@ -72,9 +74,12 @@ def get_cert_pubkey(cert):
'''
cert_crypto = cert.to_cryptography()
pub = cert_crypto.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
pubkey = cert_crypto.public_key()
pub_bytes = pubkey.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo)
return pub
return pub_bytes
def get_priv_pubkey(priv):
@ -84,9 +89,12 @@ def get_priv_pubkey(priv):
priv_crypto = priv.to_cryptography_key()
pub = priv_crypto.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
pubkey = priv_crypto.public_key()
pub_bytes = pubkey.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo)
return pub
return pub_bytes
def match_cert_privkey(cert, priv):
@ -106,6 +114,7 @@ def find_root(x509_objects, root_issuers):
logging.debug('Retrieved root certificate %s', root_cert.get_subject())
return root_cert
def find_intermediate_root(x509_objects, root_issuers):
'''
Find a suitable anchor by finding the intermediate that was signed by root
@ -178,11 +187,13 @@ def order_x509(x509_objects, root_issuers):
bundle.insert(0, x509_objects.pop(x509_objects.index(sibling[0])))
else:
# Lets complain
raise CertificateComponentException('Non matching certificates in input:'
raise CertificateComponentException('Non matching certificates in '
'input:'
' No sibling found for %s'
% bundle[0].get_subject())
return bundle
def load_root_issuers():
'''
Return the list of CA roots (RSA only)
@ -241,29 +252,43 @@ def handle_args():
outputgrp = parser.add_mutually_exclusive_group()
outputgrp.add_argument('--just-certificate', dest='print_cert',
action='store_true', help='Just print certificate')
outputgrp.add_argument('--no-certificate', dest='print_cert',
outputgrp.add_argument('--just-certificate',
dest='print_cert',
action='store_true',
help='Just print certificate')
outputgrp.add_argument('--no-certificate',
dest='print_cert',
action='store_false',
help='Omit certificate from output')
outputgrp.set_defaults(print_cert=True)
outputgrp.add_argument('--just-chain', dest='print_chain',
action='store_true', help='Just print chain')
outputgrp.add_argument('--no-chain', dest='print_chain',
action='store_false', help='Omit chain from output')
outputgrp.add_argument('--include-root', dest='include_root',
action='store_true', help='Also include the root certificate')
outputgrp.add_argument('--just-chain',
dest='print_chain',
action='store_true',
help='Just print chain')
outputgrp.add_argument('--no-chain',
dest='print_chain',
action='store_false',
help='Omit chain from output')
outputgrp.add_argument('--include-root',
dest='include_root',
action='store_true',
help='Also include the root certificate')
outputgrp.set_defaults(print_chain=True)
outputgrp.add_argument('--key', dest='print_key',
outputgrp.add_argument('--key',
dest='print_key',
action='store_true', default=True,
help='Just print key')
outputgrp.add_argument('--no-key', dest='print_key',
action='store_false', help='Omit key from output')
outputgrp.add_argument('--no-key',
dest='print_key',
action='store_false',
help='Omit key from output')
outputgrp.set_defaults(print_key=True)
parser.add_argument('x509files', metavar='x509 file', nargs='*',
parser.add_argument('x509files',
metavar='x509 file',
nargs='*',
help='x509 fullchain (+ rsa privkey)'
' bundles to be checked')
@ -275,7 +300,6 @@ def main():
main program start and argument parsing
'''
root_issuers = None
args = handle_args()
@ -326,22 +350,26 @@ def main():
get_components()
if len(rsa_objects) > 1:
raise CertificateComponentException('More than one RSA private key found in input.'
raise CertificateComponentException('More than one RSA private key'
' found in input.'
' Aborting')
elif rsa_objects:
if not match_cert_privkey(x509_objects[0], rsa_objects[0]):
raise CertificateComponentException('Provided certificate'
' and RSA private key do not match')
' and RSA private key'
' do not match')
else:
logging.info('OK: Public key of provided certificate'
' and RSA private key match')
elif len(pk_objects) > 1:
raise CertificateComponentException('More than one RSA private key found in input.'
raise CertificateComponentException('More than one RSA private key'
' found in input.'
' Aborting')
elif pk_objects:
if not match_cert_privkey(x509_objects[0], pk_objects[0]):
raise CertificateComponentException('Provided certificate'
' and private key do not match')
' and private key'
' do not match')
else:
logging.info('OK: Public key of provided certificate'
' and private key match')