0

我正在尝试使用 Python 加密项目向现有 CRL 添加其他证书: https ://cryptography.io/

查看 CRL 构建器的文档,我看不到加载现有 CRL、使用 进行添加add_revoked_certificate(revoked_certificate)然后退出 CRL 的方法。

add_revoked_certificate(revoked_certificate)需要提及的文档:

revoked_certificate – RevokedCertificate 的一个实例。这些可以从现有的 CRL 获得或使用 RevokedCertificateBuilder 创建。

这让我相信没有现成的方式来更新 CRL,但我只是想确保我没有遗漏任何东西。

对于它的价值,我当前的代码如下,我插入了伪代码作为我正在尝试做的事情的注释。

def revoke_cert(cert_revocation_list_pem, cert_pem):
    # Load CRL
    cert_revocation_list = x509.load_pem_x509_crl(
        cert_revocation_list_pem.encode("ascii"), default_backend()
    )

    # Load cert
    cert = x509.load_pem_x509_certificate(cert_pem.encode("ascii"), default_backend())

    # Create a revoked cert
    builder = x509.RevokedCertificateBuilder()
    builder = builder.revocation_date(datetime.today())
    builder = builder.serial_number(cert.serial_number)
    revoked_cert = builder.build(default_backend())

    # I want to do something like this
    #cert_revocation_list.append(revoked_cert)

    return cert_revocation_list.public_bytes(encoding=serialization.Encoding.PEM)

一如既往,感谢您的帮助!

编辑:

我最终添加了第三个参数来接受要撤销的证书列表。

def build_crl(cert_authority_pem, private_key_pem, certs_to_revoke=None):
    # Load our root cert
    root_cert = x509.load_pem_x509_certificate(
        cert_authority_pem.encode("ascii"), default_backend()
    )

    # Load our root key
    root_key = serialization.load_pem_private_key(
        private_key_pem.encode("ascii"), password=None, backend=default_backend()
    )

    builder = x509.CertificateRevocationListBuilder()
    builder = builder.last_update(datetime.today())
    builder = builder.next_update(datetime.today() + timedelta(1, 0, 0))
    builder = builder.issuer_name(root_cert.issuer)
    if certs_to_revoke:
        for revoked_cert in certs_to_revoke:
            builder = builder.add_revoked_certificate(revoked_cert)
    cert_revocation_list = builder.sign(
        private_key=root_key, algorithm=hashes.SHA256(), backend=default_backend()
    )
    return cert_revocation_list.public_bytes(encoding=serialization.Encoding.PEM)
4

1 回答 1

0

以下是如何使用密码学的详细示例: 示例

# cert you want to revoke
cert_to_revoke_data = open("openssl/client1.crt","rb").read()
cert_to_revoke = x509.load_pem_x509_certificate(cert_to_revoke_data, backend=default_backend())

pem_cert = open("openssl/ca.crt","rb").read()
ca_crt = x509.load_pem_x509_certificate(pem_cert, default_backend())
pem_key = open("openssl/ca.key","rb").read()
ca_key = serialization.load_pem_private_key(pem_key, password=b"test", backend=default_backend())

# load crl
pem_crl_data = open("openssl/ca.crl","rb").read()
crl = x509.load_pem_x509_crl(pem_crl_data, backend=default_backend())

# generate a new crl object
builder = x509.CertificateRevocationListBuilder()
builder = builder.issuer_name(crl.issuer)
builder = builder.last_update(crl.last_update)
builder = builder.next_update(datetime.datetime.now() + datetime.timedelta(1, 0, 0))

# add crl certificates from file to the new crl object
for i in range(0,len(crl)):    
    builder = builder.add_revoked_certificate(crl[i])

# see if the cert to be revokek already in the list    
ret = crl.get_revoked_certificate_by_serial_number(cert_to_revoke.serial_number)

# if not, then add new revoked cert
if  not isinstance(ret, x509.RevokedCertificate):
    
    revoked_cert = x509.RevokedCertificateBuilder()\
    .serial_number(cert_to_revoke.serial_number)\
    .revocation_date(datetime.datetime.now()).build(backend=default_backend())
    
    builder = builder.add_revoked_certificate(revoked_cert)

# sign and save to new crl file
cert_revocation_list = builder.sign(private_key=ca_key,algorithm=hashes.SHA256(),backend=default_backend())

with open("openssl/ca.crl","wb") as f:
    f.write(cert_revocation_list.public_bytes(serialization.Encoding.PEM))
于 2020-11-11T15:55:52.090 回答