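I am using Python and the pyopenssl library to validate a CRL against its CA.
What I have:
I obtained the certificate authority:
from OpenSSL import crypto
with open(ca_file_path) as ca_file_obj:
    ca = crypto.load_certificate(crypto.FILETYPE_PEM, ca_file_obj.read())
I got the CRL:
with open(crl_file_path) as crl_file_obj:
    crl = crypto.load_crl(crypto.FILETYPE_PEM, crl_file_obj.read())
How do I verify that the CRL belongs to the CA? I know it can be done with openssl, but how do I solve it in pure Python code, without spawning openssl as a subprocess? Does anyone have any ideas?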
Answer 0: (score: 0)
With pyopenssl, you can:
# Export CRL as a cryptography CRL.
crl_crypto = crl.to_cryptography()
# Get CA Public Key as _RSAPublicKey
ca_pub_key = ca.get_pubkey().to_cryptography_key()
# Validate CRL against CA
valid_signature = crl_crypto.is_signature_valid(ca_pub_key)
Keep in mind that checking the validity of the signature on the CRL is not enough to know whether the CRL should be trusted (see Demo).
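An added example, not part of the original question or answer: it uses the `cryptography` package directly (the object type that `to_cryptography()` returns) to check the issuer name, the signature and the update window together, which shows why a valid signature alone is not enough. The helpers `check_crl`, `make_ca`, `make_crl` and `demo`, the CA names and all keys and CRLs are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DAY = dt.timedelta(days=1)

def utcnow():
    # Naive UTC, comparable with the naive crl.last_update / crl.next_update values
    # (cryptography >= 42 also offers timezone-aware last_update_utc / next_update_utc).
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)

def check_crl(crl, ca_cert, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = now or utcnow()
    problems = []
    if crl.issuer != ca_cert.subject:
        problems.append("issuer does not match CA subject")
    if not crl.is_signature_valid(ca_cert.public_key()):
        problems.append("signature not made by CA key")
    if crl.last_update > now or crl.next_update is None or crl.next_update < now:
        problems.append("outside thisUpdate/nextUpdate window")
    return problems

def make_ca(cn):
    # Constructed sample data: throwaway EC key and self-signed CA certificate.
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(utcnow() - DAY).not_valid_after(utcnow() + 30 * DAY)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(issuer, key, last_update, next_update):
    # Constructed sample CRL with no revoked entries.
    return (x509.CertificateRevocationListBuilder().issuer_name(issuer)
            .last_update(last_update).next_update(next_update).sign(key, hashes.SHA256()))

def demo():
    now = utcnow()
    ca_key, ca = make_ca("Constructed Example CA")
    other_key, _ = make_ca("Constructed Other CA")
    return {
        "fresh": check_crl(make_crl(ca.subject, ca_key, now - DAY, now + DAY), ca),
        "forged": check_crl(make_crl(ca.subject, other_key, now - DAY, now + DAY), ca),
        "stale": check_crl(make_crl(ca.subject, ca_key, now - 10 * DAY, now - 3 * DAY), ca),
    }
```

Calling `demo()` returns the problems found for each constructed CRL; the stale one carries a valid CA signature and fails only on its update window.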