Task #7484
Updated by pulpbot about 2 years ago
**Ticket moved to GitHub**: "pulp/pulp-certguard/143":https://github.com/pulp/pulp-certguard/issues/143 ---- library to use: https://pypi.org/project/cryptography/ ## Current usage: The code itself uses PyOpenssl in two areas: 1) Validation a certificate is in PEM format [here](https://github.com/pulp/pulp-certguard/blob/040177c629d24b02c93afe922e782df9acdba58e/pulp_certguard/app/serializers.py#L24) 2) Ensuring a certificate is unexpired [here](https://github.com/pulp/pulp-certguard/blob/50e42a320be515026998d9a0a378b820d95b3efe/pulp_certguard/app/models.py#L84-L86) 3) Ensuring a client certificate is signed by the CA certificate [here](https://github.com/pulp/pulp-certguard/blob/50e42a320be515026998d9a0a378b820d95b3efe/pulp_certguard/app/models.py#L79-L83) ## Replacement calls in `cryptography` The [`load_pem_x509_certificate`](https://cryptography.io/en/latest/x509/reference/#cryptography.x509.load_pem_x509_certificate) call expects a PEM encoded cert (not DNR) so we can test this provides validation at instantiation time. We can probably manually check a valid certificate's usng the [`Certificate.not_valid_after](https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.not_valid_after) attribute against the current UTC time. I do not see how to validate that a valid PEM certificate was signed by another valid PEM certificate.