
Task #7484

Updated by pulpbot about 2 years ago

**Ticket moved to GitHub**: [pulp/pulp-certguard/143](https://github.com/pulp/pulp-certguard/issues/143)

----

Library to use: https://pypi.org/project/cryptography/

## Current usage:

The code itself uses PyOpenSSL in two areas:

1) Validating that a certificate is in PEM format [here](https://github.com/pulp/pulp-certguard/blob/040177c629d24b02c93afe922e782df9acdba58e/pulp_certguard/app/serializers.py#L24)

2) Ensuring a certificate is unexpired [here](https://github.com/pulp/pulp-certguard/blob/50e42a320be515026998d9a0a378b820d95b3efe/pulp_certguard/app/models.py#L84-L86)

3) Ensuring a client certificate is signed by the CA certificate [here](https://github.com/pulp/pulp-certguard/blob/50e42a320be515026998d9a0a378b820d95b3efe/pulp_certguard/app/models.py#L79-L83)

## Replacement calls in `cryptography`

The [`load_pem_x509_certificate`](https://cryptography.io/en/latest/x509/reference/#cryptography.x509.load_pem_x509_certificate) call expects a PEM-encoded cert (not DER), so we can test whether this provides the validation at instantiation time.

We can probably check a certificate's expiry manually using the [`Certificate.not_valid_after`](https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.not_valid_after) attribute against the current UTC time.

I do not see how to validate that a valid PEM certificate was signed by another valid PEM certificate.
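The three checks above (PEM parsing, expiry, and signed-by-CA) expressed with `cryptography` alone, as an added example that is not pulp-certguard code. The helper names (`load_pem_cert`, `is_unexpired`, `is_signed_by`, `check_client_cert`) and the certificates generated by `build_fixture` are constructed for this example; the CA, client and "rogue" certs are made on the fly so the code runs offline. The signed-by-CA check is the direct-issuer verification the task asks about: the CA's public key must verify the signature over the client cert's TBS bytes, and the client's issuer name must match the CA's subject.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def load_pem_cert(pem_bytes):
    """Check 1: load_pem_x509_certificate raises ValueError for anything that is
    not a PEM-encoded certificate (DER, garbage, a bare key), so parsing is the check."""
    return x509.load_pem_x509_certificate(pem_bytes)


def is_unexpired(cert, now=None):
    """Check 2: compare the cert's not_valid_after with the current UTC time."""
    now = now or datetime.now(timezone.utc)
    # cryptography >= 42 adds the tz-aware not_valid_after_utc; the older
    # not_valid_after returns a naive datetime that is already in UTC.
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return now <= not_after


def is_signed_by(cert, ca_cert):
    """Check 3: the CA's key must verify the signature over the client cert's
    TBS bytes, and the client's issuer name must equal the CA's subject."""
    if cert.issuer != ca_cert.subject:
        return False
    pub = ca_cert.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            # PKCS#1 v1.5 is what ordinary RSA-signed certs use; RSA-PSS
            # certs would need padding.PSS instead.
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        else:
            return False  # other key types (e.g. Ed25519) are not handled here
    except InvalidSignature:
        return False
    return True


def check_client_cert(client_pem, ca_pem):
    """Run all three checks; returns a list of failure reasons (empty means OK)."""
    try:
        client = load_pem_cert(client_pem)
    except ValueError:
        return ["not a PEM certificate"]
    ca = load_pem_cert(ca_pem)
    problems = []
    if not is_unexpired(client):
        problems.append("expired")
    if not is_signed_by(client, ca):
        problems.append("not signed by the CA")
    return problems


def _make_cert(subject_cn, issuer_cn, signing_key, public_key, days_valid, is_ca):
    """Build a minimal certificate for the constructed fixture below."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=30))
        .not_valid_after(now + timedelta(days=days_valid))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_fixture():
    """Constructed test material, not anything from pulp-certguard: a CA, a client
    cert it issued, an expired client cert, and a 'rogue' cert that names the CA as
    issuer but was signed by an unrelated key. Returned as PEM bytes so check 1 runs."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    client_key = ec.generate_private_key(ec.SECP256R1())
    certs = {
        "ca": _make_cert("Test CA", "Test CA", ca_key, ca_key.public_key(), 365, True),
        "good": _make_cert("client", "Test CA", ca_key, client_key.public_key(), 30, False),
        "expired": _make_cert("client", "Test CA", ca_key, client_key.public_key(), -1, False),
        "rogue": _make_cert("client", "Test CA", rogue_key, client_key.public_key(), 30, False),
    }
    return {name: c.public_bytes(serialization.Encoding.PEM) for name, c in certs.items()}


if __name__ == "__main__":
    fx = build_fixture()
    for name in ("good", "expired", "rogue"):
        print(name, check_client_cert(fx[name], fx["ca"]) or "OK")
    print("garbage", check_client_cert(b"-----BEGIN NONSENSE-----", fx["ca"]))
```

On cryptography 40 and later the manual `is_signed_by` can be replaced by `client.verify_directly_issued_by(ca)`, which performs the same issuer-name and signature checks and raises on failure. Neither form builds a chain through intermediates or consults revocation data; that is the same scope as the PyOpenSSL checks being replaced.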
