Migrate from pyOpenSSL to cryptography

pyOpenSSL upstream "strongly suggests" switching to cryptography.

959a031fa3

Resolves #52
This commit is contained in:
Carl George 2021-12-07 00:17:30 -06:00 committed by tdawson
parent 04734c4692
commit 73d52905ad
2 changed files with 16 additions and 22 deletions


@ -1,5 +1,5 @@
pycurl pycurl
pyOpenSSL cryptography
rpkg rpkg
six six
GitPython GitPython


@ -1,8 +1,7 @@
from __future__ import print_function from __future__ import print_function
import os import os
from OpenSSL import crypto from cryptography import x509
import urlgrabber import urlgrabber
import datetime import datetime
@ -23,8 +22,13 @@ def _open_cert():
if not os.access(cert_file, os.R_OK): if not os.access(cert_file, os.R_OK):
raise centos_cert_error("""!!! cannot read your centos cert file !!! raise centos_cert_error("""!!! cannot read your centos cert file !!!
!!! Ensure the file is readable and try again !!!""") !!! Ensure the file is readable and try again !!!""")
raw_cert = open(cert_file).read() raw_cert = open(cert_file, 'rb').read()
my_cert = crypto.load_certificate(crypto.FILETYPE_PEM, raw_cert) try:
my_cert = x509.load_pem_x509_certificate(raw_cert)
except TypeError:
# it was required to specify a backend prior to cryptography 3.1
from cryptography.hazmat.backends import default_backend
my_cert = x509.load_pem_x509_certificate(raw_cert, default_backend())
return my_cert return my_cert
def verify_cert(): def verify_cert():
@ -35,17 +39,13 @@ def verify_cert():
Expiry time warn if less than 21 days Expiry time warn if less than 21 days
""" """
my_cert = _open_cert() my_cert = _open_cert()
serial_no = my_cert.get_serial_number()
valid_until = my_cert.get_notAfter()[:8]
# CRL verification would go here # CRL verification would go here
#crl = urlgrabber.urlread("https://<url_to_crl>/ca/crl.pem") #crl = urlgrabber.urlread("https://<url_to_crl>/ca/crl.pem")
dateFmt = '%Y%m%d' warn = datetime.datetime.now() + datetime.timedelta(days=21)
delta = datetime.datetime.now() + datetime.timedelta(days=21)
warn = datetime.datetime.strftime(delta, dateFmt)
print('cert expires: %s-%s-%s' % (valid_until[:4], valid_until[4:6], valid_until[6:8])) print(my_cert.not_valid_after.strftime('cert expires: %Y-%m-%d'))
if valid_until < warn: if my_cert.not_valid_after < warn:
print('WARNING: Your cert expires soon.') print('WARNING: Your cert expires soon.')
@ -57,10 +57,8 @@ def certificate_expired():
""" """
my_cert = _open_cert() my_cert = _open_cert()
if my_cert.has_expired(): return my_cert.not_valid_after < datetime.datetime.now()
return True
else:
return False
def read_user_cert(): def read_user_cert():
""" """
@ -69,9 +67,5 @@ def read_user_cert():
""" """
my_cert = _open_cert() my_cert = _open_cert()
subject = str(my_cert.get_subject()) [common_name] = my_cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)
subject_line = subject.split("CN=") return common_name.value
cn_parts = subject_line[1].split("/")
username = cn_parts[0]
return username
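Review bot: The expiry comparisons at `warn = datetime.datetime.now() + datetime.timedelta(days=21)` and `return my_cert.not_valid_after < datetime.datetime.now()` mix clocks: `not_valid_after` is a naive datetime expressed in UTC, while `datetime.datetime.now()` is naive local time, so both the 21-day warning and the expired check are off by the host's UTC offset (the old string comparison had the same mismatch, but it is now a direct datetime comparison). Use `datetime.datetime.utcnow()` in both places, or, on cryptography releases that provide it, compare `not_valid_after_utc` against an aware `datetime.datetime.now(datetime.timezone.utc)`. The `[common_name] = my_cert.subject.get_attributes_for_oid(...)` unpack in read_user_cert raises a bare ValueError when the subject carries zero or several CN attributes; consider binding the list and raising centos_cert_error with an explanatory message instead. `raw_cert = open(cert_file, 'rb').read()` still leaves the file handle open; `with open(cert_file, 'rb') as f: raw_cert = f.read()` closes it deterministically. verify_cert's body continues past the end of its hunk.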