Python: verify a CRL against its CA
I am using Python and the pyopenssl library to verify that a CRL matches its CA. What I have so far:
I get the certificate authority:
from OpenSSL import crypto

# Load the CA certificate from a PEM file.
with open(ca_file_path) as ca_file_obj:
    ca = crypto.load_certificate(crypto.FILETYPE_PEM, ca_file_obj.read())
I get the CRL:
with open(crl_file_path) as crl_file_obj:
    crl = crypto.load_crl(crypto.FILETYPE_PEM, crl_file_obj.read())
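I know it is possible to use openssl to verify that the CRL belongs to the CA, but how can I solve this in pure Python code, without opening openssl as a subprocess? Any ideas, anyone?

Using pyopenssl, you can do the following: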
# Export CRL as a cryptography CRL.
crl_crypto = crl.to_cryptography()
# Get CA Public Key as _RSAPublicKey
ca_pub_key = ca.get_pubkey().to_cryptography_key()
# Validate CRL against CA
valid_signature = crl_crypto.is_signature_valid(ca_pub_key)
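Consider that checking the validity of the signature on the CRL is not enough to know whether the CRL should be trusted (see)

What else should I verify besides the signature? Whether the current date is between the last update and the next update?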
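Checks for a CRL against its CA certificate (issuer name, signature, and the update window raised in the comments), as an added example that is not part of the original question or answer. It uses the `cryptography` package directly rather than pyopenssl; the CA, keys and CRLs are constructed sample data, and `make_ca`, `make_crl` and `check_crl` are hypothetical helper names.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

def make_ca(common_name):
    """Constructed sample CA (not a real one): self-signed cert and its key."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = dt.datetime.now(UTC)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key

def make_crl(issuer_cert, signing_key, last_update, next_update):
    """Constructed sample CRL naming issuer_cert, signed with signing_key."""
    return (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
            .last_update(last_update).next_update(next_update)
            .sign(signing_key, hashes.SHA256()))

def _aware(crl, field):
    """Read a CRL time as aware UTC; the *_utc attributes need cryptography >= 42."""
    value = getattr(crl, field + "_utc", None) or getattr(crl, field)
    return value.replace(tzinfo=UTC) if value else None

def check_crl(crl, ca_cert, now=None):
    """Return the list of failed checks; an empty list means the CRL passed."""
    now = now or dt.datetime.now(UTC)
    problems = []
    if crl.issuer != ca_cert.subject:
        problems.append("issuer name does not match CA subject")
    if not crl.is_signature_valid(ca_cert.public_key()):
        problems.append("signature not made by CA key")
    last, nxt = _aware(crl, "last_update"), _aware(crl, "next_update")
    if not (last <= now and nxt is not None and now <= nxt):
        problems.append("current time outside last_update..next_update")
    return problems

if __name__ == "__main__":
    (cert, key), t = make_ca("Constructed Test CA"), dt.datetime.now(UTC)
    sample = make_crl(cert, key, t - dt.timedelta(hours=1), t + dt.timedelta(days=7))
    print(check_crl(sample, cert))
```

A CRL loaded from disk with `x509.load_pem_x509_crl` can be passed to `check_crl` in place of the constructed one.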