我们从Python开源项目中,提取了以下3个代码示例,用于说明如何使用cryptography.x509.CertificateRevocationListBuilder()。
def load_or_create_crl(crl_file, ca_crt, pkey):
    """Return the CRL stored at ``crl_file``, creating an empty one if absent.

    Args:
        crl_file: Path of the PEM-encoded CRL file.
        ca_crt: Issuing CA certificate; its subject is used as the CRL issuer.
        pkey: Private key used to sign a newly created CRL.

    Returns:
        The CRL object, either parsed from the existing file or freshly
        signed and written to ``crl_file``.
    """
    if os.path.isfile(crl_file):
        # NOTE(review): the CRL is parsed but its signature is not checked
        # against the CA key here. If the file location is writable by
        # anything other than the CA process, verify it before trusting it.
        with open(crl_file, 'rb') as handle:
            return x509.load_pem_x509_crl(
                data=handle.read(),
                backend=default_backend(),
            )

    # No CRL on disk yet: issue an empty one and persist it.
    builder = x509.CertificateRevocationListBuilder()
    builder = builder.issuer_name(ca_crt.subject)
    builder = builder.last_update(datetime.datetime.utcnow())
    # NOTE(review): next_update is ten years out, so relying parties may
    # cache this CRL for that long and miss later revocations. Confirm this
    # validity window is intended.
    builder = builder.next_update(
        datetime.datetime.utcnow() + datetime.timedelta(days=365 * 10)
    )
    new_crl = builder.sign(
        private_key=pkey,
        algorithm=hashes.SHA256(),
        backend=default_backend(),
    )

    with open(crl_file, 'wb') as handle:
        handle.write(new_crl.public_bytes(
            encoding=serialization.Encoding.PEM,
        ))
    return new_crl
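def update_crl(crl_file, revoked_certs, ca_crt, pkey):
    """Re-issue the CRL at ``crl_file`` with ``revoked_certs`` added.

    The existing CRL is read from disk, every entry it already lists is
    carried over unchanged, and each certificate in ``revoked_certs`` that is
    not yet listed is added with the current time as its revocation date.
    The new CRL is signed, written back to ``crl_file`` as PEM, and returned.

    Args:
        crl_file: Path of the PEM-encoded CRL file; it must already exist.
        revoked_certs: Iterable of certificates to revoke; each must expose
            its serial number as ``.serial``.
        ca_crt: Issuing CA certificate; its subject is used as the CRL issuer.
        pkey: Private key used to sign the CRL.

    Returns:
        The newly signed CRL object.
    """
    # NOTE(review): the previous CRL is parsed without checking its signature
    # against the CA key, so its entries are carried over as found on disk.
    # Verify it first if crl_file can be modified outside this process.
    with open(crl_file, 'rb') as f:
        old_crl = x509.load_pem_x509_crl(
            data=f.read(),
            backend=default_backend(),
        )
    old_entries = list(old_crl)

    # One timestamp for the whole issuance keeps last_update, next_update and
    # the new revocation dates consistent with each other.
    now = datetime.datetime.utcnow()

    # NOTE(review): next_update is ten years out, so relying parties may
    # cache this CRL for that long and miss later revocations. Confirm this
    # validity window is intended.
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_crt.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=365 * 10))
    )

    # A serial must appear only once in a CRL. Skip certificates that are
    # already listed (or repeated in revoked_certs) so the entry carried over
    # from the old CRL keeps its original revocation date.
    listed_serials = {entry.serial_number for entry in old_entries}
    for cert in revoked_certs:
        if cert.serial in listed_serials:
            continue
        listed_serials.add(cert.serial)
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(cert.serial)
            .revocation_date(now)
            .build(default_backend())
        )

    for entry in old_entries:
        builder = builder.add_revoked_certificate(entry)

    crl = builder.sign(
        private_key=pkey,
        algorithm=hashes.SHA256(),
        backend=default_backend(),
    )

    with open(crl_file, 'wb') as f:
        f.write(crl.public_bytes(
            encoding=serialization.Encoding.PEM,
        ))

    return crl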
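def build_crl():
    """Build and sign a PEM-encoded CRL for the newest CA.

    Looks up the newest CA, collects every certificate record issued by it
    that is flagged as revoked, and returns a CRL valid for one day.

    Returns:
        The signed CRL as PEM-encoded bytes.
    """
    ca = get_newest_ca()

    # cryptography treats naive datetimes as UTC. datetime.today() returns
    # local time, which shifts every CRL timestamp by the server's UTC offset
    # (a last_update in the future, or a next_update that expires early), so
    # take the time in UTC once and reuse it.
    now = datetime.datetime.utcnow()
    one_day = datetime.timedelta(days=1)

    # NOTE(review): the issuer name is built from the CA common name only.
    # If the CA certificate's subject carries other attributes, relying
    # parties may not match this CRL to the CA; confirm against the CA cert.
    builder = x509.CertificateRevocationListBuilder()
    builder = builder.issuer_name(x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, ca.common_name),
    ]))
    builder = builder.last_update(now)
    builder = builder.next_update(now + one_day)

    revoked_list = Certificate.objects.filter(
        issuer_serial_number=ca.serial_number,
        revoked=True,
    )
    for record in revoked_list:
        logger.debug("revoked serial_number: %s", record.serial_number)
        # NOTE(review): the revocation date is stamped with the build time on
        # every call rather than the time the certificate was revoked. If the
        # record stores its real revocation time, use that instead.
        entry = x509.RevokedCertificateBuilder().serial_number(
            int(record.serial_number)
        ).revocation_date(
            now
        ).build(default_backend())
        builder = builder.add_revoked_certificate(entry)

    crl = builder.sign(
        private_key=loadPEMKey(keyStorePath(ca.serial_number)),
        algorithm=hashes.SHA256(),
        backend=default_backend(),
    )
    return crl.public_bytes(serialization.Encoding.PEM)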