I have a Python script that looks for all x509 self-signed certificates in a directory, verifies them and writes information about them into the table (valid date, expiration date, subject, issuer). Is there any way to create a list of revoked .crl certificates using the pyOpenSSL library and revoke one of them? Or is it done only with the help of terminal commands and the os library?
I did not find such questions with the answer on the forum.
Reviewing your question, I noticed you say self-signed certificates. Revoking a self-signed certificate usually doesn't work. To revoke a self-signed certificates you have to include it in a CRL signed by the self-signed certificate itself. As revoking a certificate implies the certificate's key may be compromised, an attacker in possession of the key can easily generate a newer CRL that doesn't include the self-signed certificate. To solve that, you need a trusted third party to issue the CRLs. However, it's very hard to achieve.
I'll keep the example bellow, but it doesn't solve your problem.
--
Yes, it's possible to create a CRL using pyopenssl, you can see the example bellow (based on this example).
However, pyopenssl's CRL.set_nextUpdate function has a bug and doesn't set the specified date. So you have to wait the fix to really use it.
# -*- coding: latin-1 -*-
#
# Copyright (C) AB Strakt
# Copyright (C) Jean-Paul Calderone
# See LICENSE for details.
"""
Certificate generation module.
"""
from OpenSSL import crypto
TYPE_RSA = crypto.TYPE_RSA
TYPE_DSA = crypto.TYPE_DSA
def createKeyPair(type, bits):
"""
Create a public/private key pair.
Arguments: type - Key type, must be one of TYPE_RSA and TYPE_DSA
bits - Number of bits to use in the key
Returns: The public/private key pair in a PKey object
"""
pkey = crypto.PKey()
pkey.generate_key(type, bits)
return pkey
def createCertRequest(pkey, digest="sha256", **name):
"""
Create a certificate request.
Arguments: pkey - The key to associate with the request
digest - Digestion method to use for signing, default is md5
**name - The name of the subject of the request, possible
arguments are:
C - Country name
ST - State or province name
L - Locality name
O - Organization name
OU - Organizational unit name
CN - Common name
emailAddress - E-mail address
Returns: The certificate request in an X509Req object
"""
req = crypto.X509Req()
subj = req.get_subject()
for (key,value) in name.items():
setattr(subj, key, value)
req.set_pubkey(pkey)
req.sign(pkey, digest)
return req
def createCertificate(req, issuerCert, issuerKey, serial, notBefore, notAfter, digest="sha256"):
"""
Generate a certificate given a certificate request.
Arguments: req - Certificate reqeust to use
issuerCert - The certificate of the issuer
issuerKey - The private key of the issuer
serial - Serial number for the certificate
notBefore - Timestamp (relative to now) when the certificate
starts being valid
notAfter - Timestamp (relative to now) when the certificate
stops being valid
digest - Digest method to use for signing, default is md5
Returns: The signed certificate in an X509 object
"""
cert = crypto.X509()
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(notBefore)
cert.gmtime_adj_notAfter(notAfter)
cert.set_issuer(issuerCert.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(issuerKey, digest)
return cert
def createCrl(issuerCert, issuerKey, serial, lastUpdate, nextUpdate, revokedList, digest="sha256"):
"""
Generate a certificate revocation list (CRL).
Arguments: issuerCert - The certificate of the issuer
issuerKey - The private key of the issuer
serial - Serial number for the crl
lastUpdate - ASN1 timestamp ("YYYMMDDhhmmssZ") of the last crl update
nextUpdate - ASN1 timestamp ("YYYMMDDhhmmssZ") of the next crl update
revokedList - A list of Revoked objects.
digest - Digest method to use for signing, default is sha256
Returns: The signed crl in a CRL object
"""
crl = crypto.CRL()
crl.set_lastUpdate(lastUpdate)
crl.set_nextUpdate(nextUpdate) # BUG: this line doesn't set the next update
for revoked in revokedList:
crl.add_revoked(revoked)
crl.sign(issuerCert, issuerKey, digest)
return crl
# Creates a self signed certificate
pkey = createKeyPair(TYPE_RSA, 2048)
req = createCertRequest(pkey, "sha256", C="BR", CN="Teste")
cert = createCertificate(req, req, pkey, 1, 0, 60*60*24*365*5, "sha256")
# Creates the revoked objects
revoked1 = crypto.Revoked()
revoked1.set_serial(b"1") # certificate's serial number
revoked1.set_rev_date(b"20190601010101Z") # certificate's revocation date
revoked1.set_reason(b'keyCompromise') # certificate's revocation reason
revoked2 = crypto.Revoked()
revoked2.set_serial(b"2")
revoked2.set_rev_date(b"20190601010101Z")
revoked2.set_reason(None)
# Creates the CRL using the revoked objects
crl = createCrl(cert, pkey, 1, b"20190101010101Z", b"20190101010101Z", [revoked1, revoked2, ], b"sha256")
# Prints the CRL as PEM and TEXT
crl_pem = crypto.dump_crl(crypto.FILETYPE_PEM, crl)
print(crl_pem)
print()
crl_str = crypto.dump_crl(crypto.FILETYPE_TEXT, crl)
print(crl_str)