Update: replace hash symlink with CA bundle for certificate verification
47
simple-ca.py
47
simple-ca.py
@@ -33,32 +33,23 @@ def _err(msg):
|
||||
print(f"ERROR: {msg}", file=sys.stderr)
|
||||
|
||||
|
||||
def make_hash_link(cert_path):
|
||||
if not os.path.isfile(cert_path):
|
||||
_err(f"Certificate file {cert_path} does not exist.")
|
||||
return False
|
||||
|
||||
cert_dir = os.path.dirname(cert_path)
|
||||
try:
|
||||
result = subprocess.run(
|
||||
["openssl", "x509", "-in", cert_path, "-noout", "-hash"],
|
||||
capture_output=True, text=True, check=True,
|
||||
)
|
||||
except subprocess.CalledProcessError:
|
||||
_err(f"Failed to calculate hash for certificate {cert_path}.")
|
||||
return False
|
||||
|
||||
cert_hash = result.stdout.strip()
|
||||
if not cert_hash:
|
||||
_err(f"Failed to calculate hash for certificate {cert_path}.")
|
||||
return False
|
||||
|
||||
link_path = os.path.join(cert_dir, f"{cert_hash}.0")
|
||||
target = os.path.basename(cert_path)
|
||||
if os.path.islink(link_path) or os.path.exists(link_path):
|
||||
os.remove(link_path)
|
||||
os.symlink(target, link_path)
|
||||
return True
|
||||
def _rebuild_ca_bundle(ca_dir):
|
||||
"""Write ca_bundle.pem = root cert + any issuing CA certs in this dir."""
|
||||
bundle_path = os.path.join(ca_dir, "ca_bundle.pem")
|
||||
parts = []
|
||||
root = os.path.join(ca_dir, "ca_cert.pem")
|
||||
if os.path.isfile(root):
|
||||
with open(root, "rb") as f:
|
||||
parts.append(f.read())
|
||||
for name in sorted(os.listdir(ca_dir)):
|
||||
if name == "ca_cert.pem" or not name.endswith("_cert.pem"):
|
||||
continue
|
||||
path = os.path.join(ca_dir, name)
|
||||
if os.path.isfile(path):
|
||||
with open(path, "rb") as f:
|
||||
parts.append(f.read())
|
||||
with open(bundle_path, "wb") as f:
|
||||
f.write(b"".join(parts))
|
||||
|
||||
|
||||
def make_ca(ca_dir, ca_name, days=3650, issuing_ca=None, aia_base_url=None):
|
||||
@@ -119,7 +110,7 @@ def make_ca(ca_dir, ca_name, days=3650, issuing_ca=None, aia_base_url=None):
|
||||
_err("Failed to generate CA certificate and key.")
|
||||
return False
|
||||
|
||||
make_hash_link(root_ca_cert_path)
|
||||
_rebuild_ca_bundle(ca_dir)
|
||||
|
||||
if aia_base_url:
|
||||
with open(aia_file, "w") as f:
|
||||
@@ -157,7 +148,7 @@ def make_ca(ca_dir, ca_name, days=3650, issuing_ca=None, aia_base_url=None):
|
||||
_err("Failed to generate issuing CA certificate and key.")
|
||||
return False
|
||||
|
||||
make_hash_link(ca_cert_path)
|
||||
_rebuild_ca_bundle(ca_dir)
|
||||
|
||||
if aia_base_url:
|
||||
with open(aia_file, "w") as f:
|
||||
|
||||
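Review bot: In `_rebuild_ca_bundle` the files are concatenated exactly as read with `b"".join(parts)`, so a certificate file without a trailing newline fuses its `-----END CERTIFICATE-----` line with the next file's `-----BEGIN CERTIFICATE-----`, and every certificate after that point in `ca_bundle.pem` is unparsable to whatever verifies against it. The bundle is also written in place, so a reader that opens it during the write, or after an interrupted one, sees a truncated trust bundle; writing to a temporary file in the same directory and `os.replace`-ing it avoids that. Unlike the `make_hash_link` it replaces, the helper reports nothing when `ca_cert.pem` is absent and still writes a root-less bundle, which the two call sites in `make_ca` (second and third hunks) cannot notice. Because the bundle is presumably handed to the verifier as its CA file, the docstring should also state that every `*_cert.pem` in `ca_dir` is included, so nothing but CA certificates should be stored there under that suffix.
```python
def _rebuild_ca_bundle(ca_dir):
    """Write ca_bundle.pem = ca_cert.pem + every other *_cert.pem in ca_dir.

    Everything included here is presented to the verifier as trusted, so only
    CA certificates may be kept in ca_dir under the *_cert.pem suffix.
    Returns True on success, False (after _err) when the root cert is missing.
    """
    bundle_path = os.path.join(ca_dir, "ca_bundle.pem")
    parts = []
    root = os.path.join(ca_dir, "ca_cert.pem")
    if not os.path.isfile(root):
        _err(f"Root certificate {root} does not exist; ca_bundle.pem not written.")
        return False
    # … unchanged: read root and the sorted *_cert.pem files into parts …
    # Each PEM block must end with a newline or the next BEGIN line fuses with it.
    data = b"".join(p if p.endswith(b"\n") else p + b"\n" for p in parts)
    tmp_path = bundle_path + ".tmp"
    with open(tmp_path, "wb") as f:
        f.write(data)
    os.replace(tmp_path, bundle_path)  # readers never observe a partial bundle
    return True
```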