

fix crl deprecation
Signed-off-by: Alice Wasko <[email protected]>
Alice Wasko committed Nov 15, 2023

1 parent 63222e2 commit 0b0aea5
Showing 1 changed file with 37 additions and 20 deletions.
57 changes: 37 additions & 20 deletions python/tests/utils.py
@@ -7,7 +7,12 @@
from collections import namedtuple

import pytest
from OpenSSL import crypto
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from datetime import datetime

from ambassador import IR, Cache, Config, EnvoyConfig
from ambassador.compile import Compile
@@ -80,7 +85,7 @@ def default_http3_listener_manifest():
securityModel: XFP
hostBinding:
namespace:
from: ALL
from: ALL
"""


@@ -100,7 +105,7 @@ def default_udp_listener_manifest():
securityModel: XFP
hostBinding:
namespace:
from: ALL
from: ALL
"""


@@ -120,7 +125,7 @@ def default_tcp_listener_manifest():
securityModel: XFP
hostBinding:
namespace:
from: ALL
from: ALL
"""


@@ -342,24 +347,36 @@ def assert_valid_envoy_config(config_dict, extra_dirs=[]):


def create_crl_pem_b64(issuerCert, issuerKey, revokedCerts):
when = b"20220516010101Z"
crl = crypto.CRL()
crl.set_lastUpdate(when)
when = datetime(2022, 5, 16, 1, 1, 1)
issuer_cert = x509.load_pem_x509_certificate(bytes(issuerCert, "utf-8"), default_backend())
issuer_key = serialization.load_pem_private_key(
bytes(issuerKey, "utf-8"), password=None, backend=default_backend()
)

revoked_cert_objects = []
for revokedCert in revokedCerts:
clientCert = crypto.load_certificate(crypto.FILETYPE_PEM, bytes(revokedCert, "utf-8"))
r = crypto.Revoked()
r.set_serial(bytes("{:x}".format(clientCert.get_serial_number()), "ascii"))
r.set_rev_date(when)
r.set_reason(None)
crl.add_revoked(r)

cert = crypto.load_certificate(crypto.FILETYPE_PEM, bytes(issuerCert, "utf-8"))
key = crypto.load_privatekey(crypto.FILETYPE_PEM, bytes(issuerKey, "utf-8"))
crl.sign(cert, key, b"sha256")
return b64encode(
(crypto.dump_crl(crypto.FILETYPE_PEM, crl).decode("utf-8") + "\n").encode("utf-8")
).decode("utf-8")
revoked_cert = x509.load_pem_x509_certificate(
bytes(revokedCert, "utf-8"), default_backend()
)
revoked_cert_objects.append(revoked_cert)

builder = x509.CertificateRevocationListBuilder()
builder = builder.issuer_name(issuer_cert.issuer)
builder = builder.last_update(when)
builder = builder.next_update(when)

for revoked_cert in revoked_cert_objects:
builder = builder.add_revoked_certificate(
x509.RevokedCertificateBuilder()
.serial_number(revoked_cert.serial_number)
.revocation_date(when)
.build()
)

crl = builder.sign(private_key=issuer_key, algorithm=hashes.SHA256(), backend=default_backend())

crl_pem = crl.public_bytes(serialization.Encoding.PEM)
return crl_pem.decode("utf-8")


def skip_edgestack():
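Review bot: `builder = builder.issuer_name(issuer_cert.issuer)` in the create_crl_pem_b64 hunk puts the CA certificate's own issuer into the CRL's issuer field, whereas the pyOpenSSL `crl.sign(cert, key, b"sha256")` call it replaces took the CRL issuer from the signing certificate's subject; with a non-self-signed issuer the new CRL no longer names the CA that signed it and a verifier will not match it to that CA, so the line should read `builder = builder.issuer_name(issuer_cert.subject)` (for a self-signed issuer the two coincide, which is presumably why the existing tests still pass). The return value also changed shape: the removed code base64-encoded the PEM plus a trailing newline (hence `_pem_b64` in the name), while `return crl_pem.decode("utf-8")` now returns raw PEM, and no caller is touched in this one-file commit, so either restore `return b64encode(crl_pem).decode("utf-8")` or rename the helper and its callers. `builder.next_update(when)` equal to `last_update(when)` yields a CRL that is stale from the moment it is created, which a consumer enforcing nextUpdate may reject; something like `builder = builder.next_update(when + timedelta(days=3650))` with `timedelta` added to the `from datetime import datetime` line is safer. The `backend=default_backend()` arguments are ignored by current cryptography releases and can be dropped along with the import.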
