CRL - certificate revocation

Asked by Deni Bertovic

I've looked through the docs but I can't seem to find a way to revoke a given certificate.

This does not appear to work, in the sense that it messes up the crl.pem file and nothing works any more.

from OpenSSL import crypto

# settings and log are module-level objects of the calling application
def revoke_certificates(certificates):
    # load the CA certificate and its private key
    try:
        with open(settings.CERT_CA_FILE) as ca_file:
            ca = crypto.load_certificate(crypto.FILETYPE_PEM, ca_file.read())
        with open(settings.CERT_CA_KEY_FILE) as ca_key_file:
            ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_file.read())
    except IOError as e:
        log.error(e)
        raise

    # load the existing CRL and add one Revoked entry per certificate
    with open(settings.CERT_REVOKE_FILE, 'r') as f:
        crl = crypto.load_crl(crypto.FILETYPE_PEM, f.read())
        for cert in certificates:
            x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
            revoked = crypto.Revoked()
            revoked.set_serial(str(x509.get_serial_number()))
            crl.add_revoked(revoked)
        # sign the updated CRL with the CA key and get its PEM text
        crl_text = crl.export(ca, ca_key)
    # opened in append mode, so the new CRL is written after the existing contents
    with open(settings.CERT_REVOKE_FILE, 'a') as f:
        f.write(crl_text)

What am I doing wrong?
Does anyone have an example you could point me to?

Question information

Language: English
Status: Solved
For: pyOpenSSL
Assignee: No assignee
Solved by: Deni Bertovic
Shane Hansen (shanemhansen) said :
#1

The datatypes for X509.get_serial_number and Revoked.set_serial are different. Revoked expects a hex string.
http://pythonhosted.org/pyOpenSSL/revoked.html

X509 works with integers.
http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/view/head:/OpenSSL/crypto/x509.c#L62

str() is not the proper way to convert between hex and integers. You probably want to use the hex() function. However, you have to strip off the leading '0x'. So the example would be:

revoked.set_serial(hex(x509.get_serial_number())[2:])
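As an added illustration (not code from the question or the answer), the following standard-library Python shows why passing str(serial) to a hex-string API silently revokes the wrong certificate, and how the int-to-hex conversion should be done; parse_hex_serial, is_revoked and simulate_revocation are constructed stand-ins for loading a CRL and reading the serials of its Revoked entries, not pyOpenSSL calls.

```python
"""Serial-number handling for CRL entries.

Revoked.set_serial() takes the serial as a string of hex digits (no '0x'),
while X509.get_serial_number() returns an int.  Passing str(serial) therefore
puts a *different* serial in the CRL: the decimal digits are read as hex, so
the certificate the operator believes revoked stays valid.
"""


def serial_to_hex(serial: int) -> str:
    """Encode an integer serial as bare hex digits for set_serial().

    format() is used instead of hex()[2:] so that a Python 2 long does not
    leave a trailing 'L'; the result is zero-padded to an even number of
    digits, the way OpenSSL itself prints serials.
    """
    if serial < 0:
        raise ValueError("X.509 serial numbers are non-negative")
    digits = format(serial, "X")
    return digits if len(digits) % 2 == 0 else "0" + digits


def parse_hex_serial(text: str) -> int:
    """Parse a CRL entry's serial as OpenSSL's BN_hex2bn would: hex digits of
    either case, leading zeros ignored, no '0x' prefix.  Constructed stand-in
    for what the CRL stores internally."""
    text = text.strip()
    if text.lower().startswith("0x"):
        raise ValueError("serial must be bare hex digits, got %r" % text)
    return int(text, 16)


def revoked_by_str(serial: int) -> int:
    """The serial that the question's str() version actually places in the CRL."""
    return parse_hex_serial(str(serial))


def is_revoked(crl_entries, cert_serial: int) -> bool:
    """True if a certificate with cert_serial appears in the CRL's entries
    (hex strings, as Revoked.get_serial() would return them)."""
    return any(parse_hex_serial(entry) == cert_serial for entry in crl_entries)


def simulate_revocation(serial: int, encode) -> bool:
    """Add one entry encoded with `encode` to an empty CRL, then check whether
    the certificate that was supposed to be revoked is really listed."""
    return is_revoked([encode(serial)], serial)


if __name__ == "__main__":
    # Constructed serials: note that the str() bug hides for single-digit ones.
    for serial in (7, 10, 1234, 0x9F3A1C00DEADBEEF):
        print("serial %d: str() -> revoked %s, hex -> revoked %s" % (
            serial, simulate_revocation(serial, str),
            simulate_revocation(serial, serial_to_hex)))
```

The single-digit case shows why a quick test with a tiny serial can pass while every real certificate (whose serial is far longer) remains unrevoked.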

Deni Bertovic (denibertovic) said :
#2

Awesome. Shane, thank you so much.