feat(RELEASE-2031): Advanced certificate check script #671
midnightercz wants to merge 2 commits into main from
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
Hey, could you please update the commit and the PR title with the Jira?
c039f58 to 4963dea
Yeah, I hesitated, as this one is not that much relevant to the JIRA where it came from. But I guess it doesn't matter that much, and eventually one can find the original reason why this was implemented.
4f611dc to 5ca6dd7
Supports expiration, key-cert mismatch check, revocation check

Assisted-by: Claude
Signed-off-by: Jindrich Luza <jluza@redhat.com>
5ca6dd7 to eeb8703
It would be nice if there was some description at the top explaining what this script is and what it can do, and also some examples of usage.
| # with open(ca_path, "rb") as f: | ||
| # ca_cert = load_cert(ca_path) |
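Review bot: the commented-out `with open(ca_path, "rb")` / `ca_cert = load_cert(ca_path)` pair is dead code, and once it is gone nothing in the script reads the CA certificate at all. Either delete both lines together with the `--ca` option they were meant to serve, or restore the `load_cert(ca_path)` call (without the `with open` wrapper, since load_cert takes a path) and actually verify the leaf against that CA; otherwise a caller passing `--ca` gets no chain validation while believing it was done.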
A remnant from testing? Should this be removed?
| # If your key has a password, provide it in 'password=' | ||
| private_key = serialization.load_pem_private_key(key_data, password=None) | ||
| # 3. Check if they match | ||
| # We compare the public key derived from the cert vs the one from the private key |
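Review bot: `serialization.load_pem_private_key(key_data, password=None)` raises TypeError when the key file is encrypted, and the comment only tells the reader to edit the source. Catch that case and print a clear message, or take the passphrase from an environment variable or an interactive prompt rather than a command-line flag, so it does not land in shell history or the process list. For the match step, compare the serialized public keys (`cert.public_key().public_bytes(...)` against `private_key.public_key().public_bytes(...)` with the same encoding and format) rather than the key objects themselves, which works across cryptography versions.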
When I see "check cert", I assume it only works with certs. But this will definitely need the private key as well, right? Would it make sense to call this script check-key-cert or something similar then?
It needs the private key if you want to check the cert+key mismatch. I'll put a description at the top with examples and how it works, for more clarity.
| "Accept": "application/ocsp-response", | ||
| } | ||
|
|
||
| response = requests.post(ocsp_url, data=ocsp_request_bytes, headers=headers) |
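Review bot: the `requests.post(...)` call has no `timeout=`, so a stalled responder hangs the script indefinitely; pass one (e.g. `timeout=10`) and handle `requests.RequestException`. A transport or HTTP error must be reported as an undetermined revocation status that fails the check, never silently treated as "not revoked". If it is not already set above the `Accept` header shown, add `Content-Type: application/ocsp-request`, which RFC 6960 requires for a POSTed request, and before trusting the returned `certificate_status` confirm the response's `response_status` is SUCCESSFUL and its signature verifies under the issuer (or its delegated responder) key.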
We should probably add a timeout here?
| # if issuer and CA was provided, we can also check OCSP status (revocation) | ||
|
|
||
| with open(issuer_path, "rb") as f: | ||
| issuer_cert = load_cert(issuer_path) |
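Review bot: the comment says "if issuer and CA was provided" but the code shown only loads `issuer_path`; align the comment with what is actually checked. Before building the OCSP request, confirm that the loaded `issuer_cert` really issued the leaf (its subject matches the leaf's issuer and the leaf's signature verifies under its public key); with a wrong `--issuer` the responder will answer `unauthorized` or `unknown`, and the script should report that as a failed check rather than a pass.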
f is never used; load_cert() reopens the file by path. So do we need the with open?
| ) | ||
| parser.add_argument("--key", help="Path to the private key file (PEM format)") | ||
| parser.add_argument("--issuer", help="Path to the issuer certificate file (PEM format)") | ||
| parser.add_argument("--ca", help="Path to the CA certificate file (PEM format)") |
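Review bot: `--ca` is parsed but never consumed; an accepted-but-ignored option is worse than none, because a caller assumes chain validation happened. Either drop it or wire it in (verify that the leaf, and the `--issuer` certificate, chain to the CA). The help text for `--key` should also say it is only needed for the key/cert match check, and `--issuer` only for the revocation check, so users know which inputs drive which checks.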
args.ca is never used anywhere
| ) | ||
| print(cert_info_result) | ||
| if is_valid: | ||
| print("Certification check succesfull", file=sys.stderr) |
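Review bot: typo "succesfull" in the message, and "Certification check" should read "Certificate check". Sending the status line to stderr while `cert_info_result` goes to stdout is fine for scripting, but make sure the process exit status also follows `is_valid` (non-zero on failure) so CI or cron callers do not have to parse text.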