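def validate_certificate_key_usage(cert_pem_data: bytes, is_web_server: bool, is_web_client: bool) -> None:
    """Reject a PEM certificate whose key-usage extensions do not cover its role.

    Parses ``cert_pem_data`` and requires the Key Usage extension to be
    present with both ``digitalSignature`` and ``keyEncipherment`` set. When
    ``is_web_server`` and/or ``is_web_client`` is true, the Extended Key Usage
    extension must also be present and list ``serverAuth`` and/or
    ``clientAuth`` respectively.

    Args:
        cert_pem_data: PEM-encoded certificate.
        is_web_server: require the ``serverAuth`` extended key usage.
        is_web_client: require the ``clientAuth`` extended key usage.

    Returns:
        None. Returning normally means every required usage was present.

    Raises:
        InvalidCertificate: a required extension is absent, or a required
            usage bit / purpose is not set.

    Parser errors from ``load_pem_x509_certificate`` (malformed PEM) are not
    caught here and propagate to the caller unchanged.

    Scope: this checks usage bits only. It does not verify the signature,
    chain, validity period, revocation status or subject name; callers must
    do that separately.

    NOTE(review): requiring ``keyEncipherment`` unconditionally rejects
    certificates whose key cannot encipher (ECDSA/EdDSA leaf certificates
    carry ``digitalSignature``/``keyAgreement`` instead), and the bit is not
    used by TLS 1.3 at all. Relax it deliberately if such certificates are
    expected. ``anyExtendedKeyUsage`` is likewise not accepted as a
    substitute for ``serverAuth``/``clientAuth``; that is the stricter
    reading of RFC 5280 and is kept as-is.
    """
    # The backend argument is ignored by current cryptography releases but
    # is harmless; kept for compatibility with the rest of this module.
    cert = x509.load_pem_x509_certificate(cert_pem_data, default_backend())

    try:
        key_usage = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
    except x509.extensions.ExtensionNotFound as exc:
        # Chain the cause so the library error is still visible in tracebacks.
        raise InvalidCertificate("Key usage not specified") from exc
    if not key_usage.digital_signature:
        raise InvalidCertificate("Not intended for Digital Signature")
    if not key_usage.key_encipherment:
        raise InvalidCertificate("Not intended for Key Encipherment")

    # EKU is only consulted when a TLS role is requested; certificates used
    # for other purposes are allowed to omit the extension entirely.
    if not (is_web_server or is_web_client):
        return

    try:
        extended_key_usage = cert.extensions.get_extension_for_oid(
            ExtensionOID.EXTENDED_KEY_USAGE
        ).value
    except x509.extensions.ExtensionNotFound as exc:
        raise InvalidCertificate("Extended key usage not specified") from exc
    if is_web_server and ExtendedKeyUsageOID.SERVER_AUTH not in extended_key_usage:
        raise InvalidCertificate("Not intended for TLS Web Server Authentication")
    if is_web_client and ExtendedKeyUsageOID.CLIENT_AUTH not in extended_key_usage:
        raise InvalidCertificate("Not intended for TLS Web Client Authentication")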