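def update_crl(crl_file, revoked_certs, ca_crt, pkey):
    """Re-issue the PEM CRL stored at ``crl_file`` with extra revocations.

    The existing CRL is loaded, a new CRL is built that lists every entry of
    the old one plus one entry per certificate in ``revoked_certs``, the
    result is signed with SHA-256 and written back over ``crl_file``.

    Args:
        crl_file: Path of an existing PEM-encoded CRL. It is read first and
            overwritten with the new CRL at the end.
        revoked_certs: Iterable of certificates to revoke; only their
            ``serial`` attribute is read.
        ca_crt: Issuing CA certificate; its ``subject`` becomes the CRL
            issuer name.
        pkey: Private key used to sign the new CRL.

    Returns:
        The newly signed CRL object.
    """
    with open(crl_file, 'rb') as f:
        old_crl = x509.load_pem_x509_crl(
            data=f.read(),
            backend=default_backend()
        )
    # NOTE(review): the old CRL's signature is not checked before its entries
    # are carried over and re-signed. If crl_file can be modified by anyone
    # other than the CA, a tampered list (e.g. with entries dropped) would be
    # legitimised here. Consider verifying it against ca_crt's public key
    # first; confirm which verification API the pinned cryptography version
    # offers.

    # One timestamp for the whole run, so last_update, next_update and the
    # new revocation dates are mutually consistent.
    now = datetime.datetime.utcnow()

    # NOTE(review): relying parties may treat a CRL as current until
    # next_update. A ten-year window lets a cached copy mask later
    # revocations for that long; a short window with scheduled re-issuance
    # is the safer policy. Value kept as-is to preserve existing behaviour.
    crl = x509.CertificateRevocationListBuilder().issuer_name(
        ca_crt.subject
    ).last_update(
        now
    ).next_update(
        now + datetime.timedelta(days=365 * 10)
    )

    old_entries = list(old_crl)
    # Serials already listed. A certificate that is already revoked keeps its
    # original entry (and original revocation date) instead of gaining a
    # second, later-dated duplicate.
    seen_serials = {entry.serial_number for entry in old_entries}

    for cert in revoked_certs:
        # NOTE(review): `serial` is the deprecated spelling of
        # `serial_number` in cryptography; confirm against the pinned version.
        serial = cert.serial
        if serial in seen_serials:
            continue
        seen_serials.add(serial)
        crl = crl.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(
                serial
            ).revocation_date(
                now
            ).build(
                default_backend()
            )
        )
    for entry in old_entries:
        crl = crl.add_revoked_certificate(entry)

    crl = crl.sign(
        private_key=pkey,
        algorithm=hashes.SHA256(),
        backend=default_backend()
    )
    # Serialise before opening the file for writing: opening with 'wb'
    # truncates it, so a failure during encoding must not leave an empty CRL.
    pem = crl.public_bytes(  # pylint: disable=no-member
        encoding=serialization.Encoding.PEM,
    )
    with open(crl_file, 'wb') as f:
        f.write(pem)
    return crl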