utils.py source code

python

Project: RKSV  Author: ztp-at
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa


def verifyCert(cert, signCert):
    """
    Verifies that a certificate has been signed with another. Note that this
    function only verifies the cryptographic signature and is probably wrong and
    dangerous. Do not use it to verify certificates. This function only supports
    ECDSA and RSA+PKCS1 signatures, all other signature types will fail.
    :param cert: The certificate whose signature we want to verify as a
    cryptography certificate object.
    :param signCert: The certificate that was used to sign the first certificate
    as a cryptography certificate object.
    :return: True if the signature is a valid ECDSA or RSA+PKCS1 signature,
    False otherwise.
    """
    # FIXME: This is very likely wrong and we should find a better way to verify certs.
    halg = cert.signature_hash_algorithm
    sig = cert.signature
    data = cert.tbs_certificate_bytes

    pubKey = signCert.public_key()
    try:
        # We only support ECDSA and RSA+PKCS1.
        # verify() replaces the verifier() context API, which was deprecated
        # in cryptography 2.0 and later removed.
        if isinstance(pubKey, ec.EllipticCurvePublicKey):
            pubKey.verify(sig, data, ec.ECDSA(halg))
        elif isinstance(pubKey, rsa.RSAPublicKey):
            pubKey.verify(sig, data, padding.PKCS1v15(), halg)
        else:
            return False
        return True
    except InvalidSignature:
        return False