import logging
import subprocess
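def query_crlite(pem_cert: bytes, *, timeout: "float | None" = None) -> bool:
    """Check whether a PEM encoded certificate is revoked according to Mozilla's CRLite.

    Shells out to ``moz_crlite_query`` (https://github.com/mozilla/moz_crlite_query),
    which must be on PATH. The tool keeps its revocation DB under ``~/.crlite_db``
    and refreshes it when needed, so a single call may perform network I/O and
    take a while; pass ``timeout`` to bound that.

    The check fails closed: any outcome other than an explicit "Revoked" or
    "Valid" verdict in the tool's output raises instead of returning ``False``.

    :param bytes pem_cert: A PEM encoded X.509 certificate. PEM is ASCII by
        definition; empty or non-ASCII input is rejected.
    :param float | None timeout: Seconds to wait for ``moz_crlite_query``
        before giving up. ``None`` (the default) waits indefinitely.
    :return: True if cert is revoked, else False.
    :rtype: bool
    :raises ValueError: if revocation status can't be checked (empty or
        non-ASCII input, issuer not enrolled in CRLite, tool timed out, or
        the tool's output was not recognised).
    :raises OSError: if ``moz_crlite_query`` cannot be executed (e.g. it is
        not installed).
    """
    # Don't spawn a process for nothing; an empty cert can never be checked.
    if not pem_cert:
        raise ValueError("Cert revocation status could not be checked: empty certificate")
    # PEM is ASCII; a UnicodeDecodeError here is a ValueError, which matches the contract.
    pem_text = pem_cert.decode("ascii")
    try:
        completed = subprocess.run(
            ["moz_crlite_query", "-"],  # "-" reads the cert from stdin; argv list, no shell
            input=pem_text,
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired as err:
        # Keep the documented exception type for callers that catch ValueError.
        raise ValueError("Cert revocation status could not be checked: moz_crlite_query timed out") from err
    # moz_crlite_query prints everything but results to stderr.
    # Logging at debug level for now to monitor updates to DB.
    logger = logging.getLogger(__name__)
    logger.debug("moz_crlite_query exited %d: %s", completed.returncode, completed.stderr)
    # NOTE(review): the exit status is not used to decide the verdict, only logged;
    # confirm how moz_crlite_query signals failure before failing on a non-zero exit.
    # Verdict parsing is substring matching on the tool's human-readable stdout,
    # so the order of these checks is significant.
    stdout = completed.stdout
    if "Revoked" in stdout:
        return True
    if "Valid" in stdout:
        return False
    if "Not Enrolled" in stdout:
        raise ValueError("Cert issuer not enrolled in CRLite")
    raise ValueError("Cert revocation status could not be checked")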