|
8 | 8 | from cryptography import x509 |
9 | 9 | from cryptography.hazmat.backends import default_backend |
10 | 10 | from cryptography.hazmat.primitives import hashes, serialization |
11 | | -from cryptography.hazmat.primitives.asymmetric import rsa |
| 11 | +from cryptography.hazmat.primitives.asymmetric import dh, dsa, ec, rsa |
12 | 12 | from cryptography.x509 import load_pem_x509_certificate |
13 | 13 | from cryptography.x509.oid import NameOID |
14 | 14 |
|
@@ -126,13 +126,33 @@ def create_ca_trust_store( |
126 | 126 | private_key = serialization.load_pem_private_key( |
127 | 127 | private_key_data, password=None, backend=default_backend() |
128 | 128 | ) |
129 | | - # Check the public/private key match |
130 | | - if ( |
131 | | - private_key.public_key().public_numbers() |
132 | | - != public_cert.public_key().public_numbers() |
| 129 | + private_pub = private_key.public_key() |
| 130 | + cert_pub = public_cert.public_key() |
| 131 | + |
| 132 | + if isinstance( |
| 133 | + private_pub, |
| 134 | + ( |
| 135 | + rsa.RSAPublicKey, |
| 136 | + dsa.DSAPublicKey, |
| 137 | + ec.EllipticCurvePublicKey, |
| 138 | + dh.DHPublicKey, |
| 139 | + ), |
| 140 | + ) and isinstance( |
| 141 | + cert_pub, |
| 142 | + ( |
| 143 | + rsa.RSAPublicKey, |
| 144 | + dsa.DSAPublicKey, |
| 145 | + ec.EllipticCurvePublicKey, |
| 146 | + dh.DHPublicKey, |
| 147 | + ), |
133 | 148 | ): |
134 | | - raise ValueError( |
135 | | - "Public certificate does not match the private key." |
| 149 | + if private_pub.public_numbers() != cert_pub.public_numbers(): |
| 150 | + raise ValueError( |
| 151 | + "Public certificate does not match the private key." |
| 152 | + ) |
| 153 | + else: |
| 154 | + logger.warning( |
| 155 | + "Key type does not support public_numbers(). Skipping strict public key match." |
136 | 156 | ) |
137 | 157 |
|
138 | 158 | # Step 4: Add the public certificate to the new trust store |
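Review bot: The new `else` branch (new lines 153–155) fails open: any key type outside the four-tuple — Ed25519/Ed448 in particular, which have no `public_numbers()` — skips the match check and the mismatched certificate/key pair is still written into the trust store with only a warning. The check can be made uniform instead of type-gated by comparing the DER-encoded SubjectPublicKeyInfo via `public_bytes()`, which every public key type in `cryptography` supports, so the `isinstance` gate, the `else` branch and the new `dh`/`dsa` imports become unnecessary; `serialization` is already imported. This assumes `logger` is a module-level logger defined outside the hunk. `create_ca_trust_store` begins and ends outside this hunk, so the surrounding steps were not reviewed.
```python
private_pub = private_key.public_key()
cert_pub = public_cert.public_key()

# Compare the DER SubjectPublicKeyInfo rather than public_numbers(): it is
# defined for every key type (including Ed25519/Ed448), so no key type can
# fall through to a warn-and-continue path.
spki = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
if private_pub.public_bytes(*spki) != cert_pub.public_bytes(*spki):
    raise ValueError(
        "Public certificate does not match the private key."
    )
# … unchanged: Step 4, add the public certificate to the new trust store …
```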
|