Fix validation for DER files

.gitignore

@@ -167,4 +167,5 @@ certs/
 *.key
 *.csr
 *.der
+*.cer
 .vscode

README.md

@@ -8,20 +8,32 @@ This library provides some useful functions for working with IEEE 2030.5 (SEP2).
 pip install sep2tools
 ```
 
-## Certificate Usage
+## Certificate Creation
 
-Create a SERCA, and MICA .
+
+Note the below CLI commands are only approproiate for testing purposes.
+For production certificates, use the actual functions to set appropriate policies and settings.
+
+
+Create a SERCA, and a MICA.
 
 ```sh
 python -m sep2tools create-serca
 python -m sep2tools create-mica certs/serca.pem certs/serca.key
 ```
 
-To create a device certificate, first create a key and CSR.
+To create a device certificate, first create a Key and CSR.
 And then sign using the MICA.
 
 ```sh
 python -m sep2tools create-key --key-file certs/dev-ABC.key
 python -m sep2tools create-cert certs/dev-ABC.csr certs/mica.pem certs/mica.key --pen 12345 --serno ABC
+```
+
+## Certificate Inspection
+
+Get the LFDI for a certificate. It will also do some validation checks.
+
+```sh
 python -m sep2tools cert-lfdi certs/dev-ABC-cert.pem
 ```

sep2tools/cert_create.py

@@ -99,7 +99,7 @@ def convert_pem_to_der(pem_file: Path, der_file: Path | None = None) -> Path:
     der_data = cert.public_bytes(encoding=serialization.Encoding.DER)
 
     if not der_file:
-        der_file = pem_file.with_suffix(".der")
+        der_file = pem_file.with_suffix(".cer")
     with open(der_file, "wb") as fh:
         fh.write(der_data)
         log.info("Created %s from %s", der_file, pem_file)

sep2tools/cert_validate.py

@@ -3,17 +3,30 @@
 from pathlib import Path
 
 from cryptography import x509
+from cryptography.x509 import Certificate
+
+from .cert_id import is_pem_certificate
 
 log = logging.getLogger(__name__)
 INDEF_EXPIRY = datetime(9999, 12, 31, 23, 59, 59, 0)  # As per standard
 
 
+def load_certificate(cert_path: Path) -> Certificate:
+    if not cert_path.exists():
+        raise ValueError(f"Cert not found at {cert_path}")
+    with open(cert_path, "rb") as pem_file:
+        cert_data = pem_file.read()
+    if is_pem_certificate(cert_path):
+        cert = x509.load_pem_x509_certificate(cert_data)
+    else:
+        cert = x509.load_der_x509_certificate(cert_data)
+    return cert
+
+
 def get_pem_certificate_policy_oids(cert_path: Path) -> list[str]:
     """Load X.509 DER Certificate in PEM format and return Policy OIDs"""
 
-    with open(cert_path, "rb") as pem_file:
-        cert_data = pem_file.read()
-    cert = x509.load_pem_x509_certificate(cert_data)
+    cert = load_certificate(cert_path)
 
     oids = []
     cert_policies = cert.extensions.get_extension_for_oid(
@@ -28,14 +41,8 @@ def get_pem_certificate_policy_oids(cert_path: Path) -> list[str]:
 def validate_pem_certificate(cert_path: Path) -> bool:
     """Load X.509 DER Certificate in PEM format and validate"""
 
-    if not cert_path.exists():
-        raise ValueError(f"Cert not found at {cert_path}")
-
-    with open(cert_path, "rb") as pem_file:
-        cert_data = pem_file.read()
-
+    cert = load_certificate(cert_path)
     valid = True
-    cert = x509.load_pem_x509_certificate(cert_data)
 
     # Check the validity period
     current_time = datetime.utcnow()

sep2tools/version.py

@@ -1 +1 @@
-__version__ = "0.2.0"
+__version__ = "0.2.1"