add tiered auto-expiry based on auth level

2025-12-21 21:55:30 +01:00
parent 3fe631f6b9
commit e8a99d5bdd
4 changed files with 68 additions and 10 deletions
--- a/app/pki.py
+++ b/app/pki.py
@@ -1061,6 +1061,30 @@ def is_admin_certificate(fingerprint: str) -> bool:
    return bool(row and row["is_admin"])


+def is_trusted_certificate(fingerprint: str) -> bool:
+    """Check if a certificate is trusted (registered in PKI system).
+
+    Trusted certificates are those issued by our PKI system and still valid.
+    External certificates (valid for auth but not issued by us) are not trusted.
+
+    Args:
+        fingerprint: SHA1 fingerprint of the certificate
+
+    Returns:
+        True if the certificate is registered and valid in our PKI
+    """
+    from app.database import get_db
+
+    db = get_db()
+    row = db.execute(
+        """SELECT status FROM issued_certificates
+           WHERE fingerprint_sha1 = ? AND status = 'valid'""",
+        (fingerprint,),
+    ).fetchone()
+
+    return row is not None
+
+
 def revoke_certificate(serial: str) -> bool:
    """Revoke a certificate by serial number.