Commit f907890c authored by Vincent Pelletier's avatar Vincent Pelletier

cli.updater: Ignore unverifiable CRLs for next deadline computation.

If an unverifiable CRL is present (ex: its CA expired), then it can be
ignored in the computation of the next wake-up time.
Also, factorise it with the similar code in client.CaucaseClient.updateCRLFile.
parent 2d147239
...@@ -929,13 +929,13 @@ def updater(argv=None, until=utils.until): ...@@ -929,13 +929,13 @@ def updater(argv=None, until=utils.until):
if RetryingCaucaseClient.updateCRLFile(ca_url, args.crl, ca_crt_list): if RetryingCaucaseClient.updateCRLFile(ca_url, args.crl, ca_crt_list):
print('Got new CRL') print('Got new CRL')
updated = True updated = True
for crl_pem in utils.getCRLList(args.crl): for _, crl in utils.iter_valid_crl_list(
crl_pem_list=utils.getCRLList(args.crl),
trusted_cert_list=ca_crt_list,
):
next_deadline = min( next_deadline = min(
next_deadline, next_deadline,
utils.load_crl( crl.next_update - crl_threshold,
crl_pem,
ca_crt_list,
).next_update - crl_threshold,
) )
if args.crt: if args.crt:
crt_pem, key_pem, key_path = utils.getKeyPair(args.crt, args.key) crt_pem, key_pem, key_path = utils.getKeyPair(args.crt, args.key)
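Review bot: The new `for _, crl in utils.iter_valid_crl_list(...)` loop silently drops every CRL that no longer verifies against `ca_crt_list`, and nothing in the hunk records which ones were dropped, so an operator cannot tell from the updater's output that revocation data stopped being honoured. Since the commit deliberately ignores such CRLs only for scheduling, a comment above the loop stating that intent would keep the next reader from "fixing" it, e.g. `# CRLs that cannot be verified (ex: their CA expired) cannot drive a refresh, so they do not influence next_deadline.` If the updater has a logger in scope (not visible here), a warning per skipped CRL would be worth adding in the same spot. `updater` begins and ends outside this hunk, so the initial value of `next_deadline` and what happens when every CRL is skipped could not be checked.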
...@@ -135,15 +135,13 @@ class CaucaseClient(object): ...@@ -135,15 +135,13 @@ class CaucaseClient(object):
Return whether an update happened. Return whether an update happened.
""" """
def _asCRLDict(crl_pem_list): def _asCRLDict(crl_pem_list):
result = {} return {
for crl_pem in crl_pem_list: utils.getAuthorityKeyIdentifier(crl): crl_pem
try: for crl_pem, crl in utils.iter_valid_crl_list(
crl = utils.load_crl(crl_pem, ca_list) crl_pem_list=crl_pem_list,
except cryptography.exceptions.InvalidSignature: trusted_cert_list=ca_list,
continue )
else: }
result[utils.getAuthorityKeyIdentifier(crl)] = crl_pem
return result
local_crl_list = utils.getCRLList(crl_path) local_crl_list = utils.getCRLList(crl_path)
try: try:
local_crl_dict = _asCRLDict(crl_pem_list=local_crl_list) local_crl_dict = _asCRLDict(crl_pem_list=local_crl_list)
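Review bot: `_asCRLDict` has no docstring, and its new dict-comprehension form makes two non-obvious properties easy to miss: CRLs that fail verification against `ca_list` are omitted from the result, and when two verified CRLs share an authority key identifier the later PEM silently replaces the earlier one (the old `result[...] = crl_pem` loop behaved the same way, so this is not a regression). A one-line docstring such as `"""Map authority key identifier -> PEM for each CRL verifiable against ca_list; unverifiable CRLs are dropped."""` would document both. The enclosing `updateCRLFile` starts before and continues past this hunk, so the `try` opened at the last visible line could not be reviewed.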
...@@ -591,6 +591,22 @@ def load_crl(data, trusted_cert_list): ...@@ -591,6 +591,22 @@ def load_crl(data, trusted_cert_list):
return crl return crl
raise cryptography.exceptions.InvalidSignature raise cryptography.exceptions.InvalidSignature
def iter_valid_crl_list(crl_pem_list, trusted_cert_list):
"""
Load multiple certificate revocation lists from a list of PEM-encoded values.
Yields the PEM-encoded value along with the loaded CRL.
Skips items failing to load.
"""
for crl_pem in crl_pem_list:
try:
crl = load_crl(crl_pem, trusted_cert_list)
except cryptography.exceptions.InvalidSignature:
continue
else:
yield (crl_pem, crl)
def _getAuthorityKeyIdentifier(cert): def _getAuthorityKeyIdentifier(cert):
return cert.extensions.get_extension_for_class( return cert.extensions.get_extension_for_class(
x509.AuthorityKeyIdentifier, x509.AuthorityKeyIdentifier,
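Review bot: The docstring of `iter_valid_crl_list` says it "Skips items failing to load", but the `except` clause only swallows `cryptography.exceptions.InvalidSignature`; any other error raised by `load_crl` (presumably a parse error on a malformed PEM, though `load_crl`'s body is outside the hunk) propagates to the caller. The docstring should describe the actual contract: that it yields `(crl_pem, crl)` for each CRL whose signature verifies against `trusted_cert_list`, skips only CRLs whose signature cannot be verified, and lets other loading errors propagate. Because a skipped CRL means its revocations are no longer enforced by whatever the caller does with the result, the docstring should also make clear that callers are responsible for deciding whether silently dropping such CRLs is acceptable in their context. On this rendering the new function appears without the two blank lines PEP 8 expects between top-level definitions; if that is not a display artifact it should be fixed.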