Ignore bad signature certificates with message

When list of signature certificates is processed any of them can result with not using a cache while download, which is bad situation. Just ignore bad certificates while checking the list, so any other good ones can be used. /reviewed-on nexedi/slapos.libnetworkcache!4

Ignore bad signature certificates with message
When list of signature certificates is processed any of them can result with not using a cache while download, which is bad situation. Just ignore bad certificates while checking the list, so any other good ones can be used. /reviewed-on nexedi/slapos.libnetworkcache!4
0578762b · Łukasz Nowak · f47b10af · 0578762b · 0578762b
Commit 0578762b authored Dec 03, 2019 by Łukasz Nowak
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 3 deletions

slapos/libnetworkcache.py slapos/libnetworkcache.py +7 -3

slapos/libnetworkcachetests.py slapos/libnetworkcachetests.py +22 -0

No files found.
--- a/slapos/libnetworkcache.py
+++ b/slapos/libnetworkcache.py
@@ -212,9 +212,13 @@ class NetworkcacheClient(object):
      signature_certificate_list = [cert_marker + '\n' + q.strip() \
        for q in signature_certificate_list.split(cert_marker) \
          if q.strip()]
-    self.signature_certificate_list = [
+    self.signature_certificate_list = []
-      crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
+    for certificate in signature_certificate_list or ():
-      for certificate in signature_certificate_list or ()]
+      try:
+        loaded_certificate = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
+      except Exception as e:
+        logger.info('Ignored wrong certificate, reason:\n%s, offending certificate:\n%s', e.message, certificate)
+      self.signature_certificate_list.append(loaded_certificate)
  # NetworkcacheClient context manager catches all exceptions and logs them
  # with INFO severity. This provides a easy way to use a networkcache safely

--- a/slapos/libnetworkcachetests.py
+++ b/slapos/libnetworkcachetests.py
@@ -274,6 +274,21 @@ MME4ERnBbgy6Q0GBxceic+XAPBKPjqUP1DSS/qA7tagtKjhrkuViGB7frAs3hrgi
 kVeHJCQRw/7QzQMf99Sp6Ii3eoYmGK4nYDwjxq7w6jeDSykata35Qs//ZVv0eStt
 ZnQT1pVLar+DmUyaX9rehBM57JSnE0zvprgsVHSL0PRHH8fImdOJ
 -----END CERTIFICATE-----
+"""
+  bad_certificate = """-----BEGIN CERTIFICATE-----
+MIIB4DCCAUkCADANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJGUjEZMBcGA1UE
+CBMQRGVmYXVsdCBQcm92aW5jZTEPMA0GA1UEChMGTmV4ZWRpMB4XDTExMDkxNTA5
+MDAwMloXDTEyMDkxNTA5MDAwMlowOTELMAkGA1UEBhMCRlIxGTAXBgNVBAgTEERl
+ZmF1bHQgUHJvdmluY2UxDzANBgNVBAoTBk5leGVkaTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEApYZv6OstoqNzxG1KI6iE5U4Ts2Xx9lgLeUGAMyfJLyMmRLhw
+boKOyJ9Xke4dncoBAyNPokUR6iWOcnPHtMvNOsBFZ2f7VA28em3+E1JRYdeNUEtX
+Z0s3HjcouaNAnPfjFTXHYj4um1wOw2cURSPuU5dpzKBbV+/QCb5DLheynisCAwEA
+ATANBgkqhkiG9w0BAQsFAAOBgQBCZLbTVdrw3RZlVVMFezSHrhBYKAukTwZrNmJX
+mHqi2tN8tNo6FX+wmxUUAf3e8R2Ymbdbn2bfbPpcKQ2fG7PuKGvhwMG3BlF9paEC
+q7jdfWO18Zp/BG7tagz0jmmC4y/8akzHsVlruo2+2du2freE8dK746uoMlXlP93g
+QUUGLQ==
+-----END CERTIFICATE-----
 """
  ca_cert = """-----BEGIN CERTIFICATE-----
@@ -545,6 +560,13 @@ class OnlineTest(OnlineMixin, unittest.TestCase):
      json.dump(hacked_json, f)
    self.assertEqual(self.select(signed_nc, key), None)
+  def test_NetworkcacheClient_handle_bad_certificates(self):
+    signed_nc = slapos.libnetworkcache.NetworkcacheClient(
+      self.shacache, self.shadir, signature_certificate_list=[
+          self.certificate,
+          self.bad_certificate])
+    self.assertLog('Ignored wrong certificate, reason')
  def test_DirectoryNotFound_non_trustable_entry(self):
    key_file = tempfile.NamedTemporaryFile('w+')
    key_file.write(self.key)