Commit 2a434732 authored by Vincent Pelletier's avatar Vincent Pelletier

app: Add support for multiple CRLs.

caucase.util.load_crl API changed in an incompatible way in caucase 0.9.9 .
This change fixes the API breakage and adds support for mor than one CRL
in kedifa.app.http .
parent 1e38bcb3
...@@ -302,13 +302,14 @@ class Kedifa(object): ...@@ -302,13 +302,14 @@ class Kedifa(object):
GET (no auth required) one time access URL which returns auth key GET (no auth required) one time access URL which returns auth key
content-type: text/plain content-type: text/plain
""" """
def loadCertificate(self, ca_certificate, crl): def loadCertificate(self, ca_certificate_path, crl_path):
self.ca_certificate_list = [ self.ca_certificate_list = [
caucase.utils.load_ca_certificate(x) caucase.utils.load_ca_certificate(x)
for x in caucase.utils.getCertList(ca_certificate.name)] for x in caucase.utils.getCertList(ca_certificate_path)]
self.crl = caucase.utils.load_crl( self.crl_list = [
crl.read(), self.ca_certificate_list).public_bytes(encoding=Encoding.PEM) caucase.utils.load_crl(x, self.ca_certificate_list)
for x in caucase.utils.getCRLList(crl_path)]
def __init__(self, pocket, ca_certificate, crl): def __init__(self, pocket, ca_certificate, crl):
self.pocket_db = SQLite3Storage(pocket) self.pocket_db = SQLite3Storage(pocket)
...@@ -348,10 +349,7 @@ class Kedifa(object): ...@@ -348,10 +349,7 @@ class Kedifa(object):
caucase.utils.load_certificate( caucase.utils.load_certificate(
environ.get('SSL_CLIENT_CERT', b''), environ.get('SSL_CLIENT_CERT', b''),
trusted_cert_list=self.ca_certificate_list, trusted_cert_list=self.ca_certificate_list,
crl=caucase.utils.load_crl( crl_list=self.crl_list,
self.crl,
self.ca_certificate_list,
),
) )
except (caucase.exceptions.CertificateVerificationError, ValueError): except (caucase.exceptions.CertificateVerificationError, ValueError):
raise Unauthroized raise Unauthroized
...@@ -506,8 +504,7 @@ class Reloader(object): ...@@ -506,8 +504,7 @@ class Reloader(object):
self.app = app self.app = app
def handle(self, signum, frame): def handle(self, signum, frame):
with open(self.ca_certificate_path) as ca, open(self.crl_path) as crl: self.app.loadCertificate(self.ca_certificate_path, self.crl_path)
self.app.loadCertificate(ca, crl)
ssl_context = getSSLContext( ssl_context = getSSLContext(
self.server_key_path, self.ca_certificate_path, self.crl_path) self.server_key_path, self.ca_certificate_path, self.crl_path)
ssl_socket = self.httpd.socket ssl_socket = self.httpd.socket
...@@ -574,7 +571,7 @@ def http(host, port, pocket, certificate, ca_certificate, crl, pidfile, ...@@ -574,7 +571,7 @@ def http(host, port, pocket, certificate, ca_certificate, crl, pidfile,
pid = str(os.getpid()) pid = str(os.getpid())
pidfile.write(pid) pidfile.write(pid)
pidfile.close() pidfile.close()
kedifa = Kedifa(pocket, ca_certificate, crl) kedifa = Kedifa(pocket, ca_certificate.name, crl.name)
if ':' in host: if ':' in host:
access_format = 'https://[%s]:%s/' access_format = 'https://[%s]:%s/'
else: else:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment