Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
caucase
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
2
Merge Requests
2
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Jobs
Commits
Open sidebar
nexedi
caucase
Commits
2e401b99
Commit
2e401b99
authored
Jun 04, 2020
by
Vincent Pelletier
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
ca: Renew CRL at half its life time.
Allowing clients to have a period of CRL validity overlap.
parent
3a00d7bf
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
32 additions
and
1 deletion
+32
-1
caucase/ca.py
caucase/ca.py
+5
-1
caucase/test.py
caucase/test.py
+27
-0
No files found.
caucase/ca.py
View file @
2e401b99
...
@@ -182,6 +182,10 @@ class CertificateAuthority(object):
...
@@ -182,6 +182,10 @@ class CertificateAuthority(object):
crt_life_time
*
crl_renew_period
,
crt_life_time
*
crl_renew_period
,
0
,
0
,
)
)
self
.
_crl_renew_time
=
datetime
.
timedelta
(
crt_life_time
*
crl_renew_period
*
.
5
,
0
,
)
self
.
_ca_life_time
=
datetime
.
timedelta
(
crt_life_time
*
ca_life_period
,
0
)
self
.
_ca_life_time
=
datetime
.
timedelta
(
crt_life_time
*
ca_life_period
,
0
)
self
.
_loadCAKeyPairList
()
self
.
_loadCAKeyPairList
()
self
.
_renewCAIfNeeded
()
self
.
_renewCAIfNeeded
()
...
@@ -772,7 +776,7 @@ class CertificateAuthority(object):
...
@@ -772,7 +776,7 @@ class CertificateAuthority(object):
crl_pem
=
crl
.
public_bytes
(
serialization
.
Encoding
.
PEM
)
crl_pem
=
crl
.
public_bytes
(
serialization
.
Encoding
.
PEM
)
self
.
_storage
.
storeCertificateRevocationList
(
self
.
_storage
.
storeCertificateRevocationList
(
crl_pem
,
crl_pem
,
expiration_date
=
utils
.
datetime2timestamp
(
crl
.
next_updat
e
),
expiration_date
=
utils
.
datetime2timestamp
(
now
+
self
.
_crl_renew_tim
e
),
)
)
return
crl_pem
return
crl_pem
...
...
caucase/test.py
View file @
2e401b99
...
@@ -491,6 +491,13 @@ class CaucaseTest(unittest.TestCase):
...
@@ -491,6 +491,13 @@ class CaucaseTest(unittest.TestCase):
backend
=
_cryptography_backend
,
backend
=
_cryptography_backend
,
)
)
def
_getClientCRL
(
self
):
with
open
(
self
.
_client_crl
)
as
crl_pem_file
:
return
x509
.
load_pem_x509_crl
(
crl_pem_file
.
read
(),
_cryptography_backend
)
def
_skipIfOpenSSLDoesNotSupportIPContraints
(
self
):
def
_skipIfOpenSSLDoesNotSupportIPContraints
(
self
):
ca_key
,
ca_crt
=
self
.
_getCAKeyPair
(
ca_key
,
ca_crt
=
self
.
_getCAKeyPair
(
extension_list
=
[
extension_list
=
[
...
@@ -1095,6 +1102,26 @@ class CaucaseTest(unittest.TestCase):
...
@@ -1095,6 +1102,26 @@ class CaucaseTest(unittest.TestCase):
csr_id
+
' not found - maybe CSR was rejected ?'
csr_id
+
' not found - maybe CSR was rejected ?'
],
out
)
],
out
)
# Renewing CRL
self
.
_stopServer
()
reference_crl
=
self
.
_getClientCRL
()
now
=
datetime
.
datetime
.
utcnow
()
# x509 certificates have second-level accuracy
now
=
now
.
replace
(
microsecond
=
0
)
# Sanity check: pre-existing CRL creation should be strictly in the past
self
.
assertLess
(
reference_crl
.
last_update
,
now
)
# Store a dummy, already expired CRL, just to force a new one to be
# generated on next server start.
SQLite3Storage
(
self
.
_server_db
,
table_prefix
=
'cas'
,
).
storeCertificateRevocationList
(
''
,
0
)
self
.
_startServer
()
self
.
_runClient
()
new_crl
=
self
.
_getClientCRL
()
# May be equal due to lack of timestamp accuracy.
self
.
assertLessEqual
(
now
,
new_crl
.
last_update
)
def
testBadCSR
(
self
):
def
testBadCSR
(
self
):
"""
"""
Submitting an invalid CSR.
Submitting an invalid CSR.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment