cli.updater: Ignore unverifiable CRLs for next deadline computation.

If an unverifiable CRL is present (ex: its CA expired), then it can be ignored in the computation of the next wake-up time. Also, factorise with similar code in client.CaucaseClient.updateCRLFile .

cli.updater: Ignore unverifiable CRLs for next deadline computation.
If an unverifiable CRL is present (ex: its CA expired), then it can be ignored in the computation of the next wake-up time. Also, factorise with similar code in client.CaucaseClient.updateCRLFile .
f907890c · Vincent Pelletier · 2d147239 · f907890c · f907890c · f907890c
Commit f907890c authored Oct 20, 2021 by Vincent Pelletier
Show whitespace changes
Inline Side-by-side

Showing with 28 additions and 14 deletions

caucase/cli.py caucase/cli.py +5 -5

caucase/client.py caucase/client.py +7 -9

caucase/utils.py caucase/utils.py +16 -0

No files found.
--- a/caucase/cli.py
+++ b/caucase/cli.py
@@ -929,13 +929,13 @@ def updater(argv=None, until=utils.until):
      if RetryingCaucaseClient.updateCRLFile(ca_url, args.crl, ca_crt_list):
        print('Got new CRL')
        updated = True
-      for crl_pem in utils.getCRLList(args.crl):
+      for _, crl in utils.iter_valid_crl_list(
+        crl_pem_list=utils.getCRLList(args.crl),
+        trusted_cert_list=ca_crt_list,
+      ):
        next_deadline = min(
          next_deadline,
-          utils.load_crl(
-            crl_pem,
-            ca_crt_list,
-          ).next_update - crl_threshold,
+          crl.next_update - crl_threshold,
        )
      if args.crt:
        crt_pem, key_pem, key_path = utils.getKeyPair(args.crt, args.key)

--- a/caucase/client.py
+++ b/caucase/client.py
@@ -135,15 +135,13 @@ class CaucaseClient(object):
    Return whether an update happened.
    """
    def _asCRLDict(crl_pem_list):
-      result = {}
-      for crl_pem in crl_pem_list:
-        try:
-          crl = utils.load_crl(crl_pem, ca_list)
-        except cryptography.exceptions.InvalidSignature:
-          continue
-        else:
-          result[utils.getAuthorityKeyIdentifier(crl)] = crl_pem
-      return result
+      return {
+        utils.getAuthorityKeyIdentifier(crl): crl_pem
+        for crl_pem, crl in utils.iter_valid_crl_list(
+          crl_pem_list=crl_pem_list,
+          trusted_cert_list=ca_list,
+        )
+      }
    local_crl_list = utils.getCRLList(crl_path)
    try:
      local_crl_dict = _asCRLDict(crl_pem_list=local_crl_list)

--- a/caucase/utils.py
+++ b/caucase/utils.py
@@ -591,6 +591,22 @@ def load_crl(data, trusted_cert_list):
      return crl
  raise cryptography.exceptions.InvalidSignature

+def iter_valid_crl_list(crl_pem_list, trusted_cert_list):
+  """
+  Load multiple certificate revocation lists from a list of PEM-encoded values.
+
+  Yields the PEM-encoded value along with the loaded CRL.
+
+  Skips items failing to load.
+  """
+  for crl_pem in crl_pem_list:
+    try:
+      crl = load_crl(crl_pem, trusted_cert_list)
+    except cryptography.exceptions.InvalidSignature:
+      continue
+    else:
+      yield (crl_pem, crl)
+
 def _getAuthorityKeyIdentifier(cert):
  return cert.extensions.get_extension_for_class(
    x509.AuthorityKeyIdentifier,