ca: Renew CRL at half its life time.

Allowing clients to have a period of CRL validity overlap.

ca: Renew CRL at half its life time.
Allowing clients to have a period of CRL validity overlap.
2e401b99 · Vincent Pelletier · 3a00d7bf · 2e401b99 · 2e401b99
Commit 2e401b99 authored Jun 04, 2020 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 1 deletion

caucase/ca.py caucase/ca.py +5 -1

caucase/test.py caucase/test.py +27 -0

No files found.
--- a/caucase/ca.py
+++ b/caucase/ca.py
@@ -182,6 +182,10 @@ class CertificateAuthority(object):
      crt_life_time * crl_renew_period,
      0,
    )
+    self._crl_renew_time = datetime.timedelta(
+      crt_life_time * crl_renew_period * .5,
+      0,
+    )
    self._ca_life_time = datetime.timedelta(crt_life_time * ca_life_period, 0)
    self._loadCAKeyPairList()
    self._renewCAIfNeeded()
@@ -772,7 +776,7 @@ class CertificateAuthority(object):
      crl_pem = crl.public_bytes(serialization.Encoding.PEM)
      self._storage.storeCertificateRevocationList(
        crl_pem,
-        expiration_date=utils.datetime2timestamp(crl.next_update),
+        expiration_date=utils.datetime2timestamp(now + self._crl_renew_time),
      )
    return crl_pem


--- a/caucase/test.py
+++ b/caucase/test.py
@@ -491,6 +491,13 @@ class CaucaseTest(unittest.TestCase):
      backend=_cryptography_backend,
    )

+  def _getClientCRL(self):
+    with open(self._client_crl) as crl_pem_file:
+      return x509.load_pem_x509_crl(
+        crl_pem_file.read(),
+        _cryptography_backend
+      )
+
  def _skipIfOpenSSLDoesNotSupportIPContraints(self):
    ca_key, ca_crt = self._getCAKeyPair(
      extension_list=[
@@ -1095,6 +1102,26 @@ class CaucaseTest(unittest.TestCase):
      csr_id + ' not found - maybe CSR was rejected ?'
    ], out)

+    # Renewing CRL
+    self._stopServer()
+    reference_crl = self._getClientCRL()
+    now = datetime.datetime.utcnow()
+    # x509 certificates have second-level accuracy
+    now = now.replace(microsecond=0)
+    # Sanity check: pre-existing CRL creation should be strictly in the past
+    self.assertLess(reference_crl.last_update, now)
+    # Store a dummy, already expired CRL, just to force a new one to be
+    # generated on next server start.
+    SQLite3Storage(
+      self._server_db,
+      table_prefix='cas',
+    ).storeCertificateRevocationList('', 0)
+    self._startServer()
+    self._runClient()
+    new_crl = self._getClientCRL()
+    # May be equal due to lack of timestamp accuracy.
+    self.assertLessEqual(now, new_crl.last_update)
+
  def testBadCSR(self):
    """
    Submitting an invalid CSR.