caucase.http: Accept user certificates signed by non-current CA.

Otherwise, client certificates issued before a new CA is used get rejected once the new CA becomes current.

caucase.http: Accept user certificates signed by non-current CA.
Otherwise, client certificates issued before a new CA is used get rejected once the new CA becomes current.
4c1fc325 · Vincent Pelletier · 03807a53 · 4c1fc325 · 4c1fc325
Commit 4c1fc325 authored Jan 29, 2021 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

caucase/http.py caucase/http.py +4 -1

caucase/test.py caucase/test.py +5 -0

No files found.
--- a/caucase/http.py
+++ b/caucase/http.py
@@ -308,7 +308,10 @@ def getSSLContext(
  # certificate.
  #ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
  ssl_context.load_verify_locations(
-    cadata=utils.toUnicode(cau.getCACertificate()),
+    cadata=utils.toUnicode(b'\n'.join(
+      utils.dump_certificate(x)
+      for x in cau.getCACertificateList()
+    )),
  )
  http_cas_certificate_list = http_cas.getCACertificateList()
  threshold_delta = datetime.timedelta(threshold, 0)

--- a/caucase/test.py
+++ b/caucase/test.py
@@ -1523,6 +1523,11 @@ class CaucaseTest(unittest.TestCase):
      datetime.timedelta(100, 0),
    )
    self._startServer()
+    # A user certificate signed by the old CA must still be accetped
+    self._runClient(
+      '--user-key', new_user_key,
+      '--list-csr', # Whatever restricted operation
+    )
    self._runClient(
      '--mode', 'user',
      # 100 days is longer than certificate life, so it will be immediately