Commit b1e05975 by Vincent Pelletier

TODO: Update.

pyca/cryptography 21st release is out and caucase already requires
is_signature_valid.
Also, literal IPv6 CRL distribution points do not fail anymore - add test.
No more known 1.0 blockers ! Weee !
1 parent fa62d787
Blocker for 1.0
===============
- After pyca/cryptography 21st release: Make is_signature_valid call mandatory in caucase.utils.load_crl .
- After pyca/cryptography later release (code not fixed yet): Enable CRL distribution point extension when it tolerates literal IPv6 in the URL.
Eventually
==========
......
......@@ -1959,5 +1959,34 @@ class CaucaseTest(unittest.TestCase):
updater_event.set()
updater_thread.join(2)
def testHttpNetlocIPv6(self):
"""
Test that it is possible to use a literal IPv6 as netloc.
This used to fail because cryptography module would reject bare IPv6
address in CRL distribution point extension.
"""
self._stopServer()
# Force generation of a new server certificate
os.unlink(self._server_key)
self._server_netloc = '[::1]:8000'
# Would raise
self._startServer()
# To retrieve CAS CA crt.
self._runClient()
# Sanity checks
self.assertTrue(os.path.exists(self._server_key))
distribution_point, = utils.load_certificate(
utils.getCert(self._server_key),
[
utils.load_ca_certificate(x)
for x in utils.getCertList(self._client_ca_crt)
],
None,
).extensions.get_extension_for_class(
x509.CRLDistributionPoints,
).value
uri, = distribution_point.full_name
self.assertEqual(uri.value, u'http://[::1]:8000/cas/crl')
if __name__ == '__main__':
unittest.main()
......@@ -378,8 +378,8 @@ def load_crl(data, trusted_cert_list):
"""
Load a certificate revocation list from PEM-encoded data.
If cryptography supports it, raises cryptography.exceptions.InvalidSignature
if the CRL signature does not match any trusted certificate.
Raises cryptography.exceptions.InvalidSignature if the CRL signature does not
match any trusted certificate.
"""
crl = x509.load_pem_x509_crl(data, _cryptography_backend)
for cert in trusted_cert_list:
......
Styling with Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!