TODO: Update.

pyca/cryptography 21st release is out and caucase already requires is_signature_valid. Also, literal IPv6 CRL distribution points do not fail anymore - add test. No more known 1.0 blockers ! Weee !

TODO: Update.
pyca/cryptography 21st release is out and caucase already requires is_signature_valid. Also, literal IPv6 CRL distribution points do not fail anymore - add test. No more known 1.0 blockers ! Weee !
b1e05975 · Vincent Pelletier · fa62d787 · b1e05975 · b1e05975 · b1e05975
Commit b1e05975 authored Jul 12, 2018 by Vincent Pelletier
Show whitespace changes
Inline Side-by-side

Showing with 31 additions and 9 deletions

TODO.rst TODO.rst +0 -7

caucase/test.py caucase/test.py +29 -0

caucase/utils.py caucase/utils.py +2 -2

No files found.
--- a/TODO.rst
+++ b/TODO.rst
-Blocker for 1.0
-===============
-
- After pyca/cryptography 21st release: Make is_signature_valid call mandatory in caucase.utils.load_crl .
-
- After pyca/cryptography later release (code not fixed yet): Enable CRL distribution point extension when it tolerates literal IPv6 in the URL.
-
 Eventually
 ==========


--- a/caucase/test.py
+++ b/caucase/test.py
@@ -1959,5 +1959,34 @@ class CaucaseTest(unittest.TestCase):
      updater_event.set()
      updater_thread.join(2)

+  def testHttpNetlocIPv6(self):
+    """
+    Test that it is possible to use a literal IPv6 as netloc.
+    This used to fail because cryptography module would reject bare IPv6
+    address in CRL distribution point extension.
+    """
+    self._stopServer()
+    # Force generation of a new server certificate
+    os.unlink(self._server_key)
+    self._server_netloc = '[::1]:8000'
+    # Would raise
+    self._startServer()
+    # To retrieve CAS CA crt.
+    self._runClient()
+    # Sanity checks
+    self.assertTrue(os.path.exists(self._server_key))
+    distribution_point, = utils.load_certificate(
+      utils.getCert(self._server_key),
+      [
+        utils.load_ca_certificate(x)
+        for x in utils.getCertList(self._client_ca_crt)
+      ],
+      None,
+    ).extensions.get_extension_for_class(
+      x509.CRLDistributionPoints,
+    ).value
+    uri, = distribution_point.full_name
+    self.assertEqual(uri.value, u'http://[::1]:8000/cas/crl')
+
 if __name__ == '__main__':
  unittest.main()
--- a/caucase/utils.py
+++ b/caucase/utils.py
@@ -378,8 +378,8 @@ def load_crl(data, trusted_cert_list):
  """
  Load a certificate revocation list from PEM-encoded data.

-  If cryptography supports it, raises cryptography.exceptions.InvalidSignature
-  if the CRL signature does not match any trusted certificate.
+  Raises cryptography.exceptions.InvalidSignature if the CRL signature does not
+  match any trusted certificate.
  """
  crl = x509.load_pem_x509_crl(data, _cryptography_backend)
  for cert in trusted_cert_list: