Commit f907890c authored by Vincent Pelletier's avatar Vincent Pelletier

cli.updater: Ignore unverifiable CRLs for next deadline computation.

If an unverifiable CRL is present (ex: its CA expired), then it can be
ignored in the computation of the next wake-up time.
Also, factorise with similar code in client.CaucaseClient.updateCRLFile .
parent 2d147239
......@@ -929,13 +929,13 @@ def updater(argv=None, until=utils.until):
if RetryingCaucaseClient.updateCRLFile(ca_url, args.crl, ca_crt_list):
print('Got new CRL')
updated = True
for crl_pem in utils.getCRLList(args.crl):
for _, crl in utils.iter_valid_crl_list(
crl_pem_list=utils.getCRLList(args.crl),
trusted_cert_list=ca_crt_list,
):
next_deadline = min(
next_deadline,
utils.load_crl(
crl_pem,
ca_crt_list,
).next_update - crl_threshold,
crl.next_update - crl_threshold,
)
if args.crt:
crt_pem, key_pem, key_path = utils.getKeyPair(args.crt, args.key)
......
......@@ -135,15 +135,13 @@ class CaucaseClient(object):
Return whether an update happened.
"""
def _asCRLDict(crl_pem_list):
result = {}
for crl_pem in crl_pem_list:
try:
crl = utils.load_crl(crl_pem, ca_list)
except cryptography.exceptions.InvalidSignature:
continue
else:
result[utils.getAuthorityKeyIdentifier(crl)] = crl_pem
return result
return {
utils.getAuthorityKeyIdentifier(crl): crl_pem
for crl_pem, crl in utils.iter_valid_crl_list(
crl_pem_list=crl_pem_list,
trusted_cert_list=ca_list,
)
}
local_crl_list = utils.getCRLList(crl_path)
try:
local_crl_dict = _asCRLDict(crl_pem_list=local_crl_list)
......
......@@ -591,6 +591,22 @@ def load_crl(data, trusted_cert_list):
return crl
raise cryptography.exceptions.InvalidSignature
def iter_valid_crl_list(crl_pem_list, trusted_cert_list):
"""
Load multiple certificate revocation lists from a list of PEM-encoded values.
Yields the PEM-encoded value along with the loaded CRL.
Skips items failing to load.
"""
for crl_pem in crl_pem_list:
try:
crl = load_crl(crl_pem, trusted_cert_list)
except cryptography.exceptions.InvalidSignature:
continue
else:
yield (crl_pem, crl)
def _getAuthorityKeyIdentifier(cert):
return cert.extensions.get_extension_for_class(
x509.AuthorityKeyIdentifier,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment