1. 09 Nov, 2021 1 commit
    • caucase.test: Propagate our environment to caucase.sh . · 4e2c2fe9
      Vincent Pelletier authored
      The test should not need to sanitise the environment of this test in
      particular (if we do not trust the environment then there would be a lot
      more to sanitise for the python part of the test as well), and the intent
      was just to add the CAUCASE_PYTHON variable so caucase.sh runs the expected
      python executable and not one possibly picked from PATH.
      So copy environment, edit the copy and pass this to the caucase.sh
      subprocess.
  2. 08 Nov, 2021 2 commits
  3. 20 Oct, 2021 3 commits
  4. 07 Oct, 2021 4 commits
  5. 07 Apr, 2021 3 commits
  6. 02 Mar, 2021 2 commits
  7. 22 Feb, 2021 1 commit
  8. 15 Feb, 2021 2 commits
    • ca: Make getCACertificate return the *oldest* still-valid CA cert. · 0b871b56
      Vincent Pelletier authored
      This fixes late-trust-bootstrap clients' ability to trust certificates
      issued by an older CA.
    • caucase: Fix CRL support. · 3aefb18a
      Vincent Pelletier authored
      Emit Certificate Revocation Lists signed by all valid CAs.
      Apparently openssl (or at least how it is used in stunnel4) fails to
      validate a certificate when CRL validation is enabled and the key which
      signed the CRL differs from the key which signed the certificate.
      Also, add Authority Key Identifier CRL extension, required to be standard-
      compliant.
      Also, fix revocation entry expiration: the RFC requires them to be kept
      at least one renewal cycle after the certificate's expiration.
      As a consequence of this whole change:
      - the protocol for retrieving the current CRL changes to return the
        concatenated list of CRLs, which breaks the CRL distribution (...but
        the distributed CRLs were invalid anyway)
      - stop storing the CRL PEM in caucased's database so that it gets
        re-generated with fresh code. As caucased is not expected to be
        restarted very often, the extra CRL generation on every start should
        not make a difference.
  9. 12 Feb, 2021 9 commits
  10. 03 Feb, 2021 5 commits
  11. 02 Feb, 2021 8 commits