caucase: commits up to e07425329eee5b3f3986872fcc079e86fb42f337
Feed:    https://lab.nexedi.com/nexedi/caucase/-/commits/e07425329eee5b3f3986872fcc079e86fb42f337
Updated: 2021-10-20T17:28:25+09:00
All commits below are by Vincent Pelletier <vincent@nexedi.com>.

commit e07425329eee5b3f3986872fcc079e86fb42f337
Date:   2021-10-20T17:28:25+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/e07425329eee5b3f3986872fcc079e86fb42f337

    {cli,client}: Ignore CA certificates which fail loading.

    Fixes cli.updater crashing when one of the locally-stored CAs is expired.
    Also, explicitly raise when there are CAs in the local trust store but all
    fail loading.

commit f907890c936e57d1cce6765ee07a1d8af08d1dc9
Date:   2021-10-20T17:19:04+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/f907890c936e57d1cce6765ee07a1d8af08d1dc9

    cli.updater: Ignore unverifiable CRLs for next deadline computation.

    If an unverifiable CRL is present (ex: its CA expired), then it can be
    ignored in the computation of the next wake-up time.
    Also, factorise with similar code in client.CaucaseClient.updateCRLFile .

commit 2d14723917d2842e68f32a336be4c5a7d4c7be1e
Date:   2021-10-07T18:01:08+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/2d14723917d2842e68f32a336be4c5a7d4c7be1e

    CHANGES.txt: Catch up with 0.9.11 release .

commit cb4ea281269c4b64fa344162e14796ba30c3bd24
Date:   2021-10-07T17:35:03+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/cb4ea281269c4b64fa344162e14796ba30c3bd24

    all: Drop the need for install-time 2to3.

    Preserve py2.7 compatibility.
    Also, make pylint happier with the result.

commit 9466242bc51713643ebf295987a44d34fe4dc5bf
Date:   2021-10-07T16:17:19+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/9466242bc51713643ebf295987a44d34fe4dc5bf

    caucase.ca: Coding style.

commit 810e7ec21daf1c3c3d13cc1afefc42f0efd09faa
Date:   2021-10-07T16:17:05+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/810e7ec21daf1c3c3d13cc1afefc42f0efd09faa

    caucase.storage: Fix docstring typo.

commit 5d8b9602b423ac4831f36a693ffa5cec0af906db
Date:   2021-04-07T15:32:04+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/5d8b9602b423ac4831f36a693ffa5cec0af906db

    setup.py: Fix twine warning.

commit 21f38e4beb9145c9acfa4451d271e00c16a3d2a9
Date:   2021-04-07T15:29:53+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/21f38e4beb9145c9acfa4451d271e00c16a3d2a9

    client: Fix CA and CRL update when a CA is expired.

    Otherwise, the expired CA causes an error when it is being loaded, before
    the time comparison.
    Also, a CRL signed by that CA causes an error (as its signature cannot
    be checked).
    Catch these errors so the corresponding unusable PEMs are discarded.

commit f7d8281da7f4d0be3dcc7deefb9286b9c56a0b13
Date:   2021-04-07T15:29:53+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/f7d8281da7f4d0be3dcc7deefb9286b9c56a0b13

    client: Close http connection after each request.

    Make python3 resource leak detector happy.

commit bd633a1e3938194c724ff428acd93098bfe169d7
Date:   2021-03-02T10:11:55+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/bd633a1e3938194c724ff428acd93098bfe169d7

    CHANGES.txt: Release 0.9.9 .

commit a9c801e0bd5118178c49eb2bab334d6847dcf1a0
Date:   2021-03-02T10:11:34+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/a9c801e0bd5118178c49eb2bab334d6847dcf1a0

    CHANGES.txt: Catch up.

commit d2f4fc9b0df0371c5320bc654107076c3f725516
Date:   2021-02-22T14:05:19+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/d2f4fc9b0df0371c5320bc654107076c3f725516

    wsgi: Raise TooLarge even when Content-Length is not provided.

    Prevent the (very unlikely at 10MB, given the manipulated data structures)
    risk of a partial read accidentally producing a well-formed result.
    Also, only accept base-10 content lengths.

commit 0b871b56942df8f960057a330331c181b7377c8e
Date:   2021-02-15T15:40:46+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/0b871b56942df8f960057a330331c181b7377c8e

    ca: Make getCACertificate return the *oldest* still-valid CA cert.

    This fixes late-trust-bootstrap clients' ability to trust certificates
    issued by an older CA.

commit 3aefb18a57dff4eb24027c280bcc07955b9f5bdd
Date:   2021-02-15T15:40:43+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/3aefb18a57dff4eb24027c280bcc07955b9f5bdd

    caucase: Fix CRL support.

    Emit Certificate Revocation Lists signed by all valid CAs.
    Apparently openssl (or at least how it is used in stunnel4) fails to
    validate a certificate when CRL validation is enabled and the key which
    signed the CRL differs from the key which signed the certificate.
    Also, add Authority Key Identifier CRL extension, required to be standard-
    compliant.
    Also, fix revocation entry expiration: the RFC requires them to be kept
    at least one renewal cycle after the certificate's expiration.
    As a consequence of this whole change:
    - the protocol for retrieving the current CRL changes to return the
      concatenated list of CRLs, which breaks the CRL distribution (...but
      the distributed CRLs were invalid anyway)
    - stop storing the CRL PEM in caucased's database so that it gets
      re-generated with fresh code. As caucased is not expected to be
      restarted very often, the extra CRL generation on every start should
      not make a difference.

commit 58c51150d6be4cc2a7a3a4685cafda020a6278da
Date:   2021-02-12T17:53:27+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/58c51150d6be4cc2a7a3a4685cafda020a6278da

    CHANGES.txt: Catch up with changes since 0.9.8 .

commit bfbe1061909a25fb29beafbd818484c94c70b72d
Date:   2021-02-12T16:24:57+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/bfbe1061909a25fb29beafbd818484c94c70b72d

    shell/caucase.sh: Split file-or-folder detection from updateCACertificate.

    So it can be reused elsewhere.

commit b30927be5467b862a857388e69e31f617e5e4f97
Date:   2021-02-12T16:24:57+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/b30927be5467b862a857388e69e31f617e5e4f97

    shell/caucase.sh: Add support for CRL PEM chunk iteration.

commit d30818efff4fade0392d51694e82754122a364fe
Date:   2021-02-12T16:24:57+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/d30818efff4fade0392d51694e82754122a364fe

    shell/caucase.sh: Simplify renewCertificate locals declaration.

commit 56ae57a25bfc5a5687607d8825f3e825166c4efc
Date:   2021-02-12T16:24:57+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/56ae57a25bfc5a5687607d8825f3e825166c4efc

    shell/caucase.sh: Fix a shellcheck warning.

commit c6531df2a138b159356f46fb1fc99d35d8eee77d
Date:   2021-02-12T16:24:57+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/c6531df2a138b159356f46fb1fc99d35d8eee77d

    shell/caucase.sh: Simplify most return-on-error cases.

    Also, some word-wrapping.

commit dc024644547d37a15f4af2a7d1bcba95552db756
Date:   2021-02-12T16:24:57+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/dc024644547d37a15f4af2a7d1bcba95552db756

    shell/caucase.sh: Move cas_found initialisation closer to usage.

    Makes the code easier to read.

commit 87cae25cf4afd05f3517309fe3cf853538c78df4
Date:   2021-02-12T16:24:57+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/87cae25cf4afd05f3517309fe3cf853538c78df4

    shell/caucase.sh: Factorise self-test failure codepath.

commit e5e13cd03fadaf9d3144f7c2558c0933ceda8d53
Date:   2021-02-12T16:24:57+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/e5e13cd03fadaf9d3144f7c2558c0933ceda8d53

    .shellcheckrc: Silence unassigned uppercase variables.

    The only one present is not intended to be internally assigned.

commit f0606a8fa450bd316ecb0f6be079d1e3a416a4fc
Date:   2021-02-03T19:19:21+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/f0606a8fa450bd316ecb0f6be079d1e3a416a4fc

    all: Use utils.timestamp2datetime .

    datetime.datetime.fromtimestamp applies timezones, which is unintended.
    Fixes a time drift on revoked certificates.

commit 849a7e37f7ea5c028a35ced671a0a7886de5f7c8
Date:   2021-02-03T15:10:16+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/849a7e37f7ea5c028a35ced671a0a7886de5f7c8

    test: Consistently update post-shift user CA in testCACertRenewal.

commit edfe5b61e5e2fd08d2dd44ca47ecd73442d9c924
Date:   2021-02-03T15:08:35+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/edfe5b61e5e2fd08d2dd44ca47ecd73442d9c924

    storage: Factorise self._table_prefix application.

    Also, this provides a handy location to log all queries when debugging.
    Also, some minor cleanups.

commit 9c772060b3b489f8531571d73cdc4cd0119b65a8
Date:   2021-02-03T12:25:05+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/9c772060b3b489f8531571d73cdc4cd0119b65a8

    utils: Genericise getCertList and saveCertList.

    So they can be reused for more PEM-encoded types.

commit 05ca7a95ffa0e9ddd5b194c0a9c8855c0d67303f
Date:   2021-02-03T12:25:05+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/05ca7a95ffa0e9ddd5b194c0a9c8855c0d67303f

    pylint: Get rid of the last disable=unused-argument places.

commit 39cf48a0cda03df84b52256242a93d789fc012ce
Date:   2021-02-02T16:04:04+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/39cf48a0cda03df84b52256242a93d789fc012ce

    storage: Exclude subtransaction detector from coverage.

commit b5eab640960d30fd586d4118b146737fd8dbaf4b
Date:   2021-02-02T15:19:37+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/b5eab640960d30fd586d4118b146737fd8dbaf4b

    client: Catch SSL errors.

commit 3751896f7be10f787847fd3fc7f74e21ab7fc7ce
Date:   2021-02-02T15:19:37+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/3751896f7be10f787847fd3fc7f74e21ab7fc7ce

    http.manage: Try to reuse a previously-input passphrase before asking.

commit 88e9b8d0761dfddadf748c62b233dedadb8d855d
Date:   2021-02-02T15:19:37+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/88e9b8d0761dfddadf748c62b233dedadb8d855d

    http.manage: Fix passphrase prompt caption in --import-ca .

commit 3f04238d9be4317c3211e605e753a484c8f29e1b
Date:   2021-02-02T15:19:37+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/3f04238d9be4317c3211e605e753a484c8f29e1b

    http.manage: Do not prune expired certificates from ca table.

    Because this is not the job of an import/export tool.

commit 7a7d038313a058993c2419ed1f6aa1f8e5b3b4cb
Date:   2021-02-02T15:19:37+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/7a7d038313a058993c2419ed1f6aa1f8e5b3b4cb

    http.manage: Avoid overwriting an existing file with --export-ca.

commit 3de956d354a9e0473359d6f63fb5915075b66f75
Date:   2021-02-02T15:19:30+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/3de956d354a9e0473359d6f63fb5915075b66f75

    http.manage: Ask passphrase twice during --export-ca.

commit c2aa954a22b27def448846fccc747244d407ba72
Date:   2021-02-02T10:43:41+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/c2aa954a22b27def448846fccc747244d407ba72

    shell/caucase.sh: Make caucased verbose in tests.

    Tests are supposed to help spot errors, and caucased access traces help
    with this too.

commit 49dd6e318d34c4eb691ea3208a50ef0e0e29c663
Date:   2021-02-02T10:43:41+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/49dd6e318d34c4eb691ea3208a50ef0e0e29c663

    shell/caucase.sh: Emit CRL signature check errors to stderr.

    So that stdout may be more reliably used for scripting.

commit 2eb358be00d6b37700bb0290307a74d2e98f5b05
Date:   2021-02-02T10:12:32+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/2eb358be00d6b37700bb0290307a74d2e98f5b05

    caucase: Simplify pylint rules.

    bad-option-value has an effect on the "disable" line, but somehow none on
    the "enable" line. So remove it altogether.

commit d14f02226555c5a9228a2a603db17bad60c4aede
Date:   2021-02-01T12:12:08+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/d14f02226555c5a9228a2a603db17bad60c4aede

    all: Make modern pylint happier.

    - python2.7 with pylint 1.9.5
    - python3.9 with pylint 2.6.0
    Also, reduce the scope of unused argument silencing.

commit e8fa4135f97b96337a073c2a9f9933b2cc0c4218
Date:   2021-02-01T10:40:42+09:00
URL:    https://lab.nexedi.com/nexedi/caucase/-/commit/e8fa4135f97b96337a073c2a9f9933b2cc0c4218

    doc: Fix PUT /crt/{crt-id} definition.
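The wsgi commit above (d2f4fc9b, "Raise TooLarge even when Content-Length is not provided", "only accept base-10 content lengths") describes a bounded request-body reader: refuse an oversized body whether or not the client declared its length, and refuse length headers that are not plain decimal. The block below is an added example written for this page; it is not caucase's code. The names TooLarge, MAX_BODY, parse_content_length, read_body, make_environ and try_read are assumptions, the 10 MiB limit merely echoes the figure in the commit message, and the request bodies it runs over are constructed inline.

```python
"""Bounded WSGI request-body reading.

Added example illustrating the behaviour described in the caucase commit
"wsgi: Raise TooLarge even when Content-Length is not provided"; this is
not caucase's own code, and every name here (TooLarge, MAX_BODY,
parse_content_length, read_body, make_environ, try_read) is an assumption.
"""
import io
import re

MAX_BODY = 10 * 1024 * 1024  # assumed limit; the commit message speaks of 10MB


class TooLarge(Exception):
    """The request body exceeds MAX_BODY, or the client claims it does."""


# RFC 7230 defines Content-Length as 1*DIGIT: ASCII decimal digits only.
# [0-9] (not \d) keeps non-ASCII digits out, and fullmatch() refuses a
# trailing newline that a '$' anchor would let through.
_CONTENT_LENGTH = re.compile(r'[0-9]+')


def parse_content_length(value):
    """Return the declared body length, or None when the header is absent.

    int() alone would accept '+10', ' 10', '1_0' or non-ASCII digits, i.e.
    values another parser on the path (proxy, server) may read differently.
    Refusing them removes that ambiguity about where the body ends.
    """
    if not value:  # WSGI allows CONTENT_LENGTH to be missing or empty
        return None
    if _CONTENT_LENGTH.fullmatch(value) is None:
        raise ValueError('malformed Content-Length: %r' % (value,))
    return int(value, 10)


def read_body(environ, limit=MAX_BODY):
    """Read the request body from environ without ever buffering > limit bytes.

    Declared length above the limit: refuse before reading a single byte.
    Declared length within the limit: read exactly that many bytes, and treat
    a short read as an error rather than handing back a prefix.
    No declared length (e.g. chunked transfer decoded by the server): read
    limit + 1 bytes; getting more than limit means the body is oversized and
    must be refused, not silently truncated to a prefix that might still
    parse as a well-formed, smaller request.
    """
    length = parse_content_length(environ.get('CONTENT_LENGTH'))
    stream = environ['wsgi.input']
    if length is None:
        data = stream.read(limit + 1)
        if len(data) > limit:
            raise TooLarge('body exceeds %d bytes' % limit)
        return data
    if length > limit:
        raise TooLarge('declared Content-Length %d exceeds %d' % (length, limit))
    data = stream.read(length)
    if len(data) != length:
        raise ValueError('short read: expected %d bytes, got %d' % (length, len(data)))
    return data


def make_environ(body, content_length=None):
    """Build a minimal WSGI environ around a constructed body."""
    environ = {'wsgi.input': io.BytesIO(body)}
    if content_length is not None:
        environ['CONTENT_LENGTH'] = content_length
    return environ


def try_read(body, content_length=None, limit=MAX_BODY):
    """Run read_body over a constructed request and name the outcome."""
    try:
        return 'ok:%d' % len(read_body(make_environ(body, content_length), limit))
    except TooLarge:
        return 'too_large'
    except ValueError as exc:
        return 'malformed' if str(exc).startswith('malformed') else 'short_read'


if __name__ == '__main__':
    # Constructed requests exercising each branch, with a 4-byte limit.
    for body, declared in [
        (b'abcd', '4'),          # exact declared length within the limit
        (b'abcdef', '6'),        # declared length over the limit: refused unread
        (b'abcd', None),         # no Content-Length, fits
        (b'abcdef', None),       # no Content-Length, oversized: TooLarge, not a prefix
        (b'ab', '4'),            # declared 4, only 2 available: short read
        (b'abcd', '+4'),         # int('+4') == 4, but not RFC 7230 Content-Length
        (b'abcd', '0x4'),        # hex: refused by the regex before int() sees it
        (b'abcd', '\u0664'),     # Arabic-Indic digit four: int() accepts, regex refuses
    ]:
        print('%-10r %-8r -> %s' % (body, declared, try_read(body, declared, limit=4)))
```

The `limit + 1` read is the point of the commit: reading exactly `limit` bytes cannot distinguish a body of exactly the limit from one that is longer, so an attacker-controlled oversized body would be quietly cut to a prefix and handed to the parser. Reading one byte more and raising when it arrives costs nothing and makes the oversized case an error instead of an ambiguous success.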