1. 22 Dec, 2021 2 commits
  2. 15 Dec, 2021 1 commit
  3. 09 Nov, 2021 6 commits
  4. 20 Oct, 2021 2 commits
  5. 07 Oct, 2021 1 commit
  6. 07 Apr, 2021 1 commit
    • client: Fix CA and CRL update when a CA is expired. · 21f38e4b
      Vincent Pelletier authored
      Otherwise, the expired CA causes an error when it is being loaded, before
      the time comparison.
      Also, CRL signed by that CA also causes an error (as its signature cannot
      be checked).
      Catch these errors so the corresponding unusable PEMs are discarded.
  7. 22 Feb, 2021 1 commit
  8. 15 Feb, 2021 2 commits
    • ca: Make getCACertificate return the *oldest* still-valid CA cert. · 0b871b56
      Vincent Pelletier authored
      This fixes late-trust-bootstrap clients' ability to trust certificates
      issued by an older CA.
    • caucase: Fix CRL support. · 3aefb18a
      Vincent Pelletier authored
      Emit Certificate Revocation Lists signed by all valid CAs.
      Apparently openssl (or at least how it is used in stunnel4) fails to
      validate a certificate when CRL validation is enabled and the key which
      signed the CRL differs from the key which signed the certificate.
      Also, add Authority Key Identifier CRL extension, required to be standard-
      compliant.
      Also, fix revocation entry expiration: the RFC requires them to be kept
      at least one renewal cycle after the certificate's expiration.
      As a consequence of this whole change:
      - the protocol for retrieving the current CRL changes to return the
        concatenated list of CRLs, which breaks the CRL distribution (...but
        the distributed CRLs were invalid anyway)
      - stop storing the CRL PEM in caucased's database so that it gets
        re-generated with fresh code. As caucased is not expected to be
        restarted very often, the extra CRL generation on every start should
        not make a difference.
  9. 03 Feb, 2021 3 commits
  10. 01 Feb, 2021 2 commits
  11. 29 Jan, 2021 1 commit
  12. 25 Nov, 2020 1 commit
  13. 27 Jun, 2020 2 commits
  14. 26 Jun, 2020 7 commits
  15. 25 Jun, 2020 2 commits
  16. 23 Jun, 2020 2 commits
    • all: Finalise python3 support. · e9de51f0
      Vincent Pelletier authored
      Basically, wrap stdout and stderr whenever they do not have an encoding
      with an ascii-encoding writer, and write unicode to stdout & stderr.
      wsgi.errors is defined in the reference implementation as being a StringIO,
      so follow that.
      Stop using argparse.FileType to get rid of python3 "file not closed"
      errors.
      Also, fix setup access to CHANGES.txt .
      Also, fix 2to3 involvement.
      Also, replace test.captureStdout with extra tool arguments.
    • {ca,test}: Extend backup tests. · bf6a336a
      Vincent Pelletier authored
      Test backup chunk boundaries.
      Test absence of a backup before the first user is created.
  17. 22 Jun, 2020 2 commits
    • test: Fix a few coverage pragma. · 09be616d
      Vincent Pelletier authored
    • {ca,text}: Fix from_issuer_subject_key_identifier usage. · 3369b98b
      Vincent Pelletier authored
      Resolve deprecation warnings in tests:
      caucase/ca.py:548: CryptographyDeprecationWarning: Extension objects are deprecated as arguments to from_issuer_subject_key_identifier and support will be removed soon. Please migrate to passing a SubjectKeyIdentifier directly.
        critical=False,
      caucase/ca.py:326: CryptographyDeprecationWarning: Extension objects are deprecated as arguments to from_issuer_subject_key_identifier and support will be removed soon. Please migrate to passing a SubjectKeyIdentifier directly.
        x509.SubjectKeyIdentifier,
      caucase/test.py:422: CryptographyDeprecationWarning: Extension objects are deprecated as arguments to from_issuer_subject_key_identifier and support will be removed soon. Please migrate to passing a SubjectKeyIdentifier directly.
        critical=False,
  18. 04 Jun, 2020 2 commits