1. 07 Oct, 2021 1 commit
  2. 07 Apr, 2021 1 commit
  3. 15 Feb, 2021 1 commit
    • caucase: Fix CRL support. · 3aefb18a
      Vincent Pelletier authored
      Emit Certificate Revocation Lists signed by all valid CAs.
      Apparently openssl (or at least how it is used in stunnel4) fails to
      validate a certificate when CRL validation is enabled and the key which
      signed the CRL differs from the key which signed the certificate.
      Also, add Authority Key Identifier CRL extension, required to be standard-
      compliant.
      Also, fix revocation entry expiration: the RFC requires them to be kept
      at least one renewal cycle after the certificate's expiration.
      As a consequence of this whole change:
      - the protocol for retrieving the current CRL changes to return the
        concatenated list of CRLs, which breaks the CRL distribution (...but
        the distributed CRLs were invalid anyway)
      - stop storing the CRL PEM in caucased's database so that it gets
        re-generated with fresh code. As caucased is not expected to be
        restarted very often, the extra CRL generation on every start should
        not make a difference.
  4. 27 Jun, 2020 1 commit
  5. 23 Jun, 2020 1 commit
    • all: Finalise python3 support. · e9de51f0
      Vincent Pelletier authored
      Basically, wrap stdout and stderr whenever they do not have an encoding
      with an ascii-encoding writer, and write unicode to stdout & stderr.
      wsgi.errors is defined in the reference implementation as being a StringIO,
      so follow that.
      Stop using argparse.FileType to get rid of python3 "file not closed"
      errors.
      Also, fix setup access to CHANGES.txt .
      Also, fix 2to3 involvement.
      Also, replace test.captureStdout with extra tool arguments.
  6. 06 May, 2020 2 commits
    • fixup! all: Update license and copyright. · 3a00d7bf
      Kirill Smelkov authored
      Rerun with updated nxd-relicense. This actually changes license text in
      every file.
      
      Before:
      
      	W: caucase/__init__.py: cannot find license start
      	W: caucase/_version.py: no copyright
      	W: caucase/ca.py: cannot find license start
      	W: caucase/cli.py: cannot find license start
      	W: caucase/client.py: cannot find license start
      	W: caucase/exceptions.py: cannot find license start
      	W: caucase/http.py: cannot find license start
      	W: caucase/http_wsgibase.py: cannot find license start
      	W: caucase/storage.py: cannot find license start
      	W: caucase/test.py: cannot find license start
      	W: caucase/utils.py: cannot find license start
      	W: caucase/version.py: cannot find license start
      	W: caucase/wsgi.py: cannot find license start
      	W: setup.py: cannot find license start
      	W: shell/caucase.sh: cannot find license start
      	W: versioneer.py: no copyright
      
      After:
      
      	W: caucase/_version.py: no copyright
      	W: versioneer.py: no copyright
    • all: Update license and copyright. · fe861043
      Vincent Pelletier authored
      Add FOSS licence exception.
      Fix copyright holder name.
  7. 03 Jan, 2019 1 commit
  8. 26 Sep, 2018 3 commits
    • 1a47410e
      Vincent Pelletier authored
    • wsgi: Become web-friendly · 719959e0
      Vincent Pelletier authored
      Self-describe site structure in application/hal+json format.
      Add Cross-Origin Resource Sharing support: pre-flight request support,
      same-origin-only origin access control minimal html page. Access control
      decision is stored client-side in a signed & time-limited cookie
      supporting multiple concurrent origins. Origins may be pre-allowed (ex:
      when caucase GUI is served from a trusted server).
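The signed, time-limited, multi-origin access-control cookie that the commit message describes, as an added illustration rather than caucase's own implementation: the field names, the base64/JSON encoding, the HMAC-SHA256 construction and the `COOKIE_TTL` value are this example's own choices, and the secret and origins in the usage are constructed.

```python
"""Added example, not caucase's own code: a signed, time-limited cookie that
records which origins a user has granted cross-origin access, in the style the
commit message above describes. Encoding, field names and TTL are this
example's choices."""
import base64
import binascii
import hashlib
import hmac
import json
import time

COOKIE_TTL = 3600  # seconds a grant stays valid (constructed value)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def encode_grants(secret, origins, now=None):
    """Cookie value = base64(json payload) + "." + base64(HMAC over payload).
    Origins are stored sorted and de-duplicated, so equal grant sets encode the
    same way; the expiry is baked into the signed payload, not a separate field."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"origins": sorted(set(origins)), "exp": int(now + COOKIE_TTL)},
        separators=(",", ":"),
    ).encode("utf-8")
    return _b64(payload) + "." + _b64(_mac(secret, payload))


def decode_grants(secret, cookie, now=None):
    """Return the set of granted origins, or an empty set when the cookie is
    absent, malformed, carries a bad MAC, or has expired. The MAC is verified
    (constant-time) before any field of the payload is trusted."""
    now = time.time() if now is None else now
    if not cookie or "." not in cookie:
        return set()
    payload_b64, mac_b64 = cookie.rsplit(".", 1)
    try:
        payload = _unb64(payload_b64)
        given_mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return set()
    if not hmac.compare_digest(_mac(secret, payload), given_mac):
        return set()
    try:
        data = json.loads(payload)
    except ValueError:
        return set()
    exp = data.get("exp") if isinstance(data, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return set()
    return {o for o in data.get("origins", []) if isinstance(o, str)}


def origin_allowed(secret, cookie, origin, pre_allowed=(), now=None):
    """CORS decision: pre-allowed origins (the commit's "GUI served from a
    trusted server" case) need no cookie; any other origin needs a valid grant."""
    return origin in pre_allowed or origin in decode_grants(secret, cookie, now)
```

A grant for one origin does not leak to another: the server answers the pre-flight for `origin` only when that exact origin is in the verified set, and a cookie whose payload is swapped under an old MAC decodes to no grants at all.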
    • http: Constrain the certificates caucased https CA may sign. · 7ff81404
      Vincent Pelletier authored
      This makes it safer to trust this CA certificate in general-purpose https
      clients, like web browsers, as it prevents such trusted CA certificate
      from issuing rogue certificates.
      Bump pyOpenSSL to latest version (and, as a consequence of pyOpenSSL
      18.0.0 itself requiring cryptography 2.1.1, bump it as well) as it seems to
      fix a bug related to validating NameConstraints - and anyway fixes
      worrying use-after-free errors.
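The two X.509 details described in the commit messages on this page, the CRL carrying an Authority Key Identifier that is checked against the CA that signed it (commit 3aefb18a, "caucase: Fix CRL support") and a CA whose NameConstraints bound what it may certify (commit 7ff81404 above), exercised together in one added example using the `cryptography` module that caucase uses. This is not caucase's code: it assumes `cryptography` is installed, generates throwaway EC keys in memory, and every name, lifetime and serial is constructed for the example.

```python
"""Added example, not caucase's own code: exercises the two X.509 details the
commit messages above describe (CRL with Authority Key Identifier, 3aefb18a;
name-constrained CA, 7ff81404) with the `cryptography` module, which this
example assumes is installed. All keys, certificates and names are generated
or constructed here."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)


def _utcnow():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name, permitted_dns=None):
    """Self-signed CA; with permitted_dns, a critical NameConstraints extension
    limits which DNS names it may certify (the point of commit 7ff81404)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _utcnow()
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    )
    if permitted_dns is not None:
        builder = builder.add_extension(
            x509.NameConstraints(
                permitted_subtrees=[x509.DNSName(d) for d in permitted_dns],
                excluded_subtrees=None),
            critical=True)
    return key, builder.sign(key, hashes.SHA256())


def issue_leaf(ca_key, ca_cert, dns_name):
    """End-entity certificate for dns_name (placed in the SAN), signed by the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_name)]))
        .issuer_name(ca_cert.subject).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + 30 * ONE_DAY)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA and carrying the Authority Key Identifier extension
    (added in commit 3aefb18a), so relying parties can tell which CA key signed it."""
    now = _utcnow()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject).last_update(now).next_update(now + ONE_DAY)
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key()),
            critical=False)
    )
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def crl_matches_ca(crl, ca_cert):
    """True only if the CRL's AKI names this CA's key and the signature verifies
    under it. A CRL signed by a different CA key than the one that signed the
    certificate, the mismatch the commit message reports, fails this check."""
    aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return aki.key_identifier == ski.digest and crl.is_signature_valid(ca_cert.public_key())


def is_revoked(crl, cert):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def leaf_within_name_constraints(leaf, ca_cert):
    """Relying-party check: every DNS SAN of the leaf lies in the CA's permitted
    subtrees (RFC 5280 4.2.1.10: "example.invalid" covers that host and all its
    subdomains). A CA without NameConstraints is unconstrained, hence True."""
    try:
        nc = ca_cert.extensions.get_extension_for_class(x509.NameConstraints).value
    except x509.ExtensionNotFound:
        return True
    permitted = [g.value for g in (nc.permitted_subtrees or []) if isinstance(g, x509.DNSName)]
    sans = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return all(
        any(n == p or n.endswith("." + p) for p in permitted)
        for n in sans.get_values_for_type(x509.DNSName)
    )
```

`crl_matches_ca` is the relying-party side of the first commit: it refuses a CRL whose AKI does not name the CA key that issued the certificate being checked, which is exactly the pairing the commit message says stunnel4's OpenSSL enforces. `leaf_within_name_constraints` is the check a browser performs once a constrained CA is trusted; it is a DNS-only simplification of RFC 5280 name-constraint processing (IP, e-mail and directory-name subtrees are not evaluated here).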
  9. 15 Jul, 2018 2 commits
  10. 12 Jul, 2018 1 commit
  11. 04 Nov, 2017 1 commit
  12. 03 Nov, 2017 1 commit
  13. 27 Oct, 2017 1 commit
    • setup: Drop tests_require · 855de2c2
      Vincent Pelletier authored
      Current tests have no extra dependencies.
      This takes some time before running caucase tests, especially on slower
      machines.
  14. 20 Oct, 2017 1 commit
  15. 21 Sep, 2017 3 commits
  16. 23 Aug, 2017 1 commit
    • all: Major rework. · ecd07d22
      Vincent Pelletier authored
      - Re-evaluate feature set and REST API.
      - switch duration units to days, which are more meaningful than sticking to
        ISO units in this context.
      - Implement the "cau" half of "caucase".
        As a consequence flask password authentication mechanism is not needed
        anymore. As HTML UI is not required internally to caucase, and as
        sqlalchemy is not used to its full extent, get rid of these
        dependencies altogether.
      - Implement REST HTTP/HTTPS stand-alone server as a layer above WSGI
        application, and integrate HTTPS certificate issuance and renewal
        mechanism to simplify deployment: no middleware needed, so from
        gunicorn dependency.
      - Use standard python modules for http client needs.
      - Re-evaluate data retention options:
        - unsigned CSRs are kept forever
        - CRTs are stored in CSR table, and a 24 hour expiration is set
        - CA CRTs: (unchanged, expire when past validity period)
        - CRLs: (unchanged, expire when past validity period)
      - Redispatch housekeeping tasks:
        - CA renewal happens when caucase is used and renewal is needed
        - CRL is flushed when re-generated
        - CSR table (containing CRTs) is cleaned when a new CSR is received
        removing completely the need for these special periodic tasks.
      - Storage parameters are not stored persistently anymore, instead their
        effect (time offsets) is applied before storing (to protect against
        transient retention period reconfiguration from wiping data).
      - Rework storage schema.
      - Implement certificate extension propagation & filtering.
      - Implement "Certificate was auto-signed" extension.
      - More docstrings.
      - Use a CSR as a subject & extensions template instead of only allowing
        to override the subject. Useful when renewing a certificate and when
        authenticated client wants to force (ex) a CommonName in the subject.
      - Reorganise cli executable arguments to have more possible actions.
        Especially, make CA renewal systematic on command start (helps
        validating caucase URL).
      - Increase the amount of sanity checks against user-provided data (ex:
        do not upload a private key which would be in the same file as the CRT
        to renew).
      - Extend package classifiers.
      - Get rid of revocation reason, as it seems unlikely to be filled, and
        even less likely to be read later.
      - (almost) stop using pyOpenSSL. Use cryptography module instead.
        cryptography has many more features than pyOpenSSL (except for certificate
        validation, sadly), so use it. It completely removes the need to poke
        at ASN.1 ourselves, which significantly simplifies utils module, and
        certificate signature. Code is a bit more verbose when signing, but much
        simpler than before.
      - add the possibility to revoke by certificate serial
      - update gitignore
      - include coverage configuration
      - include pylint configuration
      - integrate several secondary commands:
        - caucase-probe to quickly check server presence and basic
          functionality, so automated deployments can easily auto-check
        - caucase-monitor to automate key initial request and renewal
        - caucase-rerequest to allow full flexibility over certificate request
          content without ever transferring private keys
      - add a secure backup generation mechanism
      - add a README describing the design
  17. 21 Jul, 2017 1 commit
  18. 30 Jun, 2017 1 commit
  19. 30 May, 2017 1 commit
  20. 12 May, 2017 2 commits
  21. 27 Apr, 2017 3 commits
  22. 29 Mar, 2017 2 commits