Commit f5f7c68e authored by Łukasz Nowak's avatar Łukasz Nowak

app: Select only valid CRLs

Not all provided CRLs might match the CA, thus use only ones coming from
given CA.
parent 7f6bdd71
...@@ -309,8 +309,12 @@ class Kedifa(object): ...@@ -309,8 +309,12 @@ class Kedifa(object):
for x in caucase.utils.getCertList(ca_certificate_path)] for x in caucase.utils.getCertList(ca_certificate_path)]
self.crl_list = [ self.crl_list = [
caucase.utils.load_crl(x, self.ca_certificate_list) crl
for x in caucase.utils.getCRLList(crl_path)] for _, crl in caucase.utils.iter_valid_crl_list(
crl_pem_list=caucase.utils.getCRLList(crl_path),
trusted_cert_list=self.ca_certificate_list,
)
]
def __init__(self, pocket, ca_certificate, crl): def __init__(self, pocket, ca_certificate, crl):
self.pocket_db = SQLite3Storage(pocket) self.pocket_db = SQLite3Storage(pocket)
......
...@@ -1255,6 +1255,31 @@ class KedifaIntegrationTest(KedifaCaucaseMixin, unittest.TestCase): ...@@ -1255,6 +1255,31 @@ class KedifaIntegrationTest(KedifaCaucaseMixin, unittest.TestCase):
result.text result.text
) )
def test_crl_handling(self):
rouge_crl = """-----BEGIN X509 CRL-----
MIIBqjCBkwIBATANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDDCVDYXVjYXNlIENB
UyBhdCBodHRwOi8vWzo6Ml06NDI3MDkvY2FzFw0yMzEwMDUxMTExMzdaFw0yMzEx
MDUwMzQ1MTNaoC8wLTAKBgNVHRQEAwIBATAfBgNVHSMEGDAWgBQYhu+Q06gDzByH
IsV0n5V6mIX3TjANBgkqhkiG9w0BAQsFAAOCAQEAGMUYKMcvEiwZB5bsLd2q5Wm8
sQ/H/NPoTcNWm0kP7Ob3TyhLTy3j4IYn1K0WWjXSJngsjrfnx7mXAA5dYyCNlQmv
5T1S1NM6Hyrt8St6xCrlHIR9hnrxrvoRowJxj7OSUjaxbF8MpzwJFL6b5U8iYoFc
v1p2GFZ/g5vI1eUsytyCtnxud3DKcQr96/o0YGMrE3h+nGTk/+joz7b+MgKNVjQW
nqbcI9BaJFS5NBV3X2+//ngzcmcWL5jTsVT+i4x0jUQWodR28Vs2S+VktoRNSZdi
LfuavKg5tJO0ZO3U3RTmcBu6govcO2pvemKksxtd+FeVCwLpp4I+ePwJuVQ67Q==
-----END X509 CRL-----"""
orig_crl = self.crl + '.orig'
shutil.copy(self.crl, orig_crl)
self.addCleanup(shutil.move, orig_crl, self.crl)
with open(self.crl, 'a+') as fh:
fh.write(rouge_crl)
with open(self.pidfile) as pidfile:
os.kill(int(pidfile.read()), signal.SIGHUP)
# give some time for KeDiFa to react
time.sleep(1)
self.assertLastLogEntry('WARNING - KeDiFa reloaded.')
class KedifaUpdaterMixin(KedifaMixin): class KedifaUpdaterMixin(KedifaMixin):
def setUp(self): def setUp(self):
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment