- 27 Jun, 2020 4 commits
-
-
Vincent Pelletier authored
Makes it harder for a compromised certificate to escape revocation by renewing itself faster than it can be identified and revoked.

TODO:
- fix tests
- coverage
- maybe just refuse to renew any cert more than once, to prevent "lineage forks" without introducing such new deadline? (probably not a good idea, losing one's certificate happens and should not cause such punishment)
- only enable for CAU certificates?
- distinguish issuance tracking between renewal and user issuance?
- auto-revoke certificates issued by renewal, but not those issued by user cert?
- 10 days is way too long. Above an hour it will get in the way, and revoking multiple should not take too long... if there was a way to recognise serials (cf. previous commit)
-
Vincent Pelletier authored
And use this tracking to warn about surviving certificates which are related to the one just revoked - they may need some attention too.

NOTE: While this should be correctly implemented, I think this is not usable, and hence probably not worth the extra complexity: what can one do when given a list of serials? This version discards old tracking entries, but even if it did not, how is one supposed to browse these?
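The two commit messages above describe a renewal throttle (a lineage may not renew again until a deadline has elapsed since its latest issuance) and lineage tracking that reports surviving related certificates on revocation. The following Python is an added illustration of that policy, not caucase's own code: caucase's storage schema differs, and the 10-day value, the `LineageTracker` class and its `issue`, `try_renew`, `revoke` and `demo` names are assumptions made for this sketch.

```python
"""Renewal-rate limiting and certificate lineage tracking (illustration only).

Added example, not caucase code. The deadline value and all names below are
assumptions drawn from the commit messages, not from the project's storage.
"""
from datetime import datetime, timedelta

# Assumed value: the commit message mentions 10 days as a first attempt.
RENEWAL_DEADLINE = timedelta(days=10)


class LineageTracker:
    """Track which certificates descend from which by renewal.

    A lineage is the chain started by a user-issued certificate and continued
    by successive renewals. Renewal is refused while the most recent issuance
    in the lineage is younger than the deadline, so a stolen certificate cannot
    outrun the CRL by renewing repeatedly before the operator notices.
    """

    def __init__(self, deadline=RENEWAL_DEADLINE):
        self.deadline = deadline
        self._lineage_of = {}  # serial -> serial that started the lineage
        self._issued_at = {}   # serial -> datetime of issuance
        self._revoked = set()

    def issue(self, serial, now):
        """Record a certificate issued by a user action: starts a new lineage."""
        self._lineage_of[serial] = serial
        self._issued_at[serial] = now

    def _members(self, serial):
        root = self._lineage_of[serial]
        return [s for s, r in self._lineage_of.items() if r == root]

    def try_renew(self, old_serial, new_serial, now):
        """Record a renewal, or return False when it must be refused.

        Refused when the old serial is already revoked (a renewal must never
        yield a usable descendant of a certificate on the CRL) or when the
        lineage's latest issuance is younger than the deadline.
        """
        if old_serial in self._revoked:
            return False
        last = max(self._issued_at[s] for s in self._members(old_serial))
        if now - last < self.deadline:
            return False
        self._lineage_of[new_serial] = self._lineage_of[old_serial]
        self._issued_at[new_serial] = now
        return True

    def revoke(self, serial):
        """Revoke one serial and return the lineage's other non-revoked serials.

        These are the surviving certificates the operator is warned about: the
        same key holder, or the same attacker, may still hold them.
        """
        self._revoked.add(serial)
        return sorted(s for s in self._members(serial) if s not in self._revoked)


def demo():
    """Walk through the scenario the commits describe (constructed serials)."""
    tracker = LineageTracker()
    t0 = datetime(2020, 6, 27)
    tracker.issue("A", t0)
    first = tracker.try_renew("A", "B", t0 + timedelta(days=15))   # accepted
    second = tracker.try_renew("B", "C", t0 + timedelta(days=20))  # refused: B is 5 days old
    survivors = tracker.revoke("B")                                 # ["A"] still live
    after = tracker.try_renew("B", "D", t0 + timedelta(days=40))   # refused: B revoked
    return first, second, survivors, after


if __name__ == "__main__":
    print(demo())
```

The throttle is measured against the latest issuance anywhere in the lineage, not just the serial being renewed, so renewing the older sibling "A" during the window is refused as well; otherwise an attacker holding "A" could fork the lineage around the deadline.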
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 26 Jun, 2020 9 commits
-
-
Vincent Pelletier authored
4 branches depend on how tests are written, and are indeed not currently used. 1 branch depends on the test process environment.
-
Vincent Pelletier authored
caucase.http will be re-generating its https certificate, so it can be slower than a normal non-initial start.
-
Vincent Pelletier authored
It would be the sign of an inconsistency in the dispatcher dict. Do not transform it into a user error (404).
-
Vincent Pelletier authored
Not all programs support having multiple CA certificates per file, so add support for creating and maintaining certificate directories containing a single certificate each.
-
Vincent Pelletier authored
Reference machine: Raspberry Pi 1 B+. caucased can take around 40s to start (CA generation, ...).
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
wsgi.input is specified to be a bytes object, not a string object.
-
Vincent Pelletier authored
-
- 25 Jun, 2020 9 commits
-
-
Vincent Pelletier authored
So caucase.sh gets some regular exercise.
-
Vincent Pelletier authored
Otherwise, this will trigger if a test takes more than 10s to run, causing caucased to exit prematurely, as only _stopServer triggers this event.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Also, encode/decode json in utf-8, not ascii, as per standard.
-
Vincent Pelletier authored
Consistently with how doBackup encodes the result of json.dumps.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Avoid repeating function name in these.
-
Vincent Pelletier authored
Get an auto-issued user certificate and use it to exercise an authenticated action.
-
Vincent Pelletier authored
Should have been part of:

    commit 17325dc0
    Author: Vincent Pelletier <plr.vincent@gmail.com>
    Date:   Sat Jul 14 18:40:41 2018 +0900

        all: Make caucased https certificate independent from CAS.

Also, remove CURL, PUT and PUTNoOut aliases. They are replaced with private functions with a naming consistent with the rest of this script.
-
- 24 Jun, 2020 5 commits
-
-
Vincent Pelletier authored
If no value is provided to a return statement, the status of the last command run is returned, making "$?" superfluous.
-
Vincent Pelletier authored
If there is no return statement, shell functions return the status of the last command they ran. So "return $?" as last function statement is superfluous.
-
Vincent Pelletier authored
Simplify code a bit. Change directory when starting caucased, so all files are stored inside test's temporary directory (and not just the database). Tolerate caucased not immediately starting. Fix CA presence tests (well this is embarrassing). List test directory content when failing, as it will get deleted shortly after.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
In shell/caucase.sh line 1134:
trap "kill \"$caucased_pid\"; wait; rm -rf \"$tmp_dir\"" EXIT
            ^-----------^ SC2064: Use single quotes, otherwise this expands now rather than when signalled.
                                            ^------^ SC2064: Use single quotes, otherwise this expands now rather than when signalled.

These variables are local, so immediate expansion is expected.
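The ShellCheck warning above is a false positive when the variables named in the trap string are function-local, as the commit message says. The following script is an added illustration of that point and is not code from caucase.sh: the function names `cleanup_deferred`, `cleanup_immediate` and `leaves_directory`, and the variable names, are made up for the example.

```sh
#!/bin/sh
# Added example, not code from caucase.sh. It shows why SC2064 is a false
# positive when the variables in the trap string are function-local.
# All function and variable names are invented for the illustration.

# Single quotes: "$tmp_dir" is expanded when the EXIT trap fires, i.e. after
# the function has returned and its local variable no longer exists, so the
# trap runs rm on an empty path and the directory is leaked.
cleanup_deferred() {
    local tmp_dir
    tmp_dir=$1
    trap 'rm -rf "$tmp_dir"' EXIT
}

# Double quotes: the path is substituted into the trap string right now,
# while the local is in scope, so the trap still names the right directory
# when it eventually fires.
cleanup_immediate() {
    local tmp_dir
    tmp_dir=$1
    trap "rm -rf \"$tmp_dir\"" EXIT
}

# Run a cleanup function in a subshell, so that its EXIT trap fires when the
# subshell ends, and report whether the directory it was given survived.
# Returns 0 if the directory is still present, 1 if the trap removed it.
leaves_directory() {
    dir=$(mktemp -d)
    ( "$1" "$dir" ) || :
    if [ -d "$dir" ]; then
        rm -rf "$dir"
        return 0
    fi
    return 1
}

if leaves_directory cleanup_deferred; then
    echo "single quotes: directory leaked (variable was gone when the trap ran)"
fi
if leaves_directory cleanup_immediate; then
    echo "double quotes: directory leaked"
else
    echo "double quotes: directory removed as intended"
fi
```

When the single-quoted variant runs, rm complains on stderr about an empty path: that complaint is the visible symptom of the variable having gone out of scope before the trap fired. For a temporary directory that may hold private keys, as in a CA client script, leaking it on exit is the security-relevant failure, which is why the double quotes in caucase.sh are deliberate.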
-
- 23 Jun, 2020 5 commits
-
-
Vincent Pelletier authored
Basically, wrap stdout and stderr whenever they do not have an encoding with an ascii-encoding writer, and write unicode to stdout & stderr. wsgi.errors is defined in the reference implementation as being a StringIO, so follow that. Stop using argparse.FileType to get rid of python3 "file not closed" errors.

Also, fix setup access to CHANGES.txt.
Also, fix 2to3 involvement.
Also, replace test.captureStdout with extra tool arguments.
-
Vincent Pelletier authored
Make coverage tests tolerate the no-op code path where the backup ends right on a block boundary not being exercised.
-
Vincent Pelletier authored
Test backup chunk boundaries. Test absence of a backup before the first user is created.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 22 Jun, 2020 2 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Resolve deprecation warnings in tests:

caucase/ca.py:548: CryptographyDeprecationWarning: Extension objects are deprecated as arguments to from_issuer_subject_key_identifier and support will be removed soon. Please migrate to passing a SubjectKeyIdentifier directly.
  critical=False,
caucase/ca.py:326: CryptographyDeprecationWarning: Extension objects are deprecated as arguments to from_issuer_subject_key_identifier and support will be removed soon. Please migrate to passing a SubjectKeyIdentifier directly.
  x509.SubjectKeyIdentifier,
caucase/test.py:422: CryptographyDeprecationWarning: Extension objects are deprecated as arguments to from_issuer_subject_key_identifier and support will be removed soon. Please migrate to passing a SubjectKeyIdentifier directly.
  critical=False,
-
- 15 Jun, 2020 1 commit
-
-
Vincent Pelletier authored
-
- 06 Jun, 2020 1 commit
-
-
Vincent Pelletier authored
Always wait at least 60 seconds between consecutive wake-ups. Avoids spamming server and local logs with attempts in case of temporary issues (ex: network).
-
- 04 Jun, 2020 3 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Load CRL expiration date even when it has not just been renewed. Also, request a newer CRL before local one expires (7 days by default).
-
Vincent Pelletier authored
Allowing clients to have a period of CRL validity overlap.
-
- 06 May, 2020 1 commit
-
-
Kirill Smelkov authored
Rerun with updated nxd-relicense. This actually changes license text in every file.

Before:

W: caucase/__init__.py: cannot find license start
W: caucase/_version.py: no copyright
W: caucase/ca.py: cannot find license start
W: caucase/cli.py: cannot find license start
W: caucase/client.py: cannot find license start
W: caucase/exceptions.py: cannot find license start
W: caucase/http.py: cannot find license start
W: caucase/http_wsgibase.py: cannot find license start
W: caucase/storage.py: cannot find license start
W: caucase/test.py: cannot find license start
W: caucase/utils.py: cannot find license start
W: caucase/version.py: cannot find license start
W: caucase/wsgi.py: cannot find license start
W: setup.py: cannot find license start
W: shell/caucase.sh: cannot find license start
W: versioneer.py: no copyright

After:

W: caucase/_version.py: no copyright
W: versioneer.py: no copyright
-