diff --git a/certidude/api/revoked.py b/certidude/api/revoked.py
index c19a1e4..6fcc64b 100644
--- a/certidude/api/revoked.py
+++ b/certidude/api/revoked.py
@@ -2,7 +2,7 @@
 import falcon
 import json
 import logging
-from certidude import const
+from certidude import const, config
 from certidude.authority import export_crl, list_revoked
 from certidude.decorators import MyEncoder
 from cryptography import x509
@@ -26,11 +26,17 @@ class RevocationListResource(object):
 resp.body = x509.load_pem_x509_crl(export_crl(), default_backend()).public_bytes(Encoding.DER)
 elif req.client_accepts("application/x-pem-file"):
- resp.set_header("Content-Type", "application/x-pem-file")
- resp.append_header(
- "Content-Disposition",
- ("attachment; filename=%s-crl.pem" % const.HOSTNAME).encode("ascii"))
- resp.body = export_crl()
+ if req.get_param_as_bool("wait"):
+ url = config.PUSH_LONG_POLL % "crl"
+ resp.status = falcon.HTTP_SEE_OTHER
+ resp.set_header("Location", url.encode("ascii"))
+ logger.debug(u"Redirecting to CRL request to %s", url)
+ else:
+ resp.set_header("Content-Type", "application/x-pem-file")
+ resp.append_header(
+ "Content-Disposition",
+ ("attachment; filename=%s-crl.pem" % const.HOSTNAME).encode("ascii"))
+ resp.body = export_crl()
 elif req.accept.startswith("application/json"):
 resp.set_header("Content-Type", "application/json")
 resp.set_header("Content-Disposition", "inline")
diff --git a/certidude/authority.py b/certidude/authority.py
index aea94f6..fb2ccaa 100644
--- a/certidude/authority.py
+++ b/certidude/authority.py
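Review bot: The `wait` flag is honoured only inside the `application/x-pem-file` branch, so a DER or JSON client sending `?wait=yes` silently receives the current CRL instead of the long-poll redirect; either hoist the check above the Accept dispatch or state the restriction in a comment such as `# ?wait=yes only applies to PEM clients; DER and JSON always return the current CRL`. A 303 also leaves clients that do not follow redirects (curl without `-L`) with an empty body and no CRL, which deserves a comment beside `resp.status = falcon.HTTP_SEE_OTHER`. Because the redirect target is a different origin taken from `config.PUSH_LONG_POLL`, consumers must keep validating the CRL signature against the CA certificate and its nextUpdate rather than trusting the transport — worth saying in the same comment. The log message reads better as `logger.debug(u"Redirecting CRL request to %s", url)`. The enclosing handler starts before the hunk.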
@@ -131,6 +131,14 @@ def revoke_certificate(common_name):
 revoked_filename = os.path.join(config.REVOKED_DIR, "%s.pem" % cert.serial_number)
 os.rename(cert.path, revoked_filename)
 push.publish("certificate-revoked", cert.common_name)
+
+ # Publish CRL for long polls
+ if config.PUSH_PUBLISH:
+ url = config.PUSH_PUBLISH % "crl"
+ click.echo("Publishing CRL at %s ..." % url)
+ requests.post(url, data=export_crl(),
+ headers={"User-Agent": "Certidude API", "Content-Type": "application/x-pem-file"})
+
 mailer.send("certificate-revoked.md", attachments=(cert,), certificate=cert)
diff --git a/certidude/static/views/authority.html b/certidude/static/views/authority.html
index df68903..77b17f5 100644
--- a/certidude/static/views/authority.html
+++ b/certidude/static/views/authority.html
@@ -181,7 +181,8 @@ cat example.csr
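Review bot: `requests.post` in the new `if config.PUSH_PUBLISH:` block has no `timeout` and no exception handling, so an unreachable or stalled push server either hangs the revocation indefinitely or aborts it with a `requests.ConnectionError` after the certificate has already been moved to `REVOKED_DIR` and `push.publish` has fired, skipping the `mailer.send` notification. Publishing is best-effort — the CRL is regenerated on demand by the API — so bound the call and log failures instead of propagating them, as below. The hunk adds no `import requests`; if `authority.py` does not already import it at module level this fails with `NameError` on the first revocation, which is worth confirming. Whatever the push server accepts at `PUSH_PUBLISH` is what long-pollers receive, so that endpoint should authenticate this POST, or clients must rely solely on the CRL signature; `revoke_certificate` begins before the hunk.
```python
    # Publish CRL for long polls. Best-effort: the API regenerates the CRL on
    # demand, so a push failure must not abort or hang the revocation.
    if config.PUSH_PUBLISH:
        url = config.PUSH_PUBLISH % "crl"
        # … unchanged: click.echo progress line …
        try:
            requests.post(url, data=export_crl(), timeout=10,
                headers={"User-Agent": "Certidude API", "Content-Type": "application/x-pem-file"})
        except requests.RequestException as e:
            click.echo("Publishing CRL at %s failed: %s" % (url, e))
```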

Revoked certificates

To fetch certificate revocation list:

-
curl {{window.location.href}}api/revoked/ | openssl crl -inform der -text -noout
+
curl {{window.location.href}}api/revoked/ > crl.der
+curl http://ca2.koodur.lan/api/revoked/?wait=yes -H "Accept: application/x-pem-file" > crl.pem