From 6de010a411dcd3bfbec405fb3d2909617045ea2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= <lauri.vosandi@gmail.com>
Date: Tue, 29 Mar 2016 13:28:58 +0300
Subject: [PATCH] Make /api/revoked conform to RFC5280

---
 certidude/api/revoked.py                      | 28 +++++++++++++++++--
 .../templates/strongswan-site-to-client.conf  |  2 ++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/certidude/api/revoked.py b/certidude/api/revoked.py
index 1308f65..ffc36f9 100644
--- a/certidude/api/revoked.py
+++ b/certidude/api/revoked.py
@@ -1,12 +1,34 @@
 
+import falcon
 import logging
+from certidude import constants
 from certidude.authority import export_crl
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.serialization import Encoding
 
 logger = logging.getLogger("api")
 
 class RevocationListResource(object):
     def on_get(self, req, resp):
         logger.debug(u"Revocation list requested by %s", req.context.get("remote_addr"))
-        resp.set_header("Content-Type", "application/x-pkcs7-crl")
-        resp.append_header("Content-Disposition", "attachment; filename=ca.crl")
-        resp.body = export_crl()
+        buf = export_crl()
+
+        # Primarily offer DER encoded CRL as per RFC5280
+        # This is also what StrongSwan expects
+        if req.client_accepts("application/x-pkcs7-crl"):
+            resp.set_header("Content-Type", "application/x-pkcs7-crl")
+            resp.append_header(
+                "Content-Disposition",
+                ("attachment; filename=%s.crl" % constants.HOSTNAME).encode("ascii"))
+            # Convert PEM to DER
+            resp.body = x509.load_pem_x509_crl(buf, default_backend()).public_bytes(Encoding.DER)
+        elif req.client_accepts("application/x-pem-file"):
+            resp.set_header("Content-Type", "application/x-pem-file")
+            resp.append_header(
+                "Content-Disposition",
+                ("attachment; filename=%s-crl.pem" % constants.HOSTNAME).encode("ascii"))
+            resp.body = buf
+        else:
+            raise falcon.HTTPUnsupportedMediaType(
+                "Client did not accept application/x-pkcs7-crl or application/x-pem-file")
diff --git a/certidude/templates/strongswan-site-to-client.conf b/certidude/templates/strongswan-site-to-client.conf
index 6d838d2..afb5cf9 100644
--- a/certidude/templates/strongswan-site-to-client.conf
+++ b/certidude/templates/strongswan-site-to-client.conf
@@ -4,6 +4,8 @@
 # right/remote = client
 
 config setup
+    cachecrls=yes
+    strictcrlpolicy=yes
 
 conn %default
 	ikelifetime=60m