From 6de010a411dcd3bfbec405fb3d2909617045ea2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Tue, 29 Mar 2016 13:28:58 +0300
Subject: [PATCH] Make /api/revoked conform to RFC5280

---
 certidude/api/revoked.py                     | 28 +++++++++++++++++--
 .../templates/strongswan-site-to-client.conf |  2 ++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/certidude/api/revoked.py b/certidude/api/revoked.py
index 1308f65..ffc36f9 100644
--- a/certidude/api/revoked.py
+++ b/certidude/api/revoked.py
@@ -1,12 +1,34 @@
+import falcon
 import logging
+from certidude import constants
 from certidude.authority import export_crl
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.serialization import Encoding
 
 logger = logging.getLogger("api")
 
 class RevocationListResource(object):
     def on_get(self, req, resp):
         logger.debug(u"Revocation list requested by %s", req.context.get("remote_addr"))
-        resp.set_header("Content-Type", "application/x-pkcs7-crl")
-        resp.append_header("Content-Disposition", "attachment; filename=ca.crl")
-        resp.body = export_crl()
+        buf = export_crl()
+
+        # Primarily offer DER encoded CRL as per RFC5280
+        # This is also what StrongSwan expects
+        if req.client_accepts("application/x-pkcs7-crl"):
+            resp.set_header("Content-Type", "application/x-pkcs7-crl")
+            resp.append_header(
+                "Content-Disposition",
+                ("attachment; filename=%s.crl" % constants.HOSTNAME).encode("ascii"))
+            # Convert PEM to DER
+            resp.body = x509.load_pem_x509_crl(buf, default_backend()).public_bytes(Encoding.DER)
+        elif req.client_accepts("application/x-pem-file"):
+            resp.set_header("Content-Type", "application/x-pem-file")
+            resp.append_header(
+                "Content-Disposition",
+                ("attachment; filename=%s-crl.pem" % constants.HOSTNAME).encode("ascii"))
+            resp.body = buf
+        else:
+            raise falcon.HTTPUnsupportedMediaType(
+                "Client did not accept application/x-pkcs7-crl or application/x-pem-file")
 
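Review bot: The `else` branch at the end of on_get raises `falcon.HTTPUnsupportedMediaType` (415), but that status is defined for a request body the server cannot process; a request whose Accept header matches neither offered representation should get 406 Not Acceptable, so the line should read `raise falcon.HTTPNotAcceptable(` with the same message. Returning 415 here also misleads clients and anyone reading the access log into suspecting a request-encoding problem rather than content negotiation. As far as I can tell Falcon's `client_accepts` treats an absent Accept header as `*/*`, so a bare fetch lands in the DER branch; that is the intended default and is worth stating in the comment above the `if`, e.g. `# A request with no Accept header also takes this branch (treated as */*)`.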
diff --git a/certidude/templates/strongswan-site-to-client.conf b/certidude/templates/strongswan-site-to-client.conf
index 6d838d2..afb5cf9 100644
--- a/certidude/templates/strongswan-site-to-client.conf
+++ b/certidude/templates/strongswan-site-to-client.conf
@@ -4,6 +4,8 @@
 # right/remote = client
 
 config setup
+    cachecrls=yes
+    strictcrlpolicy=yes
 
 conn %default
     ikelifetime=60m
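Review bot: `strictcrlpolicy=yes` makes peer authentication fail whenever a fresh CRL cannot be obtained, so the /api/revoked endpoint changed in the first hunk is now on the tunnel-establishment path: an outage there, or a 500 from the PEM re-parse the DER branch performs on every request, refuses new connections until a cached CRL can be used. That fail-closed behaviour is the right default for a revocation check, but the template gives no hint of it, so I would add above the two new lines: `# Fail closed: a tunnel is refused when no fresh CRL is available; cachecrls keeps the last fetched CRL on disk so a short outage of the CRL endpoint is tolerated until that copy expires.` Whether strongSwan honours the cached copy exactly until nextUpdate is worth confirming against the installed version's documentation before relying on it.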