
Make /api/revoked conform to RFC5280

This commit is contained in:
Lauri Võsandi 2016-03-29 13:28:58 +03:00
parent 1475828899
commit 6de010a411
2 changed files with 27 additions and 3 deletions


@ -1,12 +1,34 @@
import falcon
import logging import logging
from certidude import constants
from certidude.authority import export_crl from certidude.authority import export_crl
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import Encoding
logger = logging.getLogger("api") logger = logging.getLogger("api")
class RevocationListResource(object): class RevocationListResource(object):
def on_get(self, req, resp): def on_get(self, req, resp):
logger.debug(u"Revocation list requested by %s", req.context.get("remote_addr")) logger.debug(u"Revocation list requested by %s", req.context.get("remote_addr"))
resp.set_header("Content-Type", "application/x-pkcs7-crl") buf = export_crl()
resp.append_header("Content-Disposition", "attachment; filename=ca.crl")
resp.body = export_crl() # Primarily offer DER encoded CRL as per RFC5280
# This is also what StrongSwan expects
if req.client_accepts("application/x-pkcs7-crl"):
resp.set_header("Content-Type", "application/x-pkcs7-crl")
resp.append_header(
"Content-Disposition",
("attachment; filename=%s.crl" % constants.HOSTNAME).encode("ascii"))
# Convert PEM to DER
resp.body = x509.load_pem_x509_crl(buf, default_backend()).public_bytes(Encoding.DER)
elif req.client_accepts("application/x-pem-file"):
resp.set_header("Content-Type", "application/x-pem-file")
resp.append_header(
"Content-Disposition",
("attachment; filename=%s-crl.pem" % constants.HOSTNAME).encode("ascii"))
resp.body = buf
else:
raise falcon.HTTPUnsupportedMediaType(
"Client did not accept application/x-pkcs7-crl or application/x-pem-file")
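Review bot: The fallback at the end of on_get raises falcon.HTTPUnsupportedMediaType, but 415 is the status for a request body the server cannot parse; when the client's Accept header matches neither offered representation the matching status is 406, i.e. `raise falcon.HTTPNotAcceptable("Client did not accept application/x-pkcs7-crl or application/x-pem-file")`. It is also worth confirming how this falcon version's client_accepts treats a request carrying no Accept header at all — if that is not taken as `*/*`, such requests would land in this branch, so a test without an Accept header is warranted. Separately, the comment above the first branch cites RFC 5280 for DER output, but the registered media type for a DER-encoded CRL is `application/pkix-crl` (RFC 2585) while `application/x-pkcs7-crl` is a legacy type; checking `req.client_accepts("application/pkix-crl") or req.client_accepts("application/x-pkcs7-crl")` for the DER branch would keep conformant clients on the DER path.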


@ -4,6 +4,8 @@
# right/remote = client # right/remote = client
config setup config setup
cachecrls=yes
strictcrlpolicy=yes
conn %default conn %default
ikelifetime=60m ikelifetime=60m
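Review bot: The two added keys deserve an explanatory comment, because `strictcrlpolicy=yes` makes strongSwan fail peer authentication whenever a fresh CRL cannot be obtained, which ties every IKE negotiation to the availability of the CRL endpoint the other file in this commit serves, while `cachecrls=yes` keeps fetched CRLs on disk so a cached copy bridges short outages until it is no longer fresh. Suggested comment above the two lines: `# Peer auth requires a fresh CRL; cached copies cover brief outages of the CA's CRL endpoint`. Whether the served CRL's validity window is long enough for that cache to be useful cannot be judged from this hunk. The enclosing `config setup` block continues past the hunk.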