mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-23 00:25:18 +00:00
Make /api/revoked conform to RFC5280
This commit is contained in:
parent
1475828899
commit
6de010a411
@ -1,12 +1,34 @@
|
||||
|
||||
import falcon
|
||||
import logging
|
||||
from certidude import constants
|
||||
from certidude.authority import export_crl
|
||||
from cryptography import x509
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
from cryptography.hazmat.primitives.serialization import Encoding
|
||||
|
||||
logger = logging.getLogger("api")
|
||||
|
||||
class RevocationListResource(object):
|
||||
def on_get(self, req, resp):
|
||||
logger.debug(u"Revocation list requested by %s", req.context.get("remote_addr"))
|
||||
buf = export_crl()
|
||||
|
||||
# Primarily offer DER encoded CRL as per RFC5280
|
||||
# This is also what StrongSwan expects
|
||||
if req.client_accepts("application/x-pkcs7-crl"):
|
||||
resp.set_header("Content-Type", "application/x-pkcs7-crl")
|
||||
resp.append_header("Content-Disposition", "attachment; filename=ca.crl")
|
||||
resp.body = export_crl()
|
||||
resp.append_header(
|
||||
"Content-Disposition",
|
||||
("attachment; filename=%s.crl" % constants.HOSTNAME).encode("ascii"))
|
||||
# Convert PEM to DER
|
||||
resp.body = x509.load_pem_x509_crl(buf, default_backend()).public_bytes(Encoding.DER)
|
||||
elif req.client_accepts("application/x-pem-file"):
|
||||
resp.set_header("Content-Type", "application/x-pem-file")
|
||||
resp.append_header(
|
||||
"Content-Disposition",
|
||||
("attachment; filename=%s-crl.pem" % constants.HOSTNAME).encode("ascii"))
|
||||
resp.body = buf
|
||||
else:
|
||||
raise falcon.HTTPUnsupportedMediaType(
|
||||
"Client did not accept application/x-pkcs7-crl or application/x-pem-file")
|
||||
|
@ -4,6 +4,8 @@
|
||||
# right/remote = client
|
||||
|
||||
config setup
|
||||
cachecrls=yes
|
||||
strictcrlpolicy=yes
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
Loading…
Reference in New Issue
Block a user