From 7f2729e6f4c9ae46b1a3dee937ab83219064a3ba Mon Sep 17 00:00:00 2001 From: Priit Laes Date: Sat, 3 Feb 2018 12:45:07 +0200 Subject: [PATCH] api: ocsp: drop usage of global authority import --- certidude/api/__init__.py | 2 +- certidude/api/ocsp.py | 11 +++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/certidude/api/__init__.py b/certidude/api/__init__.py index 945a684..7b3176f 100644 --- a/certidude/api/__init__.py +++ b/certidude/api/__init__.py @@ -262,7 +262,7 @@ def certidude_app(log_handlers=[]): if config.OCSP_SUBNETS: from .ocsp import OCSPResource - app.add_sink(OCSPResource(), prefix="/api/ocsp") + app.add_sink(OCSPResource(authority), prefix="/api/ocsp") # Set up log handlers if config.LOGGING_BACKEND == "sql": diff --git a/certidude/api/ocsp.py b/certidude/api/ocsp.py index 26c2f4a..e4b6d9a 100644 --- a/certidude/api/ocsp.py +++ b/certidude/api/ocsp.py @@ -6,13 +6,16 @@ from asn1crypto.util import timezone from asn1crypto import cms, algos, x509, ocsp from base64 import b64decode, b64encode from certbuilder import pem_armor_certificate -from certidude import authority, push, config +from certidude import push, config from certidude.firewall import whitelist_subnets from datetime import datetime, timedelta from oscrypto import keys, asymmetric, symmetric from oscrypto.errors import SignatureError class OCSPResource(object): + def __init__(self, authority): + self.authority = authority + @whitelist_subnets(config.OCSP_SUBNETS) def __call__(self, req, resp): try: @@ -55,14 +58,14 @@ class OCSPResource(object): link_target = os.readlink(os.path.join(config.SIGNED_BY_SERIAL_DIR, "%x.pem" % serial)) assert link_target.startswith("../") assert link_target.endswith(".pem") - path, buf, cert, signed, expires = authority.get_signed(link_target[3:-4]) + path, buf, cert, signed, expires = self.authority.get_signed(link_target[3:-4]) if serial != cert.serial_number: logger.error("Certificate store integrity check failed, %s refers to certificate with serial %x" % (link_target, cert.serial_number)) raise EnvironmentError("Integrity check failed") status = ocsp.CertStatus(name='good', value=None) except EnvironmentError: try: - path, buf, cert, signed, expires, revoked = authority.get_revoked(serial) + path, buf, cert, signed, expires, revoked = self.authority.get_revoked(serial) status = ocsp.CertStatus( name='revoked', value={ @@ -102,7 +105,7 @@ class OCSPResource(object): 'certs': [server_certificate.asn1], 'signature_algorithm': {'algorithm': "sha1_rsa"}, 'signature': asymmetric.rsa_pkcs1v15_sign( - authority.private_key, + self.authority.private_key, response_data.dump(), "sha1" )