mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-22 16:25:17 +00:00
api: ocsp: drop usage of global authority import
This commit is contained in:
parent
be454d7a65
commit
7f2729e6f4
@ -262,7 +262,7 @@ def certidude_app(log_handlers=[]):
|
|||||||
|
|
||||||
if config.OCSP_SUBNETS:
|
if config.OCSP_SUBNETS:
|
||||||
from .ocsp import OCSPResource
|
from .ocsp import OCSPResource
|
||||||
app.add_sink(OCSPResource(), prefix="/api/ocsp")
|
app.add_sink(OCSPResource(authority), prefix="/api/ocsp")
|
||||||
|
|
||||||
# Set up log handlers
|
# Set up log handlers
|
||||||
if config.LOGGING_BACKEND == "sql":
|
if config.LOGGING_BACKEND == "sql":
|
||||||
|
@ -6,13 +6,16 @@ from asn1crypto.util import timezone
|
|||||||
from asn1crypto import cms, algos, x509, ocsp
|
from asn1crypto import cms, algos, x509, ocsp
|
||||||
from base64 import b64decode, b64encode
|
from base64 import b64decode, b64encode
|
||||||
from certbuilder import pem_armor_certificate
|
from certbuilder import pem_armor_certificate
|
||||||
from certidude import authority, push, config
|
from certidude import push, config
|
||||||
from certidude.firewall import whitelist_subnets
|
from certidude.firewall import whitelist_subnets
|
||||||
from datetime import datetime, timedelta
|
from datetime import datetime, timedelta
|
||||||
from oscrypto import keys, asymmetric, symmetric
|
from oscrypto import keys, asymmetric, symmetric
|
||||||
from oscrypto.errors import SignatureError
|
from oscrypto.errors import SignatureError
|
||||||
|
|
||||||
class OCSPResource(object):
|
class OCSPResource(object):
|
||||||
|
def __init__(self, authority):
|
||||||
|
self.authority = authority
|
||||||
|
|
||||||
@whitelist_subnets(config.OCSP_SUBNETS)
|
@whitelist_subnets(config.OCSP_SUBNETS)
|
||||||
def __call__(self, req, resp):
|
def __call__(self, req, resp):
|
||||||
try:
|
try:
|
||||||
@ -55,14 +58,14 @@ class OCSPResource(object):
|
|||||||
link_target = os.readlink(os.path.join(config.SIGNED_BY_SERIAL_DIR, "%x.pem" % serial))
|
link_target = os.readlink(os.path.join(config.SIGNED_BY_SERIAL_DIR, "%x.pem" % serial))
|
||||||
assert link_target.startswith("../")
|
assert link_target.startswith("../")
|
||||||
assert link_target.endswith(".pem")
|
assert link_target.endswith(".pem")
|
||||||
path, buf, cert, signed, expires = authority.get_signed(link_target[3:-4])
|
path, buf, cert, signed, expires = self.authority.get_signed(link_target[3:-4])
|
||||||
if serial != cert.serial_number:
|
if serial != cert.serial_number:
|
||||||
logger.error("Certificate store integrity check failed, %s refers to certificate with serial %x" % (link_target, cert.serial_number))
|
logger.error("Certificate store integrity check failed, %s refers to certificate with serial %x" % (link_target, cert.serial_number))
|
||||||
raise EnvironmentError("Integrity check failed")
|
raise EnvironmentError("Integrity check failed")
|
||||||
status = ocsp.CertStatus(name='good', value=None)
|
status = ocsp.CertStatus(name='good', value=None)
|
||||||
except EnvironmentError:
|
except EnvironmentError:
|
||||||
try:
|
try:
|
||||||
path, buf, cert, signed, expires, revoked = authority.get_revoked(serial)
|
path, buf, cert, signed, expires, revoked = self.authority.get_revoked(serial)
|
||||||
status = ocsp.CertStatus(
|
status = ocsp.CertStatus(
|
||||||
name='revoked',
|
name='revoked',
|
||||||
value={
|
value={
|
||||||
@ -102,7 +105,7 @@ class OCSPResource(object):
|
|||||||
'certs': [server_certificate.asn1],
|
'certs': [server_certificate.asn1],
|
||||||
'signature_algorithm': {'algorithm': "sha1_rsa"},
|
'signature_algorithm': {'algorithm': "sha1_rsa"},
|
||||||
'signature': asymmetric.rsa_pkcs1v15_sign(
|
'signature': asymmetric.rsa_pkcs1v15_sign(
|
||||||
authority.private_key,
|
self.authority.private_key,
|
||||||
response_data.dump(),
|
response_data.dump(),
|
||||||
"sha1"
|
"sha1"
|
||||||
)
|
)
|
||||||
|
Loading…
Reference in New Issue
Block a user