api: ocsp: drop usage of global authority import

Priit Laes 2018-02-03 12:45:07 +02:00
parent be454d7a65
commit 7f2729e6f4
2 changed files with 8 additions and 5 deletions


@ -262,7 +262,7 @@ def certidude_app(log_handlers=[]):
if config.OCSP_SUBNETS: if config.OCSP_SUBNETS:
from .ocsp import OCSPResource from .ocsp import OCSPResource
app.add_sink(OCSPResource(), prefix="/api/ocsp") app.add_sink(OCSPResource(authority), prefix="/api/ocsp")
# Set up log handlers # Set up log handlers
if config.LOGGING_BACKEND == "sql": if config.LOGGING_BACKEND == "sql":


@ -6,13 +6,16 @@ from asn1crypto.util import timezone
from asn1crypto import cms, algos, x509, ocsp from asn1crypto import cms, algos, x509, ocsp
from base64 import b64decode, b64encode from base64 import b64decode, b64encode
from certbuilder import pem_armor_certificate from certbuilder import pem_armor_certificate
from certidude import authority, push, config from certidude import push, config
from certidude.firewall import whitelist_subnets from certidude.firewall import whitelist_subnets
from datetime import datetime, timedelta from datetime import datetime, timedelta
from oscrypto import keys, asymmetric, symmetric from oscrypto import keys, asymmetric, symmetric
from oscrypto.errors import SignatureError from oscrypto.errors import SignatureError
class OCSPResource(object): class OCSPResource(object):
def __init__(self, authority):
self.authority = authority
@whitelist_subnets(config.OCSP_SUBNETS) @whitelist_subnets(config.OCSP_SUBNETS)
def __call__(self, req, resp): def __call__(self, req, resp):
try: try:
@ -55,14 +58,14 @@ class OCSPResource(object):
link_target = os.readlink(os.path.join(config.SIGNED_BY_SERIAL_DIR, "%x.pem" % serial)) link_target = os.readlink(os.path.join(config.SIGNED_BY_SERIAL_DIR, "%x.pem" % serial))
assert link_target.startswith("../") assert link_target.startswith("../")
assert link_target.endswith(".pem") assert link_target.endswith(".pem")
path, buf, cert, signed, expires = authority.get_signed(link_target[3:-4]) path, buf, cert, signed, expires = self.authority.get_signed(link_target[3:-4])
if serial != cert.serial_number: if serial != cert.serial_number:
logger.error("Certificate store integrity check failed, %s refers to certificate with serial %x" % (link_target, cert.serial_number)) logger.error("Certificate store integrity check failed, %s refers to certificate with serial %x" % (link_target, cert.serial_number))
raise EnvironmentError("Integrity check failed") raise EnvironmentError("Integrity check failed")
status = ocsp.CertStatus(name='good', value=None) status = ocsp.CertStatus(name='good', value=None)
except EnvironmentError: except EnvironmentError:
try: try:
path, buf, cert, signed, expires, revoked = authority.get_revoked(serial) path, buf, cert, signed, expires, revoked = self.authority.get_revoked(serial)
status = ocsp.CertStatus( status = ocsp.CertStatus(
name='revoked', name='revoked',
value={ value={
@ -102,7 +105,7 @@ class OCSPResource(object):
'certs': [server_certificate.asn1], 'certs': [server_certificate.asn1],
'signature_algorithm': {'algorithm': "sha1_rsa"}, 'signature_algorithm': {'algorithm': "sha1_rsa"},
'signature': asymmetric.rsa_pkcs1v15_sign( 'signature': asymmetric.rsa_pkcs1v15_sign(
authority.private_key, self.authority.private_key,
response_data.dump(), response_data.dump(),
"sha1" "sha1"
) )
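Review bot: The response built at the end of the hunk is still signed with `'signature_algorithm': {'algorithm': "sha1_rsa"}` and `"sha1"` passed to `rsa_pkcs1v15_sign` over `self.authority.private_key`; SHA-1 signatures are deprecated and increasingly rejected by OCSP verifiers, so this refactor is a good moment to move to `"sha256_rsa"` / `"sha256"` (both values must change together — confirm those identifiers against the asn1crypto/oscrypto versions in use). The serial-link integrity checks earlier in the hunk, `assert link_target.startswith("../")` and `assert link_target.endswith(".pem")`, are stripped under `python -O`, so in an optimized deployment `link_target[3:-4]` is passed to `self.authority.get_signed` unvalidated; an explicit `if not (link_target.startswith("../") and link_target.endswith(".pem")): raise EnvironmentError("Integrity check failed")` keeps the check in production and would route a malformed link through the same `except EnvironmentError` fallback as the serial mismatch — verify that treating it like a missing signed cert is the intended semantics. The new `__init__` has no docstring; a one-liner such as `"""Bind this responder to the CA authority used to look up certificate status and sign responses."""` would document why the authority is now injected rather than imported. `__call__` begins in the second hunk and its body continues past the last hunk, so the enclosing try/except structure is only partly visible here.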