import falcon import logging from pinecrypt.server import authority, const, errors from .utils.firewall import whitelist_subnets logger = logging.getLogger(__name__) class RevocationListResource(object): @whitelist_subnets(const.CRL_SUBNETS) def on_get(self, req, resp): # Primarily offer DER encoded CRL as per RFC5280 # This is also what StrongSwan expects if req.client_accepts("application/x-pkcs7-crl"): resp.set_header("Content-Type", "application/x-pkcs7-crl") resp.append_header( "Content-Disposition", ("attachment; filename=%s.crl" % const.HOSTNAME)) # Convert PEM to DER logger.debug("Serving revocation list (DER) to %s", req.context["remote"]["addr"]) resp.text = authority.export_crl(pem=False) elif req.client_accepts("application/x-pem-file"): resp.set_header("Content-Type", "application/x-pem-file") resp.append_header( "Content-Disposition", ("attachment; filename=%s-crl.pem" % const.HOSTNAME)) logger.debug("Serving revocation list (PEM) to %s", req.context["remote"]["addr"]) resp.text = authority.export_crl() else: logger.debug("Client %s asked revocation list in unsupported format" % req.context["remote"]["addr"]) raise falcon.HTTPUnsupportedMediaType( "Client did not accept application/x-pkcs7-crl or application/x-pem-file") class RevokedCertificateDetailResource(object): def on_get(self, req, resp, serial_number): try: cert_doc, buf = authority.get_revoked(serial_number) except errors.CertificateDoesNotExist: logger.warning("Failed to serve non-existant revoked certificate with serial %s to %s", serial_number, req.context["remote"]["addr"]) raise falcon.HTTPNotFound() resp.set_header("Content-Type", "application/x-pem-file") resp.set_header("Content-Disposition", ("attachment; filename=%s.pem" % cert_doc["serial_number"])) resp.text = buf logger.debug("Served revoked certificate with serial %s to %s", cert_doc["serial_number"], req.context["remote"]["addr"])