- 07 Apr, 2021 2 commits
-
-
Vincent Pelletier authored
Otherwise, the expired CA causes an error when it is being loaded, before the time comparison. Also, CRL signed by that CA also causes an error (as its signature cannot be checked). Catch these errors so the corresponding unusable PEMs are discarded.
-
Vincent Pelletier authored
Make python3 resource leak detector happy.
-
- 02 Mar, 2021 2 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 22 Feb, 2021 1 commit
-
-
Vincent Pelletier authored
Prevent the (very unlikely at a 10MB given the manipulated data structures) risk of a partial read accidentally containing producing a well-formed result. Also, only accept base-10 content lengths.
-
- 15 Feb, 2021 2 commits
-
-
Vincent Pelletier authored
This fixes late-trust-bootstrap clients' ability to trust certificates issued by an older CA.
-
Vincent Pelletier authored
Emit Certificate Revocation Lists signed by all valid CAs. Apparently openssl (or at least how it is used in stunnel4) fails to validate a certificate when CRL validation is enabled and the key which signed the CRL differs from the key which signed the certificate. Also, add Authority Key Identifier CRL extension, required to be standard- compliant. Also, fix revocation entry expiration: the RFC requires them to be kept at least one renewal cycle after the certificate's expiration. As a consequence of this whole change: - the protocol for retrieving the curren CRL changes to return the concatenated list of CRLs, which breaks the CRL distribution (...but the distributed CRLs were invalid anyway) - stop storing the CRL PEM in caucased's database so that it gets re-generated with fresh code. As caucased is not expected to be restarted very often, the extra CRL generation on every start should not make a difference.
-
- 12 Feb, 2021 9 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
So it can be reused elsewhere.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Also, some word-wrapping.
-
Vincent Pelletier authored
Makes the code easier to read.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
The only one present is not intended to be internally assigned.
-
- 03 Feb, 2021 5 commits
-
-
Vincent Pelletier authored
datetime.datetime.fromtimestamp applies timezones, which is unintended. Fixes a time drift on revoked certificates.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Also, this provides a handy location to log all queries when debugging. Also, some minor cleanups.
-
Vincent Pelletier authored
So they can be reused for more PEM-encoded types.
-
Vincent Pelletier authored
-
- 02 Feb, 2021 10 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Because this is not the job of an import/export tool.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Tests are supposed to help spot errors, and caucased access traces help with this too.
-
Vincent Pelletier authored
So that stdout may be more reliably used for scripting.
-
Vincent Pelletier authored
bad-option-value has an effect on the "disable" line, but somehow none on the "enable" line. So remove it altogether.
-
- 01 Feb, 2021 4 commits
-
-
Vincent Pelletier authored
python2.7 with pylint 1.9.5 python3.9 with pylint 2.6.0 Also, reduce the script of unused argument silencing.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
It is redundant, but regular runner output does not display the test class.
-
Vincent Pelletier authored
Thanks, modern pylint !
-
- 29 Jan, 2021 2 commits
-
-
Vincent Pelletier authored
Otherwise, client certificates issued before a new CA is used get rejected once the new CA becomes current.
-
Vincent Pelletier authored
This extension is required by rfc5280 (see section 5.2.1) but was overlooked.
-
- 25 Nov, 2020 3 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
The result only changes when CA certificates are reloaded, so prepare this valuein _loadCAKeyPairList.
-
Vincent Pelletier authored
"expires" takes an absolute date, "max-age" takes a number of seconds until expiration. So switch to "max-age": according to Mozilla Developer Network, it is supported by all major browsers, and by IE since version 8.
-