For easier use when renewing a single certificate after restoring
backups, for example.

Also, makes them not count against the maximum number of auto-emitted
certificates.

Also, inline createCAKeyPair method in its only caller. This was not
intended to be part of the API.
Prepares support for externally-provided CA certificates.

This is called from many places which make sense to call independently
and should not conflict. So protect against parallel CA renewal.
Result code will never block: a single thread will process renewal,
concurrent threads will just use the still-valid latest CA.

This is fixed in latest cryptography module.
Forgotten when cryptography minimal version was bumped to 2.1.1 .

For python-hostile and python-deprived audiences.

While identifiers are integers, they could just as well be treated as
opaque identifiers by external applications.

Instead, use a thread-safe way. Current code using it is not threaded, but
future code will be.

Current tests have no extra dependencies.
This takes some time before running caucase tests, especially on slower
machines.

To accommodate with slower machines, which are a reasonable target for
caucase.
Caucase tests do not timeout anymore on a Raspberry Pi B+.

Allows running tests without setup.py around.

Remove special handling of first folder level.
Generalise CAU/CAS context decision.
Split functionalities further, making each method shorter.
Factorise subpath checks.
Factorise response generation when producing a body.

The resulting data structure, if more verbose than the original one, is
not harder to traverse and more extensible.

Chunk size is not bounded. So instead of remembering chunk tail, remember
how much there is to read in current chunk.

As per WSGI specs, transfer encoding (and other hop-by-hop headers) must
not be processed by WSGI applications.

Allows introducing more reasons to reject authentication, with different
WWW-Authenticate values.

So "wsgi.url_scheme" gets the correct value.

Needed by curl with --upload-file .
Curl also asks us to return "100 Continue" responses, but WSGI (as of
python 2.7 reference implementation) does not allow that. Gah.

So that wsgi layer can convert it into a 4xx error, and it stops being a
5xx error + traceback.
Add a test.

Allows enforcing CRL signature checking.