Commit b1e05975 authored by Vincent Pelletier's avatar Vincent Pelletier

TODO: Update.

pyca/cryptography 21st release is out and caucase already requires
is_signature_valid.
Also, literal IPv6 CRL distribution points no longer fail - add a test.
No more known 1.0 blockers ! Weee !
parent fa62d787
Blocker for 1.0
===============
- After pyca/cryptography 21st release: Make is_signature_valid call mandatory in caucase.utils.load_crl .
- After pyca/cryptography later release (code not fixed yet): Enable CRL distribution point extension when it tolerates literal IPv6 in the URL.
Eventually Eventually
========== ==========
...@@ -1959,5 +1959,34 @@ class CaucaseTest(unittest.TestCase): ...@@ -1959,5 +1959,34 @@ class CaucaseTest(unittest.TestCase):
updater_event.set() updater_event.set()
updater_thread.join(2) updater_thread.join(2)
def testHttpNetlocIPv6(self):
"""
Test that it is possible to use a literal IPv6 as netloc.
This used to fail because cryptography module would reject bare IPv6
address in CRL distribution point extension.
"""
self._stopServer()
# Force generation of a new server certificate
os.unlink(self._server_key)
self._server_netloc = '[::1]:8000'
# Would raise
self._startServer()
# To retrieve CAS CA crt.
self._runClient()
# Sanity checks
self.assertTrue(os.path.exists(self._server_key))
distribution_point, = utils.load_certificate(
utils.getCert(self._server_key),
[
utils.load_ca_certificate(x)
for x in utils.getCertList(self._client_ca_crt)
],
None,
).extensions.get_extension_for_class(
x509.CRLDistributionPoints,
).value
uri, = distribution_point.full_name
self.assertEqual(uri.value, u'http://[::1]:8000/cas/crl')
if __name__ == '__main__': if __name__ == '__main__':
unittest.main() unittest.main()
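Review bot: testHttpNetlocIPv6 hard-codes `self._server_netloc = '[::1]:8000'`, so on a host without an IPv6 loopback the test fails inside `_startServer()` for a reason unrelated to the CRL distribution point handling it is meant to cover; a guard such as `if not socket.has_ipv6: self.skipTest('IPv6 unavailable')` placed before `self._stopServer()` would keep the failure mode honest (whether `socket` is already imported by the file is not visible in this hunk). The `# Would raise` comment above `self._startServer()` would read better if it said what used to happen, e.g. `# Used to raise: cryptography rejected a literal IPv6 netloc in the CRL distribution point extension`. The bare `None` third argument to `utils.load_certificate` deserves a short comment naming which parameter it disables, since its meaning is not recoverable from this call site. The enclosing CaucaseTest class starts outside the hunk; the method itself is complete.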
...@@ -378,8 +378,8 @@ def load_crl(data, trusted_cert_list): ...@@ -378,8 +378,8 @@ def load_crl(data, trusted_cert_list):
""" """
Load a certificate revocation list from PEM-encoded data. Load a certificate revocation list from PEM-encoded data.
If cryptography supports it, raises cryptography.exceptions.InvalidSignature Raises cryptography.exceptions.InvalidSignature if the CRL signature does not
if the CRL signature does not match any trusted certificate. match any trusted certificate.
""" """
crl = x509.load_pem_x509_crl(data, _cryptography_backend) crl = x509.load_pem_x509_crl(data, _cryptography_backend)
for cert in trusted_cert_list: for cert in trusted_cert_list: