- 07 Jul, 2022 1 commit
-
-
Vincent Pelletier authored
This was indirectly satisfied by cryptography depending on ipaddress, so no functional change is expected. This is just to be pedantic.
-
- 22 Dec, 2021 4 commits
-
-
Vincent Pelletier authored
Traversal to the root makes is unreasonable. Rely on "shell" directory being a sibling of test.py's container.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Break requested sleep period into smaller chunks, to try to compensate for extended suspension periods. The chosen values seem to be a reasonable trade-off between accuracy and number of wake-ups.
-
Vincent Pelletier authored
Positional arguments are comparatively a lot harder to understand.
-
- 15 Dec, 2021 1 commit
-
-
Vincent Pelletier authored
caucase.test: Increase the caucased start timeout for test_databaseUpgradeFrom_0_9_8_{with,no}_revoked This step needs to generate certificates, so it may reach the shorter, default timeout.
-
- 09 Nov, 2021 9 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
If environment points us at a specific python interpreter, use it to run caucased, even if caucased is present reachable from PATH.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
As seen at least on cryptography 35.0.0 . Ideally this should be on a 63 or 64bits cutoff, but somehow the breakage is a lot lower. Bug reported upstream: https://github.com/pyca/cryptography/issues/6573
-
Vincent Pelletier authored
Because: - Non-blocking lock acquisition does not work with a context manager. - subprocess is not a context manager in python 2.7 .
-
Boxiang Sun authored
-
Boxiang Sun authored
-
Vincent Pelletier authored
The test should not need to sanitise the environment of this test in particular (if we do not trust the environment then there would be a lot more to sanitise for the python part of the test as well), and the intent was just to add the CAUCASE_PYTHON variable so caucase.sh runs the expected python executable and not one possibly picked from PATH. So copy environment, edit the copy and pass this to the caucase.sh subprocess.
-
- 08 Nov, 2021 2 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
This codebase must remain py2 compatible for some more, so do not complain about backward-compatible code.
-
- 20 Oct, 2021 3 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Fixes cli.updater crashing when one of the locally-stored CA is expired. Also, explicitly raise when there are CAs in the local trust store but all fail loading.
-
Vincent Pelletier authored
If an unverifiable CRL is present (ex: its CA expired), then it can be ignored in the computation of the next wake-up time. Also, factorise with similar code in client.CaucaseClient.updateCRLFile .
-
- 07 Oct, 2021 4 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Preserve py2.7 compatibility. Also, make pylint happier with the result.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 07 Apr, 2021 3 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Otherwise, the expired CA causes an error when it is being loaded, before the time comparison. Also, CRL signed by that CA also causes an error (as its signature cannot be checked). Catch these errors so the corresponding unusable PEMs are discarded.
-
Vincent Pelletier authored
Make python3 resource leak detector happy.
-
- 02 Mar, 2021 2 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 22 Feb, 2021 1 commit
-
-
Vincent Pelletier authored
Prevent the (very unlikely at a 10MB given the manipulated data structures) risk of a partial read accidentally containing producing a well-formed result. Also, only accept base-10 content lengths.
-
- 15 Feb, 2021 2 commits
-
-
Vincent Pelletier authored
This fixes late-trust-bootstrap clients' ability to trust certificates issued by an older CA.
-
Vincent Pelletier authored
Emit Certificate Revocation Lists signed by all valid CAs. Apparently openssl (or at least how it is used in stunnel4) fails to validate a certificate when CRL validation is enabled and the key which signed the CRL differs from the key which signed the certificate. Also, add Authority Key Identifier CRL extension, required to be standard- compliant. Also, fix revocation entry expiration: the RFC requires them to be kept at least one renewal cycle after the certificate's expiration. As a consequence of this whole change: - the protocol for retrieving the curren CRL changes to return the concatenated list of CRLs, which breaks the CRL distribution (...but the distributed CRLs were invalid anyway) - stop storing the CRL PEM in caucased's database so that it gets re-generated with fresh code. As caucased is not expected to be restarted very often, the extra CRL generation on every start should not make a difference.
-
- 12 Feb, 2021 8 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
So it can be reused elsewhere.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Also, some word-wrapping.
-
Vincent Pelletier authored
Makes the code easier to read.
-
Vincent Pelletier authored
-