app: Fix behaviour with more than on CA certificate

By inserting other CA certificate as first one in the list, the problem is reproduced in the test.

app: Fix behaviour with more than on CA certificate
By inserting other CA certificate as first one in the list, the problem is reproduced in the test.
1e38bcb3 · Łukasz Nowak · 4b187130 · 1e38bcb3 · 1e38bcb3
Commit 1e38bcb3 authored Jan 27, 2021 by Łukasz Nowak
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 5 deletions

kedifa/app.py kedifa/app.py +7 -5

kedifa/test.py kedifa/test.py +25 -0

No files found.
--- a/kedifa/app.py
+++ b/kedifa/app.py
@@ -303,10 +303,12 @@ class Kedifa(object):
  content-type: text/plain
 """
  def loadCertificate(self, ca_certificate, crl):
-    self.ca_certificate = caucase.utils.load_ca_certificate(
-      ca_certificate.read())
+    self.ca_certificate_list = [
+      caucase.utils.load_ca_certificate(x)
+      for x in caucase.utils.getCertList(ca_certificate.name)]
+
    self.crl = caucase.utils.load_crl(
-      crl.read(), [self.ca_certificate]).public_bytes(encoding=Encoding.PEM)
+      crl.read(), self.ca_certificate_list).public_bytes(encoding=Encoding.PEM)

  def __init__(self, pocket, ca_certificate, crl):
    self.pocket_db = SQLite3Storage(pocket)
@@ -345,10 +347,10 @@ class Kedifa(object):
    try:
      caucase.utils.load_certificate(
        environ.get('SSL_CLIENT_CERT', b''),
-        trusted_cert_list=[self.ca_certificate],
+        trusted_cert_list=self.ca_certificate_list,
        crl=caucase.utils.load_crl(
          self.crl,
-          [self.ca_certificate],
+          self.ca_certificate_list,
        ),
      )
    except (caucase.exceptions.CertificateVerificationError, ValueError):

--- a/kedifa/test.py
+++ b/kedifa/test.py
@@ -209,6 +209,31 @@ class KedifaMixinCaucase(KedifaMixin):
       '--get-crt', csr_id, kedifa_key_pem
    ])

+    # inject other root CA
+    other_root_CA = """-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUN7GPhb+YU5u+1f+OZWEuSwrgv/owDQYJKoZIhvcNAQEL
+BQAwEzERMA8GA1UEAwwIUm91Z2UgQ0EwIBcNMjEwMTI3MTIwNDIzWhgPMjEyMTAx
+MDMxMjA0MjNaMBMxETAPBgNVBAMMCFJvdWdlIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAsztfeLyiAx/jnAzSsr89vKZB1e+zhSMv+QSOGaIDo1W3
+ucSHw9Krz5MgJJF5ZL85UeV/eSAu9dn1CvcGSjiv7+3uUdk+uJ0IsJ9d7q2x8Alh
+AylWP+ShXdu8fVN9TSBPNdiDk8+kcwCOs89MNkoMgW7U4o0F+TbP9xzDEAT4b2KT
+rxNTptI2W46w5UZQuAS6E7fTn3EM3Y4M+3re39SNQjj3U8tSjtWPvPQoDWL47z39
+GOdq7tcsT5jZX/OiMEFPIHqvwFq2G4HkZedHfR6WSAjqu4Z2Ci1QEzAUH/ajOhbz
+uExuHxiKe7F4edjiksROVRQQyv3jSR2mDO1wSPkckQIDAQABo1MwUTAdBgNVHQ4E
+FgQU0yc0olTa5mt5Y3/Wko8ODOe7z0QwHwYDVR0jBBgwFoAU0yc0olTa5mt5Y3/W
+ko8ODOe7z0QwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAe80b
+kROYreF41GCaSLZrd9As/HjBJPHBT1fgOFuFIlEk/T2Xp5XvIZr4nU+dalPUZwA6
+WiOD6+POPxZmNsSeSpJwUfTmK5qjkskfOPunwqyXjLkcJs+tKXnmpMiKdxwhwPmL
+N0Iil+OCl0gc1gfXHBrZnXb+1AKHwvVmyFDrv1it7jr7/7Ou/OKNpnpLpKCXO7U5
+Ba/KebT9rPJhwFF9nPiF6cP4+rOKAVPy4PJpQd5kfVlLXO1wnf053XWlCrE2cVPV
+5+CMzKNm9zDGlYcyokK32Itv2LNrqatRlAetExXU+5ydkP+5pVKcLpSWI8qOJN9k
+ez+ONyvetfvjD8cxyQ==
+-----END CERTIFICATE-----"""
+    with open(self.ca_crt_pem, 'r') as fh:
+      ca_crt_pem = fh.read()
+    ca_crt_pem = other_root_CA + '\n' + ca_crt_pem
+    with open(self.ca_crt_pem, 'w') as fh:
+      fh.write(ca_crt_pem)
    return kedifa_key_pem

  def setUpKedifaKey(self, common_name):