pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ugly implementation for CRLInvalidException

Browse Source
This commit is contained in:
Montana 2019-03-04 10:59:20 -05:00
parent 5f30b347c7
commit 720859efb6
2 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
atst/domain/authnid/crl/__init__.py
View File

@ -16,6 +16,12 @@ class CRLRevocationException(Exception):
pass pass
class CRLInvalidException(Exception):
# CRL expired
# CRL missing
pass
class CRLInterface: class CRLInterface:
def __init__(self, *args, logger=None, **kwargs): def __init__(self, *args, logger=None, **kwargs):
self.logger = logger self.logger = logger
@ -111,7 +117,7 @@ class CRLCache(CRLInterface):
issuer_name = get_common_name(issuer) issuer_name = get_common_name(issuer)
if not crl_info: if not crl_info:
raise CRLRevocationException( raise CRLInvalidException(
"Could not find matching CRL for issuer with Common Name {}".format( "Could not find matching CRL for issuer with Common Name {}".format(
issuer_name issuer_name
) )
@ -170,6 +176,10 @@ class CRLCache(CRLInterface):
return True return True
except crypto.X509StoreContextError as err: except crypto.X509StoreContextError as err:
if (
err.args[0][2] == "CRL has expired"
): # there has to be a better way than this
raise CRLInvalidException("CRL expired. Args: {}".format(err.args))
raise CRLRevocationException( raise CRLRevocationException(
"Certificate revoked or errored. Error: {}. Args: {}".format( "Certificate revoked or errored. Error: {}. Args: {}".format(
type(err), err.args type(err), err.args

17
tests/domain/authnid/test_crl.py
View File

@ -12,7 +12,12 @@ from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID from cryptography.x509.oid import NameOID
from atst.domain.authnid.crl import CRLCache, CRLRevocationException, NoOpCRLCache from atst.domain.authnid.crl import (
CRLCache,
CRLRevocationException,
CRLInvalidException,
NoOpCRLCache,
)
from tests.mocks import FIXTURE_EMAIL_ADDRESS, DOD_CN from tests.mocks import FIXTURE_EMAIL_ADDRESS, DOD_CN
@ -233,6 +238,16 @@ def test_no_op_crl_cache_logs_common_name():
assert "ART.GARFUNKEL.1234567890" in logger.messages[-1] assert "ART.GARFUNKEL.1234567890" in logger.messages[-1]
def test_expired_crl_raises_CRLInvalidException(
ca_file, expired_crl_file, ca_key, make_x509
):
client_cert = make_x509(rsa_key(), signer_key=ca_key, cn="chewbacca")
client_pem = client_cert.public_bytes(Encoding.PEM)
crl_cache = CRLCache(ca_file, crl_locations=[expired_crl_file])
with pytest.raises(CRLInvalidException):
crl_cache.crl_check(client_pem)
def test_updates_expired_certs(ca_file, expired_crl_file, crl_file, ca_key, make_x509): def test_updates_expired_certs(ca_file, expired_crl_file, crl_file, ca_key, make_x509):
""" """
Given a CRLCache object with an expired CRL and a function for updating the Given a CRLCache object with an expired CRL and a function for updating the