Raise Error Code 008 for invalid CRLs

2019-03-12 16:42:58 -04:00
parent d6906c8504
commit effec85cf9
5 changed files with 29 additions and 10 deletions
--- a/atst/domain/authnid/init.py
+++ b/atst/domain/authnid/init.py
@@ -47,8 +47,6 @@ class AuthenticationContext:
    def _crl_check(self):
        try:
            self.crl_cache.crl_check(self.cert)
-        except CRLInvalidException as exc:
-            raise UnauthenticatedError("CRL expired. " + str(exc))
        except CRLRevocationException as exc:
            raise UnauthenticatedError("CRL check failed. " + str(exc))

--- a/atst/domain/authnid/crl/init.py
+++ b/atst/domain/authnid/crl/init.py
@@ -2,9 +2,13 @@ import sys
 import os
 import re
 import hashlib
+from flask import current_app as app
 from datetime import datetime
 from OpenSSL import crypto, SSL

+# error codes from OpenSSL: https://github.com/openssl/openssl/blob/2c75f03b39de2fa7d006bc0f0d7c58235a54d9bb/include/openssl/x509_vfy.h#L111
+CRL_EXPIRED_ERROR_CODE = 12
+

 def get_common_name(x509_name_object):
    for comp in x509_name_object.get_components():
@@ -176,10 +180,11 @@ class CRLCache(CRLInterface):
            return True

        except crypto.X509StoreContextError as err:
-            if (
-                err.args[0][2] == "CRL has expired"
-            ):  # there has to be a better way than this
-                raise CRLInvalidException("CRL expired. Args: {}".format(err.args))
+            if err.args[0][0] == CRL_EXPIRED_ERROR_CODE:
+                if app.config.get("CRL_FAIL_OPEN"):
+                    return True
+                else:
+                    raise CRLInvalidException("CRL expired. Args: {}".format(err.args))
            raise CRLRevocationException(
                "Certificate revoked or errored. Error: {}. Args: {}".format(
                    type(err), err.args
--- a/atst/routes/errors.py
+++ b/atst/routes/errors.py
@@ -8,6 +8,7 @@ from atst.domain.invitations import (
    ExpiredError as InvitationExpiredError,
    WrongUserError as InvitationWrongUserError,
 )
+from atst.domain.authnid.crl import CRLInvalidException
 from atst.domain.portfolios import PortfolioError
 from atst.utils.flash import formatted_flash as flash

@@ -32,6 +33,11 @@ def make_error_pages(app):
    def not_found(e):
        return handle_error(e)

+    @app.errorhandler(CRLInvalidException)
+    # pylint: disable=unused-variable
+    def missing_crl(e):
+        return handle_error(e, message="Error Code 008", code=401)
+
    @app.errorhandler(exceptions.UnauthenticatedError)
    # pylint: disable=unused-variable
    def unauthorized(e):