Raise Error Code 008 for invalid CRLs

2019-03-12 16:42:58 -04:00
parent d6906c8504
commit effec85cf9
5 changed files with 29 additions and 10 deletions
--- a/atst/domain/authnid/init.py
+++ b/atst/domain/authnid/init.py
@@ -47,8 +47,6 @@ class AuthenticationContext:
    def _crl_check(self):
        try:
            self.crl_cache.crl_check(self.cert)
-        except CRLInvalidException as exc:
-            raise UnauthenticatedError("CRL expired. " + str(exc))
        except CRLRevocationException as exc:
            raise UnauthenticatedError("CRL check failed. " + str(exc))

--- a/atst/domain/authnid/crl/init.py
+++ b/atst/domain/authnid/crl/init.py
@@ -2,9 +2,13 @@ import sys
 import os
 import re
 import hashlib
+from flask import current_app as app
 from datetime import datetime
 from OpenSSL import crypto, SSL

+# error codes from OpenSSL: https://github.com/openssl/openssl/blob/2c75f03b39de2fa7d006bc0f0d7c58235a54d9bb/include/openssl/x509_vfy.h#L111
+CRL_EXPIRED_ERROR_CODE = 12
+

 def get_common_name(x509_name_object):
    for comp in x509_name_object.get_components():
@@ -176,10 +180,11 @@ class CRLCache(CRLInterface):
            return True

        except crypto.X509StoreContextError as err:
-            if (
-                err.args[0][2] == "CRL has expired"
-            ):  # there has to be a better way than this
-                raise CRLInvalidException("CRL expired. Args: {}".format(err.args))
+            if err.args[0][0] == CRL_EXPIRED_ERROR_CODE:
+                if app.config.get("CRL_FAIL_OPEN"):
+                    return True
+                else:
+                    raise CRLInvalidException("CRL expired. Args: {}".format(err.args))
            raise CRLRevocationException(
                "Certificate revoked or errored. Error: {}. Args: {}".format(
                    type(err), err.args