add CRL functionality from authnid

script/sync-crls

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# script/sync-crls: update the DOD CRLs and place them where authnid expects them
+set -e
+cd "$(dirname "$0")/.."
+
+mkdir -p crl-tmp
+pipenv run python ./authnid/crl/util.py crl-tmp
+mkdir -p crl
+rsync -rq crl-tmp/. crl/.
+rm -rf crl-tmp
+
+if [[ $FLASK_ENV != "production" ]]; then
+  # place our test CRL there
+  cp ssl/client-certs/client-ca.der.crl crl/
+fi

script/sync-dod-certs

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# script/sync-dod-certs: update the CA bundle with DOD intermediate and root CAs
+
+CAS_FILE_NAME="Certificates_PKCS7_v5.3_DoD"
+CA_CHAIN="ssl/server-certs/ca-chain.pem"
+
+echo "Resetting CA bundle..."
+rm ssl/server-certs/ca-chain.pem &> /dev/null || true
+touch $CA_CHAIN
+
+if [[ $FLASK_ENV != "production" ]]; then
+  # only for testing and development
+  echo "Copy in testing client CA..."
+  cat ssl/client-certs/client-ca.crt >> $CA_CHAIN
+fi
+
+# dod intermediate certs
+echo "Adding DoD root certs"
+rm -rf tmp || true
+mkdir tmp
+curl --silent -o tmp/dod-cas.zip "https://iasecontent.disa.mil/pki-pke/$CAS_FILE_NAME.zip"
+unzip tmp/dod-cas.zip -d tmp/ &> /dev/null
+openssl pkcs7 -in "tmp/$CAS_FILE_NAME/$CAS_FILE_NAME.pem.p7b" -print_certs >> $CA_CHAIN
+rm -rf tmp