add CRL functionality from authnid
This commit is contained in:
parent
0f8e303afa
commit
f0a7bfcd0e
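--- a/Pipfile
+++ b/Pipfile
@@ -18,6 +18,8 @@ flask-sqlalchemy = "*"
 flask-assets = "*"
 flask-session = "*"
 flask-wtf = "*"
+pyopenssl = "*"
+requests = "*"
 
 [dev-packages]
 bandit = "*"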
130
Pipfile.lock
generated
130
Pipfile.lock
generated
@ -1,7 +1,7 @@
|
|||||||
{
|
{
|
||||||
"_meta": {
|
"_meta": {
|
||||||
"hash": {
|
"hash": {
|
||||||
"sha256": "0738d50fa0153e356ddd9ce23bcc781914ed0fe860044457a9db9fc0e1cff46b"
|
"sha256": "647d98b5384d1942bbe6bfe7930b1cd249886da2f47645802cd6f93369f44538"
|
||||||
},
|
},
|
||||||
"pipfile-spec": 6,
|
"pipfile-spec": 6,
|
||||||
"requires": {
|
"requires": {
|
||||||
@ -24,6 +24,64 @@
|
|||||||
"index": "pypi",
|
"index": "pypi",
|
||||||
"version": "==1.0.0"
|
"version": "==1.0.0"
|
||||||
},
|
},
|
||||||
|
"asn1crypto": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:2f1adbb7546ed199e3c90ef23ec95c5cf3585bac7d11fb7eb562a3fe89c64e87",
|
||||||
|
"sha256:9d5c20441baf0cb60a4ac34cc447c6c189024b6b4c6cd7877034f4965c464e49"
|
||||||
|
],
|
||||||
|
"version": "==0.24.0"
|
||||||
|
},
|
||||||
|
"certifi": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7",
|
||||||
|
"sha256:9fa520c1bacfb634fa7af20a76bcbd3d5fb390481724c597da32c719a7dca4b0"
|
||||||
|
],
|
||||||
|
"version": "==2018.4.16"
|
||||||
|
},
|
||||||
|
"cffi": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:151b7eefd035c56b2b2e1eb9963c90c6302dc15fbd8c1c0a83a163ff2c7d7743",
|
||||||
|
"sha256:1553d1e99f035ace1c0544050622b7bc963374a00c467edafac50ad7bd276aef",
|
||||||
|
"sha256:1b0493c091a1898f1136e3f4f991a784437fac3673780ff9de3bcf46c80b6b50",
|
||||||
|
"sha256:2ba8a45822b7aee805ab49abfe7eec16b90587f7f26df20c71dd89e45a97076f",
|
||||||
|
"sha256:3bb6bd7266598f318063e584378b8e27c67de998a43362e8fce664c54ee52d30",
|
||||||
|
"sha256:3c85641778460581c42924384f5e68076d724ceac0f267d66c757f7535069c93",
|
||||||
|
"sha256:3eb6434197633b7748cea30bf0ba9f66727cdce45117a712b29a443943733257",
|
||||||
|
"sha256:495c5c2d43bf6cebe0178eb3e88f9c4aa48d8934aa6e3cddb865c058da76756b",
|
||||||
|
"sha256:4c91af6e967c2015729d3e69c2e51d92f9898c330d6a851bf8f121236f3defd3",
|
||||||
|
"sha256:57b2533356cb2d8fac1555815929f7f5f14d68ac77b085d2326b571310f34f6e",
|
||||||
|
"sha256:770f3782b31f50b68627e22f91cb182c48c47c02eb405fd689472aa7b7aa16dc",
|
||||||
|
"sha256:79f9b6f7c46ae1f8ded75f68cf8ad50e5729ed4d590c74840471fc2823457d04",
|
||||||
|
"sha256:7a33145e04d44ce95bcd71e522b478d282ad0eafaf34fe1ec5bbd73e662f22b6",
|
||||||
|
"sha256:857959354ae3a6fa3da6651b966d13b0a8bed6bbc87a0de7b38a549db1d2a359",
|
||||||
|
"sha256:87f37fe5130574ff76c17cab61e7d2538a16f843bb7bca8ebbc4b12de3078596",
|
||||||
|
"sha256:95d5251e4b5ca00061f9d9f3d6fe537247e145a8524ae9fd30a2f8fbce993b5b",
|
||||||
|
"sha256:9d1d3e63a4afdc29bd76ce6aa9d58c771cd1599fbba8cf5057e7860b203710dd",
|
||||||
|
"sha256:a36c5c154f9d42ec176e6e620cb0dd275744aa1d804786a71ac37dc3661a5e95",
|
||||||
|
"sha256:a6a5cb8809091ec9ac03edde9304b3ad82ad4466333432b16d78ef40e0cce0d5",
|
||||||
|
"sha256:ae5e35a2c189d397b91034642cb0eab0e346f776ec2eb44a49a459e6615d6e2e",
|
||||||
|
"sha256:b0f7d4a3df8f06cf49f9f121bead236e328074de6449866515cea4907bbc63d6",
|
||||||
|
"sha256:b75110fb114fa366b29a027d0c9be3709579602ae111ff61674d28c93606acca",
|
||||||
|
"sha256:ba5e697569f84b13640c9e193170e89c13c6244c24400fc57e88724ef610cd31",
|
||||||
|
"sha256:be2a9b390f77fd7676d80bc3cdc4f8edb940d8c198ed2d8c0be1319018c778e1",
|
||||||
|
"sha256:ca1bd81f40adc59011f58159e4aa6445fc585a32bb8ac9badf7a2c1aa23822f2",
|
||||||
|
"sha256:d5d8555d9bfc3f02385c1c37e9f998e2011f0db4f90e250e5bc0c0a85a813085",
|
||||||
|
"sha256:e55e22ac0a30023426564b1059b035973ec82186ddddbac867078435801c7801",
|
||||||
|
"sha256:e90f17980e6ab0f3c2f3730e56d1fe9bcba1891eeea58966e89d352492cc74f4",
|
||||||
|
"sha256:ecbb7b01409e9b782df5ded849c178a0aa7c906cf8c5a67368047daab282b184",
|
||||||
|
"sha256:ed01918d545a38998bfa5902c7c00e0fee90e957ce036a4000a88e3fe2264917",
|
||||||
|
"sha256:edabd457cd23a02965166026fd9bfd196f4324fe6032e866d0f3bd0301cd486f",
|
||||||
|
"sha256:fdf1c1dc5bafc32bc5d08b054f94d659422b05aba244d6be4ddc1c72d9aa70fb"
|
||||||
|
],
|
||||||
|
"version": "==1.11.5"
|
||||||
|
},
|
||||||
|
"chardet": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
|
||||||
|
"sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
|
||||||
|
],
|
||||||
|
"version": "==3.0.4"
|
||||||
|
},
|
||||||
"click": {
|
"click": {
|
||||||
"hashes": [
|
"hashes": [
|
||||||
"sha256:29f99fc6125fbc931b758dc053b3114e55c77a6e4c6c3a2674a2dc986016381d",
|
"sha256:29f99fc6125fbc931b758dc053b3114e55c77a6e4c6c3a2674a2dc986016381d",
|
||||||
@ -31,6 +89,30 @@
|
|||||||
],
|
],
|
||||||
"version": "==6.7"
|
"version": "==6.7"
|
||||||
},
|
},
|
||||||
|
"cryptography": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:21af753934f2f6d1a10fe8f4c0a64315af209ef6adeaee63ca349797d747d687",
|
||||||
|
"sha256:27bb401a20a838d6d0ea380f08c6ead3ccd8c9d8a0232dc9adcc0e4994576a66",
|
||||||
|
"sha256:29720c4253263cff9aea64585adbbe85013ba647f6e98367efff9db2d7193ded",
|
||||||
|
"sha256:2a35b7570d8f247889784010aac8b384fd2e4a47b33e15c4a60b45a7c1944120",
|
||||||
|
"sha256:42c531a6a354407f42ee07fda5c2c0dc822cf6d52744949c182f2b295fbd4183",
|
||||||
|
"sha256:5eb86f03f9c4f0ac2336ac5431271072ddf7ecc76b338e26366732cfac58aa19",
|
||||||
|
"sha256:67f7f57eae8dede577f3f7775957f5bec93edd6bdb6ce597bb5b28e1bdf3d4fb",
|
||||||
|
"sha256:6ec84edcbc966ae460560a51a90046503ff0b5b66157a9efc61515c68059f6c8",
|
||||||
|
"sha256:7ba834564daef87557e7fcd35c3c3183a4147b0b3a57314e53317360b9b201b3",
|
||||||
|
"sha256:7d7f084cbe1fdb82be5a0545062b59b1ad3637bc5a48612ac2eb428ff31b31ea",
|
||||||
|
"sha256:82409f5150e529d699e5c33fa8fd85e965104db03bc564f5f4b6a9199e591f7c",
|
||||||
|
"sha256:87d092a7c2a44e5f7414ab02fb4145723ebba411425e1a99773531dd4c0e9b8d",
|
||||||
|
"sha256:8c56ef989342e42b9fcaba7c74b446f0cc9bed546dd00034fa7ad66fc00307ef",
|
||||||
|
"sha256:9449f5d4d7c516a6118fa9210c4a00f34384cb1d2028672100ee0c6cce49d7f6",
|
||||||
|
"sha256:bc2301170986ad82d9349a91eb8884e0e191209c45f5541b16aa7c0cfb135978",
|
||||||
|
"sha256:c132bab45d4bd0fff1d3fe294d92b0a6eb8404e93337b3127bdec9f21de117e6",
|
||||||
|
"sha256:c3d945b7b577f07a477700f618f46cbc287af3a9222cd73035c6ef527ef2c363",
|
||||||
|
"sha256:cee18beb4c807b5c0b178f4fa2fae03cef9d51821a358c6890f8b23465b7e5d2",
|
||||||
|
"sha256:d01dfc5c2b3495184f683574e03c70022674ca9a7be88589c5aba130d835ea90"
|
||||||
|
],
|
||||||
|
"version": "==2.3"
|
||||||
|
},
|
||||||
"flask": {
|
"flask": {
|
||||||
"hashes": [
|
"hashes": [
|
||||||
"sha256:2271c0070dbcb5275fad4a82e29f23ab92682dc45f9dfbc22c02ba9b9322ce48",
|
"sha256:2271c0070dbcb5275fad4a82e29f23ab92682dc45f9dfbc22c02ba9b9322ce48",
|
||||||
@ -70,6 +152,13 @@
|
|||||||
"index": "pypi",
|
"index": "pypi",
|
||||||
"version": "==0.14.2"
|
"version": "==0.14.2"
|
||||||
},
|
},
|
||||||
|
"idna": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
|
||||||
|
"sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
|
||||||
|
],
|
||||||
|
"version": "==2.7"
|
||||||
|
},
|
||||||
"itsdangerous": {
|
"itsdangerous": {
|
||||||
"hashes": [
|
"hashes": [
|
||||||
"sha256:cbb3fcf8d3e33df861709ecaf89d9e6629cff0a217bc2848f1b41cd30d360519"
|
"sha256:cbb3fcf8d3e33df861709ecaf89d9e6629cff0a217bc2848f1b41cd30d360519"
|
||||||
@ -150,6 +239,20 @@
|
|||||||
"index": "pypi",
|
"index": "pypi",
|
||||||
"version": "==2.7.5"
|
"version": "==2.7.5"
|
||||||
},
|
},
|
||||||
|
"pycparser": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:99a8ca03e29851d96616ad0404b4aad7d9ee16f25c9f9708a11faf2810f7b226"
|
||||||
|
],
|
||||||
|
"version": "==2.18"
|
||||||
|
},
|
||||||
|
"pyopenssl": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:26ff56a6b5ecaf3a2a59f132681e2a80afcc76b4f902f612f518f92c2a1bf854",
|
||||||
|
"sha256:6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580"
|
||||||
|
],
|
||||||
|
"index": "pypi",
|
||||||
|
"version": "==18.0.0"
|
||||||
|
},
|
||||||
"python-dateutil": {
|
"python-dateutil": {
|
||||||
"hashes": [
|
"hashes": [
|
||||||
"sha256:1adb80e7a782c12e52ef9a8182bebeb73f1d7e24e374397af06fb4956c8dc5c0",
|
"sha256:1adb80e7a782c12e52ef9a8182bebeb73f1d7e24e374397af06fb4956c8dc5c0",
|
||||||
@ -168,7 +271,6 @@
|
|||||||
"sha256:1d936da41ee06216d89fdc7ead1ee9a5da2811a8787515a976b646e110c3f622",
|
"sha256:1d936da41ee06216d89fdc7ead1ee9a5da2811a8787515a976b646e110c3f622",
|
||||||
"sha256:e4ef42e82b0b493c5849eed98b5ab49d6767caf982127e9a33167f1153b36cc5"
|
"sha256:e4ef42e82b0b493c5849eed98b5ab49d6767caf982127e9a33167f1153b36cc5"
|
||||||
],
|
],
|
||||||
"markers": "python_version != '3.2.*' and python_version != '3.3.*' and python_version != '3.0.*' and python_version != '3.1.*' and python_version >= '2.7'",
|
|
||||||
"version": "==2018.5"
|
"version": "==2018.5"
|
||||||
},
|
},
|
||||||
"redis": {
|
"redis": {
|
||||||
@ -179,6 +281,14 @@
|
|||||||
"index": "pypi",
|
"index": "pypi",
|
||||||
"version": "==2.10.6"
|
"version": "==2.10.6"
|
||||||
},
|
},
|
||||||
|
"requests": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:63b52e3c866428a224f97cab011de738c36aec0185aa91cfacd418b5d58911d1",
|
||||||
|
"sha256:ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a"
|
||||||
|
],
|
||||||
|
"index": "pypi",
|
||||||
|
"version": "==2.19.1"
|
||||||
|
},
|
||||||
"six": {
|
"six": {
|
||||||
"hashes": [
|
"hashes": [
|
||||||
"sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
|
"sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
|
||||||
@ -214,6 +324,13 @@
|
|||||||
"index": "pypi",
|
"index": "pypi",
|
||||||
"version": "==1.1"
|
"version": "==1.1"
|
||||||
},
|
},
|
||||||
|
"urllib3": {
|
||||||
|
"hashes": [
|
||||||
|
"sha256:a68ac5e15e76e7e5dd2b8f94007233e01effe3e50e8daddf69acfd81cb686baf",
|
||||||
|
"sha256:b5725a0bd4ba422ab0e66e89e030c806576753ea3ee08554382c14e685d117b5"
|
||||||
|
],
|
||||||
|
"version": "==1.23"
|
||||||
|
},
|
||||||
"webassets": {
|
"webassets": {
|
||||||
"hashes": [
|
"hashes": [
|
||||||
"sha256:e7d9c8887343123fd5b32309b33167428cb1318cdda97ece12d0907fd69d38db"
|
"sha256:e7d9c8887343123fd5b32309b33167428cb1318cdda97ece12d0907fd69d38db"
|
||||||
@ -402,7 +519,6 @@
|
|||||||
"sha256:b9c40e9750f3d77e6e4d441d8b0266cf555e7cdabdcff33c4fd06366ca761ef8",
|
"sha256:b9c40e9750f3d77e6e4d441d8b0266cf555e7cdabdcff33c4fd06366ca761ef8",
|
||||||
"sha256:ec9ef8f4a9bc6f71eec99e1806bfa2de401650d996c59330782b89a5555c1497"
|
"sha256:ec9ef8f4a9bc6f71eec99e1806bfa2de401650d996c59330782b89a5555c1497"
|
||||||
],
|
],
|
||||||
"markers": "python_version != '3.2.*' and python_version != '3.1.*' and python_version != '3.3.*' and python_version >= '2.7' and python_version != '3.0.*'",
|
|
||||||
"version": "==4.3.4"
|
"version": "==4.3.4"
|
||||||
},
|
},
|
||||||
"itsdangerous": {
|
"itsdangerous": {
|
||||||
@ -520,7 +636,6 @@
|
|||||||
"sha256:6e3836e39f4d36ae72840833db137f7b7d35105079aee6ec4a62d9f80d594dd1",
|
"sha256:6e3836e39f4d36ae72840833db137f7b7d35105079aee6ec4a62d9f80d594dd1",
|
||||||
"sha256:95eb8364a4708392bae89035f45341871286a333f749c3141c20573d2b3876e1"
|
"sha256:95eb8364a4708392bae89035f45341871286a333f749c3141c20573d2b3876e1"
|
||||||
],
|
],
|
||||||
"markers": "python_version != '3.2.*' and python_version != '3.1.*' and python_version != '3.3.*' and python_version >= '2.7' and python_version != '3.0.*'",
|
|
||||||
"version": "==0.7.1"
|
"version": "==0.7.1"
|
||||||
},
|
},
|
||||||
"prompt-toolkit": {
|
"prompt-toolkit": {
|
||||||
@ -543,7 +658,6 @@
|
|||||||
"sha256:3fd59af7435864e1a243790d322d763925431213b6b8529c6ca71081ace3bbf7",
|
"sha256:3fd59af7435864e1a243790d322d763925431213b6b8529c6ca71081ace3bbf7",
|
||||||
"sha256:e31fb2767eb657cbde86c454f02e99cb846d3cd9d61b318525140214fdc0e98e"
|
"sha256:e31fb2767eb657cbde86c454f02e99cb846d3cd9d61b318525140214fdc0e98e"
|
||||||
],
|
],
|
||||||
"markers": "python_version != '3.2.*' and python_version != '3.1.*' and python_version != '3.3.*' and python_version >= '2.7' and python_version != '3.0.*'",
|
|
||||||
"version": "==1.5.4"
|
"version": "==1.5.4"
|
||||||
},
|
},
|
||||||
"pygments": {
|
"pygments": {
|
||||||
@ -593,11 +707,15 @@
|
|||||||
},
|
},
|
||||||
"pyyaml": {
|
"pyyaml": {
|
||||||
"hashes": [
|
"hashes": [
|
||||||
|
"sha256:1cbc199009e78f92d9edf554be4fe40fb7b0bef71ba688602a00e97a51909110",
|
||||||
"sha256:254bf6fda2b7c651837acb2c718e213df29d531eebf00edb54743d10bcb694eb",
|
"sha256:254bf6fda2b7c651837acb2c718e213df29d531eebf00edb54743d10bcb694eb",
|
||||||
"sha256:3108529b78577327d15eec243f0ff348a0640b0c3478d67ad7f5648f93bac3e2",
|
"sha256:3108529b78577327d15eec243f0ff348a0640b0c3478d67ad7f5648f93bac3e2",
|
||||||
"sha256:3c17fb92c8ba2f525e4b5f7941d850e7a48c3a59b32d331e2502a3cdc6648e76",
|
"sha256:3c17fb92c8ba2f525e4b5f7941d850e7a48c3a59b32d331e2502a3cdc6648e76",
|
||||||
|
"sha256:6f89b5c95e93945b597776163403d47af72d243f366bf4622ff08bdfd1c950b7",
|
||||||
"sha256:8d6d96001aa7f0a6a4a95e8143225b5d06e41b1131044913fecb8f85a125714b",
|
"sha256:8d6d96001aa7f0a6a4a95e8143225b5d06e41b1131044913fecb8f85a125714b",
|
||||||
"sha256:c8a88edd93ee29ede719080b2be6cb2333dfee1dccba213b422a9c8e97f2967b"
|
"sha256:be622cc81696e24d0836ba71f6272a2b5767669b0d79fdcf0295d51ac2e156c8",
|
||||||
|
"sha256:c8a88edd93ee29ede719080b2be6cb2333dfee1dccba213b422a9c8e97f2967b",
|
||||||
|
"sha256:f39411e380e2182ad33be039e8ee5770a5d9efe01a2bfb7ae58d9ba31c4a2a9d"
|
||||||
],
|
],
|
||||||
"version": "==4.2b4"
|
"version": "==4.2b4"
|
||||||
},
|
},
|
||||||
|
0
atst/domain/authnid/__init__.py
Normal file
0
atst/domain/authnid/__init__.py
Normal file
72
atst/domain/authnid/crl/util.py
Normal file
72
atst/domain/authnid/crl/util.py
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
import requests
|
||||||
|
import re
|
||||||
|
import os
|
||||||
|
from html.parser import HTMLParser
|
||||||
|
|
||||||
|
_DISA_CRLS = "https://iasecontent.disa.mil/pki-pke/data/crls/dod_crldps.htm"
|
||||||
|
|
||||||
|
|
||||||
|
def fetch_disa():
|
||||||
|
response = requests.get(_DISA_CRLS)
|
||||||
|
return response.text
|
||||||
|
|
||||||
|
|
||||||
|
class DISAParser(HTMLParser):
|
||||||
|
crl_list = []
|
||||||
|
_CRL_MATCH = re.compile("DOD(ROOT|EMAIL|ID)?CA")
|
||||||
|
|
||||||
|
def handle_starttag(self, tag, attrs):
|
||||||
|
if tag == "a":
|
||||||
|
href = [pair[1] for pair in attrs if pair[0] == "href"].pop()
|
||||||
|
if re.search(self._CRL_MATCH, href):
|
||||||
|
self.crl_list.append(href)
|
||||||
|
|
||||||
|
|
||||||
|
def crl_list_from_disa_html(html):
|
||||||
|
parser = DISAParser()
|
||||||
|
parser.reset()
|
||||||
|
parser.feed(html)
|
||||||
|
return parser.crl_list
|
||||||
|
|
||||||
|
|
||||||
|
def write_crl(out_dir, crl_location):
|
||||||
|
name = re.split("/", crl_location)[-1]
|
||||||
|
crl = os.path.join(out_dir, name)
|
||||||
|
with requests.get(crl_location, stream=True) as r:
|
||||||
|
with open(crl, "wb") as crl_file:
|
||||||
|
for chunk in r.iter_content(chunk_size=1024):
|
||||||
|
if chunk:
|
||||||
|
crl_file.write(chunk)
|
||||||
|
|
||||||
|
|
||||||
|
def refresh_crls(out_dir, logger=None):
|
||||||
|
disa_html = fetch_disa()
|
||||||
|
crl_list = crl_list_from_disa_html(disa_html)
|
||||||
|
for crl_location in crl_list:
|
||||||
|
if logger:
|
||||||
|
logger.info("updating CRL from {}".format(crl_location))
|
||||||
|
try:
|
||||||
|
write_crl(out_dir, crl_location)
|
||||||
|
except requests.exceptions.ChunkedEncodingError:
|
||||||
|
if logger:
|
||||||
|
logger.error(
|
||||||
|
"Error downloading {}, continuing anyway".format(crl_location)
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
import sys
|
||||||
|
import datetime
|
||||||
|
import logging
|
||||||
|
|
||||||
|
logging.basicConfig(
|
||||||
|
level=logging.INFO, format="[%(asctime)s]:%(levelname)s: %(message)s"
|
||||||
|
)
|
||||||
|
logger = logging.getLogger()
|
||||||
|
logger.info("Updating CRLs")
|
||||||
|
try:
|
||||||
|
refresh_crls(sys.argv[1], logger=logger)
|
||||||
|
except Exception as err:
|
||||||
|
logger.exception("Fatal error encountered, stopping")
|
||||||
|
sys.exit(1)
|
||||||
|
logger.info("Finished updating CRLs")
|
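Review bot: `write_crl` saves whatever body the server returns, so an HTTP error page would be written under the CRL's filename and later handed to the validator as if it were a CRL; the line `with requests.get(crl_location, stream=True) as r:` should be followed by `r.raise_for_status()`, and both this call and the one in `fetch_disa` should pass a `timeout=` so a stalled host cannot hang the refresh indefinitely. `DISAParser.crl_list = []` is a class attribute, so every parser instance appends to one shared list and `parser.reset()` in `crl_list_from_disa_html` does not clear it — a second call in the same process returns the accumulated hrefs of both; initialise it per instance with `def __init__(self): super().__init__(); self.crl_list = []`. In `handle_starttag`, `.pop()` on the href comprehension raises `IndexError` for an `<a>` element without an `href` attribute, which would abort the whole refresh on an unrelated anchor in the DISA page. Deriving the output name with `os.path.basename(crl_location)` instead of `re.split("/", crl_location)[-1]` reads more clearly and makes the empty-name case (an href ending in `/`) obvious to guard before `open`.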
124
atst/domain/authnid/crl/validator.py
Normal file
124
atst/domain/authnid/crl/validator.py
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
import sys
|
||||||
|
import os
|
||||||
|
import re
|
||||||
|
import hashlib
|
||||||
|
from OpenSSL import crypto, SSL
|
||||||
|
|
||||||
|
|
||||||
|
def sha256_checksum(filename, block_size=65536):
|
||||||
|
sha256 = hashlib.sha256()
|
||||||
|
with open(filename, "rb") as f:
|
||||||
|
for block in iter(lambda: f.read(block_size), b""):
|
||||||
|
sha256.update(block)
|
||||||
|
return sha256.hexdigest()
|
||||||
|
|
||||||
|
|
||||||
|
class Validator:
|
||||||
|
|
||||||
|
_PEM_RE = re.compile(
|
||||||
|
b"-----BEGIN CERTIFICATE-----\r?.+?\r?-----END CERTIFICATE-----\r?\n?",
|
||||||
|
re.DOTALL,
|
||||||
|
)
|
||||||
|
|
||||||
|
def __init__(self, crl_locations=[], roots=[], base_store=crypto.X509Store):
|
||||||
|
self.errors = []
|
||||||
|
self.crl_locations = crl_locations
|
||||||
|
self.roots = roots
|
||||||
|
self.base_store = base_store
|
||||||
|
self._reset()
|
||||||
|
|
||||||
|
def _reset(self):
|
||||||
|
self.cache = {}
|
||||||
|
self.store = self.base_store()
|
||||||
|
self._add_crls(self.crl_locations)
|
||||||
|
self._add_roots(self.roots)
|
||||||
|
self.store.set_flags(crypto.X509StoreFlags.CRL_CHECK)
|
||||||
|
|
||||||
|
def _add_crls(self, locations):
|
||||||
|
for filename in locations:
|
||||||
|
try:
|
||||||
|
self._add_crl(filename)
|
||||||
|
except crypto.Error as err:
|
||||||
|
self.errors.append(
|
||||||
|
"CRL could not be parsed. Filename: {}, Error: {}, args: {}".format(
|
||||||
|
filename, type(err), err.args
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
# This caches the CRL issuer with the CRL filepath and a checksum, in addition to adding the CRL to the store.
|
||||||
|
|
||||||
|
def _add_crl(self, filename):
|
||||||
|
with open(filename, "rb") as crl_file:
|
||||||
|
crl = crypto.load_crl(crypto.FILETYPE_ASN1, crl_file.read())
|
||||||
|
self.cache[crl.get_issuer().der()] = (filename, sha256_checksum(filename))
|
||||||
|
self._add_carefully("add_crl", crl)
|
||||||
|
|
||||||
|
def _parse_roots(self, root_str):
|
||||||
|
return [match.group(0) for match in self._PEM_RE.finditer(root_str)]
|
||||||
|
|
||||||
|
def _add_roots(self, roots):
|
||||||
|
for filename in roots:
|
||||||
|
with open(filename, "rb") as f:
|
||||||
|
for raw_ca in self._parse_roots(f.read()):
|
||||||
|
ca = crypto.load_certificate(crypto.FILETYPE_PEM, raw_ca)
|
||||||
|
self._add_carefully("add_cert", ca)
|
||||||
|
|
||||||
|
# in testing, it seems that openssl is maintaining a local cache of certs
|
||||||
|
# in a hash table and throws errors if you try to add redundant certs or
|
||||||
|
# CRLs. For now, we catch and ignore that error with great specificity.
|
||||||
|
|
||||||
|
def _add_carefully(self, method_name, obj):
|
||||||
|
try:
|
||||||
|
getattr(self.store, method_name)(obj)
|
||||||
|
except crypto.Error as error:
|
||||||
|
if self._is_preloaded_error(error):
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
raise error
|
||||||
|
|
||||||
|
PRELOADED_CRL = (
|
||||||
|
[
|
||||||
|
(
|
||||||
|
"x509 certificate routines",
|
||||||
|
"X509_STORE_add_crl",
|
||||||
|
"cert already in hash table",
|
||||||
|
)
|
||||||
|
],
|
||||||
|
)
|
||||||
|
PRELOADED_CERT = (
|
||||||
|
[
|
||||||
|
(
|
||||||
|
"x509 certificate routines",
|
||||||
|
"X509_STORE_add_cert",
|
||||||
|
"cert already in hash table",
|
||||||
|
)
|
||||||
|
],
|
||||||
|
)
|
||||||
|
|
||||||
|
def _is_preloaded_error(self, error):
|
||||||
|
return error.args == self.PRELOADED_CRL or error.args == self.PRELOADED_CERT
|
||||||
|
|
||||||
|
# Checks that the CRL currently in-memory is up-to-date via the checksum.
|
||||||
|
|
||||||
|
def refresh_cache(self, cert):
|
||||||
|
der = cert.get_issuer().der()
|
||||||
|
if der in self.cache:
|
||||||
|
filename, checksum = self.cache[der]
|
||||||
|
if sha256_checksum(filename) != checksum:
|
||||||
|
self._reset()
|
||||||
|
|
||||||
|
def validate(self, cert):
|
||||||
|
parsed = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
|
||||||
|
self.refresh_cache(parsed)
|
||||||
|
context = crypto.X509StoreContext(self.store, parsed)
|
||||||
|
try:
|
||||||
|
context.verify_certificate()
|
||||||
|
return True
|
||||||
|
|
||||||
|
except crypto.X509StoreContextError as err:
|
||||||
|
self.errors.append(
|
||||||
|
"Certificate revoked or errored. Error: {}. Args: {}".format(
|
||||||
|
type(err), err.args
|
||||||
|
)
|
||||||
|
)
|
||||||
|
return False
|
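Review bot: `validate` catches only `crypto.X509StoreContextError`, so a malformed or non-PEM `cert` makes `crypto.load_certificate` raise `crypto.Error` out of the method rather than returning False; since this input comes from the client presenting the certificate, catch `crypto.Error` around the load as well and record it in `self.errors`. The store is configured with `X509StoreFlags.CRL_CHECK`, which as far as I know instructs OpenSSL to check revocation of the leaf certificate only; if revocation of intermediate CAs is meant to be enforced, `CRL_CHECK_ALL` is the flag, and either way a one-line comment stating the intended scope would save the next reader from guessing. `self.errors` is appended on every failed validation and `_reset` does not clear it, so a long-lived `Validator` instance grows without bound. `PRELOADED_CRL` and `PRELOADED_CERT` match exact OpenSSL library/function/reason strings, which may differ on another OpenSSL build; if they stop matching, the duplicate-add error would propagate out of `_reset` instead of being ignored, so a comment noting the OpenSSL version they were captured against is worth adding. The `crl_locations=[]` and `roots=[]` defaults are shared mutable objects; they appear not to be mutated in this file, but `None` with a local default is the safer idiom.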
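--- /dev/null
+++ b/script/sync-crls
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# script/sync-crls: update the DOD CRLs and place them where authnid expects them
+set -e
+cd "$(dirname "$0")/.."
+
+mkdir -p crl-tmp
+pipenv run python ./authnid/crl/util.py crl-tmp
+mkdir -p crl
+rsync -rq crl-tmp/. crl/.
+rm -rf crl-tmp
+
+if [[ $FLASK_ENV != "production" ]]; then
+# place our test CRL there
+cp ssl/client-certs/client-ca.der.crl crl/
+fi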
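Review bot: The line `pipenv run python ./authnid/crl/util.py crl-tmp` points at a path this commit does not create; the module is added as `atst/domain/authnid/crl/util.py`, and the script has already changed to the repository root, so unless an `authnid/` directory already exists there (not visible in this commit) `set -e` stops the script before any CRL is synced. It should read `pipenv run python ./atst/domain/authnid/crl/util.py crl-tmp`. `rsync -rq crl-tmp/. crl/.` without `--delete` never removes a CRL file that has dropped out of the DISA index, so a superseded file stays in `crl/` indefinitely; if that is intended, a comment saying so would help. The `[[ $FLASK_ENV != "production" ]]` gate also copies the test CRL in whenever the variable is unset, which is the fail-open direction for a revocation list.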
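--- /dev/null
+++ b/script/sync-dod-certs
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# script/sync-dod-certs: update the CA bundle with DOD intermediate and root CAs
+
+CAS_FILE_NAME="Certificates_PKCS7_v5.3_DoD"
+CA_CHAIN="ssl/server-certs/ca-chain.pem"
+
+echo "Resetting CA bundle..."
+rm ssl/server-certs/ca-chain.pem &> /dev/null || true
+touch $CA_CHAIN
+
+if [[ $FLASK_ENV != "production" ]]; then
+# only for testing and development
+echo "Copy in testing client CA..."
+cat ssl/client-certs/client-ca.crt >> $CA_CHAIN
+fi
+
+# dod intermediate certs
+echo "Adding DoD root certs"
+rm -rf tmp || true
+mkdir tmp
+curl --silent -o tmp/dod-cas.zip "https://iasecontent.disa.mil/pki-pke/$CAS_FILE_NAME.zip"
+unzip tmp/dod-cas.zip -d tmp/ &> /dev/null
+openssl pkcs7 -in "tmp/$CAS_FILE_NAME/$CAS_FILE_NAME.pem.p7b" -print_certs >> $CA_CHAIN
+rm -rf tmp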
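Review bot: The script has no `set -e` (unlike `script/sync-crls`) and `curl --silent` is used without `--fail`, so an HTTP error from the DISA host writes the error body to `tmp/dod-cas.zip`, `unzip` and `openssl pkcs7` then fail with their output discarded, and the script exits 0 having produced a CA chain that contains at most the test client CA. Add `set -e` after the shebang and change the fetch to `curl --silent --fail -o tmp/dod-cas.zip "https://iasecontent.disa.mil/pki-pke/$CAS_FILE_NAME.zip"` so a failed download is reported instead of masked. The `[[ $FLASK_ENV != "production" ]]` gate appends the development client CA to the trust bundle whenever the variable is anything other than exactly `production`, including unset, which is the fail-open direction for a trust anchor; an opt-in check on the project's non-production value (for example `[[ $FLASK_ENV == "development" ]]`) would leave the test CA out of an unconfigured environment by default. The same gate appears in `script/sync-crls`. `rm ssl/server-certs/ca-chain.pem` repeats the path that `$CA_CHAIN` already holds and the variable is expanded unquoted elsewhere; `rm -f "$CA_CHAIN"` and quoting the remaining uses keeps the two in step.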
25
ssl/certificate-authority/ca.crt
Normal file
25
ssl/certificate-authority/ca.crt
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIEJDCCAwygAwIBAgIJAK4JGo3BBGhVMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
|
||||||
|
BAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExFTATBgNVBAcTDFBoaWxhZGVs
|
||||||
|
cGhpYTEMMAoGA1UEChMDRG9EMQwwCgYDVQQLEwNERFMxEDAOBgNVBAMTB0FUQVQg
|
||||||
|
Q0EwHhcNMTgwNjAxMTk0NjIyWhcNMzgwNTI3MTk0NjIyWjBpMQswCQYDVQQGEwJV
|
||||||
|
UzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRUwEwYDVQQHEwxQaGlsYWRlbHBoaWEx
|
||||||
|
DDAKBgNVBAoTA0RvRDEMMAoGA1UECxMDRERTMRAwDgYDVQQDEwdBVEFUIENBMIIB
|
||||||
|
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzYU7UbstArnnVliaC/TB6Vir
|
||||||
|
kVWMnAEYMUZA1BKP8DZaNEKbzFH2+mMw7O0BY7Ph9x0hEZ1kXLr6U93xcKyUWNPo
|
||||||
|
13i5EwUUCSh2MdPfS8ZZt8DUIIKC7XzFnKyKSKQmr0Mt9dC44rryPKTBvmI60rQ8
|
||||||
|
VZkFEgvs8FCP0M4Ar6/gtJ24ZLEtilu5dQBSlru4nPGXg07r2C2JgEZWshtMBtbH
|
||||||
|
LkOM2gtp/pkYCCG0zqeU+0s3H8IqDq0uYkONOfVeCumbg1/AtjgrZu7aOVPKyibk
|
||||||
|
aI6sTTooXE5aSZkfkx0z6+fKM2nPSe30HgiBODtb7G+44ln08d0isjpQ67OvGQID
|
||||||
|
AQABo4HOMIHLMB0GA1UdDgQWBBSl7CUAWPbx8XqotKKKAufPh0wn4DCBmwYDVR0j
|
||||||
|
BIGTMIGQgBSl7CUAWPbx8XqotKKKAufPh0wn4KFtpGswaTELMAkGA1UEBhMCVVMx
|
||||||
|
FTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMUGhpbGFkZWxwaGlhMQww
|
||||||
|
CgYDVQQKEwNEb0QxDDAKBgNVBAsTA0REUzEQMA4GA1UEAxMHQVRBVCBDQYIJAK4J
|
||||||
|
Go3BBGhVMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABguwdFk42YP
|
||||||
|
8U6Du5HQ6Is1jfc1KEOowdh0d2MCH8q0KNktqiu6kWzjH1gRjRwc07bAkAWqXPB6
|
||||||
|
6gkRGYe/FRgi2Rn+Uo5UC5ahI4cXkE8OitCIEP3Br9fUw+vj/3Iiov0QZ6Hv81Kl
|
||||||
|
ZTZhLiZbjAg5maL/vufnUp+n15qzm67APh3/2hcgO93UlE9o9vXohWy1lHs8u12o
|
||||||
|
hPLxghSmGc9eKalEWEs61OrohpOtCHUEd1isq76WhaiXSwSUrBxgy89Z517A7ffC
|
||||||
|
BjzLo5AVo6a9ou+ONVeZk8qw6YR6X9J7axy8YuTWt+Z82WFvOF0ubkqjm72d001M
|
||||||
|
7R9zCOQ3O+g=
|
||||||
|
-----END CERTIFICATE-----
|
27
ssl/certificate-authority/ca.key
Normal file
27
ssl/certificate-authority/ca.key
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEpAIBAAKCAQEAzYU7UbstArnnVliaC/TB6VirkVWMnAEYMUZA1BKP8DZaNEKb
|
||||||
|
zFH2+mMw7O0BY7Ph9x0hEZ1kXLr6U93xcKyUWNPo13i5EwUUCSh2MdPfS8ZZt8DU
|
||||||
|
IIKC7XzFnKyKSKQmr0Mt9dC44rryPKTBvmI60rQ8VZkFEgvs8FCP0M4Ar6/gtJ24
|
||||||
|
ZLEtilu5dQBSlru4nPGXg07r2C2JgEZWshtMBtbHLkOM2gtp/pkYCCG0zqeU+0s3
|
||||||
|
H8IqDq0uYkONOfVeCumbg1/AtjgrZu7aOVPKyibkaI6sTTooXE5aSZkfkx0z6+fK
|
||||||
|
M2nPSe30HgiBODtb7G+44ln08d0isjpQ67OvGQIDAQABAoIBAHR4EInc3UEyQVu5
|
||||||
|
knM8Hbgzu+b86FZweFlUSuDkNBYZdz0ukkRUHvb+x3c9SRBLnL8CDv+AhqPWgo6M
|
||||||
|
tIr6Aofkb4vMqnWQ5y3ZdEIApAa5PZbY/F4AGFql3wdO8H8CJ7ojBCTOSDiVYTnk
|
||||||
|
1Lcjy9okshyAP1Ne1sPJo/bdB56HtXs+wqok1NntIQwiXjjD9xUuc1EZk0J4M97L
|
||||||
|
vBUjUGNX942UjtRiey5zwhRp3bTPasTduHcA01NaIbOVYlRFwc2W+cflz0l6ml2p
|
||||||
|
14TNEEvIMMMCNKnlPrpGI23n0psAvE4nbuxZQGVYAFvXrWn+Gyvz0Yag2EoMUCEs
|
||||||
|
ziLED9ECgYEA6IByu+xqIuIAhj/PwIIxV4+lkuV4TXIlfAFLR4JuokOVfbRsmu2e
|
||||||
|
9EfeOUD9LfQ4KsG5mu4Abpja0k/VKRKRGRjV6Oe2C6VK942HFP6Kpn0hgIuomZkD
|
||||||
|
eVv8naDezZjAvVace38zjRWB2GXTpapwBAgf/YflPPsDZ8bi/weqZCMCgYEA4kqx
|
||||||
|
Ka489Rr7+cSXpMeS5lLufhlaE5OVQc5HVFREDAI5vXU8BM2sLiHTC/BHjis2JvLm
|
||||||
|
aRJ0UsxUoIUURl2KjTbx3zns4HDVkzBrSpoDXWxBjAo0oEg7JVc+6+qEqbDHHS1L
|
||||||
|
/UJ6mlUegsE42MkFWG3YJQuHxyLZqPXIwNAyhZMCgYEA5cxnGnSt5rJoAEi7xzMn
|
||||||
|
H7s71Hf3stw6TlldFV3GiZyw+aDFo09vR1RtQTuJwczbYu88yvOn+6gax7neHo1a
|
||||||
|
WmrgqiWzGcmS0iDRPZ/kXG/bGBlxV/cTpvSTNx0UejMbdUhQvANaaXyzbLYgPWK6
|
||||||
|
+lEphUW2/tG+aOj73UOvVu8CgYA5L8sJz4CUKJeZDTeNauoSzs56i4mZ/OfxU2Hv
|
||||||
|
S8ROjJlu6ZubUya6Gc4t7DEJGp56xVO5JfLDoeOZFUiEZ8tF2KbTVN4p8hnnMotK
|
||||||
|
tRU4nM0LyOB3yQk5bIz4LbIM+CG5m+LiQ9Sb//rP7GijUFnLeSbwZbOQfZwn+MUd
|
||||||
|
BQBfhQKBgQDmuX8tJdPkjE133IhQhZHbHHt6AEQA3aXkFdvPvbYD9VbGTZ8wnpFO
|
||||||
|
VJrDDWnIKAgO2FerIX9oq+H9a5fggYtTMeAX1cOA6b9SnLmFjt0utxrQKxf7p5I+
|
||||||
|
n+EsmcAWfb+KRQwoB0L/mE9Ool14AeJ15kHyNIrCrMPv0J4zoC0Jdg==
|
||||||
|
-----END RSA PRIVATE KEY-----
|
1
ssl/certificate-authority/ca.srl
Normal file
1
ssl/certificate-authority/ca.srl
Normal file
@ -0,0 +1 @@
|
|||||||
|
F4D74F1607DD3C83
|
30
ssl/client-certs/README.md
Normal file
30
ssl/client-certs/README.md
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
Right now, we have two client certificates:
|
||||||
|
|
||||||
|
- atat.mil.crt: beautiful, good, works great
|
||||||
|
- bad-atat.mil.crt: banned, very bad, is on the CRL
|
||||||
|
|
||||||
|
I more or less used [this article](https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/2.1/html/administration_guide/chap-red_hat_update_infrastructure-administration_guide-certification_revocation_list_crl) to generate the CRL. Note that I departed from it slightly and used a variation on the openssl config recommended by the ca man page (`man ca`).
|
||||||
|
|
||||||
|
I added the new crl:
|
||||||
|
|
||||||
|
```
|
||||||
|
openssl crl -inform pem -in ssl/client-certs/client-ca.crl -outform der -out crl/simon.crl
|
||||||
|
```
|
||||||
|
|
||||||
|
Running the scripts verifies that the good one is good and the bad one is bad.
|
||||||
|
|
||||||
|
We can also verify with OpenSSL. First concatenate the CA Bundle and the CRL:
|
||||||
|
|
||||||
|
```
|
||||||
|
cat ssl/server-certs/ca-chain.pem ssl/client-certs/client-ca.crl > /tmp/test.pem
|
||||||
|
```
|
||||||
|
|
||||||
|
Verify the certs:
|
||||||
|
|
||||||
|
```
|
||||||
|
openssl verify -verbose -CAfile /tmp/test.pem -crl_check ssl/client-certs/bad-atat.mil.crt
|
||||||
|
> error 23 at 0 depth lookup:certificate revoked
|
||||||
|
openssl verify -verbose -CAfile /tmp/test.pem -crl_check ssl/client-certs/atat.mil.crt
|
||||||
|
> atat.mil.crt: OK
|
||||||
|
```
|
||||||
|
|
22
ssl/client-certs/atat.mil.crt
Normal file
22
ssl/client-certs/atat.mil.crt
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDqTCCApECCQCoSzDcVuoXYzANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMC
|
||||||
|
VVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMUGhpbGFkZWxwaGlh
|
||||||
|
MRAwDgYDVQQKEwdGYXV4RG9EMQswCQYDVQQLEwJQVzERMA8GA1UEAxMIRmF1eCBE
|
||||||
|
b0QxHjAcBgkqhkiG9w0BCQEWD2ZhdXhkb2RAZG9kLmNvbTAeFw0xODA3MjQyMDM0
|
||||||
|
MDJaFw0xOTA3MjQyMDM0MDJaMIGeMQswCQYDVQQGEwJVUzEVMBMGA1UECBMMUGVu
|
||||||
|
bnN5bHZhbmlhMRUwEwYDVQQHEwxQaGlsYWRlbHBoaWExDDAKBgNVBAoTA0RvRDEL
|
||||||
|
MAkGA1UECxMCUFcxITAfBgNVBAMTGEFSVC5HQVJGVU5LRUwuMTIzNDU2Nzg5MDEj
|
||||||
|
MCEGCSqGSIb3DQEJARYUYWdhcmZ1bmtlbEBzYW5kZy5jb20wggEiMA0GCSqGSIb3
|
||||||
|
DQEBAQUAA4IBDwAwggEKAoIBAQDCRftouylCKDN9GoKRJMWA3gnfEshRxi4P1xU9
|
||||||
|
xm0qgPIzTpeZCNUcDbSQzovXQ58ElrDTdUeMv0OV/RLOnNFKgPSAd2f1F4BE1rJR
|
||||||
|
WHLFjG6mPj769Wl1BhGAwOY/zdhfHYjTKZSApUfP6MuKsD2nciOnJFlqJ439R4LC
|
||||||
|
S8Fv3RnnKMQlSTMiudOMhtzr8v1poDlxVzu9IF7i/MZKCBFz3e1G2LFIr5ZL+djg
|
||||||
|
4rsI4lNPVNt1sRiXy/+kltBY8RIbPPP70iT+zmrr6PmEeDSwDSKgW+TBCGK3yFCr
|
||||||
|
kPXjMZhWOt+7eLanL2KJNrohEkJFzI3tb7zVm6zg5SC1GTIFAgMBAAEwDQYJKoZI
|
||||||
|
hvcNAQELBQADggEBAKm4W2mAqtRUpwCstCqJCdoOsIgW9pZKTczLERbODHvbfXZA
|
||||||
|
MfGGnYQiuoOddu9K9UJQIHZLMUYmF9gj9HdY60ttNWeH5XRXIXn6t1Pn8W7q042Q
|
||||||
|
RqeJ/uOtNG1UXRtHQhK1j73xD3ZSTGw7rTIA2qDgRQMp1h28405kZIiNVRFdNjFh
|
||||||
|
irAvtQkIXWhIGSr/Lwop98RmTsV17v4iK14Uf2i5QUjdIECiGqGSlk9Jmj8dajzN
|
||||||
|
cSarkhWDuQmlCplF1lTNcXenC66d1bE/KXb3dEGg+h99KfZVw1+9c5DbWag6IVgG
|
||||||
|
Xts4GcPhuiKF/pJWRO11L2CfyCveoGM9Osz/vvc=
|
||||||
|
-----END CERTIFICATE-----
|
18
ssl/client-certs/atat.mil.csr
Normal file
18
ssl/client-certs/atat.mil.csr
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
-----BEGIN CERTIFICATE REQUEST-----
|
||||||
|
MIIC5DCCAcwCAQAwgZ4xCzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFu
|
||||||
|
aWExFTATBgNVBAcTDFBoaWxhZGVscGhpYTEMMAoGA1UEChMDRG9EMQswCQYDVQQL
|
||||||
|
EwJQVzEhMB8GA1UEAxMYQVJULkdBUkZVTktFTC4xMjM0NTY3ODkwMSMwIQYJKoZI
|
||||||
|
hvcNAQkBFhRhZ2FyZnVua2VsQHNhbmRnLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
|
||||||
|
ggEPADCCAQoCggEBAMJF+2i7KUIoM30agpEkxYDeCd8SyFHGLg/XFT3GbSqA8jNO
|
||||||
|
l5kI1RwNtJDOi9dDnwSWsNN1R4y/Q5X9Es6c0UqA9IB3Z/UXgETWslFYcsWMbqY+
|
||||||
|
Pvr1aXUGEYDA5j/N2F8diNMplIClR8/oy4qwPadyI6ckWWonjf1HgsJLwW/dGeco
|
||||||
|
xCVJMyK504yG3Ovy/WmgOXFXO70gXuL8xkoIEXPd7UbYsUivlkv52ODiuwjiU09U
|
||||||
|
23WxGJfL/6SW0FjxEhs88/vSJP7Oauvo+YR4NLANIqBb5MEIYrfIUKuQ9eMxmFY6
|
||||||
|
37t4tqcvYok2uiESQkXMje1vvNWbrODlILUZMgUCAwEAAaAAMA0GCSqGSIb3DQEB
|
||||||
|
BQUAA4IBAQCvnKvR8agOyJmLFcrROWGWLdGsr6CFmkcQe1eJ2GFP9XsIbuIjxssn
|
||||||
|
K2yEK1hY6BAAPl76Arh3WkHOXVQjuzW3hlsu+uwKJnYDecG3I9btP+NkPNyKWrbr
|
||||||
|
S2GIqa71oKadncV/P9DKsc2+KL2BFo8+IbvwVSPGj63JlJh2T9JFPeAqxeKCUiuO
|
||||||
|
ac+dgxNtMQRSEYwE1kgdaJu5yRBfepZaeNGJ2KjCivQdsgnlVllPCNwtjciIRLWl
|
||||||
|
UBdt8kh6Dx0RVIkck5fViFiJodxbfw9filjYITgRuANEJHytNzo3ChsWflZ0UYi/
|
||||||
|
j8jAvoqL2d+D/a2ijaxlQeCqu5MUB4wR
|
||||||
|
-----END CERTIFICATE REQUEST-----
|
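--- a/ssl/client-certs/atat.mil.key
+++ b/ssl/client-certs/atat.mil.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAwkX7aLspQigzfRqCkSTFgN4J3xLIUcYuD9cVPcZtKoDyM06X
+mQjVHA20kM6L10OfBJaw03VHjL9Dlf0SzpzRSoD0gHdn9ReARNayUVhyxYxupj4+
++vVpdQYRgMDmP83YXx2I0ymUgKVHz+jLirA9p3IjpyRZaieN/UeCwkvBb90Z5yjE
+JUkzIrnTjIbc6/L9aaA5cVc7vSBe4vzGSggRc93tRtixSK+WS/nY4OK7COJTT1Tb
+dbEYl8v/pJbQWPESGzzz+9Ik/s5q6+j5hHg0sA0ioFvkwQhit8hQq5D14zGYVjrf
+u3i2py9iiTa6IRJCRcyN7W+81Zus4OUgtRkyBQIDAQABAoIBAQC0+nSmsBRTaRfu
+J1AS3mqPDkmr4ddzNmeaogdLsRnpSo5WdZSMH8pHhAz+CSwEsR3mLGs10j+BQnw3
+sbZfe38NJOyg8JuLmwUHG+qqFPd2SMibXclWCGDhf3G2u/zC24QBt4XLESUiYtZv
+PLLA1EXbQ10rS5VwasC/fmq1jdT52yEi4viXdMOSfjYCWg+xIwBsyCQs/lWLsqWD
+ZKLYfUAFsYqQ1Axz96yiscgNfPfoPRMoTvU3TuQlGhiQ1ygG5f4xlLEuHXpj1yWw
+/liSZVq/a+WQlVAKdlA4IXiC8szPagNSa/beEaj3R+ifoCad5hp/Fsj2JQlHmm30
+D8PAAVFRAoGBAPnRytHsicCuqck0oa2c2nE7gExrZhrO+rZoDHPBXjQiTFstil8r
+wK1OCjeeX9TV18szPhkimCVel+goNhSmW4n3BcAM1HTFdZlKY7dwVN/tvtl852Sw
+gVhGd3kFDkjUBTlK7W+IW7dzW3KwoSbcBpPRtIX9kKR5Braek4h4pUv3AoGBAMcU
+ZMqlHB6k1HH+3bZhyTk1BBAF2PcocqOkI9ahSQjDmVGMSa+nVxC7qE0l+hRRpaFd
+Ck6zn41p87Yos1nwNwOBcT3AIk0CNYGTJXJQQnkVzjB2yTdKDC/nAH++WOE2daw6
+0n1kIygOeL6na6r+jCQbsmwmORlqZ1nLPjCIPlrjAoGASpNiJICkLqz1amcXzKgC
+XcMRbb6x4FbhaQpujS+wW4fRm3Zg1EBPaGzfh/LzUKn1nWdSplY5bQ5r8pXubwOq
+V+kyAj7SPXmkvXoDgoM6Ew755hrvSJOYSS3gBHSJ6xu/43aGosDmAEGjjv1DXkJY
+hFAZv9YOE8s9Qc7c4+SAE8kCgYEAm+JPLhJtW11r8LtF9orJWt81iCpcAuSMJ7De
+UzDFlHQ8uIsmI8Hfvf2DQq2rDYAFNr441Pl3xO6i5A8oqRMcsMUJ2/V3pl9FcGm9
+F67a7h9x7acF1iJIOrYiQOTWibrwF2WT7pWbpcD3MSq9dw6Mw7VgV6jyawFTXg90
+aeI1GUsCgYEA2/7tNN0Of5W/Ff/2lm9ePhYsZSr+9NoBBQvai7+m5qpSzvoE304Q
+1qPW+T5pA4Da34nG+fGJMop0QX9rRTdyE9Ct++8ybIdLFAf35fDxgciohkziji8+
+0BHK7f+GqTDF+KoIZDZYPQgJX17/h8XNtBBSbP7WX8WZHIco/0BtOrc=
+-----END RSA PRIVATE KEY-----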
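--- a/ssl/client-certs/bad-atat.mil.crt
+++ b/ssl/client-certs/bad-atat.mil.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDljCCAn4CCQDe7V0Kcecn2TANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMC
+VVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMUGhpbGFkZWxwaGlh
+MRAwDgYDVQQKEwdGYXV4RG9EMQswCQYDVQQLEwJQVzERMA8GA1UEAxMIRmF1eCBE
+b0QxHjAcBgkqhkiG9w0BCQEWD2ZhdXhkb2RAZG9kLmNvbTAeFw0xODA2MjAyMDQz
+MTlaFw0xODA3MjAyMDQzMTlaMIGLMQswCQYDVQQGEwJVUzEVMBMGA1UECBMMUGVu
+bnN5bHZhbmlhMRUwEwYDVQQHEwxQaGlsYWRlbHBoaWExDDAKBgNVBAoUA1MmRzEe
+MBwGA1UEAxMVU0lNT04uUEFVTC4zODU2MTM1OTAxMSAwHgYJKoZIhvcNAQkBFhFz
+aW1vbkBzX2FuZF9nLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKao36qwC9Sk5hMujFQm5h7B6WoRFqbWpTw7VSAZeW2ykwWbOBmsEAfgOJ+ctyHq
+oMG0S23zJxSkfjO1PLXvu9r1ML0zXtm0uUiTJOMEMyrUBbfCV8zJ3TMuA7voWLi7
+QKsXh1bHdDIXbYP6dLC3w3CnBnr9VihzLth5KLEpz9ePX5gZljHVGldNY4ZR3UbD
+IeL7GD0z/jdcNuHxLYsI9gnnfxrOx8LmzDHDwTNsvKYNRjkdu+pja0ojDrE3T61g
+nKrWQsDwP9T7v27AfhrF1sxy+5K3YiQkDGtbvwFtKBIG3DJBw8qAqEPbtXw9FpYt
+7p8Ti/QYM5SGr/+w3yOgvrkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAgVarfkoj
+YtZ4X/uNzaSTYO10nyPblebmCGdJW4Cwgk7tcyB+ufLKPrWaC0+Y6XPZwCkAM8UF
+KqwYVnMWTkYdUI2ff1vst9tZRiANGXuQLgbdGAP2TrcBk/N5Glm6J4wrpT5VAXjR
+gBeVxMIWkGb5geDXISJujzrQU26roxEm3F4oUwvAgvMQd/Ha/pzXioaLycc0k91J
+apCafD39u5A+X/Y4QG/GfLG0kqOS2ioJDIlb+EJRzIL7s4cvv530p+VLu+AYEgKx
+MmGOnmML3qO/+oeL3Y32TP4Hzm2asNScseoi8a1ygyV88rLjLaVrsj7CFp9zJL0O
+Ksoovip0wuSVdQ==
+-----END CERTIFICATE-----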
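--- a/ssl/client-certs/bad-atat.mil.csr
+++ b/ssl/client-certs/bad-atat.mil.csr
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC0TCCAbkCAQAwgYsxCzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFu
+aWExFTATBgNVBAcTDFBoaWxhZGVscGhpYTEMMAoGA1UEChQDUyZHMR4wHAYDVQQD
+ExVTSU1PTi5QQVVMLjM4NTYxMzU5MDExIDAeBgkqhkiG9w0BCQEWEXNpbW9uQHNf
+YW5kX2cuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApqjfqrAL
+1KTmEy6MVCbmHsHpahEWptalPDtVIBl5bbKTBZs4GawQB+A4n5y3IeqgwbRLbfMn
+FKR+M7U8te+72vUwvTNe2bS5SJMk4wQzKtQFt8JXzMndMy4Du+hYuLtAqxeHVsd0
+Mhdtg/p0sLfDcKcGev1WKHMu2HkosSnP149fmBmWMdUaV01jhlHdRsMh4vsYPTP+
+N1w24fEtiwj2Ced/Gs7HwubMMcPBM2y8pg1GOR276mNrSiMOsTdPrWCcqtZCwPA/
+1Pu/bsB+GsXWzHL7krdiJCQMa1u/AW0oEgbcMkHDyoCoQ9u1fD0Wli3unxOL9Bgz
+lIav/7DfI6C+uQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAHQg3idmnhAX9CyO
+xbzfrTQ989vs110lTRh8VY+64ufkS2bxGO4fQik+VfSi9wFshTGaUlhtgiBrdfAt
+9udaQprWmZabBmiDnoUWiM5srJfYHL5yytrYynwpVe7Y3kPvPT/Zd+B9NBr+G0aq
+SxIDce7236vAcjocgCv8gmkdrfkpOTR87gx5q3b1BBv/we4+dUKysloC1Aw23/de
+Fi49SH9Xt8ZWUBsW5MesrmTfCXPTauYgYRt8bKtA0qvzzmiE5Ydihpi9HilGuCMr
+2LKBQETR6m4FgNXNcsRIlqPR+EY8llTYMEu7LvvHn2RmVpeIT2v5TADV0AighQyB
+++ZbkbE=
+-----END CERTIFICATE REQUEST-----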
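--- a/ssl/client-certs/bad-atat.mil.key
+++ b/ssl/client-certs/bad-atat.mil.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEApqjfqrAL1KTmEy6MVCbmHsHpahEWptalPDtVIBl5bbKTBZs4
+GawQB+A4n5y3IeqgwbRLbfMnFKR+M7U8te+72vUwvTNe2bS5SJMk4wQzKtQFt8JX
+zMndMy4Du+hYuLtAqxeHVsd0Mhdtg/p0sLfDcKcGev1WKHMu2HkosSnP149fmBmW
+MdUaV01jhlHdRsMh4vsYPTP+N1w24fEtiwj2Ced/Gs7HwubMMcPBM2y8pg1GOR27
+6mNrSiMOsTdPrWCcqtZCwPA/1Pu/bsB+GsXWzHL7krdiJCQMa1u/AW0oEgbcMkHD
+yoCoQ9u1fD0Wli3unxOL9BgzlIav/7DfI6C+uQIDAQABAoIBAQCJUEiAzO3idT7v
+fQG38BjYLLLRZmUAb4fS2Zvoh7SpsmE6VEpjtIW8x3w/3hJxSmzLTG59l8KSWnl0
+xxXPXUetPym6KZIz05h5eGsC9Jnn5qsTXXeTzpqHKZmAAA7hnb7JeOhUkp9lCjJ8
+dCYi2DWaIrPPL94GE+j8CM+DMM0Db9QmShQC5XbZPgsHiHvvffuvd4G90XcANEM/
+KHuwSoZ9xgySZDG+ENlqYu93GGrL3DYUozjMUChzVKZYyYySxII1ja11oznXcAyG
+nj5xeBmKv6KzYD5LOMIapWfVTNHLG1FM7bhVccrWKIAVKW4Lqd+gcMC+/wU2YIx9
+K9WGV8RlAoGBANWTrGCvaM9r2piXlGB6VB/KmZXFI9R7wjE+waW+3XBZ6YVZiMGQ
+jebeT+PPbeaggaDMIxZ70vJ+rNbS2MYrI44AIIueq636PoT7JtjfhakgZ7LBqc37
+F56rvObPTuFCElVKS1/nIaNAnvoNUoSqt42t7+VzkNfLYCalkHHpsXxHAoGBAMfD
+eUhuUaPTDT02NVjrNAA0yIkRIoyrbv7KGKuJStoPy7W4L6aZC0iFWZmwXTYBuC73
+ulZQ88X3bexKS0NkfQJBLPTQFYNUYS/H+OCwkuFj160tysZbG8rx/IsfZwWqoitH
+wR1Bgz++k5AApcgjMEWmt8l0NT5Mr6M0waylWGz/AoGBALQa3giCo14XU7XOTZ+2
+SO6uSSoVnwt2eeJRS7fb5pzyFY0QXdTtc9y2qKQxrjoILIhO3V/+d3tq+5IFKCyl
+AEylKszSt2/1UXeO28mTZQGkhA4oZmt/TQHPTXNOavRmZVNrXXi4TpN+0RGI3odl
+93gQr/bMp95ycNjmUZLeQX/NAoGBAI6PT5SDNjwFuCMA9p1YbSnggWRgGBnvliy6
+qVRxjDuGnkg3A7qO6eB9We42UK7kFz9dh1tmNjIHXCkO9BtKMXRUcvLbNR8eLqVc
+vp4LJSc4i4iJb3aTOohgnWvjozAGD+l3MbfhMvtg1AomjCkCA8cRLYPVLNIjBA0i
+7zx4W1ydAoGBAKS26yBJT9ZbIKLtoqZ6wOdz0l4r+ZaHmO+LjiGuFUh7w2s2MsPR
+Q1JwE5aXaXP9gY7md/gz7Fcm3ebjwRkdcvGvIQyncv4mF64b+FFnpgjQFHg5+OqD
+A57e0VDFI2LYhFstVHNZ1sRA+tBKQygd7Hzlz4BZdSD6EY7fvWNSJ7/j
+-----END RSA PRIVATE KEY-----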
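--- a/ssl/client-certs/client-ca.crt
+++ b/ssl/client-certs/client-ca.crt
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElTCCA32gAwIBAgIJAN5qDki+VlfPMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
+VQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRUwEwYDVQQHEwxQaGlsYWRl
+bHBoaWExEDAOBgNVBAoTB0ZhdXhEb0QxCzAJBgNVBAsTAlBXMREwDwYDVQQDEwhG
+YXV4IERvRDEeMBwGCSqGSIb3DQEJARYPZmF1eGRvZEBkb2QuY29tMB4XDTE4MDYy
+MDIwMzg0N1oXDTE5MDYyMDIwMzg0N1owgY0xCzAJBgNVBAYTAlVTMRUwEwYDVQQI
+EwxQZW5uc3lsdmFuaWExFTATBgNVBAcTDFBoaWxhZGVscGhpYTEQMA4GA1UEChMH
+RmF1eERvRDELMAkGA1UECxMCUFcxETAPBgNVBAMTCEZhdXggRG9EMR4wHAYJKoZI
+hvcNAQkBFg9mYXV4ZG9kQGRvZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDyQUFcuQ+YKOEJtv4XjKOTpOLp8IdbsaFwU8YgenMdvAc1ONZRL/2o
+jaCZx+kB2QSCVH2jaLUQ/2i4uz4rE21Ngpx+EHa1hgDQANle3d5CWrn2Q10/pdPe
+rJHYkMSiZ3cNWfFPBfHDtJrLlRUwJkgy+lUSLnOaipmBZMYXbV8/qUh69nWJQNXi
+AvmSUw8jwUPfTrpQVzftkOYz+0HVJyvKijTsj1LaPZTR3D8OhbFnvZWIlhIUjJZO
+jap/xQ3YEOcNF+gfx8hDQG2SnltWgecPsgiBRXmZK2IqDv39DE2DNiukEclZLhbN
+SpTibNZwkVzcTSRV2mSOHKXqTcH0wTvpAgMBAAGjgfUwgfIwHQYDVR0OBBYEFAo/
+6auHcKMK1ItTElg1Kk4MyoB5MIHCBgNVHSMEgbowgbeAFAo/6auHcKMK1ItTElg1
+Kk4MyoB5oYGTpIGQMIGNMQswCQYDVQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZh
+bmlhMRUwEwYDVQQHEwxQaGlsYWRlbHBoaWExEDAOBgNVBAoTB0ZhdXhEb0QxCzAJ
+BgNVBAsTAlBXMREwDwYDVQQDEwhGYXV4IERvRDEeMBwGCSqGSIb3DQEJARYPZmF1
+eGRvZEBkb2QuY29tggkA3moOSL5WV88wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
+AQUFAAOCAQEAp4fVYeSKYJICBQt37NOF6qZ+dv8GBDI+oZy7vC+VcjiRaODkiz9w
+IO5dBZxx/ldH5sD24Oc2SH+48S6UjE/D5kDpM/nIddfVfL2f222sE14RsqgrhmbG
+qRaEB8NXWiSQyKOKX63v8scioUqb9hFY+gtwb8HDFiOZFx+67L/NaXSh6VA8BbLj
+o55EafjTgr+Yad7SrZI5f6Q2iQ+uuHcJsf7fEe3Kts5Uwt5KXBBfMxeaSyQRxNX+
+JBBmy6MaxddPtus3MH+eIgI2Wp2rofH/PtGnSoizBj5IZXBkc18x1DG5pAJL4205
+EKQoicsafE27XBw45dK3cRBLXPWt8JrCBg==
+-----END CERTIFICATE-----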
BIN
ssl/client-certs/client-ca.der.crl
Normal file
Binary file not shown.
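--- a/ssl/client-certs/client-ca.key
+++ b/ssl/client-certs/client-ca.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA8kFBXLkPmCjhCbb+F4yjk6Ti6fCHW7GhcFPGIHpzHbwHNTjW
+US/9qI2gmcfpAdkEglR9o2i1EP9ouLs+KxNtTYKcfhB2tYYA0ADZXt3eQlq59kNd
+P6XT3qyR2JDEomd3DVnxTwXxw7Say5UVMCZIMvpVEi5zmoqZgWTGF21fP6lIevZ1
+iUDV4gL5klMPI8FD3066UFc37ZDmM/tB1Scryoo07I9S2j2U0dw/DoWxZ72ViJYS
+FIyWTo2qf8UN2BDnDRfoH8fIQ0Btkp5bVoHnD7IIgUV5mStiKg79/QxNgzYrpBHJ
+WS4WzUqU4mzWcJFc3E0kVdpkjhyl6k3B9ME76QIDAQABAoIBAQCC7bnBv1MqTY2y
+jnAtkhkmRstM3G6LpCk4aE6AZy2oOGM85IcQQfu6CTFva5gHI59IQRnWI1UY5rFW
+hfxHk6xTY+/oQkWmPdJamNriZs8k1ZwD+MyBBcLIakQ446UikQDK+n1s1C2iNA4l
+UWGuMEJ9KsanmOtp7tagFDLrnnUIFgyfQv5JI/QBZSMd9UReRv3xQrdv+KK58zJE
+/zsuFFO00YS0xzDYwikuwabDXaWCt8/9rDDlthIEaJRzTxZiLK90k6DaywRnO7rJ
+Q4Q/1WUGzdA7wfkQOWLozP1To2d6Q/KK1TiRaY0uieGvTvT7kXVDne4+lb3zAmAW
+IxdyNYBxAoGBAPtgEjGapRzPLcgJqVuup5W+/gc8NWcSK4NJWAwFWN9n6wOf+jQu
+YkwVUoF0KN0g9a1rymvnv+fHdvqQ+uDtdqCMcU3DNVx1uwTf0V/kPsxSwhTjrQ3h
+4tMXL4EzOUhYV1us/PtrmSlKS1SuQXbBdgNM7n71X0zWgsHeDvIf4YQTAoGBAPa2
+OqNOUFiA8Yz7wG/Aw1LiPX+DJZVmH05yXDSWicwSyrhorxktweMNd1e+syYW+5Qe
+GFu3qaxmOlPL9M5IvbUiAV7nmiVcezBnLxBLmOdc9rk8CU8qakZDESsy/pC741/U
+y6MQZzsbKIhxG4djbl+9Mr8wom+DGQtkFJ7RvqeTAoGBAOrJRLUIGAfcioo4W/LC
+Isz+4w2m8soecn3hV1eC9wtTaHKuTWfHmxAtKi63bCN90Xn1H8/BWcEG0N4f4/OK
+WC6Efp9/IKwHWnKnCkxiRzVYZuZT8SLyRIWdNkWarnof6Rg7bt72FMw4FDw3tfVR
+pQRYKrpyPFzsTpz850DG/j/5AoGAZ5BxpxH96lkejRc1XfQmSknMlRWBlmiLJcwd
+5rl22OLelHDlaAVsSZriiUP1Qj0NmMzVXtMHd+Zl/70zY9DnSf0fZC6G574dvGDk
+QcvqQN0mePW51rCwchQ/RcofULR+q0DRxv7gxtAMwNHyQ3A66herENUiqvr2bXCy
+s0TK6t8CgYEA7IS8e3x9SvXwfjGyJslbxhI4P7cBuVU5aL1SqYpaNx61JdmnPct4
+ruQntKHL5DvPNNRwFUvySkH93zjvjOWqF1g8kSO2ZPDj+WajStAHwA1TmVYIfkpV
+xfv5mlcKUfyLmoJ6nKuCf/pt49Gmp3vRsmxZrEcbBqGAVBI7LslQQr4=
+-----END RSA PRIVATE KEY-----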
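--- a/ssl/client-certs/client-ca.pem.crl
+++ b/ssl/client-certs/client-ca.pem.crl
@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----
+MIIB8jCB2zANBgkqhkiG9w0BAQQFADCBjTELMAkGA1UEBhMCVVMxFTATBgNVBAgT
+DFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMUGhpbGFkZWxwaGlhMRAwDgYDVQQKEwdG
+YXV4RG9EMQswCQYDVQQLEwJQVzERMA8GA1UEAxMIRmF1eCBEb0QxHjAcBgkqhkiG
+9w0BCQEWD2ZhdXhkb2RAZG9kLmNvbRcNMTgwNzMwMjEyOTAxWhcNMTgwODI5MjEy
+OTAxWjAcMBoCCQDe7V0Kcecn2RcNMTgwNjIwMjA0NjExWjANBgkqhkiG9w0BAQQF
+AAOCAQEAfZSS51Axnx04iSfMd1k5/TvH1R6NvUM20S/rZjJYt/uLqRElnJd7R7aI
+lLQQzSdbsuHm8HcfcMS7ZUMv989chKXMbPml+ZXkK/zp7LdjaL5THs09ek0NOM2l
+yhJcdE3K5bntk6qSgbsUpBOWLHzrp20is3BPl6gY+JRb0nnZ/SXTr4zfDctGfcot
+fSAGs3QA0Q/dpJOlSkGzxlzjB7dXDuoHTaJwy2s48IriNvvtVktM2AS+B/843vMC
+ToI5ZUh3RkSCgGvKexobg85Ke1QwWTYuj392JhakpIu/Qc71BK0jtbY9mVuFLwqW
+RFXDKIzRiL4S7iZWu/bpqTYyqmCmeA==
+-----END X509 CRL-----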
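--- a/ssl/client-certs/crl_openssl.conf
+++ b/ssl/client-certs/crl_openssl.conf
@@ -0,0 +1,26 @@
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+dir = ./ # top dir
+database = $dir/index.txt # index file.
+# new_certs_dir = $dir/newcerts # new certs dir
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # md to use
+
+policy = policy_any # default policy
+email_in_dn = no # Don't add the email into cert DN
+name_opt = ca_default # Subject name display option
+cert_opt = ca_default # Certificate display option
+copy_extensions = none # Don't copy extensions from request
+
+[ policy_any ]
+countryName = supplied
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional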
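--- a/ssl/client-certs/index.txt
+++ b/ssl/client-certs/index.txt
@@ -0,0 +1 @@
+R 180720204319Z 180620204611Z DEED5D0A71E727D9 unknown /C=US/ST=Pennsylvania/L=Philadelphia/O=S&G/CN=SIMON.PAUL.3856135901/emailAddress=simon@s_and_g.com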
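--- a/ssl/client-certs/index.txt.attr
+++ b/ssl/client-certs/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes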
0
ssl/client-certs/index.txt.old
Normal file
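--- a/ssl/make-certs.sh
+++ b/ssl/make-certs.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Generate the root (GIVE IT A PASSWORD IF YOU'RE NOT AUTOMATING SIGNING!):
+echo 'MAKING CA'
+openssl genrsa -out certificate-authority/ca.key 2048
+openssl req -new -x509 -days 7300 -key certificate-authority/ca.key -sha256 -extensions v3_ca -out certificate-authority/ca.crt
+
+# Generate the domain key:
+openssl genrsa -out server-certs/dev.cac.atat.codes.key 2048
+
+echo 'MAKING CSR'
+# Generate the certificate signing request
+openssl req -nodes -sha256 -new -key server-certs/dev.cac.atat.codes.key -out server-certs/dev.cac.atat.codes.csr -reqexts SAN -config <(cat req.cnf <(printf "[SAN]\nsubjectAltName=DNS.1:dev.cac.atat.codes,DNS.2:cac.atat.codes,DNS.3:backend"))
+
+# Sign the request with your root key
+openssl x509 -sha256 -req -in server-certs/dev.cac.atat.codes.csr -CA certificate-authority/ca.crt -CAkey certificate-authority/ca.key -CAcreateserial -out server-certs/dev.cac.atat.codes.crt -days 7300 -extfile <(cat req.cnf <(printf "[SAN]\nsubjectAltName=DNS.1:dev.cac.atat.codes,DNS.2:cac.atat.codes,DNS.3:backend")) -extensions SAN
+
+# Check your homework:
+openssl verify -CAfile certificate-authority/ca.crt server-certs/dev.cac.atat.codes.crt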
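--- a/ssl/req.cnf
+++ b/ssl/req.cnf
@@ -0,0 +1,26 @@
+[req]
+
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+
+C = US
+ST = VA
+L = SomeCity
+O = MyCompany
+OU = MyDivision
+CN = dev.cac.atat.codes
+
+[v3_req]
+
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+
+DNS.1 = dev.cac.atat.codes
+DNS.2 = cac.atat.codes
+DNS.3 = backend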
1352
ssl/server-certs/ca-chain.pem
Normal file
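--- a/ssl/server-certs/dev.cac.atat.codes.crt
+++ b/ssl/server-certs/dev.cac.atat.codes.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDmTCCAoGgAwIBAgIJAPTXTxYH3TyDMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
+BAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExFTATBgNVBAcTDFBoaWxhZGVs
+cGhpYTEMMAoGA1UEChMDRG9EMQwwCgYDVQQLEwNERFMxEDAOBgNVBAMTB0FUQVQg
+Q0EwHhcNMTgwNjAxMTk0NjIyWhcNMzgwNTI3MTk0NjIyWjBzMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCVkExETAPBgNVBAcMCFNvbWVDaXR5MRIwEAYDVQQKDAlNeUNv
+bXBhbnkxEzARBgNVBAsMCk15RGl2aXNpb24xGzAZBgNVBAMMEmRldi5jYWMuYXRh
+dC5jb2RlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOGjINZSzsSH
+MP0e+PxJhuM7v0juaB51UyzEp1tnrICKygQ+JaVLUmvZTiwsILfAFJ0Atxr50nga
+CG5R+QN+JAOBJ6v1tKW/NQ7kWCM8tyC5f1aU0rf5Yvl6dhZXJKszOTROG+3Qg/cH
+DM57/YrbOBnm30PaEAFD/s13hKEZklVgX3wYyaB2oRmXBbvWog9uFl3PLQBmnCPr
+q7aFlr2S3THO46PqHITtijwEDQViXgE+K5wm6ogi/cXzuD4aYq0PVk+6WaorXBOZ
+pOWnRyyX2OaJMyFzjuTBKQ80NMivcuh+fRQIhviSepeNuXeyZkWzQtixZPh22/Rv
+3lmWW4mY3D0CAwEAAaM6MDgwNgYDVR0RBC8wLYISZGV2LmNhYy5hdGF0LmNvZGVz
+gg5jYWMuYXRhdC5jb2Rlc4IHYmFja2VuZDANBgkqhkiG9w0BAQsFAAOCAQEALeJM
+LAPCxoqi/RirJcY5beiHZgLGLgolDHJEE8ZzKtuNqJvGWPwrTRGmr+mm31Qnl8IP
+M/skIC5CtYTdJRHD3AYNyFOFWmTuDS929mWxg50eZr8xdpS5sQ5AqiBclToXgOTI
+qRje/ojofTVl8RdT1q1gH0f+Ul60fywckngtSzJu2EkMTjy1xRCzmm137PakGuwc
+IZE+4trl2adE7GVWhYsF+SaroiLMIxFCcJqeqtbPK3OfuGMLUUr20O42fWfZskqa
+xenWST0R4M5ixMx1L3mou3vqQxHjihRpCaFDgpVJ0EbHbw2j3gqSiVF7q6N0mxFk
+RZ088LtbYUr/LL3TCg==
+-----END CERTIFICATE-----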
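--- a/ssl/server-certs/dev.cac.atat.codes.csr
+++ b/ssl/server-certs/dev.cac.atat.codes.csr
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDATCCAekCAQAwczELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQH
+DAhTb21lQ2l0eTESMBAGA1UECgwJTXlDb21wYW55MRMwEQYDVQQLDApNeURpdmlz
+aW9uMRswGQYDVQQDDBJkZXYuY2FjLmF0YXQuY29kZXMwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDhoyDWUs7EhzD9Hvj8SYbjO79I7mgedVMsxKdbZ6yA
+isoEPiWlS1Jr2U4sLCC3wBSdALca+dJ4GghuUfkDfiQDgSer9bSlvzUO5FgjPLcg
+uX9WlNK3+WL5enYWVySrMzk0Thvt0IP3BwzOe/2K2zgZ5t9D2hABQ/7Nd4ShGZJV
+YF98GMmgdqEZlwW71qIPbhZdzy0AZpwj66u2hZa9kt0xzuOj6hyE7Yo8BA0FYl4B
+PiucJuqIIv3F87g+GmKtD1ZPulmqK1wTmaTlp0csl9jmiTMhc47kwSkPNDTIr3Lo
+fn0UCIb4knqXjbl3smZFs0LYsWT4dtv0b95ZlluJmNw9AgMBAAGgSTBHBgkqhkiG
+9w0BCQ4xOjA4MDYGA1UdEQQvMC2CEmRldi5jYWMuYXRhdC5jb2Rlc4IOY2FjLmF0
+YXQuY29kZXOCB2JhY2tlbmQwDQYJKoZIhvcNAQELBQADggEBAJgWiXenFnBMAL+H
+tM3RvgsVXVd5ccAL0tiiRplm88JrtEPylDmN4HG1pp7Y11ziMoZvP5TZBJEVrArw
+ONT6VacOs+5UBw9lQDU7KYNbUEZlcCfPBA/cfxdWUgV0pDV/tOVUeB16HOZjIrNA
+3s6r2GhI7fnUEWhbmEKe7DvUyX0seMmpMl/E48b7FQ4i+1frhSjH5SC1GwKJLM3P
+Sq5JALYUFUdn9yNCMc4tGtRwrJkPoUAzUQRlczJ4KsHl0ma5uAQ+B80H3spWgb/j
+/25+mQl8vzLE3m/mVcCGikAapJTyA56EQhxp2Zrmy29bXsWhaR7xzRxWtrIGUXlE
+g8vKEEc=
+-----END CERTIFICATE REQUEST-----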
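--- a/ssl/server-certs/dev.cac.atat.codes.key
+++ b/ssl/server-certs/dev.cac.atat.codes.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA4aMg1lLOxIcw/R74/EmG4zu/SO5oHnVTLMSnW2esgIrKBD4l
+pUtSa9lOLCwgt8AUnQC3GvnSeBoIblH5A34kA4Enq/W0pb81DuRYIzy3ILl/VpTS
+t/li+Xp2FlckqzM5NE4b7dCD9wcMznv9its4GebfQ9oQAUP+zXeEoRmSVWBffBjJ
+oHahGZcFu9aiD24WXc8tAGacI+urtoWWvZLdMc7jo+ochO2KPAQNBWJeAT4rnCbq
+iCL9xfO4PhpirQ9WT7pZqitcE5mk5adHLJfY5okzIXOO5MEpDzQ0yK9y6H59FAiG
++JJ6l425d7JmRbNC2LFk+Hbb9G/eWZZbiZjcPQIDAQABAoIBAQDDpyxGLC/XAlNc
+aYsFWMx6JcjMeM4X+yxQWYW1IMTYAYEDBNCn8BRcKGY8r1b/frNhIMmlvpLeSdSd
+tL70ZGDeGRRJbBlkz9Q2QZKbm35ABhmA/jNqC/ni0mmrHY1SVmx4CnL1WCXWAmr8
+cU99JHIVI7jdoSzXrBo6GDUNbJsTI4kLmJO31zTnO3A10r6eTG6+t0kqdprcG3oE
+pTpJnycy+z5cXf/8gv+yMicDpSzts0YjeSFvG0TPNVrvINsoXK837M0DycotUsik
+0I1TyWMR66b8ceP34A86eWPjVQw/jU0kdDD0AN4Key/EymS21vGVml1vVNP3ZvkH
+A6pE9scRAoGBAPmwb6VfRtJRPIieexqatilO6hH5B+A05FvopGdFEs7aDdnsBKXS
+FalEp0ArR0DRu65c4nF0NNBUkciq5VrEdoNyz5OKIV6ypl+FOtoDpaDlgQEGctE/
+fjjw4EAt0uvCJYMjrSpeiS6aIHb9QPU5kTEjfJrIvkorRxGa4XQzvcBPAoGBAOdX
+EZEEZP9Qy0GE60j12VQ9jkVrmCfWyDd1qR09iN0fXFcTr1mj5E+nQimI+3OX1ymg
+EgPOqTxxGj7W9erEEpT2xlERuBVP9CnBQPjl4llTJtMNpYsX76OLCRe9QYvCkVsE
+1rvCu9Kdbrok/GZIyZxPShMsxg0SnFsEKvpu2AuzAoGBAPCuv2AUcEspnYU/5wBl
+I7S76et7NrlLothpb5hQP+n+zR1EYdKJqPGqSOIVFbEIurY/uNOOJZ6v9nsNKNqO
+yIK6+BaLLtF+udsXrPwcSdrHf8vCMIk9f+lZX4Dd6xPw6IH5sOFHkUrHrQWl56i6
+XheU0nbNjIgoIXB58Fs3yPAHAoGAGYdCKP6TJpmD1HcWf7ahhOpGCOMWp07MSVJy
+lwdzUvNi/Tju4LV1PFT4uBylotveonlHg6QKiODyRHz0JjP82PNibw/FgJSSHQl2
+YgD8OV8zqZaX7gF2MFXnavc3hHS0FZczGwUiNNuqnF/4elEN7nHResw2Drs/Bcwv
+8fLJZIECgYEA17uHOALkj6m9oFeepMddgVzfTtEzhjwJIB3/dhv9K5Y6UkxOrwvE
+d813gvlXziZ6StMMbbwW+TPU87Z8B92y2rMP/e3ui4Z3/ObMfeSCWX6892M3jfAu
+RB4FLpR4us5RWZ7rpSyZzmA4/4NaBMxz8b6fD8vImjbbwYfJbq7oKFI=
+-----END RSA PRIVATE KEY-----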
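--- a/ssl/ssl.conf
+++ b/ssl/ssl.conf
@@ -0,0 +1,39 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ssl_certificate /etc/ssl/dev.cac.atat.codes.crt;
+    ssl_certificate_key /etc/ssl/dev.cac.atat.codes.key;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+    ssl_prefer_server_ciphers on;
+
+    ssl_verify_client optional;
+    ssl_verify_depth 10;
+    ssl_client_certificate /etc/ssl/ca-chain.pem;
+    error_log /var/log/nginx/authnid.error.log debug;
+
+    add_header Strict-Transport-Security max-age=15768000;
+    #ssl_stapling on;
+    #ssl_stapling_verify on;
+
+    location / {
+        try_files $uri @app;
+    }
+
+    location @app {
+        include uwsgi_params;
+        uwsgi_pass unix:///tmp/uwsgi.sock;
+        uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
+        uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
+        uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
+    }
+
+    location /static {
+        alias /app/static;
+    }
+}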
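--- a/tests/domain/authnid/test_crl.py
+++ b/tests/domain/authnid/test_crl.py
@@ -0,0 +1,86 @@
+# Import installed packages
+import pytest
+import re
+import os
+import shutil
+from OpenSSL import crypto, SSL
+from atst.domain.authnid.crl.validator import Validator
+import atst.domain.authnid.crl.util as util
+
+
+class MockX509Store():
+    def __init__(self):
+        self.crls = []
+        self.certs = []
+
+    def add_crl(self, crl):
+        self.crls.append(crl)
+
+    def add_cert(self, cert):
+        self.certs.append(cert)
+
+    def set_flags(self, flag):
+        pass
+
+def test_can_build_crl_list(monkeypatch):
+    location = 'ssl/client-certs/client-ca.der.crl'
+    validator = Validator(crl_locations=[location], base_store=MockX509Store)
+    assert len(validator.store.crls) == 1
+
+def test_can_build_trusted_root_list():
+    location = 'ssl/server-certs/ca-chain.pem'
+    validator = Validator(roots=[location], base_store=MockX509Store)
+    with open(location) as f:
+        content = f.read()
+        assert len(validator.store.certs) == content.count('BEGIN CERT')
+
+def test_can_validate_certificate():
+    validator = Validator(
+        roots=['ssl/server-certs/ca-chain.pem'],
+        crl_locations=['ssl/client-certs/client-ca.der.crl']
+    )
+    good_cert = open('ssl/client-certs/atat.mil.crt', 'rb').read()
+    bad_cert = open('ssl/client-certs/bad-atat.mil.crt', 'rb').read()
+    assert validator.validate(good_cert)
+    assert validator.validate(bad_cert) == False
+
+def test_can_dynamically_update_crls(tmpdir):
+    crl_file = tmpdir.join('test.crl')
+    shutil.copyfile('ssl/client-certs/client-ca.der.crl', crl_file)
+    validator = Validator(
+        roots=['ssl/server-certs/ca-chain.pem'],
+        crl_locations=[crl_file]
+    )
+    cert = open('ssl/client-certs/atat.mil.crt', 'rb').read()
+    assert validator.validate(cert)
+    # override the original CRL with one that revokes atat.mil.crt
+    shutil.copyfile('tests/fixtures/test.der.crl', crl_file)
+    assert validator.validate(cert) == False
+
+def test_parse_disa_pki_list():
+    with open('tests/fixtures/disa-pki.html') as disa:
+        disa_html = disa.read()
+        crl_list = util.crl_list_from_disa_html(disa_html)
+        href_matches = re.findall('DOD(ROOT|EMAIL|ID)?CA', disa_html)
+        assert len(crl_list) > 0
+        assert len(crl_list) == len(href_matches)
+
+class MockStreamingResponse():
+    def __init__(self, content_chunks):
+        self.content_chunks = content_chunks
+
+    def iter_content(self, chunk_size=0):
+        return self.content_chunks
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, *args):
+        pass
+
+def test_write_crl(tmpdir, monkeypatch):
+    monkeypatch.setattr('requests.get', lambda u, **kwargs: MockStreamingResponse([b'it worked']))
+    crl = 'crl_1'
+    util.write_crl(tmpdir, crl)
+    assert [p.basename for p in tmpdir.listdir()] == [crl]
+    assert [p.read() for p in tmpdir.listdir()] == ['it worked']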
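--- a/tests/fixtures/disa-pki.html
+++ b/tests/fixtures/disa-pki.html
@@ -0,0 +1,75 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+
+<html lang="en">
+<head>
+<title>DoD PKI CRLDPs</title>
+</head>
+
+<body>
+<p>UNCLASSIFIED<br>
+
+<p>This list is provided by DoD PKE Engineering. It is updated as new CAs come online.<br>
+This is a list of CRL Distribution Points (CRLDPs) for all DoD CAs.</p>
+<p><small>Updated April 5, 2018</small></p>
+
+<a href="http://crl.disa.mil/crl/DODROOTCA2.crl">DoD Root CA 2</a><br>
+<a href="http://crl.disa.mil/crl/DODROOTCA3.crl">DoD Root CA 3</a><br>
+<a href="http://crl.disa.mil/crl/DODROOTCA4.crl">DoD Root CA 4</a><br>
+<a href="http://crl.disa.mil/crl/DODROOTCA5.crl">DoD Root CA 5</a><br>
+<a href="http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA1.crl">DoD Interoperability Root CA 1</a><br>
+<a href="http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA2.crl">DoD Interoperability Root CA 2</a><br>
+<a href="https://crl.gds.disa.mil/getcrl?DOD+NIPR+INTERNAL+NPE+ROOT+CA+1">NIPR INTERNAL NPE ROOT CA 1</a><br>
+<a href="http://crl.disa.mil/crl/DODNPEROOTCA1.crl">DoD NPE Root CA 1</a><br>
+<a href="http://crl.disa.mil/crl/DODWCFROOTCA1.crl">DoD WCF Root CA 1</a><br>
+<a href="http://crl.disa.mil/crl/USDODCCEBINTEROPERABILITYROOTCA1.crl">DoD CCEB Interoperability Root CA 1</a><br>
+<a href="http://crl.disa.mil/crl/USDODCCEBINTEROPERABILITYROOTCA2.crl">DoD CCEB Interoperability Root CA 2</a><br>
+<a href="http://crl.disa.mil/crl/DMDNSIGNINGCA_1.crl">DoD DMDN Signing CA 1</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_31.crl">DoD CA-31</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_32.crl">DoD CA-32</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_33.crl">DoD ID CA-33</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_34.crl">DoD ID CA-34</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_35.crl">DoD ID SW CA-35</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_36.crl">DoD ID SW CA-36</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_37.crl">DoD ID SW CA-37</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_38.crl">DoD ID SW CA-38</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_39.crl">DoD ID CA-39</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_40.crl">DoD ID CA-40</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_41.crl">DoD ID CA-41</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_42.crl">DoD ID CA-42</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_43.crl">DoD ID CA-43</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_44.crl">DoD ID CA-44</a><br>
+<a href="http://crl.disa.mil/crl/DODIDSWCA_45.crl">DoD ID SW CA-45</a><br>
+<a href="http://crl.disa.mil/crl/DODIDSWCA_46.crl">DoD ID SW CA-46</a><br>
+<a href="http://crl.disa.mil/crl/DODIDSWCA_47.crl">DoD ID SW CA-47</a><br>
+<a href="http://crl.disa.mil/crl/DODIDSWCA_48.crl">DoD ID SW CA-48</a><br>
+<a href="http://crl.disa.mil/crl/DODIDCA_49.crl">DoD ID CA-49</a><br>
+<a href="http://crl.disa.mil/crl/DODIDCA_50.crl">DoD ID CA-50</a><br>
+<a href="http://crl.disa.mil/crl/DODIDCA_51.crl">DoD ID CA-51</a><br>
+<a href="http://crl.disa.mil/crl/DODIDCA_52.crl">DoD ID CA-52</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_31.crl">DoD EMAIL CA-31</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_32.crl">DoD EMAIL CA-32</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_33.crl">DoD EMAIL CA-33</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_34.crl">DoD EMAIL CA-34</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_39.crl">DoD EMAIL CA-39</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_40.crl">DoD EMAIL CA-40</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_41.crl">DoD EMAIL CA-41</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_42.crl">DoD EMAIL CA-42</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_43.crl">DoD EMAIL CA-43</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_44.crl">DoD EMAIL CA-44</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_49.crl">DoD EMAIL CA-49</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_50.crl">DoD EMAIL CA-50</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_51.crl">DoD EMAIL CA-51</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_52.crl">DoD EMAIL CA-52</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_53.crl">DoD SW CA-53</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_54.crl">DoD SW CA-54</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_55.crl">DoD SW CA-55</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_56.crl">DoD SW CA-56</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_57.crl">DoD SW CA-57</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_58.crl">DoD SW CA-58</a><br>
+
+
+
+
+<p>UNCLASSIFIED<br>
+</body>
+</html>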
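--- a/tests/fixtures/test.der.crl
+++ b/tests/fixtures/test.der.crl
@@ -0,0 +1,14 @@
+-----BEGIN X509 CRL-----
+MIICDjCB9zANBgkqhkiG9w0BAQQFADCBjTELMAkGA1UEBhMCVVMxFTATBgNVBAgT
+DFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMUGhpbGFkZWxwaGlhMRAwDgYDVQQKEwdG
+YXV4RG9EMQswCQYDVQQLEwJQVzERMA8GA1UEAxMIRmF1eCBEb0QxHjAcBgkqhkiG
+9w0BCQEWD2ZhdXhkb2RAZG9kLmNvbRcNMTgwNzMwMjEzMzQ3WhcNMTgwODI5MjEz
+MzQ3WjA4MBoCCQCoSzDcVuoXYxcNMTgwNzMwMjEzMzAxWjAaAgkA3u1dCnHnJ9kX
+DTE4MDYyMDIwNDYxMVowDQYJKoZIhvcNAQEEBQADggEBAIYH2GbZUfqbqAaNJW2W
+jREAbHnk2x5PSUri/YL9nH7ZAviZARtjuy5WKmu4hhAc/RwarwITT3NtP3BddLTF
+RCd1vdsKWh4s7QqEZQSXaXb4/uEP2rsLVmbWoZxIp2gXrQXSA5kkKx0N3pY3kETg
+vuMax8E2GdoJLNJe0xm0+hk4C9HcOf+WPL26n1+J4ZIhKf67BfZli0eFZue1PeVA
+Ow2XBnKI/yw4GA9+OFcZ4JzJnRMdx/O9bjbzj3gkx9t22Ukzo66BVklplqWmb4YQ
+PaRl0LxZtP/GLE6Ej8QmwK2SC26M60F6ceIFtgY3gor5J3oWmXGYz5xm4PWLj5fp
+v2w=
+-----END X509 CRL-----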