pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
atst/tests/fixtures
History
dandds 0b5acde4c4 Stream-parse CRLs for caching file locations. 
AT-AT needs to maintain a key-value CRL cache where each key is the DER
byte-string of the issuer and the value is a dictionary of the CRL file
path and expiration. This way when it checks a client certificate, it
can load the correct CRL by comparing the issuers. This is preferable to
loading all of the CRLs in-memory. However, it still requires that AT-AT
load and parse each CRL when the application boots. Because of the size
of the CRLs and their parsed, in-memory size, this leads to the
application spiking to use nearly 900MB of memory (resting usage is
around 50MB).

This change introduces a small function to ad-hoc parse the CRL and
obtain the information in the CRL we need: the issuer and the
expiration. It does this by reading the CRL byte-by-byte until it
reaches the ASN1 sequence that corresponds to the issuer, and then looks
ahead to find the nextUpdate field (i.e., the expiration date). The
CRLCache class uses this function to build its cache and JSON-serializes
the cache to disk. If another AT-AT application process finds the
serialized version, it will load that copy instead of rebuilding it. It
also entails a change to the function signature for the init method of
CRLCache: now it expects the CRL directory as its second argument,
instead of a list of locations.

The Python script invoked by `script/sync-crls` will rebuild the
location cache each time it's run. This means that when the Kubernetes
CronJob for CRLs runs, it will refresh the cache each time. When a new
application container boots, it will get the refreshed cache.

This also adds a nightly CircleCI job to sync the CRLs and test that the
ad-hoc parsing function returns the same result as a proper parsing
using the Python cryptography library. This provides extra insurance
that the function is returning correct results on real data.
2019-11-04 08:36:03 -05:00
..
chain
Fix more tests broken by expiring CRL.
2019-08-21 05:47:54 -04:00
crl
Stream-parse CRLs for caching file locations.
2019-11-04 08:36:03 -05:00
artgarfunkel@uso.mil.crt
utility function for getting user email from x509 certificate
2018-08-09 15:01:06 -04:00
disa-pki.html
add CRL functionality from authnid
2018-08-06 10:44:00 -04:00
eda_contract.xml
get CLIN info from EDA XML
2018-10-17 15:59:20 -04:00
no-email.crt
utility function for getting user email from x509 certificate
2018-08-09 15:01:06 -04:00
no-san.crt
utility function for getting user email from x509 certificate
2018-08-09 15:01:06 -04:00
README.md
readme for regenerating client cert fixtures
2018-08-09 15:02:09 -04:00
sally-darth-signed.pdf
Verify PDF signatures
2019-03-20 13:11:12 -04:00
sample2.pdf
Fix PDF clearing bug
2018-11-12 10:37:26 -05:00
sample.pdf
initial uploader and some form work
2018-08-27 13:04:41 -04:00
sample.png
Update funding form to handle uploading pdf/png
2019-01-23 11:16:54 -05:00
signed-expired-cert.pdf
Verify PDF signatures
2019-03-20 13:11:12 -04:00
signed-pdf-not-dod.pdf
Verify PDF signatures
2019-03-20 13:11:12 -04:00
test.der.crl
build individual x509 stores for each CRL
2018-08-16 14:21:03 -04:00

README.md

Regenerating Fixture Certificates

You don't need to keep the key file generated by this process.

  1. Certificate with an email as subjectAltName:
openssl req -x509 \
    -newkey rsa:4096 \
    -sha256 \
    -nodes \
    -days 3650 \
    -keyout _foo.key \
    -out artgarfunkel@uso.mil.crt \
    -subj "/CN=GARFUNKEL.ART.G.5892460358" \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf; echo '[SAN]'; echo 'subjectAltName=email:artgarfunkel@uso.mil')
  1. Certificate with a DNS name as subjectAltName:
openssl req -x509 \
    -newkey rsa:4096 \
    -sha256 \
    -nodes \
    -days 3650 \
    -keyout _foo.key \
    -out no-email.crt \
    -subj "/CN=GARFUNKEL.ART.G.5892460358" \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf; echo '[SAN]'; echo 'subjectAltName=DNS:artgarfunkel.com')
  1. Certificate with no subjectAltName:
openssl req -x509 \
    -newkey rsa:4096 \
    -sha256 \
    -nodes \
    -days 3650 \
    -keyout _foo.key \
    -out no-san.crt \
    -subj "/CN=GARFUNKEL.ART.G.5892460358"