More specific exception catch for cert parsing; line shortening.

This commit is contained in:
Mike Culbertson 2018-08-31 12:19:55 -04:00
parent 7dbca821c3
commit 34c88494b8
1 changed files with 10 additions and 5 deletions


@ -36,7 +36,9 @@ def ocsp_verify(cert_path, issuer_chain_path):
return None return None
p2 = subprocess.Popen(['openssl', 'ocsp', '-issuer', issuer_chain_path, p2 = subprocess.Popen(['openssl', 'ocsp', '-issuer', issuer_chain_path,
'-cert', cert_path, "-url", url.strip()], stdout=subprocess.PIPE, stderr=subprocess.PIPE) '-cert', cert_path, "-url", url.strip()],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
message, err = p2.communicate() message, err = p2.communicate()
@ -65,7 +67,7 @@ def crl_verify(cert_path):
with open(cert_path, 'rt') as c: with open(cert_path, 'rt') as c:
try: try:
cert = parse_certificate(c.read()) cert = parse_certificate(c.read())
except Exception as e: except ValueError as e:
current_app.logger.error(e) current_app.logger.error(e)
return None return None
@ -92,14 +94,17 @@ def crl_verify(cert_path):
except ConnectionError: except ConnectionError:
raise Exception("Unable to retrieve CRL: {0}".format(point)) raise Exception("Unable to retrieve CRL: {0}".format(point))
crl_cache[point] = x509.load_der_x509_crl(response.content, backend=default_backend()) crl_cache[point] = x509.load_der_x509_crl(response.content,
backend=default_backend())
for r in crl_cache[point]: for r in crl_cache[point]:
if cert.serial_number == r.serial_number: if cert.serial_number == r.serial_number:
try: try:
reason = r.extensions.get_extension_for_class(x509.CRLReason).value reason = r.extensions.get_extension_for_class(x509.CRLReason).value
# Handle "removeFromCRL" revoke reason as unrevoked; continue with the next distribution point. # Handle "removeFromCRL" revoke reason as unrevoked;
# Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3 # continue with the next distribution point.
# Per RFC 5280 section 6.3.3 (k):
# https://tools.ietf.org/html/rfc5280#section-6.3.3
if reason == x509.ReasonFlags.remove_from_crl: if reason == x509.ReasonFlags.remove_from_crl:
break break
except x509.ExtensionNotFound: except x509.ExtensionNotFound: