Beispiel #1
def check_revoked():
    """
    Refresh the cached revocation status of every certificate Lemur knows.

    Runs periodically. Each certificate body is handed to ``verify_string``
    together with its stored chain (an empty string when no chain is kept)
    and the outcome is mapped onto ``cert.status``:

    * ``None``  -> ``'unknown'`` (no usable CRL/OCSP information)
    * truthy    -> ``'valid'``
    * falsy     -> ``'revoked'``

    Any exception raised while verifying is reported to Sentry and the
    application log and the certificate is marked ``'unknown'`` so that one
    bad certificate does not stop the sweep. Every certificate is then
    persisted with ``database.update`` regardless of outcome.
    """
    for cert in get_all_certs():
        try:
            # `or ""` covers both a missing and an empty chain.
            status = verify_string(cert.body, cert.chain or "")
            if status is None:
                cert.status = 'unknown'
            elif status:
                cert.status = 'valid'
            else:
                cert.status = 'revoked'
        except Exception as e:
            # Keep going: a verification failure is recorded as uncertainty,
            # not treated as proof of revocation.
            sentry.captureException()
            current_app.logger.exception(e)
            cert.status = 'unknown'

        database.update(cert)
Beispiel #2
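def check_revoked():
    """
    Refresh the cached revocation status of Lemur's valid certificates.

    Called periodically. Only certificates belonging to the revocation
    authority plugins listed under the ``SUPPORTED_REVOCATION_AUTHORITY_PLUGINS``
    config key are considered. For each certificate:

    * a stored chain is passed to ``verify_string`` together with the body;
    * a self-signed certificate (issuer ``'<selfsigned>'``) has no external
      revocation source and is treated as valid;
    * otherwise ``verify_string`` is called with an empty chain.

    A ``None`` result from ``verify_string`` (nothing to verify against) marks
    the certificate ``"unknown"``; an exception during verification is sent
    to Sentry and the log and likewise yields ``"unknown"``. Each revocation
    increments the ``certificate_revoked`` counter and is logged. Every
    certificate is persisted with ``database.update`` regardless of outcome.
    """

    log_data = {
        "function": f"{__name__}.{sys._getframe().f_code.co_name}",
        "message": "Checking for revoked Certificates"
    }

    certs = get_all_valid_certs(
        current_app.config.get("SUPPORTED_REVOCATION_AUTHORITY_PLUGINS", []))
    for cert in certs:
        try:
            if cert.chain:
                status = verify_string(cert.body, cert.chain)
            elif cert.issuer == '<selfsigned>':
                # No CRL/OCSP endpoint exists for a self-signed certificate.
                status = True
            else:
                status = verify_string(cert.body, "")

            if status is None:
                # No revocation source could be consulted. That is not
                # evidence of revocation, so record the uncertainty instead
                # of a false "revoked" (which is what a bare truthiness test
                # would have produced).
                cert.status = "unknown"
            else:
                cert.status = "valid" if status else "revoked"

            if cert.status == "revoked":
                # The shared log_data dict is reused for every revoked cert;
                # the per-certificate keys are simply overwritten.
                log_data["valid"] = cert.status
                log_data["certificate_name"] = cert.name
                log_data["certificate_id"] = cert.id
                metrics.send(
                    "certificate_revoked",
                    "counter",
                    1,
                    metric_tags={
                        "status": log_data["valid"],
                        "certificate_name": log_data["certificate_name"],
                        "certificate_id": log_data["certificate_id"]
                    },
                )
                current_app.logger.info(log_data)

        except Exception as e:
            # One failing certificate must not abort the periodic sweep.
            sentry.captureException()
            current_app.logger.exception(e)
            cert.status = "unknown"

        database.update(cert)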
Beispiel #3
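def check_revoked():
    """
    Refresh the cached revocation status of every certificate Lemur knows.

    Runs periodically. Each certificate body is passed to ``verify_string``
    with its stored chain (or an empty string when none is kept). The result
    is mapped onto ``cert.status``:

    * ``None``  -> ``'unknown'`` (no CRL/OCSP information could be obtained)
    * truthy    -> ``'valid'``
    * falsy     -> ``'invalid'``

    Any exception raised during verification also yields ``'unknown'`` so a
    single problematic certificate does not stop the sweep. Every certificate
    is persisted with ``database.update`` regardless of outcome.
    """
    for cert in cert_service.get_all_certs():
        try:
            if cert.chain:
                status = verify_string(cert.body, cert.chain)
            else:
                status = verify_string(cert.body, "")

            if status is None:
                # Nothing to verify against is not evidence of revocation;
                # a plain truthiness test would have flagged it 'invalid'.
                cert.status = 'unknown'
            else:
                cert.status = 'valid' if status else 'invalid'
        except Exception:
            # Verification errors are swallowed deliberately (best effort);
            # the certificate is marked as undetermined instead.
            cert.status = 'unknown'
        database.update(cert)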
Beispiel #4
def test_verify_simple_cert():
    """Simple certificate without CRL or OCSP."""
    # With no CRL or OCSP endpoint to consult there is no verdict at all,
    # so the status element of the result is None. The two error values
    # returned alongside it are not asserted here.
    status, _ocsp_err, _crl_err = verify_string(INTERMEDIATE_CERT_STR, "")
    assert status is None
Beispiel #5
def test_verify_simple_cert():
    """Simple certificate without CRL or OCSP."""
    # With nothing to check against, this verify_string does not return an
    # "unknown" value but raises; the message must name the failure.
    empty_chain = ''
    with pytest.raises(Exception, match="Failed to verify"):
        verify_string(INTERNAL_VALID_LONG_STR, empty_chain)
Beispiel #6
def test_verify_simple_cert():
    """Simple certificate without CRL or OCSP."""
    # No CRL/OCSP endpoint means no verdict: the result must be None,
    # not False (which would read as "revoked").
    result = verify_string(INTERMEDIATE_CERT_STR, '')
    assert result is None
Beispiel #7
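def _verification_status(cert):
    """Return ``(status, ocsp_err, crl_err)`` for *cert* via ``verify_string``.

    ``status`` is the string to store on ``cert.status``: ``"unknown"`` when
    ``verify_string`` reached no verdict (``None``), otherwise ``"valid"`` or
    ``"revoked"``. The two error values are passed through unchanged; the
    caller sums them, so they are presumably numeric counts (confirm against
    ``verify_string``). Any exception from ``verify_string`` propagates.
    """
    if cert.chain:
        status, ocsp_err, crl_err = verify_string(cert.body, cert.chain)
    else:
        status, ocsp_err, crl_err = verify_string(cert.body, "")

    if status is None:
        return "unknown", ocsp_err, crl_err
    return ("valid" if status else "revoked"), ocsp_err, crl_err


def _report_revocation(cert, log_data):
    """Emit the ``certificate_revoked`` counter and an info log line for *cert*.

    *log_data* is the run-wide log dict; the per-certificate keys are written
    into it (and therefore overwritten for each revoked certificate) before
    it is logged.
    """
    log_data["valid"] = cert.status
    log_data["certificate_name"] = cert.name
    log_data["certificate_id"] = cert.id
    metrics.send(
        "certificate_revoked",
        "counter",
        1,
        metric_tags={
            "status": log_data["valid"],
            "certificate_name": log_data["certificate_name"],
            "certificate_id": log_data["certificate_id"]
        },
    )
    current_app.logger.info(log_data)


def check_revoked():
    """
    Refresh the cached revocation status of Lemur's valid certificates.

    Called periodically. Certificates are fetched page by page (1000 per
    page) from ``get_all_valid_certs`` for the revocation authority plugins
    listed under ``SUPPORTED_REVOCATION_AUTHORITY_PLUGINS``, restricted to
    certificates created on or before yesterday so a freshly issued
    certificate is not mis-reported by an OCSP responder that does not know
    it yet. Each certificate is verified (see ``_verification_status``),
    ``cert.status`` is set to ``"valid"``, ``"revoked"`` or ``"unknown"``,
    revocations are counted and logged, and the certificate is persisted.

    An exception while verifying is captured and logged at warning level and
    the certificate is marked ``"unknown"``; an exception while persisting is
    captured and logged but does not stop the sweep.

    At the end three gauges are emitted: the accumulated OCSP and CRL error
    totals and the number of certificates examined.
    """

    log_data = {
        "function": f"{__name__}.{sys._getframe().f_code.co_name}",
        "message": "Checking for revoked Certificates"
    }
    there_are_still_certs = True
    page = 1
    count = 1000
    ocsp_err_count = 0
    crl_err_count = 0
    # NOTE(review): paging assumes get_all_valid_certs returns a stable order
    # between calls; if the order can change while this loop runs, certs may
    # be skipped or checked twice — confirm against the query.
    while there_are_still_certs:
        # Only certs created up to the day before: avoids OCSP not yet knowing
        # about a newly created cert.
        certs = get_all_valid_certs(
            current_app.config.get("SUPPORTED_REVOCATION_AUTHORITY_PLUGINS",
                                   []),
            paginate=True,
            page=page,
            count=count,
            created_on_or_before=arrow.now().shift(days=-1))
        if len(certs) < count:
            # A short page is necessarily the last one.
            there_are_still_certs = False
        else:
            metrics.send("certificate_revoked_progress",
                         "counter",
                         1,
                         metric_tags={"page": page})
            page += 1

        for cert in certs:
            try:
                cert.status, ocsp_err, crl_err = _verification_status(cert)
                ocsp_err_count += ocsp_err
                crl_err_count += crl_err

                if cert.status == "revoked":
                    _report_revocation(cert, log_data)

            except Exception as e:
                # A verification failure is recorded as uncertainty, never
                # as proof of revocation, and must not abort the sweep.
                capture_exception()
                current_app.logger.warning(e)
                cert.status = "unknown"

            try:
                database.update(cert)
            except Exception as e:
                # A failed write for one certificate must not stop the rest.
                capture_exception()
                current_app.logger.warning(e)

    metrics.send(
        "certificate_revoked_ocsp_error",
        "gauge",
        ocsp_err_count,
    )
    metrics.send(
        "certificate_revoked_crl_error",
        "gauge",
        crl_err_count,
    )
    # `page` was only advanced for full pages, so `certs` is the final,
    # possibly short, page.
    metrics.send(
        "certificate_revoked_checked",
        "gauge",
        (page - 1) * count + len(certs),
    )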
Beispiel #8
def test_verify_simple_cert():
    """Simple certificate without CRL or OCSP."""
    # Without a CRL or OCSP endpoint verify_string cannot reach a verdict,
    # so it must report None rather than a false "revoked".
    no_chain = ''
    outcome = verify_string(INTERMEDIATE_CERT_STR, no_chain)
    assert outcome is None