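def _verify_date(certificate):
    """
    Check that the current time lies within the certificate's validity period.

    The notBefore/notAfter values are read from the tbsCertificate "validity"
    field, converted with timeutil.to_time and compared against timeutil.now().
    Both boundaries are treated as inclusive: RFC 5280 §4.1.2.5 defines the
    validity period as the closed interval [notBefore, notAfter].

    Args:
        certificate: decoded X.509 certificate object accepted by
            cert_finder._get_tbs_certificate.

    Returns:
        True when notBefore <= now <= notAfter, False otherwise (a warning
        naming both boundaries is logged in that case).
    """
    tbs = cert_finder._get_tbs_certificate(certificate)
    validity = tbs.getComponentByName("validity")
    # NOTE(review): reading the private `_value` of component 0 assumes the
    # Time CHOICE is populated at position 0 (utcTime); confirm that
    # certificates carrying generalizedTime are handled by to_time as well.
    start = validity.getComponentByName("notBefore").getComponentByPosition(0)._value
    end = validity.getComponentByName("notAfter").getComponentByPosition(0)._value

    start_time = timeutil.to_time(start)  # time.strptime(start, format)
    end_time = timeutil.to_time(end)  # time.strptime(end, format)
    now = timeutil.now()  # time.gmtime()

    # Inclusive comparison: a certificate is still valid at its exact boundary instants.
    if start_time <= now <= end_time:
        return True
    # Lazy %-args: the message is only formatted when the warning is actually emitted.
    logger.warning("Out of boundaries of validity:  %s - %s.", start, end)
    return False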
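 def refresh_dist_point(self, url, verification=None, force_download=False):
     '''
     Refresh the CRL of the distribution point identified by ``url``.

     Unless ``force_download`` is set, nothing is downloaded before the
     ``nextUpdate`` time recorded for the distribution point has passed.
     A downloaded CRL is optionally verified against ``verification`` and,
     if its ``thisUpdate`` differs from the stored ``lastUpdated``, merged
     into the local revoked list via ``dpoint.update_revoked_list``.

     Args:
         url: distribution point URL, looked up with ``self.find_dpoint``.
         verification: material passed to ``crl_verifier.verify_crl``; when
             ``None`` the CRL is applied without verification.
         force_download: ignore the recorded ``nextUpdate`` and download now.

     Returns:
         ``(downloaded, added)`` — whether the download attempt succeeded and
         how many revoked serial numbers were added to the local copy.
         ``(False, 0)`` is returned when the url is unknown or the download
         fails; a CRL that fails verification yields ``(True, 0)`` and is
         not applied.
     '''
     dpoint = self.find_dpoint(url)
     if dpoint is None:
         # The documented contract is a (bool, int) pair; an unknown url is a
         # failed refresh rather than an implicit None that breaks tuple unpacking.
         logger.warning("No distribution point registered for %s, nothing to refresh", url)
         return False, 0

     logger.debug("Refreshing dpoint %s", url)
     if force_download:
         logger.debug("Force download parameter set, ignoring nextUpdate parameter of CRL")
     elif dpoint.nextUpdate:
         # Download only once the CRL's own nextUpdate time has passed.
         next_time = timeutil.to_time(dpoint.nextUpdate)
         current_time = timeutil.now()
         if current_time >= next_time:
             logger.info("Next update time passed, downloading CRL")
         else:
             logger.info("Next update scheduled on %s, not downloading anything", dpoint.nextUpdate)
             return True, 0
     else:
         logger.info("No previous download recorded, downloading CRL")

     downloaded = self.__download_crl(url)
     if downloaded is None:
         return False, 0

     crl = self.__decode_crl(downloaded)
     if verification is not None:
         if not crl_verifier.verify_crl(crl, verification):
             # A CRL that fails verification is reported but never merged below.
             logger.warning('CRL verification failed')
             return True, 0
         logger.info("CRL verified")
     else:
         # NOTE(review): with no verification material the CRL is merged
         # unverified below; callers omitting `verification` take on that
         # trust decision.
         logger.info("CRL verification not performed, no certificate provided")

     tbs_crl = crl.getComponentByName("tbsCertList")
     downloaded_update_time = str(tbs_crl.getComponentByName("thisUpdate"))
     if dpoint.lastUpdated == downloaded_update_time:
         logger.info("Downloaded CRL is the same as current, no changes in list of revoked certificates")
         return True, 0

     # A newer CRL was issued: commit its changes to the local copy.
     logger.info("New CRL detected, current version: %s, new version: %s",
                 dpoint.lastUpdated, downloaded_update_time)
     added_certs = dpoint.update_revoked_list(crl)
     logger.info("Added %d new revoked certificate serial numbers", added_certs)
     if added_certs:
         self.changed = True
     return True, added_certs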