def check_revoked():
    """
    Refresh Lemur's cached revocation status for every stored certificate.

    Runs periodically. Each certificate is handed to ``verify_string``
    (the CRL/OCSP checks) and its ``status`` becomes ``'valid'`` for a
    truthy result, ``'revoked'`` for a falsy one, and ``'unknown'`` when
    the result is ``None`` or the check raises. Every certificate is then
    persisted with ``database.update``.
    """
    for certificate in get_all_certs():
        try:
            # A missing chain is passed through as an empty string.
            verdict = verify_string(certificate.body, certificate.chain or "")
            if verdict is None:
                certificate.status = 'unknown'
            elif verdict:
                certificate.status = 'valid'
            else:
                certificate.status = 'revoked'
        except Exception as err:
            # A failed check is reported and the certificate marked unknown
            # instead of being left with a stale status; the sweep continues.
            sentry.captureException()
            current_app.logger.exception(err)
            certificate.status = 'unknown'
        database.update(certificate)
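def check_revoked():
    """
    Update Lemur's internal cache with revoked certificates.

    Called periodically by Lemur. Valid certificates selected by the
    ``SUPPORTED_REVOCATION_AUTHORITY_PLUGINS`` setting are verified via
    ``verify_string`` (CRL/OCSP checks) and their ``status`` set to
    ``valid`` or ``revoked``. Self-signed certificates (issuer
    ``<selfsigned>``) have no external revocation source and are treated
    as valid. When the verification result is ``None`` (nothing to verify
    against) or verification raises, the status is ``unknown``: an
    unverifiable certificate must not be reported as revoked. Each revoked
    certificate is logged and counted through the ``certificate_revoked``
    metric, and every certificate is persisted afterwards.
    """
    log_data = {
        "function": f"{__name__}.{sys._getframe().f_code.co_name}",
        "message": "Checking for revoked Certificates"
    }
    certs = get_all_valid_certs(
        current_app.config.get("SUPPORTED_REVOCATION_AUTHORITY_PLUGINS", []))
    for cert in certs:
        try:
            if cert.chain:
                status = verify_string(cert.body, cert.chain)
            elif cert.issuer == '<selfsigned>':
                status = True
            else:
                status = verify_string(cert.body, "")

            if status is None:
                # No CRL/OCSP information available: keep the verdict open
                # rather than collapsing "not verifiable" into "revoked",
                # which would raise false revocation alerts and metrics.
                cert.status = "unknown"
            else:
                cert.status = "valid" if status else "revoked"

            if cert.status == "revoked":
                log_data["valid"] = cert.status
                log_data["certificate_name"] = cert.name
                log_data["certificate_id"] = cert.id
                metrics.send(
                    "certificate_revoked",
                    "counter",
                    1,
                    metric_tags={
                        "status": log_data["valid"],
                        "certificate_name": log_data["certificate_name"],
                        "certificate_id": log_data["certificate_id"]
                    },
                )
                current_app.logger.info(log_data)
        except Exception as e:
            # Any verification error is reported and the certificate marked
            # unknown so the sweep continues with the remaining certificates.
            sentry.captureException()
            current_app.logger.exception(e)
            cert.status = "unknown"
        database.update(cert)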
def check_revoked():
    """
    Refresh the cached revocation status of every certificate in Lemur.

    Runs periodically. Each certificate is passed to ``verify_string``
    (CRL/OCSP checks) and its ``status`` becomes ``'valid'`` for a truthy
    result, ``'invalid'`` for any falsy result, and ``'unknown'`` when the
    check raises. Every certificate is then persisted.
    """
    for certificate in cert_service.get_all_certs():
        try:
            # A missing chain is passed through as an empty string.
            verdict = verify_string(certificate.body, certificate.chain or "")
            certificate.status = 'valid' if verdict else 'invalid'
        except Exception:
            # Failures are not logged here: the certificate is only marked
            # unknown and the sweep moves on.
            certificate.status = 'unknown'
        database.update(certificate)
def test_verify_simple_cert():
    """Simple certificate without CRL or OCSP."""
    # Without any revocation source the verdict is None; the OCSP/CRL
    # error counters returned alongside it are not asserted here.
    verdict, _ocsp_err, _crl_err = verify_string(INTERMEDIATE_CERT_STR, "")
    assert verdict is None
def test_verify_simple_cert():
    """Simple certificate without CRL or OCSP."""
    # Without any revocation source verification cannot conclude and must
    # raise ("Failed to verify") rather than report the certificate as valid.
    with pytest.raises(Exception) as excinfo:
        verify_string(INTERNAL_VALID_LONG_STR, '')
    excinfo.match("Failed to verify")
def test_verify_simple_cert():
    """Simple certificate without CRL or OCSP."""
    # With no CRL or OCSP information there is nothing to check against,
    # so the verdict is None rather than True/False.
    verdict = verify_string(INTERMEDIATE_CERT_STR, '')
    assert verdict is None
def check_revoked():
    """
    Update Lemur's internal cache with revoked certificates.

    Called periodically by Lemur. Valid certificates (selected by the
    ``SUPPORTED_REVOCATION_AUTHORITY_PLUGINS`` setting and created at least
    a day ago) are fetched page by page and each one is passed to
    ``verify_string`` (CRL/OCSP checks). The resulting ``status`` is
    ``valid``, ``revoked``, or ``unknown`` when verification returns
    ``None`` or raises. Revoked certificates are logged and counted; the
    OCSP and CRL error totals and the number of certificates examined are
    published as gauges once the sweep is complete.
    """
    log_data = {
        "function": f"{__name__}.check_revoked",
        "message": "Checking for revoked Certificates"
    }
    page_size = 1000
    page = 1
    ocsp_errors = 0
    crl_errors = 0

    while True:
        # Only certificates issued before yesterday are examined, so a cert
        # the OCSP responder does not know about yet is not flagged.
        certs = get_all_valid_certs(
            current_app.config.get("SUPPORTED_REVOCATION_AUTHORITY_PLUGINS", []),
            paginate=True,
            page=page,
            count=page_size,
            created_on_or_before=arrow.now().shift(days=-1))
        last_page = len(certs) < page_size
        if not last_page:
            metrics.send("certificate_revoked_progress", "counter", 1, metric_tags={"page": page})
            page += 1

        for cert in certs:
            try:
                # A missing chain is passed through as an empty string.
                verdict, ocsp_err, crl_err = verify_string(cert.body, cert.chain or "")
                ocsp_errors += ocsp_err
                crl_errors += crl_err
                if verdict is None:
                    cert.status = "unknown"
                elif verdict:
                    cert.status = "valid"
                else:
                    cert.status = "revoked"

                if cert.status == "revoked":
                    log_data["valid"] = cert.status
                    log_data["certificate_name"] = cert.name
                    log_data["certificate_id"] = cert.id
                    metrics.send(
                        "certificate_revoked",
                        "counter",
                        1,
                        metric_tags={
                            "status": log_data["valid"],
                            "certificate_name": log_data["certificate_name"],
                            "certificate_id": log_data["certificate_id"]
                        },
                    )
                    current_app.logger.info(log_data)
            except Exception as err:
                # A failed check is reported and leaves the cert as unknown;
                # the sweep continues with the remaining certificates.
                capture_exception()
                current_app.logger.warning(err)
                cert.status = "unknown"

            try:
                database.update(cert)
            except Exception as err:
                # Persistence failures are reported but do not stop the sweep.
                capture_exception()
                current_app.logger.warning(err)

        if last_page:
            break

    metrics.send("certificate_revoked_ocsp_error", "gauge", ocsp_errors)
    metrics.send("certificate_revoked_crl_error", "gauge", crl_errors)
    # page is not advanced on the last page, so the total is the full
    # pages already processed plus the final (partial) page.
    metrics.send("certificate_revoked_checked", "gauge", (page - 1) * page_size + len(certs))
def test_verify_simple_cert():
    """Simple certificate without CRL or OCSP."""
    # With no CRL or OCSP information there is nothing to check against,
    # so the verdict is None rather than True/False.
    verdict = verify_string(INTERMEDIATE_CERT_STR, '')
    assert verdict is None