Пример #1
0
    def revoke_callback(revocation):
        serial = revocation.get("metadata",{}).get("cert_serial",None)
        if revocation.get('type',None) != 'revocation' or serial is None:
            logger.error("Unsupported revocation message: %s"%revocation)
            return

        logger.info("Revoking certificate: %s"%serial)
        server.setcrl(cmd_revoke(workingdir, None, serial))
Пример #2
0
        def revoke_callback(revocation):
            json_meta = json.loads(revocation['meta_data'])
            serial = json_meta['cert_serial']
            if revocation.get('type',None) != 'revocation' or serial is None:
                logger.error("Unsupported revocation message: %s"%revocation)
                return

            logger.info("Revoking certificate: %s"%serial)
            server.setcrl(cmd_revoke(workingdir, None, serial))
Пример #3
0
def cmd_listen(workingdir,cert_path):
    #just load up the password for later
    read_private()

    serveraddr = ('', common.CRL_PORT)
    server = ThreadedCRLServer(serveraddr,CRLHandler)
    if os.path.exists('%s/cacrl.der'%workingdir):
        logger.info("Loading existing crl: %s/cacrl.der"%workingdir)
        with open('%s/cacrl.der'%workingdir,'rb') as f:
            server.setcrl(f.read())
    t = threading.Thread(target=server.serve_forever)
    logger.info("Hosting CRL on %s:%d"%(socket.getfqdn(),common.CRL_PORT))
    t.start()

    def check_expiration():
        logger.info("checking CRL for expiration every hour")
        while True:
            try:
                if os.path.exists('%s/cacrl.der'%workingdir):
                    retout = cmd_exec.run("openssl crl -inform der -in %s/cacrl.der -text -noout"%workingdir,lock=False)['retout']
                    for line in retout:
                        line = line.strip()
                        if line.startswith(b"Next Update:"):
                            expire = datetime.datetime.strptime(line[13:].decode('utf-8'),"%b %d %H:%M:%S %Y %Z")
                            # check expiration within 6 hours
                            in1hour = datetime.datetime.utcnow()+datetime.timedelta(hours=6)
                            if expire<=in1hour:
                                logger.info("Certificate to expire soon %s, re-issuing"%expire)
                                cmd_regencrl(workingdir)
                # check a little less than every hour
                time.sleep(3540)

            except KeyboardInterrupt:
                logger.info("TERM Signal received, shutting down...")
                #server.shutdown()
                break

    t2 = threading.Thread(target=check_expiration)
    t2.setDaemon(True)
    t2.start()

    def revoke_callback(revocation):
        serial = revocation.get("metadata",{}).get("cert_serial",None)
        if revocation.get('type',None) != 'revocation' or serial is None:
            logger.error("Unsupported revocation message: %s"%revocation)
            return

        logger.info("Revoking certificate: %s"%serial)
        server.setcrl(cmd_revoke(workingdir, None, serial))

    try:
        while True:
            try:
                revocation_notifier.await_notifications(revoke_callback,revocation_cert_path=cert_path)
            except Exception as e:
                logger.exception(e)
                logger.warning("No connection to revocation server, retrying in 10s...")
                time.sleep(10)
    except KeyboardInterrupt:
        logger.info("TERM Signal received, shutting down...")
        server.shutdown()
        sys.exit()