Pass the OCSP responder uri to CSR method

pvarki · Feb 7, 2024 · 89a4bbd · 89a4bbd
1 parent 39c2b0f
commit 89a4bbd
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/src/rasenmaeher_api/db/people.py b/src/rasenmaeher_api/db/people.py
@@ -18,7 +18,6 @@
 from .base import ORMBaseModel, DBModel, utcnow, db
 from ..web.api.middleware.datatypes import MTLSorJWTPayload
 from .errors import NotFound, Deleted, BackendError, CallsignReserved
-from ..rmsettings import switchme_to_singleton_call
 from ..cfssl.private import sign_csr, revoke_pem, validate_reason, ReasonTypes
 from ..cfssl.public import get_bundle
 from ..prodcutapihelpers import post_to_all_products
@@ -54,7 +53,8 @@ async def by_pk_or_callsign(cls, inval: Union[str, uuid.UUID], allow_deleted: bo
     @classmethod
     async def create_with_cert(cls, callsign: str, extra: Optional[Dict[str, Any]] = None) -> "Person":
         """Create the cert etc and save the person"""
-        if callsign in RMSettings.singleton().valid_product_cns:
+        cnf = RMSettings.singleton()
+        if callsign in cnf.valid_product_cns:
             raise CallsignReserved("Using product CNs as callsigns is forbidden")
         try:
             await Person.by_callsign(callsign)
@@ -64,14 +64,16 @@ async def create_with_cert(cls, callsign: str, extra: Optional[Dict[str, Any]] =
         async with db.acquire() as conn:
             async with conn.transaction():  # do it in a transaction so if something fails we can roll back
                 puuid = uuid.uuid4()
-                certspath = Path(switchme_to_singleton_call.persistent_data_dir) / "private" / "people" / str(puuid)
+                certspath = Path(cnf.persistent_data_dir) / "private" / "people" / str(puuid)
                 certspath.mkdir(parents=True)
                 certspath.chmod(PRIVDIR_MODE)
                 try:
                     newperson = Person(pk=puuid, callsign=callsign, certspath=str(certspath), extra=extra)
                     await newperson.create()
                     ckp = await async_create_keypair(newperson.privkeyfile, newperson.pubkeyfile)
-                    csrpem = await async_create_client_csr(ckp, newperson.csrfile, newperson.certsubject)
+                    csrpem = await async_create_client_csr(
+                        ckp, newperson.csrfile, newperson.certsubject, ocsp_uri=cnf.ocscp_responder
+                    )
                     certpem = (await sign_csr(csrpem)).replace("\\n", "\n")
                     bundlepem = (await get_bundle(certpem)).replace("\\n", "\n")
                     newperson.certfile.write_text(bundlepem)

diff --git a/src/rasenmaeher_api/rmsettings.py b/src/rasenmaeher_api/rmsettings.py
@@ -82,6 +82,7 @@ class Config:  # pylint: disable=too-few-public-methods
     cfssl_port: str = "8888"
     ocsprest_host: str = "http://127.0.0.1"
     ocsprest_port: str = "8887"
+    ocscp_responder: str = "https://localmaeher.pvarki.fi:4439/ca/ocsp"  # needs to be the public URL
 
     persistent_data_dir = "/data/persistent"