-rw-r--r--netlib/certutils.py11
-rw-r--r--test/netlib/test_certutils.py25
2 files changed, 36 insertions, 0 deletions
diff --git a/netlib/certutils.py b/netlib/certutils.py
index 9eb41d03..bdc2b77e 100644
--- a/netlib/certutils.py
+++ b/netlib/certutils.py
@@ -169,6 +169,7 @@ class CertStore(object):
"""
Implements an in-memory certificate store.
"""
+ STORE_CAP = 100
def __init__(
self,
@@ -181,6 +182,15 @@ class CertStore(object):
self.default_chain_file = default_chain_file
self.dhparams = dhparams
self.certs = dict()
+ self.expire_queue = []
+
+ def expire(self, entry):
+ self.expire_queue.append(entry)
+ if len(self.expire_queue) > self.STORE_CAP:
+ d = self.expire_queue.pop(0)
+ for k, v in list(self.certs.items()):
+ if v == d:
+ del self.certs[k]
@staticmethod
def load_dhparam(path):
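Review bot: expire() evicts in insertion order, not by last use: nothing in this hunk moves an entry back in `expire_queue` when it is served again, so a busy host's certificate is dropped once STORE_CAP newer ones have been generated and then has to be re-created and re-signed. If that is intended, state it in a docstring, e.g. `"""Queue entry for eviction; once more than STORE_CAP are queued, drop the oldest entry and every key mapping to it."""`, and give `STORE_CAP` a comment naming it as the memory bound on generated certificates. If the store can be reached from more than one thread (not visible here), `del self.certs[k]` can raise KeyError when two evictions overlap; `self.certs.pop(k, None)` avoids that. The class body continues outside the hunk.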
@@ -342,6 +352,7 @@ class CertStore(object):
privatekey=self.default_privatekey,
chain_file=self.default_chain_file)
self.certs[(commonname, tuple(sans))] = entry
+ self.expire(entry)
return entry.cert, entry.privatekey, entry.chain_file
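Review bot: Only entries created on this path are queued, so STORE_CAP bounds generated certificates and nothing else; any other code that writes to `self.certs` (none is visible in this diff) would be neither counted nor evicted. The key `(commonname, tuple(sans))` presumably derives from names supplied by peers, so a comment here would help the next reader, e.g. `# bound the cache: names are peer-supplied, so the store must not grow without limit`. get_cert's body starts outside the hunk.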
diff --git a/test/netlib/test_certutils.py b/test/netlib/test_certutils.py
index 027dcc93..cf9a671b 100644
--- a/test/netlib/test_certutils.py
+++ b/test/netlib/test_certutils.py
@@ -74,6 +74,31 @@ class TestCertStore:
cert, key, chain_file = ca.get_cert(b"foo.bar.com", [b"*.baz.com"])
assert b"*.baz.com" in cert.altnames
+ def test_expire(self):
+ with tutils.tmpdir() as d:
+ ca = certutils.CertStore.from_store(d, "test")
+ ca.STORE_CAP = 3
+ ca.get_cert(b"one.com", [])
+ ca.get_cert(b"two.com", [])
+ ca.get_cert(b"three.com", [])
+
+ assert (b"one.com", ()) in ca.certs
+ assert (b"two.com", ()) in ca.certs
+ assert (b"three.com", ()) in ca.certs
+
+ ca.get_cert(b"one.com", [])
+
+ assert (b"one.com", ()) in ca.certs
+ assert (b"two.com", ()) in ca.certs
+ assert (b"three.com", ()) in ca.certs
+
+ ca.get_cert(b"four.com", [])
+
+ assert (b"one.com", ()) not in ca.certs
+ assert (b"two.com", ()) in ca.certs
+ assert (b"three.com", ()) in ca.certs
+ assert (b"four.com", ()) in ca.certs
+
def test_overrides(self):
with tutils.tmpdir() as d:
ca1 = certutils.CertStore.from_store(os.path.join(d, "ca1"), "test")
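Review bot: test_expire locks in insertion-order eviction: the second `get_cert(b"one.com", [])` appears to be a cache hit, yet the test then expects one.com to be the entry removed when four.com arrives. If least-recently-used eviction is what the store should do, that final block should expect two.com to go instead. The test also never checks the queue itself; `assert len(ca.expire_queue) == 3` after the last call would confirm the queue stays bounded along with `ca.certs`.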