requested changes
This commit is contained in:
Raal Goff
parent
d417ce3232
commit
a607ab189a
3 changed files with 34 additions and 49 deletions
|
|
@ -45,8 +45,6 @@ func (h *caHandler) CRL(w http.ResponseWriter, r *http.Request) {
|
||||||
_, err = w.Write(crlBytes)
|
_, err = w.Write(crlBytes)
|
||||||
}
|
}
|
||||||
|
|
||||||
w.WriteHeader(200)
|
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(errors.Wrap(err, "error writing http response"))
|
panic(errors.Wrap(err, "error writing http response"))
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,7 @@ import (
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
@ -662,40 +663,28 @@ func (a *Authority) GetSCEPService() *scep.Service {
|
||||||
|
|
||||||
func (a *Authority) startCRLGenerator() error {
|
func (a *Authority) startCRLGenerator() error {
|
||||||
|
|
||||||
if a.config.CRL.CacheDuration.Duration > time.Duration(0) {
|
if a.config.CRL.CacheDuration.Duration <= 0 {
|
||||||
// Check that there is a valid CRL in the DB right now. If it doesnt exist
|
return nil
|
||||||
// or is expired, generated one now
|
}
|
||||||
crlDB, ok := a.db.(db.CertificateRevocationListDB)
|
|
||||||
|
// Check that there is a valid CRL in the DB right now. If it doesn't exist
|
||||||
|
// or is expired, generate one now
|
||||||
|
_, ok := a.db.(db.CertificateRevocationListDB)
|
||||||
if !ok {
|
if !ok {
|
||||||
return errors.Errorf("CRL Generation requested, but database does not support CRL generation")
|
return errors.Errorf("CRL Generation requested, but database does not support CRL generation")
|
||||||
}
|
}
|
||||||
|
|
||||||
crlInfo, err := crlDB.GetCRL()
|
// Always create a new CRL on startup in case the CA has been down and the time to next expected CRL
|
||||||
if err != nil {
|
// update is less than the cache duration.
|
||||||
return errors.Wrap(err, "could not retrieve CRL from database")
|
err := a.GenerateCertificateRevocationList()
|
||||||
}
|
|
||||||
|
|
||||||
if crlInfo == nil {
|
|
||||||
log.Println("No CRL exists in the DB, generating one now")
|
|
||||||
err = a.GenerateCertificateRevocationList()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "could not generate a CRL")
|
return errors.Wrap(err, "could not generate a CRL")
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if crlInfo.ExpiresAt.Before(time.Now().UTC()) {
|
|
||||||
log.Printf("Existing CRL has expired (at %v), generating a new one", crlInfo.ExpiresAt)
|
|
||||||
err = a.GenerateCertificateRevocationList()
|
|
||||||
if err != nil {
|
|
||||||
return errors.Wrap(err, "could not generate a CRL")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
log.Printf("CRL will be auto-generated every %v", a.config.CRL.CacheDuration)
|
log.Printf("CRL will be auto-generated every %v", a.config.CRL.CacheDuration)
|
||||||
tickerDuration := a.config.CRL.CacheDuration.Duration - time.Minute // generate the new CRL 1 minute before it expires
|
tickerDuration := a.config.CRL.CacheDuration.Duration - time.Minute // generate the new CRL 1 minute before it expires
|
||||||
if tickerDuration <= 0 {
|
if tickerDuration <= 0 {
|
||||||
log.Printf("WARNING: Addition of jitter to CRL generation time %v creates a negative duration (%v). Using 1 minute cacheDuration", a.config.CRL.CacheDuration, tickerDuration)
|
panic(fmt.Sprintf("ERROR: Addition of jitter to CRL generation time %v creates a negative duration (%v). Use a CRL generation time of longer than 1 minute.", a.config.CRL.CacheDuration, tickerDuration))
|
||||||
tickerDuration = time.Minute
|
|
||||||
}
|
}
|
||||||
crlTicker := time.NewTicker(tickerDuration)
|
crlTicker := time.NewTicker(tickerDuration)
|
||||||
|
|
||||||
|
|
@ -706,13 +695,11 @@ func (a *Authority) startCRLGenerator() error {
|
||||||
log.Println("Regenerating CRL")
|
log.Println("Regenerating CRL")
|
||||||
err := a.GenerateCertificateRevocationList()
|
err := a.GenerateCertificateRevocationList()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// TODO: log or panic here?
|
log.Printf("ERROR: authority.crlGenerator encountered an error when regenerating the CRL: %v", err)
|
||||||
panic(errors.Wrap(err, "authority.crlGenerator encountered an error"))
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -526,12 +526,12 @@ func (a *Authority) revokeSSH(crt *ssh.Certificate, rci *db.RevokedCertificateIn
|
||||||
// error if the underlying AuthDB does not support CRLs
|
// error if the underlying AuthDB does not support CRLs
|
||||||
func (a *Authority) GetCertificateRevocationList() ([]byte, error) {
|
func (a *Authority) GetCertificateRevocationList() ([]byte, error) {
|
||||||
if a.config.CRL == nil {
|
if a.config.CRL == nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, errors.Errorf("Certificate Revocation Lists are not enabled"), "authority.GetCertificateRevocationList")
|
return nil, errs.Wrap(http.StatusNotFound, errors.Errorf("Certificate Revocation Lists are not enabled"), "authority.GetCertificateRevocationList")
|
||||||
}
|
}
|
||||||
|
|
||||||
crlDB, ok := a.db.(db.CertificateRevocationListDB)
|
crlDB, ok := a.db.(db.CertificateRevocationListDB)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, errors.Errorf("Database does not support Certificate Revocation Lists"), "authority.GetCertificateRevocationList")
|
return nil, errs.Wrap(http.StatusNotImplemented, errors.Errorf("Database does not support Certificate Revocation Lists"), "authority.GetCertificateRevocationList")
|
||||||
}
|
}
|
||||||
|
|
||||||
crlInfo, err := crlDB.GetCRL()
|
crlInfo, err := crlDB.GetCRL()
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue