forked from TrueCloudLab/certificates
change GenerateCertificateRevocationList to return DER, store DER in db instead of PEM, nicer PEM encoding of CRL, add Mock stubs
This commit is contained in:
Raal Goff
parent
e8fdb703c9
commit
7d024cc4cb
4 changed files with 36 additions and 20 deletions
|
|
@ -50,7 +50,7 @@ type Authority interface {
|
|||
GetRoots() ([]*x509.Certificate, error)
|
||||
GetFederation() ([]*x509.Certificate, error)
|
||||
Version() authority.Version
|
||||
GenerateCertificateRevocationList(force bool) (string, error)
|
||||
GenerateCertificateRevocationList(force bool) ([]byte, error)
|
||||
}
|
||||
|
||||
// TimeDuration is an alias of provisioner.TimeDuration
|
||||
|
|
|
|||
16
api/crl.go
16
api/crl.go
|
|
@ -1,16 +1,24 @@
|
|||
package api
|
||||
|
||||
import "net/http"
|
||||
import (
|
||||
"encoding/pem"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
// CRL is an HTTP handler that returns the current CRL
|
||||
// CRL is an HTTP handler that returns the current CRL in PEM format
|
||||
func (h *caHandler) CRL(w http.ResponseWriter, r *http.Request) {
|
||||
crl, err := h.Authority.GenerateCertificateRevocationList(false)
|
||||
crlBytes, err := h.Authority.GenerateCertificateRevocationList(false)
|
||||
|
||||
if err != nil {
|
||||
w.WriteHeader(500)
|
||||
return
|
||||
}
|
||||
|
||||
pemBytes := pem.EncodeToMemory(&pem.Block{
|
||||
Type: "X509 CRL",
|
||||
Bytes: crlBytes,
|
||||
})
|
||||
|
||||
w.WriteHeader(200)
|
||||
_, err = w.Write([]byte(crl))
|
||||
_, err = w.Write(pemBytes)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -514,24 +514,24 @@ func (a *Authority) revokeSSH(crt *ssh.Certificate, rci *db.RevokedCertificateIn
|
|||
// a new CRL on demand if it has expired (or a CRL does not already exist).
|
||||
//
|
||||
// force set to true will force regeneration of the CRL regardless of whether it has actually expired
|
||||
func (a *Authority) GenerateCertificateRevocationList(force bool) (string, error) {
|
||||
func (a *Authority) GenerateCertificateRevocationList(force bool) ([]byte, error) {
|
||||
|
||||
// check for an existing CRL in the database, and return that if its valid
|
||||
crlInfo, err := a.db.GetCRL()
|
||||
|
||||
if err != nil {
|
||||
return "", err
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if !force && crlInfo != nil && crlInfo.ExpiresAt.After(time.Now().UTC()) {
|
||||
return crlInfo.PEM, nil
|
||||
return crlInfo.DER, nil
|
||||
}
|
||||
|
||||
// some CAS may not implement the CRLGenerator interface, so check before we proceed
|
||||
caCRLGenerator, ok := a.x509CAService.(casapi.CertificateAuthorityCRLGenerator)
|
||||
|
||||
if !ok {
|
||||
return "", errors.Errorf("CRL Generator not implemented")
|
||||
return nil, errors.Errorf("CRL Generator not implemented")
|
||||
}
|
||||
|
||||
revokedList, err := a.db.GetRevokedCertificates()
|
||||
|
|
@ -574,28 +574,24 @@ func (a *Authority) GenerateCertificateRevocationList(force bool) (string, error
|
|||
|
||||
certificateRevocationList, err := caCRLGenerator.CreateCertificateRevocationList(&revocationList)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Quick and dirty PEM encoding
|
||||
// TODO: clean this up
|
||||
pemCRL := fmt.Sprintf("-----BEGIN X509 CRL-----\n%s\n-----END X509 CRL-----\n", base64.StdEncoding.EncodeToString(certificateRevocationList))
|
||||
|
||||
// Create a new db.CertificateRevocationListInfo, which stores the new Number we just generated, the
|
||||
// expiry time, and the byte-encoded CRL - then store it in the DB
|
||||
newCRLInfo := db.CertificateRevocationListInfo{
|
||||
Number: n,
|
||||
ExpiresAt: revocationList.NextUpdate,
|
||||
PEM: pemCRL,
|
||||
DER: certificateRevocationList,
|
||||
}
|
||||
|
||||
err = a.db.StoreCRL(&newCRLInfo)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Finally, return our CRL PEM
|
||||
return pemCRL, nil
|
||||
return certificateRevocationList, nil
|
||||
}
|
||||
|
||||
// GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.
|
||||
|
|
|
|||
18
db/db.go
18
db/db.go
|
|
@ -114,12 +114,12 @@ type RevokedCertificateInfo struct {
|
|||
ACME bool
|
||||
}
|
||||
|
||||
// CertificateRevocationListInfo contains a CRL in PEM and associated metadata to allow a decision on whether
|
||||
// to regenerate the CRL or not easier
|
||||
// CertificateRevocationListInfo contains a CRL in DER format and associated
|
||||
// metadata to allow a decision on whether to regenerate the CRL or not easier
|
||||
type CertificateRevocationListInfo struct {
|
||||
Number int64
|
||||
ExpiresAt time.Time
|
||||
PEM string
|
||||
DER []byte
|
||||
}
|
||||
|
||||
// IsRevoked returns whether or not a certificate with the given identifier
|
||||
|
|
@ -379,6 +379,18 @@ type MockAuthDB struct {
|
|||
MShutdown func() error
|
||||
}
|
||||
|
||||
func (m *MockAuthDB) GetRevokedCertificates() (*[]RevokedCertificateInfo, error) {
|
||||
panic("implement me")
|
||||
}
|
||||
|
||||
func (m *MockAuthDB) GetCRL() (*CertificateRevocationListInfo, error) {
|
||||
panic("implement me")
|
||||
}
|
||||
|
||||
func (m *MockAuthDB) StoreCRL(info *CertificateRevocationListInfo) error {
|
||||
panic("implement me")
|
||||
}
|
||||
|
||||
// IsRevoked mock.
|
||||
func (m *MockAuthDB) IsRevoked(sn string) (bool, error) {
|
||||
if m.MIsRevoked != nil {
|
||||
|
|
|
|||
Loading…
Reference in a new issue