Add support for Revoke using CAS.

2020-09-15 18:14:03 -07:00 · 2020-09-15 18:14:03 -07:00 · e17ce39e3a
commit e17ce39e3a
parent 144ffe73dd
3 changed files with 50 additions and 1 deletions
--- a/authority/tls.go
+++ b/authority/tls.go
@ -352,7 +352,28 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error

 	if provisioner.MethodFromContext(ctx) == provisioner.SSHRevokeMethod {
 		err = a.db.RevokeSSH(rci)
-	} else { // default to revoke x509
+	} else {
+		// Revoke an X.509 certificate using CAS. If the certificate is not
+		// provided we will try to read it from the db.
+		var revokedCert *x509.Certificate
+		if revokeOpts.Crt != nil {
+			revokedCert = revokeOpts.Crt
+		} else if rci.Serial != "" {
+			revokedCert, _ = a.db.GetCertificate(rci.Serial)
+		}
+
+		// CAS operation, note that SoftCAS (default) is a noop.
+		// The revoke happens when this is stored in the db.
+		_, err = a.x509CAService.RevokeCertificate(&casapi.RevokeCertificateRequest{
+			Certificate: revokedCert,
+			Reason:      rci.Reason,
+			ReasonCode:  rci.ReasonCode,
+		})
+		if err != nil {
+			return errs.Wrap(http.StatusInternalServerError, err, "authority.Revoke", opts...)
+		}
+
+		// Save as revoked in the Db.
 		err = a.db.Revoke(rci)
 	}
 	switch err {
--- a/db/db.go
+++ b/db/db.go
@ -47,6 +47,7 @@ type AuthDB interface {
 	IsSSHRevoked(sn string) (bool, error)
 	Revoke(rci *RevokedCertificateInfo) error
 	RevokeSSH(rci *RevokedCertificateInfo) error
+	GetCertificate(serialNumber string) (*x509.Certificate, error)
 	StoreCertificate(crt *x509.Certificate) error
 	UseToken(id, tok string) (bool, error)
 	IsSSHHost(name string) (bool, error)
@ -187,6 +188,19 @@ func (db *DB) RevokeSSH(rci *RevokedCertificateInfo) error {
 	}
 }

+// GetCertificate retrieves a certificate by the serial number.
+func (db *DB) GetCertificate(serialNumber string) (*x509.Certificate, error) {
+	ans1Data, err := db.Get(certsTable, []byte(serialNumber))
+	if err != nil {
+		return nil, errors.Wrap(err, "database Get error")
+	}
+	cert, err := x509.ParseCertificate(ans1Data)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error parsing certificate with serial number %s", serialNumber)
+	}
+	return cert, nil
+}
+
 // StoreCertificate stores a certificate PEM.
 func (db *DB) StoreCertificate(crt *x509.Certificate) error {
 	if err := db.Set(certsTable, []byte(crt.SerialNumber.String()), crt.Raw); err != nil {
@ -288,6 +302,7 @@ type MockAuthDB struct {
 	MIsSSHRevoked         func(string) (bool, error)
 	MRevoke               func(rci *RevokedCertificateInfo) error
 	MRevokeSSH            func(rci *RevokedCertificateInfo) error
+	MGetCertificate       func(serialNumber string) (*x509.Certificate, error)
 	MStoreCertificate     func(crt *x509.Certificate) error
 	MUseToken             func(id, tok string) (bool, error)
 	MIsSSHHost            func(principal string) (bool, error)
@ -339,6 +354,14 @@ func (m *MockAuthDB) RevokeSSH(rci *RevokedCertificateInfo) error {
 	return m.Err
 }

+// GetCertificate mock.
+func (m *MockAuthDB) GetCertificate(serialNumber string) (*x509.Certificate, error) {
+	if m.MGetCertificate != nil {
+		return m.MGetCertificate(serialNumber)
+	}
+	return m.Ret1.(*x509.Certificate), m.Err
+}
+
 // StoreCertificate mock.
 func (m *MockAuthDB) StoreCertificate(crt *x509.Certificate) error {
 	if m.MStoreCertificate != nil {
--- a/db/simple.go
+++ b/db/simple.go
@ -46,6 +46,11 @@ func (s *SimpleDB) RevokeSSH(rci *RevokedCertificateInfo) error {
 	return ErrNotImplemented
 }

+// GetCertificate returns a "NotImplemented" error.
+func (s *SimpleDB) GetCertificate(serialNumber string) (*x509.Certificate, error) {
+	return nil, ErrNotImplemented
+}
+
 // StoreCertificate returns a "NotImplemented" error.
 func (s *SimpleDB) StoreCertificate(crt *x509.Certificate) error {
 	return ErrNotImplemented