mbiryukova/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

requested changes

Browse source
This commit is contained in:
Raal Goff 2022-03-29 08:51:39 +08:00
parent 222b52db13
commit 45975b061c
3 changed files with 34 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
api/crl.go
View file

@ -45,8 +45,6 @@ func (h *caHandler) CRL(w http.ResponseWriter, r *http.Request) {
_, err = w.Write(crlBytes) _, err = w.Write(crlBytes)
} }
w.WriteHeader(200)
if err != nil { if err != nil {
panic(errors.Wrap(err, "error writing http response")) panic(errors.Wrap(err, "error writing http response"))
} }

77
authority/authority.go
View file

@ -6,6 +6,7 @@ import (
"crypto/sha256" "crypto/sha256"
"crypto/x509" "crypto/x509"
"encoding/hex" "encoding/hex"
"fmt"
"log" "log"
"strings" "strings"
"sync" "sync"
@ -631,57 +632,43 @@ func (a *Authority) GetSCEPService() *scep.Service {
func (a *Authority) startCRLGenerator() error { func (a *Authority) startCRLGenerator() error {
if a.config.CRL.CacheDuration.Duration > time.Duration(0) { if a.config.CRL.CacheDuration.Duration <= 0 {
// Check that there is a valid CRL in the DB right now. If it doesnt exist return nil
// or is expired, generated one now }
crlDB, ok := a.db.(db.CertificateRevocationListDB)
if !ok {
return errors.Errorf("CRL Generation requested, but database does not support CRL generation")
}
crlInfo, err := crlDB.GetCRL() // Check that there is a valid CRL in the DB right now. If it doesn't exist
if err != nil { // or is expired, generate one now
return errors.Wrap(err, "could not retrieve CRL from database") _, ok := a.db.(db.CertificateRevocationListDB)
} if !ok {
return errors.Errorf("CRL Generation requested, but database does not support CRL generation")
}
if crlInfo == nil { // Always create a new CRL on startup in case the CA has been down and the time to next expected CRL
log.Println("No CRL exists in the DB, generating one now") // update is less than the cache duration.
err = a.GenerateCertificateRevocationList() err := a.GenerateCertificateRevocationList()
if err != nil { if err != nil {
return errors.Wrap(err, "could not generate a CRL") return errors.Wrap(err, "could not generate a CRL")
} }
}
if crlInfo.ExpiresAt.Before(time.Now().UTC()) { log.Printf("CRL will be auto-generated every %v", a.config.CRL.CacheDuration)
log.Printf("Existing CRL has expired (at %v), generating a new one", crlInfo.ExpiresAt) tickerDuration := a.config.CRL.CacheDuration.Duration - time.Minute // generate the new CRL 1 minute before it expires
err = a.GenerateCertificateRevocationList() if tickerDuration <= 0 {
if err != nil { panic(fmt.Sprintf("ERROR: Addition of jitter to CRL generation time %v creates a negative duration (%v). Use a CRL generation time of longer than 1 minute.", a.config.CRL.CacheDuration, tickerDuration))
return errors.Wrap(err, "could not generate a CRL") }
} crlTicker := time.NewTicker(tickerDuration)
}
log.Printf("CRL will be auto-generated every %v", a.config.CRL.CacheDuration) go func() {
tickerDuration := a.config.CRL.CacheDuration.Duration - time.Minute // generate the new CRL 1 minute before it expires for {
if tickerDuration <= 0 { select {
log.Printf("WARNING: Addition of jitter to CRL generation time %v creates a negative duration (%v). Using 1 minute cacheDuration", a.config.CRL.CacheDuration, tickerDuration) case <-crlTicker.C:
tickerDuration = time.Minute log.Println("Regenerating CRL")
} err := a.GenerateCertificateRevocationList()
crlTicker := time.NewTicker(tickerDuration) if err != nil {
log.Printf("ERROR: authority.crlGenerator encountered an error when regenerating the CRL: %v", err)
go func() {
for {
select {
case <-crlTicker.C:
log.Println("Regenerating CRL")
err := a.GenerateCertificateRevocationList()
if err != nil {
// TODO: log or panic here?
panic(errors.Wrap(err, "authority.crlGenerator encountered an error"))
}
} }
} }
}() }
} }()
return nil return nil
} }

4
authority/tls.go
View file

@ -480,12 +480,12 @@ func (a *Authority) revokeSSH(crt *ssh.Certificate, rci *db.RevokedCertificateIn
// error if the underlying AuthDB does not support CRLs // error if the underlying AuthDB does not support CRLs
func (a *Authority) GetCertificateRevocationList() ([]byte, error) { func (a *Authority) GetCertificateRevocationList() ([]byte, error) {
if a.config.CRL == nil { if a.config.CRL == nil {
return nil, errs.Wrap(http.StatusInternalServerError, errors.Errorf("Certificate Revocation Lists are not enabled"), "authority.GetCertificateRevocationList") return nil, errs.Wrap(http.StatusNotFound, errors.Errorf("Certificate Revocation Lists are not enabled"), "authority.GetCertificateRevocationList")
} }
crlDB, ok := a.db.(db.CertificateRevocationListDB) crlDB, ok := a.db.(db.CertificateRevocationListDB)
if !ok { if !ok {
return nil, errs.Wrap(http.StatusInternalServerError, errors.Errorf("Database does not support Certificate Revocation Lists"), "authority.GetCertificateRevocationList") return nil, errs.Wrap(http.StatusNotImplemented, errors.Errorf("Database does not support Certificate Revocation Lists"), "authority.GetCertificateRevocationList")
} }
crlInfo, err := crlDB.GetCRL() crlInfo, err := crlDB.GetCRL()