Add /crl and /1.0/crl to the insecure HTTP handler

Herman Slatman 2023-05-02 14:58:32 +02:00
parent cb1dc8055d
commit 60a4512abe
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F


@ -196,7 +196,11 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
api.Route(r)
})
//Add ACME api endpoints in /acme and /1.0/acme
// Mount the CRL to the insecure mux
insecureMux.Get("/crl", api.CRL)
insecureMux.Get("/1.0/crl", api.CRL)
// Add ACME api endpoints in /acme and /1.0/acme
dns := cfg.DNSNames[0]
u, err := url.Parse("https://" + cfg.Address)
if err != nil {
@ -276,6 +280,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
// helpful routine for logging all routes
//dumpRoutes(mux)
//dumpRoutes(insecureMux)
// Add monitoring if configured
if len(cfg.Monitoring) > 0 {
@ -307,7 +312,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
// only start the insecure server if the insecure address is configured
// and, currently, also only when it should serve SCEP endpoints.
if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
if ca.shouldServeInsecureServer() {
// TODO: instead opt for having a single server.Server but two
// http.Servers handling the HTTP and HTTPS handler? The latter
// will probably introduce more complexity in terms of graceful
@ -321,6 +326,23 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
return ca, nil
}
// shouldServeInsecureServer returns whether or not the insecure
// server should also be started. This is (currently) only the case
// if the insecure address has been configured AND when a SCEP
// provisioner is configured or when a CRL is configured.
func (ca *CA) shouldServeInsecureServer() bool {
switch {
case ca.config.InsecureAddress == "":
return false
case ca.shouldServeSCEPEndpoints():
return true
case ca.config.CRL != nil && ca.config.CRL.Enabled:
return true
default:
return false
}
}
// buildContext builds the server base context.
func buildContext(a *authority.Authority, scepAuthority *scep.Authority, acmeDB acme.DB, acmeLinker acme.Linker) context.Context {
ctx := authority.NewContext(context.Background(), a)
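Review bot: The two `insecureMux.Get` calls for `/crl` and `/1.0/crl` in the first hunk are unconditional, while the new `shouldServeInsecureServer` only counts the CRL when `ca.config.CRL != nil && ca.config.CRL.Enabled`, so a deployment that starts the plaintext listener for SCEP alone also gets the CRL routes on it. What `api.CRL` returns when the CRL is disabled is not visible in this diff; if serving it there is not intended, guard the mount with the same condition, e.g. `if cfg.CRL != nil && cfg.CRL.Enabled { insecureMux.Get("/crl", api.CRL); insecureMux.Get("/1.0/crl", api.CRL) }` (assuming `cfg` and `ca.config` refer to the same configuration). The doc comment on `shouldServeInsecureServer` could also state that a configured `InsecureAddress` plus an enabled CRL now starts an HTTP listener that the old SCEP-only condition did not, and that the CRL's integrity on that channel rests on its signature, which clients must verify. `Init` begins and ends outside these hunks.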