Validate revocation serial number

This commit is contained in:
max furman 2022-08-09 11:04:00 -07:00
parent 3e2729e391
commit 7052a32c2c
3 changed files with 19 additions and 8 deletions

View file

@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
### Changed ### Changed
- Certificates signed by an issuer using an RSA key will be signed using the same algorithm as the issuer certificate was signed with. The signature will no longer default to PKCS #1. For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256. - Certificates signed by an issuer using an RSA key will be signed using the same algorithm as the issuer certificate was signed with. The signature will no longer default to PKCS #1. For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256.
- Support two latest versions of Go (1.18, 1.19) - Support two latest versions of Go (1.18, 1.19)
- Vadlidate revocation serial number (either base 10 or prefixed with an appropriate base)
## [0.20.0] - 2022-05-26 ## [0.20.0] - 2022-05-26
### Added ### Added

View file

@ -1,6 +1,7 @@
package api package api
import ( import (
"math/big"
"net/http" "net/http"
"golang.org/x/crypto/ocsp" "golang.org/x/crypto/ocsp"
@ -33,6 +34,11 @@ func (r *RevokeRequest) Validate() (err error) {
if r.Serial == "" { if r.Serial == "" {
return errs.BadRequest("missing serial") return errs.BadRequest("missing serial")
} }
sn, ok := new(big.Int).SetString(r.Serial, 0)
if !ok {
return errs.BadRequest("'%s' is not a valid serial number - use a base 10 representation or add a prefix indicating the base", r.Serial)
}
r.Serial = sn.String()
if r.ReasonCode < ocsp.Unspecified || r.ReasonCode > ocsp.AACompromise { if r.ReasonCode < ocsp.Unspecified || r.ReasonCode > ocsp.AACompromise {
return errs.BadRequest("reasonCode out of bounds") return errs.BadRequest("reasonCode out of bounds")
} }

View file

@ -31,9 +31,13 @@ func TestRevokeRequestValidate(t *testing.T) {
rr: &RevokeRequest{}, rr: &RevokeRequest{},
err: &errs.Error{Err: errors.New("missing serial"), Status: http.StatusBadRequest}, err: &errs.Error{Err: errors.New("missing serial"), Status: http.StatusBadRequest},
}, },
"error/bad sn": {
rr: &RevokeRequest{Serial: "sn"},
err: &errs.Error{Err: errors.New("'sn' is not a valid serial number - use a base 10 representation or add a prefix indicating the base"), Status: http.StatusBadRequest},
},
"error/bad reasonCode": { "error/bad reasonCode": {
rr: &RevokeRequest{ rr: &RevokeRequest{
Serial: "sn", Serial: "10",
ReasonCode: 15, ReasonCode: 15,
Passive: true, Passive: true,
}, },
@ -41,7 +45,7 @@ func TestRevokeRequestValidate(t *testing.T) {
}, },
"error/non-passive not implemented": { "error/non-passive not implemented": {
rr: &RevokeRequest{ rr: &RevokeRequest{
Serial: "sn", Serial: "10",
ReasonCode: 8, ReasonCode: 8,
Passive: false, Passive: false,
}, },
@ -49,7 +53,7 @@ func TestRevokeRequestValidate(t *testing.T) {
}, },
"ok": { "ok": {
rr: &RevokeRequest{ rr: &RevokeRequest{
Serial: "sn", Serial: "10",
ReasonCode: 9, ReasonCode: 9,
Passive: true, Passive: true,
}, },
@ -97,7 +101,7 @@ func Test_caHandler_Revoke(t *testing.T) {
}, },
"200/ott": func(t *testing.T) test { "200/ott": func(t *testing.T) test {
input, err := json.Marshal(RevokeRequest{ input, err := json.Marshal(RevokeRequest{
Serial: "sn", Serial: "10",
ReasonCode: 4, ReasonCode: 4,
Reason: "foo", Reason: "foo",
OTT: "valid", OTT: "valid",
@ -114,7 +118,7 @@ func Test_caHandler_Revoke(t *testing.T) {
revoke: func(ctx context.Context, opts *authority.RevokeOptions) error { revoke: func(ctx context.Context, opts *authority.RevokeOptions) error {
assert.True(t, opts.PassiveOnly) assert.True(t, opts.PassiveOnly)
assert.False(t, opts.MTLS) assert.False(t, opts.MTLS)
assert.Equals(t, opts.Serial, "sn") assert.Equals(t, opts.Serial, "10")
assert.Equals(t, opts.ReasonCode, 4) assert.Equals(t, opts.ReasonCode, 4)
assert.Equals(t, opts.Reason, "foo") assert.Equals(t, opts.Reason, "foo")
return nil return nil
@ -125,7 +129,7 @@ func Test_caHandler_Revoke(t *testing.T) {
}, },
"400/no OTT and no peer certificate": func(t *testing.T) test { "400/no OTT and no peer certificate": func(t *testing.T) test {
input, err := json.Marshal(RevokeRequest{ input, err := json.Marshal(RevokeRequest{
Serial: "sn", Serial: "10",
ReasonCode: 4, ReasonCode: 4,
Passive: true, Passive: true,
}) })
@ -176,7 +180,7 @@ func Test_caHandler_Revoke(t *testing.T) {
}, },
"500/ott authority.Revoke": func(t *testing.T) test { "500/ott authority.Revoke": func(t *testing.T) test {
input, err := json.Marshal(RevokeRequest{ input, err := json.Marshal(RevokeRequest{
Serial: "sn", Serial: "10",
ReasonCode: 4, ReasonCode: 4,
Reason: "foo", Reason: "foo",
OTT: "valid", OTT: "valid",
@ -198,7 +202,7 @@ func Test_caHandler_Revoke(t *testing.T) {
}, },
"403/ott authority.Revoke": func(t *testing.T) test { "403/ott authority.Revoke": func(t *testing.T) test {
input, err := json.Marshal(RevokeRequest{ input, err := json.Marshal(RevokeRequest{
Serial: "sn", Serial: "10",
ReasonCode: 4, ReasonCode: 4,
Reason: "foo", Reason: "foo",
OTT: "valid", OTT: "valid",