From df54dd233a991b8c7e3cd244dfac13dc7bf8e82c Mon Sep 17 00:00:00 2001
From: Ludovic Fernandez
Date: Thu, 21 Oct 2021 20:36:11 +0200
Subject: [PATCH] feat: Allows defining the reason for the certificate revocation (#1511)

---
 acme/commons.go | 29 +++++++++++++++++++++++------
 certificate/certificates.go | 6 ++++++
 cmd/cmd_revoke.go | 10 +++++++++-
 3 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/acme/commons.go b/acme/commons.go
index 9635c6bd..721a478d 100644
--- a/acme/commons.go
+++ b/acme/commons.go
@@ -7,16 +7,33 @@ import (
 	"time"
 )
 
-// Challenge statuses.
-// https://tools.ietf.org/html/rfc8555#section-7.1.6
+// ACME status values of Account, Order, Authorization and Challenge objects.
+// See https://tools.ietf.org/html/rfc8555#section-7.1.6 for details.
 const (
-	StatusPending     = "pending"
-	StatusInvalid     = "invalid"
-	StatusValid       = "valid"
-	StatusProcessing  = "processing"
 	StatusDeactivated = "deactivated"
 	StatusExpired     = "expired"
+	StatusInvalid     = "invalid"
+	StatusPending     = "pending"
+	StatusProcessing  = "processing"
+	StatusReady       = "ready"
 	StatusRevoked     = "revoked"
+	StatusUnknown     = "unknown"
+	StatusValid       = "valid"
+)
+
+// CRL reason codes as defined in RFC 5280.
+// https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1
+const (
+	CRLReasonUnspecified          uint = 0
+	CRLReasonKeyCompromise        uint = 1
+	CRLReasonCACompromise         uint = 2
+	CRLReasonAffiliationChanged   uint = 3
+	CRLReasonSuperseded           uint = 4
+	CRLReasonCessationOfOperation uint = 5
+	CRLReasonCertificateHold      uint = 6
+	CRLReasonRemoveFromCRL        uint = 8
+	CRLReasonPrivilegeWithdrawn   uint = 9
+	CRLReasonAACompromise         uint = 10
 )
 
 // Directory the ACME directory object.
diff --git a/certificate/certificates.go b/certificate/certificates.go
index 497fe3dd..8f1a3d7e 100644
--- a/certificate/certificates.go
+++ b/certificate/certificates.go
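Review bot: The new CRL reason block jumps from `CRLReasonCertificateHold uint = 6` to `CRLReasonRemoveFromCRL uint = 8` with no explanation, and a maintainer "filling the gap" would mint a code that RFC 5280 §5.3.1 leaves unused and that no conformant CA accepts. Add above the `= 8` line: `// Reason code 7 is unused in RFC 5280 §5.3.1 and deliberately has no constant.` It is also worth a one-line note on `CRLReasonRemoveFromCRL` that RFC 5280 defines removeFromCRL as a delta-CRL entry code rather than a reason a subscriber would give in a revocation request, so an ACME server may well (not verified here) answer it with badRevocationReason; without that note every exported constant reads as a valid argument to the revocation API.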
@@ -365,6 +365,11 @@ func (c *Certifier) checkResponse(order acme.ExtendedOrder, certRes *Resource, b
 
 // Revoke takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
 func (c *Certifier) Revoke(cert []byte) error {
+	return c.RevokeWithReason(cert, nil)
+}
+
+// RevokeWithReason takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
+func (c *Certifier) RevokeWithReason(cert []byte, reason *uint) error {
 	certificates, err := certcrypto.ParsePEMBundle(cert)
 	if err != nil {
 		return err
@@ -377,6 +382,7 @@ func (c *Certifier) Revoke(cert []byte) error {
 
 	revokeMsg := acme.RevokeCertMessage{
 		Certificate: base64.RawURLEncoding.EncodeToString(x509Cert.Raw),
+		Reason:      reason,
 	}
 
 	return c.core.Certificates.Revoke(revokeMsg)
diff --git a/cmd/cmd_revoke.go b/cmd/cmd_revoke.go
index 6d2176b3..187baf31 100644
--- a/cmd/cmd_revoke.go
+++ b/cmd/cmd_revoke.go
@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"github.com/go-acme/lego/v4/acme"
 	"github.com/go-acme/lego/v4/log"
 	"github.com/urfave/cli"
 )
@@ -15,6 +16,11 @@ func createRevoke() cli.Command {
 				Name:  "keep, k",
 				Usage: "Keep the certificates after the revocation instead of archiving them.",
 			},
+			cli.UintFlag{
+				Name:  "reason",
+				Usage: "Identifies the reason for the certificate revocation. See https://tools.ietf.org/html/rfc5280#section-5.3.1. 0(unspecified),1(keyCompromise),2(cACompromise),3(affiliationChanged),4(superseded),5(cessationOfOperation),6(certificateHold),8(removeFromCRL),9(privilegeWithdrawn),10(aACompromise)",
+				Value: acme.CRLReasonUnspecified,
+			},
 		},
 	}
 }
@@ -37,7 +43,9 @@ func revoke(ctx *cli.Context) error {
 		log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
 	}
 
-	err = client.Certificate.Revoke(certBytes)
+	reason := ctx.Uint("reason")
+
+	err = client.Certificate.RevokeWithReason(certBytes, &reason)
 	if err != nil {
 		log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
 	}
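Review bot: `RevokeWithReason` forwards whatever `*uint` it is given straight into `acme.RevokeCertMessage`, so a caller passing 7 or anything above 10 sends a code RFC 5280 does not define and only finds out from the CA's badRevocationReason response, after the bundle has already been parsed. Reject it before `ParsePEMBundle`, using whichever of `fmt`/`errors` the file already imports: `if reason != nil && (*reason == 7 || *reason > acme.CRLReasonAACompromise) { return fmt.Errorf("invalid revocation reason code %d", *reason) }`. The new doc comment is a verbatim copy of `Revoke`'s and never mentions `reason`; it should state that `nil` omits the field, which lets the CA leave out the reasonCode extension (RFC 8555 §7.6), while a pointer to 0 explicitly requests "unspecified", and that the CA may still reject codes it does not allow. The function body continues past the end of the hunk.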
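Review bot: The last hunk changes the default wire behaviour of `lego revoke`: `reason := ctx.Uint("reason")` is 0 when the flag is not given and `&reason` is never nil, so every revocation now carries `"reason": 0` where the old `Revoke` call sent no reason at all, and RFC 8555 §7.6 lets a server disallow any code, 0 included, with badRevocationReason. Keep the old default unless the user asked for a reason, e.g. `var reason *uint` then `if ctx.IsSet("reason") { r := ctx.Uint("reason"); reason = &r }` and `err = client.Certificate.RevokeWithReason(certBytes, reason)` (assuming this urfave/cli version's `IsSet` ignores the `Value` default, which it appears to). The `Usage` string of the new flag should also warn that 7 and values above 10 are undefined and will be refused, since `cli.UintFlag` performs no range check. The body of `revoke` begins outside the hunk.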