feat: Allows defining the reason for the certificate revocation (#1511)

2021-10-21 20:36:11 +02:00 · 2021-10-21 20:36:11 +02:00 · df54dd233a
commit df54dd233a
parent 88f62f106d
3 changed files with 38 additions and 7 deletions
--- a/acme/commons.go
+++ b/acme/commons.go
@ -7,16 +7,33 @@ import (
 	"time"
 )

-// Challenge statuses.
-// https://tools.ietf.org/html/rfc8555#section-7.1.6
+// ACME status values of Account, Order, Authorization and Challenge objects.
+// See https://tools.ietf.org/html/rfc8555#section-7.1.6 for details.
 const (
-	StatusPending     = "pending"
-	StatusInvalid     = "invalid"
-	StatusValid       = "valid"
-	StatusProcessing  = "processing"
 	StatusDeactivated = "deactivated"
 	StatusExpired     = "expired"
+	StatusInvalid     = "invalid"
+	StatusPending     = "pending"
+	StatusProcessing  = "processing"
+	StatusReady       = "ready"
 	StatusRevoked     = "revoked"
+	StatusUnknown     = "unknown"
+	StatusValid       = "valid"
+)
+
+// CRL reason codes as defined in RFC 5280.
+// https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1
+const (
+	CRLReasonUnspecified          uint = 0
+	CRLReasonKeyCompromise        uint = 1
+	CRLReasonCACompromise         uint = 2
+	CRLReasonAffiliationChanged   uint = 3
+	CRLReasonSuperseded           uint = 4
+	CRLReasonCessationOfOperation uint = 5
+	CRLReasonCertificateHold      uint = 6
+	CRLReasonRemoveFromCRL        uint = 8
+	CRLReasonPrivilegeWithdrawn   uint = 9
+	CRLReasonAACompromise         uint = 10
 )

 // Directory the ACME directory object.
--- a/certificate/certificates.go
+++ b/certificate/certificates.go
@ -365,6 +365,11 @@ func (c *Certifier) checkResponse(order acme.ExtendedOrder, certRes *Resource, b

 // Revoke takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
 func (c *Certifier) Revoke(cert []byte) error {
+	return c.RevokeWithReason(cert, nil)
+}
+
+// RevokeWithReason takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
+func (c *Certifier) RevokeWithReason(cert []byte, reason *uint) error {
 	certificates, err := certcrypto.ParsePEMBundle(cert)
 	if err != nil {
 		return err
@ -377,6 +382,7 @@ func (c *Certifier) Revoke(cert []byte) error {

 	revokeMsg := acme.RevokeCertMessage{
 		Certificate: base64.RawURLEncoding.EncodeToString(x509Cert.Raw),
+		Reason:      reason,
 	}

 	return c.core.Certificates.Revoke(revokeMsg)
--- a/cmd/cmd_revoke.go
+++ b/cmd/cmd_revoke.go
@ -1,6 +1,7 @@
 package cmd

 import (
+	"github.com/go-acme/lego/v4/acme"
 	"github.com/go-acme/lego/v4/log"
 	"github.com/urfave/cli"
 )
@ -15,6 +16,11 @@ func createRevoke() cli.Command {
 				Name:  "keep, k",
 				Usage: "Keep the certificates after the revocation instead of archiving them.",
 			},
+			cli.UintFlag{
+				Name:  "reason",
+				Usage: "Identifies the reason for the certificate revocation. See https://tools.ietf.org/html/rfc5280#section-5.3.1. 0(unspecified),1(keyCompromise),2(cACompromise),3(affiliationChanged),4(superseded),5(cessationOfOperation),6(certificateHold),8(removeFromCRL),9(privilegeWithdrawn),10(aACompromise)",
+				Value: acme.CRLReasonUnspecified,
+			},
 		},
 	}
 }
@ -37,7 +43,9 @@ func revoke(ctx *cli.Context) error {
 			log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
 		}

-		err = client.Certificate.Revoke(certBytes)
+		reason := ctx.Uint("reason")
+
+		err = client.Certificate.RevokeWithReason(certBytes, &reason)
 		if err != nil {
 			log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
 		}