feat: Allows defining the reason for the certificate revocation (#1511)
This commit is contained in:
parent
88f62f106d
commit
df54dd233a
3 changed files with 38 additions and 7 deletions
|
@ -7,16 +7,33 @@ import (
|
||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Challenge statuses.
|
// ACME status values of Account, Order, Authorization and Challenge objects.
|
||||||
// https://tools.ietf.org/html/rfc8555#section-7.1.6
|
// See https://tools.ietf.org/html/rfc8555#section-7.1.6 for details.
|
||||||
const (
|
const (
|
||||||
StatusPending = "pending"
|
|
||||||
StatusInvalid = "invalid"
|
|
||||||
StatusValid = "valid"
|
|
||||||
StatusProcessing = "processing"
|
|
||||||
StatusDeactivated = "deactivated"
|
StatusDeactivated = "deactivated"
|
||||||
StatusExpired = "expired"
|
StatusExpired = "expired"
|
||||||
|
StatusInvalid = "invalid"
|
||||||
|
StatusPending = "pending"
|
||||||
|
StatusProcessing = "processing"
|
||||||
|
StatusReady = "ready"
|
||||||
StatusRevoked = "revoked"
|
StatusRevoked = "revoked"
|
||||||
|
StatusUnknown = "unknown"
|
||||||
|
StatusValid = "valid"
|
||||||
|
)
|
||||||
|
|
||||||
|
// CRL reason codes as defined in RFC 5280.
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1
|
||||||
|
const (
|
||||||
|
CRLReasonUnspecified uint = 0
|
||||||
|
CRLReasonKeyCompromise uint = 1
|
||||||
|
CRLReasonCACompromise uint = 2
|
||||||
|
CRLReasonAffiliationChanged uint = 3
|
||||||
|
CRLReasonSuperseded uint = 4
|
||||||
|
CRLReasonCessationOfOperation uint = 5
|
||||||
|
CRLReasonCertificateHold uint = 6
|
||||||
|
CRLReasonRemoveFromCRL uint = 8
|
||||||
|
CRLReasonPrivilegeWithdrawn uint = 9
|
||||||
|
CRLReasonAACompromise uint = 10
|
||||||
)
|
)
|
||||||
|
|
||||||
// Directory the ACME directory object.
|
// Directory the ACME directory object.
|
||||||
|
|
|
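Review bot: The new CRLReason* constants are plain `uint` values rather than a named type, so nothing in this package distinguishes a valid code from 7 (which RFC 5280 leaves unassigned) or anything above 10, and the CLI in the same commit passes the flag value straight through to this type. A named `type CRLReason uint` or a small validity helper would let the compiler and the client reject such values before they reach the CA. At minimum the block should say why the sequence skips a value, e.g. `// Reason code 7 is unassigned in RFC 5280 and is intentionally absent.`, and note that RFC 8555 section 7.6 permits a server to accept only a subset of these codes, so a valid code can still be refused by a given CA.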
@ -365,6 +365,11 @@ func (c *Certifier) checkResponse(order acme.ExtendedOrder, certRes *Resource, b
|
||||||
|
|
||||||
// Revoke takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
|
// Revoke takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
|
||||||
func (c *Certifier) Revoke(cert []byte) error {
|
func (c *Certifier) Revoke(cert []byte) error {
|
||||||
|
return c.RevokeWithReason(cert, nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RevokeWithReason takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
|
||||||
|
func (c *Certifier) RevokeWithReason(cert []byte, reason *uint) error {
|
||||||
certificates, err := certcrypto.ParsePEMBundle(cert)
|
certificates, err := certcrypto.ParsePEMBundle(cert)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -377,6 +382,7 @@ func (c *Certifier) Revoke(cert []byte) error {
|
||||||
|
|
||||||
revokeMsg := acme.RevokeCertMessage{
|
revokeMsg := acme.RevokeCertMessage{
|
||||||
Certificate: base64.RawURLEncoding.EncodeToString(x509Cert.Raw),
|
Certificate: base64.RawURLEncoding.EncodeToString(x509Cert.Raw),
|
||||||
|
Reason: reason,
|
||||||
}
|
}
|
||||||
|
|
||||||
return c.core.Certificates.Revoke(revokeMsg)
|
return c.core.Certificates.Revoke(revokeMsg)
|
||||||
|
|
|
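Review bot: The doc comment on RevokeWithReason repeats Revoke's comment word for word and says nothing about the new `reason` parameter, in particular that nil is the "no reason given" case that Revoke now uses and that a non-nil value is expected to be one of the acme.CRLReason* codes. Suggested wording: `// RevokeWithReason takes a PEM encoded certificate or bundle and tries to revoke it at the CA. A nil reason omits the reason code from the request; otherwise it should be one of the acme.CRLReason* values (RFC 5280 section 5.3.1).` Whether a nil reason really is omitted from the wire message depends on the `Reason` field's JSON tag in acme.RevokeCertMessage, which this diff does not show — worth confirming that it carries `omitempty`, since sending `"reason": null` is not the same as leaving the field out. The body of RevokeWithReason continues between the two hunks and past the second one, so the parse and x509 handling is outside this view.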
@ -1,6 +1,7 @@
|
||||||
package cmd
|
package cmd
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"github.com/go-acme/lego/v4/acme"
|
||||||
"github.com/go-acme/lego/v4/log"
|
"github.com/go-acme/lego/v4/log"
|
||||||
"github.com/urfave/cli"
|
"github.com/urfave/cli"
|
||||||
)
|
)
|
||||||
|
@ -15,6 +16,11 @@ func createRevoke() cli.Command {
|
||||||
Name: "keep, k",
|
Name: "keep, k",
|
||||||
Usage: "Keep the certificates after the revocation instead of archiving them.",
|
Usage: "Keep the certificates after the revocation instead of archiving them.",
|
||||||
},
|
},
|
||||||
|
cli.UintFlag{
|
||||||
|
Name: "reason",
|
||||||
|
Usage: "Identifies the reason for the certificate revocation. See https://tools.ietf.org/html/rfc5280#section-5.3.1. 0(unspecified),1(keyCompromise),2(cACompromise),3(affiliationChanged),4(superseded),5(cessationOfOperation),6(certificateHold),8(removeFromCRL),9(privilegeWithdrawn),10(aACompromise)",
|
||||||
|
Value: acme.CRLReasonUnspecified,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -37,7 +43,9 @@ func revoke(ctx *cli.Context) error {
|
||||||
log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
|
log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = client.Certificate.Revoke(certBytes)
|
reason := ctx.Uint("reason")
|
||||||
|
|
||||||
|
err = client.Certificate.RevokeWithReason(certBytes, &reason)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
|
log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
|
||||||
}
|
}
|
||||||
|
|
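Review bot: `reason := ctx.Uint("reason")` followed by `RevokeWithReason(certBytes, &reason)` means the CLI now always sends a reason code, defaulting to 0 (unspecified), whereas the previous `client.Certificate.Revoke(certBytes)` sent none; that is probably acceptable but it is a wire-level change the commit message does not mention. The flag is also forwarded without any check, so `--reason 7` or `--reason 42` reaches the CA, which will only report the rejection after the request round-trip; a guard before the call, such as `if reason == 7 || reason > acme.CRLReasonAACompromise { log.Fatalf("Invalid revocation reason %d, see RFC 5280 section 5.3.1", reason) }`, would fail fast with a message the user can act on, consistent with the `log.Fatalf` style already used in this function. The enclosing `revoke` function starts before the hunk.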