feat: Allows defining the reason for the certificate revocation (#1511)

Ludovic Fernandez 2021-10-21 20:36:11 +02:00 committed by GitHub
parent 88f62f106d
commit df54dd233a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 38 additions and 7 deletions


@ -7,16 +7,33 @@ import (
"time" "time"
) )
// Challenge statuses. // ACME status values of Account, Order, Authorization and Challenge objects.
// https://tools.ietf.org/html/rfc8555#section-7.1.6 // See https://tools.ietf.org/html/rfc8555#section-7.1.6 for details.
const ( const (
StatusPending = "pending"
StatusInvalid = "invalid"
StatusValid = "valid"
StatusProcessing = "processing"
StatusDeactivated = "deactivated" StatusDeactivated = "deactivated"
StatusExpired = "expired" StatusExpired = "expired"
StatusInvalid = "invalid"
StatusPending = "pending"
StatusProcessing = "processing"
StatusReady = "ready"
StatusRevoked = "revoked" StatusRevoked = "revoked"
StatusUnknown = "unknown"
StatusValid = "valid"
)
// CRL reason codes as defined in RFC 5280.
// https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1
const (
CRLReasonUnspecified uint = 0
CRLReasonKeyCompromise uint = 1
CRLReasonCACompromise uint = 2
CRLReasonAffiliationChanged uint = 3
CRLReasonSuperseded uint = 4
CRLReasonCessationOfOperation uint = 5
CRLReasonCertificateHold uint = 6
CRLReasonRemoveFromCRL uint = 8
CRLReasonPrivilegeWithdrawn uint = 9
CRLReasonAACompromise uint = 10
) )
// Directory the ACME directory object. // Directory the ACME directory object.
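Review bot: The new exported CRLReason* constants at the end of the hunk share only the block comment, so each name appears in `go doc` without its own description; Go convention is a comment per exported name starting with that name, e.g. `// CRLReasonKeyCompromise indicates the certificate's private key is known or suspected to be compromised.`. The jump from 6 to 8 is correct, but a reader will take it for a typo unless the block comment says so, e.g. `// Value 7 is not defined by RFC 5280 and is intentionally absent.`. Since these values are what callers will hand to RevokeWithReason, documenting them here is where the meaning of each code should live rather than in the CLI usage string.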


@ -365,6 +365,11 @@ func (c *Certifier) checkResponse(order acme.ExtendedOrder, certRes *Resource, b
// Revoke takes a PEM encoded certificate or bundle and tries to revoke it at the CA. // Revoke takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
func (c *Certifier) Revoke(cert []byte) error { func (c *Certifier) Revoke(cert []byte) error {
return c.RevokeWithReason(cert, nil)
}
// RevokeWithReason takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
func (c *Certifier) RevokeWithReason(cert []byte, reason *uint) error {
certificates, err := certcrypto.ParsePEMBundle(cert) certificates, err := certcrypto.ParsePEMBundle(cert)
if err != nil { if err != nil {
return err return err
@ -377,6 +382,7 @@ func (c *Certifier) Revoke(cert []byte) error {
revokeMsg := acme.RevokeCertMessage{ revokeMsg := acme.RevokeCertMessage{
Certificate: base64.RawURLEncoding.EncodeToString(x509Cert.Raw), Certificate: base64.RawURLEncoding.EncodeToString(x509Cert.Raw),
Reason: reason,
} }
return c.core.Certificates.Revoke(revokeMsg) return c.core.Certificates.Revoke(revokeMsg)
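Review bot: RevokeWithReason's doc comment does not say what `reason` means or that a nil pointer omits the field, and the value reaches `Reason: reason` in the RevokeCertMessage unvalidated, so a caller passing 7 (not defined in RFC 5280) or anything above 10 only finds out via a server-side rejection. Suggest extending the comment to `// RevokeWithReason takes a PEM encoded certificate or bundle and tries to revoke it at the CA. reason is an RFC 5280 CRL reason code (see the acme.CRLReason* constants); nil omits the reason from the request.` and, if early feedback is wanted, returning an error for values outside the defined codes before the message is built. Even a defined code may be refused by a CA that does not support it, which is worth a sentence in the same comment. Revoke's comment could also state that it delegates with a nil reason; RevokeWithReason's body continues outside the hunk.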


@ -1,6 +1,7 @@
package cmd package cmd
import ( import (
"github.com/go-acme/lego/v4/acme"
"github.com/go-acme/lego/v4/log" "github.com/go-acme/lego/v4/log"
"github.com/urfave/cli" "github.com/urfave/cli"
) )
@ -15,6 +16,11 @@ func createRevoke() cli.Command {
Name: "keep, k", Name: "keep, k",
Usage: "Keep the certificates after the revocation instead of archiving them.", Usage: "Keep the certificates after the revocation instead of archiving them.",
}, },
cli.UintFlag{
Name: "reason",
Usage: "Identifies the reason for the certificate revocation. See https://tools.ietf.org/html/rfc5280#section-5.3.1. 0(unspecified),1(keyCompromise),2(cACompromise),3(affiliationChanged),4(superseded),5(cessationOfOperation),6(certificateHold),8(removeFromCRL),9(privilegeWithdrawn),10(aACompromise)",
Value: acme.CRLReasonUnspecified,
},
}, },
} }
} }
@ -37,7 +43,9 @@ func revoke(ctx *cli.Context) error {
log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err) log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
} }
err = client.Certificate.Revoke(certBytes) reason := ctx.Uint("reason")
err = client.Certificate.RevokeWithReason(certBytes, &reason)
if err != nil { if err != nil {
log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err) log.Fatalf("Error while revoking the certificate for domain %s\n\t%v", domain, err)
} }