2015-05-15 16:13:05 +00:00
|
|
|
package pki
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/rand"
|
|
|
|
"crypto/x509"
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
"fmt"
|
2015-06-12 02:28:13 +00:00
|
|
|
"sync"
|
2015-05-15 16:13:05 +00:00
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
)
|
|
|
|
|
|
|
|
type revocationInfo struct {
|
|
|
|
CertificateBytes []byte `json:"certificate_bytes"`
|
2015-06-15 17:33:23 +00:00
|
|
|
RevocationTime int64 `json:"revocation_time"`
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
var (
|
2015-06-12 02:28:13 +00:00
|
|
|
crlLifetime = time.Hour * 72
|
|
|
|
revokeStorageLock = &sync.Mutex{}
|
2015-06-12 01:57:05 +00:00
|
|
|
)
|
|
|
|
|
2015-05-15 16:13:05 +00:00
|
|
|
func revokeCert(req *logical.Request, serial string) (*logical.Response, error) {
|
2015-06-12 01:57:05 +00:00
|
|
|
alreadyRevoked := false
|
|
|
|
var err error
|
|
|
|
|
|
|
|
revInfo := revocationInfo{}
|
|
|
|
|
2015-05-15 16:13:05 +00:00
|
|
|
certEntry, userErr, intErr := fetchCertBySerial(req, "revoked/", serial)
|
|
|
|
if certEntry != nil {
|
2015-06-12 01:57:05 +00:00
|
|
|
// Verify that it is also deleted from certs/
|
|
|
|
// in case of partial failure from an earlier run.
|
|
|
|
certEntry, _, _ = fetchCertBySerial(req, "certs/", serial)
|
|
|
|
if certEntry != nil {
|
|
|
|
alreadyRevoked = true
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
revEntry, err := req.Storage.Get("revoked/" + serial)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Error getting existing revocation info")
|
|
|
|
}
|
2015-06-12 02:28:13 +00:00
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
err = revEntry.DecodeJSON(&revInfo)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Error decoding existing revocation info")
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
return nil, nil
|
|
|
|
}
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
if !alreadyRevoked {
|
|
|
|
certEntry, userErr, intErr = fetchCertBySerial(req, "certs/", serial)
|
|
|
|
switch {
|
|
|
|
case userErr != nil:
|
|
|
|
return logical.ErrorResponse(userErr.Error()), nil
|
|
|
|
case intErr != nil:
|
|
|
|
return nil, intErr
|
|
|
|
}
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
cert, err := x509.ParseCertificate(certEntry.Value)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Error parsing certificate")
|
|
|
|
}
|
|
|
|
if cert == nil {
|
|
|
|
return nil, fmt.Errorf("Got a nil certificate")
|
|
|
|
}
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
if cert.NotAfter.Before(time.Now()) {
|
|
|
|
return nil, nil
|
|
|
|
}
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
revInfo.CertificateBytes = certEntry.Value
|
|
|
|
revInfo.RevocationTime = time.Now().Unix()
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
certEntry, err = logical.StorageEntryJSON("revoked/"+serial, revInfo)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Error creating revocation entry")
|
|
|
|
}
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
err = req.Storage.Put(certEntry)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Error saving revoked certificate to new location")
|
|
|
|
}
|
2015-05-15 16:13:05 +00:00
|
|
|
|
|
|
|
}
|
|
|
|
|
2015-06-15 17:33:23 +00:00
|
|
|
userErr, intErr = buildCRL(req)
|
|
|
|
switch {
|
|
|
|
case userErr != nil:
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", userErr)), nil
|
|
|
|
case intErr != nil:
|
|
|
|
return nil, fmt.Errorf("Error encountered during CRL building: %s", intErr)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
2015-06-12 01:57:05 +00:00
|
|
|
err = req.Storage.Delete("certs/" + serial)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Error deleting cert from valid-certs location")
|
|
|
|
}
|
|
|
|
|
2015-05-15 16:13:05 +00:00
|
|
|
return &logical.Response{
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"revocation_time": revInfo.RevocationTime,
|
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2015-06-15 17:33:23 +00:00
|
|
|
func buildCRL(req *logical.Request) (error, error) {
|
2015-05-15 16:13:05 +00:00
|
|
|
revokedSerials, err := req.Storage.List("revoked/")
|
|
|
|
if err != nil {
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, fmt.Errorf("Error fetching list of revoked certs: %s", err)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
revokedCerts := []pkix.RevokedCertificate{}
|
|
|
|
var revInfo revocationInfo
|
|
|
|
for _, serial := range revokedSerials {
|
|
|
|
revokedEntry, err := req.Storage.Get("revoked/" + serial)
|
|
|
|
if err != nil {
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, fmt.Errorf("Unable to fetch revoked cert with serial %s: %s", serial, err)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
if revokedEntry == nil {
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, fmt.Errorf("Revoked certificate entry for serial %s is nil", serial)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
if revokedEntry.Value == nil || len(revokedEntry.Value) == 0 {
|
|
|
|
// TODO: In this case, remove it and continue? How likely is this to
|
|
|
|
// happen? Alternately, could skip it entirely, or could implement a
|
|
|
|
// delete function so that there is a way to remove these
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, fmt.Errorf("Found revoked serial but actual certificate is empty")
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
err = revokedEntry.DecodeJSON(&revInfo)
|
|
|
|
if err != nil {
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, fmt.Errorf("Error decoding revocation entry for serial %s: %s", serial, err)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
revokedCert, err := x509.ParseCertificate(revInfo.CertificateBytes)
|
|
|
|
if err != nil {
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, fmt.Errorf("Unable to parse stored revoked certificate with serial %s: %s", serial, err)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if revokedCert.NotAfter.Before(time.Now()) {
|
|
|
|
err = req.Storage.Delete(serial)
|
|
|
|
if err != nil {
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, fmt.Errorf("Unable to delete revoked, expired certificate with serial %s: %s", serial, err)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
revokedCerts = append(revokedCerts, pkix.RevokedCertificate{
|
|
|
|
SerialNumber: revokedCert.SerialNumber,
|
|
|
|
RevocationTime: time.Unix(revInfo.RevocationTime, 0),
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2015-06-17 16:43:36 +00:00
|
|
|
signingBundle, caCert, userErr, intErr := fetchCAInfo(req)
|
2015-06-15 17:33:23 +00:00
|
|
|
switch {
|
|
|
|
case userErr != nil:
|
|
|
|
return fmt.Errorf("Could not fetch the CA certificate: %s", userErr), nil
|
|
|
|
case intErr != nil:
|
|
|
|
return nil, fmt.Errorf("Error fetching CA certificate: %s", intErr)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// TODO: Make expiry configurable
|
2015-06-17 16:43:36 +00:00
|
|
|
crlBytes, err := caCert.CreateCRL(rand.Reader, signingBundle.PrivateKey, revokedCerts, time.Now(), time.Now().Add(crlLifetime))
|
2015-05-15 16:13:05 +00:00
|
|
|
if err != nil {
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, fmt.Errorf("Error creating new CRL: %s", err)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
err = req.Storage.Put(&logical.StorageEntry{
|
|
|
|
Key: "crl",
|
|
|
|
Value: crlBytes,
|
|
|
|
})
|
|
|
|
if err != nil {
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, fmt.Errorf("Error storing CRL: %s", err)
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
2015-06-15 17:33:23 +00:00
|
|
|
return nil, nil
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|