open-vault/builtin/logical/pki/crl_util.go

179 lines
4.6 KiB
Go
Raw Normal View History

package pki
import (
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"sync"
"time"
"github.com/hashicorp/vault/logical"
)
type revocationInfo struct {
CertificateBytes []byte `json:"certificate_bytes"`
RevocationTime int64 `json:"unix_time"`
}
var (
crlLifetime = time.Hour * 72
revokeStorageLock = &sync.Mutex{}
)
func revokeCert(req *logical.Request, serial string) (*logical.Response, error) {
alreadyRevoked := false
var err error
revInfo := revocationInfo{}
certEntry, userErr, intErr := fetchCertBySerial(req, "revoked/", serial)
if certEntry != nil {
// Verify that it is also deleted from certs/
// in case of partial failure from an earlier run.
certEntry, _, _ = fetchCertBySerial(req, "certs/", serial)
if certEntry != nil {
alreadyRevoked = true
revEntry, err := req.Storage.Get("revoked/" + serial)
if err != nil {
return nil, fmt.Errorf("Error getting existing revocation info")
}
err = revEntry.DecodeJSON(&revInfo)
if err != nil {
return nil, fmt.Errorf("Error decoding existing revocation info")
}
} else {
return nil, nil
}
}
if !alreadyRevoked {
certEntry, userErr, intErr = fetchCertBySerial(req, "certs/", serial)
switch {
case userErr != nil:
return logical.ErrorResponse(userErr.Error()), nil
case intErr != nil:
return nil, intErr
}
cert, err := x509.ParseCertificate(certEntry.Value)
if err != nil {
return nil, fmt.Errorf("Error parsing certificate")
}
if cert == nil {
return nil, fmt.Errorf("Got a nil certificate")
}
if cert.NotAfter.Before(time.Now()) {
return nil, nil
}
revInfo.CertificateBytes = certEntry.Value
revInfo.RevocationTime = time.Now().Unix()
certEntry, err = logical.StorageEntryJSON("revoked/"+serial, revInfo)
if err != nil {
return nil, fmt.Errorf("Error creating revocation entry")
}
err = req.Storage.Put(certEntry)
if err != nil {
return nil, fmt.Errorf("Error saving revoked certificate to new location")
}
}
err = buildCRL(req)
if err != nil {
return nil, fmt.Errorf("Error encountered during CRL building: %s", err)
}
err = req.Storage.Delete("certs/" + serial)
if err != nil {
return nil, fmt.Errorf("Error deleting cert from valid-certs location")
}
return &logical.Response{
Data: map[string]interface{}{
"revocation_time": revInfo.RevocationTime,
},
}, nil
}
func buildCRL(req *logical.Request) error {
revokedSerials, err := req.Storage.List("revoked/")
if err != nil {
return fmt.Errorf("Error fetching list of revoked certs: %s", err)
}
revokedCerts := []pkix.RevokedCertificate{}
var revInfo revocationInfo
for _, serial := range revokedSerials {
revokedEntry, err := req.Storage.Get("revoked/" + serial)
if err != nil {
return fmt.Errorf("Unable to fetch revoked cert with serial %s: %s", serial, err)
}
if revokedEntry == nil {
return fmt.Errorf("Revoked certificate entry for serial %s is nil", serial)
}
if revokedEntry.Value == nil || len(revokedEntry.Value) == 0 {
// TODO: In this case, remove it and continue? How likely is this to
// happen? Alternately, could skip it entirely, or could implement a
// delete function so that there is a way to remove these
return fmt.Errorf("Found revoked serial but actual certificate is empty")
}
err = revokedEntry.DecodeJSON(&revInfo)
if err != nil {
return fmt.Errorf("Error decoding revocation entry for serial %s: %s", serial, err)
}
revokedCert, err := x509.ParseCertificate(revInfo.CertificateBytes)
if err != nil {
return fmt.Errorf("Unable to parse stored revoked certificate with serial %s: %s", serial, err)
}
if revokedCert.NotAfter.Before(time.Now()) {
err = req.Storage.Delete(serial)
if err != nil {
return fmt.Errorf("Unable to delete revoked, expired certificate with serial %s: %s", serial, err)
}
continue
}
revokedCerts = append(revokedCerts, pkix.RevokedCertificate{
SerialNumber: revokedCert.SerialNumber,
RevocationTime: time.Unix(revInfo.RevocationTime, 0),
})
}
rawSigningBundle, caCert, err := fetchCAInfo(req)
if err != nil {
return fmt.Errorf("Could not fetch the CA certificate")
}
signingPrivKey, err := rawSigningBundle.getSigner()
if err != nil {
return fmt.Errorf("Unable to get signing private key: %s", err)
}
// TODO: Make expiry configurable
crlBytes, err := caCert.CreateCRL(rand.Reader, signingPrivKey, revokedCerts, time.Now(), time.Now().Add(crlLifetime))
if err != nil {
return fmt.Errorf("Error creating new CRL: %s", err)
}
err = req.Storage.Put(&logical.StorageEntry{
Key: "crl",
Value: crlBytes,
})
if err != nil {
return fmt.Errorf("Error storing CRL: %s", err)
}
return nil
}