Implement Certificate Revocation List #1379

Closed
wants to merge 1 commit into from
7 changes: 3 additions & 4 deletions certificate-authority/config.yaml
@@ -48,6 +48,7 @@ apis:
tokenTrustVerification:
cacheExpiration: 30s
http:
externalAddress: "https://0.0.0.0:9101"
Member

set to empty string as in coap gw -> you can add a comment line about the format.

address: "0.0.0.0:9101"
readTimeout: 8s
readHeaderTimeout: 4s
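Review bot: `externalAddress: "https://0.0.0.0:9101"` is not a usable default: 0.0.0.0 is a wildcard bind address, so any URL the service derives from this value (a CRL distribution point, for instance) points nowhere for clients. As the comment above suggests, default it to an empty string and add a comment line documenting the expected format (scheme, host and port), so operators see that it must be set to the externally resolvable address of this HTTP endpoint.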
@@ -68,10 +69,6 @@ clients:
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
bulkWrite:
timeout: 1m0s
throttleTime: 500ms
documentLimit: 1000
cqlDB:
table: "signedCertificateRecords"
hosts: []
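Review bot: dropping the `bulkWrite` block (`timeout`, `throttleTime`, `documentLimit`) from `clients` is a breaking change for deployments whose config files still carry those keys; confirm that the config loader ignores or warns on the now-unknown keys instead of failing at startup, and mention the removal in the release notes.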
@@ -115,3 +112,5 @@ signer:
certFile: "/secrets/public/intermediateca.crt"
validFrom: "now-1h"
expiresIn: "87600h"
crl:
expiresIn: "10m"
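Review bot: `crl.expiresIn: "10m"` needs a comment explaining what it controls, presumably the CRL's nextUpdate interval, i.e. how long relying parties may cache a fetched CRL before they must refetch it. A 10-minute validity makes this CA's HTTP endpoint a hard availability dependency for every certificate validation (relying parties that fail closed on a stale CRL will reject otherwise valid certificates during an outage), so the trade-off between revocation latency and availability should be documented next to the value. The key is also easy to confuse with `signer.expiresIn` two lines above it, which governs certificate lifetime.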
12 changes: 9 additions & 3 deletions certificate-authority/pb/README.md
@@ -89,8 +89,8 @@
| ----------- | ------------ | ------------- | ------------|
| SignIdentityCertificate | [SignCertificateRequest](#certificateauthority-pb-SignCertificateRequest) | [SignCertificateResponse](#certificateauthority-pb-SignCertificateResponse) | SignIdentityCertificate sends a Identity Certificate Signing Request to the certificate authority and obtains a signed certificate. Both in the PEM format. It adds EKU: '1.3.6.1.4.1.44924.1.6' . |
| SignCertificate | [SignCertificateRequest](#certificateauthority-pb-SignCertificateRequest) | [SignCertificateResponse](#certificateauthority-pb-SignCertificateResponse) | SignCertificate sends a Certificate Signing Request to the certificate authority and obtains a signed certificate. Both in the PEM format. |
| GetSigningRecords | [GetSigningRecordsRequest](#certificateauthority-pb-GetSigningRecordsRequest) | [SigningRecord](#certificateauthority-pb-SigningRecord) stream | Get signed certficate records. |
| DeleteSigningRecords | [DeleteSigningRecordsRequest](#certificateauthority-pb-DeleteSigningRecordsRequest) | [DeletedSigningRecords](#certificateauthority-pb-DeletedSigningRecords) | Delete signed certficate records. |
| GetSigningRecords | [GetSigningRecordsRequest](#certificateauthority-pb-GetSigningRecordsRequest) | [SigningRecord](#certificateauthority-pb-SigningRecord) stream | Get signed certificate records. |
| DeleteSigningRecords | [DeleteSigningRecordsRequest](#certificateauthority-pb-DeleteSigningRecordsRequest) | [DeletedSigningRecords](#certificateauthority-pb-DeletedSigningRecords) | Revoke signed certficate or delete expired signed certificate records. |



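Review bot: the new DeleteSigningRecords description on the last changed row still carries the typo `certficate` ("Revoke signed certficate or delete ...") that the GetSigningRecords row above it fixes; it should read "Revoke signed certificates or delete expired signed certificate records". This README appears to be generated from service.proto (the same text shows up in doc.html and service.swagger.json in this PR), so correct the comment in the .proto and regenerate rather than editing the generated files by hand.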
@@ -120,6 +120,12 @@
| valid_until_date | [int64](#int64) | | Record valid until date, in unix nanoseconds timestamp format

@gotags: bson:"validUntilDate" |
| serial | [string](#string) | | Serial number of the last certificat issued

@gotags: bson:"serial" |
| issuer_id | [string](#string) | | Issuer id is calculated from the issuer's public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)

@gotags: bson:"issuerId" |



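Review bot: the `serial` description "Serial number of the last certificat issued" has a typo (`certificat`) and is ambiguous: CredentialStatus is per signing record, so state whether this is the serial of the certificate carried in this record or of the most recently issued certificate for the owner. The `issuer_id` text says the id is "calculated from the issuer's public certificate", but the formula `uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)` hashes only the public key, so a re-issued issuer certificate with the same key yields the same id; the description should name the input actually hashed, since CRL lookups by issuer depend on it.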
@@ -145,7 +151,7 @@
<a name="certificateauthority-pb-DeletedSigningRecords"></a>

### DeletedSigningRecords

Revoke or delete certificates


| Field | Type | Label | Description |
24 changes: 21 additions & 3 deletions certificate-authority/pb/doc.html
@@ -346,14 +346,14 @@ <h3 id="certificateauthority.pb.CertificateAuthority">CertificateAuthority</h3>
<td>GetSigningRecords</td>
<td><a href="#certificateauthority.pb.GetSigningRecordsRequest">GetSigningRecordsRequest</a></td>
<td><a href="#certificateauthority.pb.SigningRecord">SigningRecord</a> stream</td>
<td><p>Get signed certficate records.</p></td>
<td><p>Get signed certificate records.</p></td>
</tr>

<tr>
<td>DeleteSigningRecords</td>
<td><a href="#certificateauthority.pb.DeleteSigningRecordsRequest">DeleteSigningRecordsRequest</a></td>
<td><a href="#certificateauthority.pb.DeletedSigningRecords">DeletedSigningRecords</a></td>
<td><p>Delete signed certficate records.</p></td>
<td><p>Revoke signed certficate or delete expired signed certificate records.</p></td>
</tr>

</tbody>
@@ -463,6 +463,24 @@ <h3 id="certificateauthority.pb.CredentialStatus">CredentialStatus</h3>
@gotags: bson:&#34;validUntilDate&#34; </p></td>
</tr>

<tr>
<td>serial</td>
<td><a href="#string">string</a></td>
<td></td>
<td><p>Serial number of the last certificat issued

@gotags: bson:&#34;serial&#34; </p></td>
</tr>

<tr>
<td>issuer_id</td>
<td><a href="#string">string</a></td>
<td></td>
<td><p>Issuer id is calculated from the issuer&#39;s public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)

@gotags: bson:&#34;issuerId&#34; </p></td>
</tr>

</tbody>
</table>

@@ -502,7 +520,7 @@ <h3 id="certificateauthority.pb.DeleteSigningRecordsRequest">DeleteSigningRecord


<h3 id="certificateauthority.pb.DeletedSigningRecords">DeletedSigningRecords</h3>
<p></p>
<p>Revoke or delete certificates</p>


<table class="field-table">
4 changes: 2 additions & 2 deletions certificate-authority/pb/service.proto
@@ -56,7 +56,7 @@ service CertificateAuthority {
};
}

// Get signed certficate records.
// Get signed certificate records.
rpc GetSigningRecords (GetSigningRecordsRequest) returns (stream SigningRecord) {
option (google.api.http) = {
get: "/api/v1/signing/records"
@@ -66,7 +66,7 @@ service CertificateAuthority {
};
};

// Delete signed certficate records.
// Revoke signed certficate or delete expired signed certificate records.
rpc DeleteSigningRecords (DeleteSigningRecordsRequest) returns (DeletedSigningRecords) {
option (google.api.http) = {
delete: "/api/v1/signing/records"
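Review bot: the comment on `DeleteSigningRecords` still has the typo `certficate` and, more importantly, documents a semantic change: an HTTP `DELETE /api/v1/signing/records` on an unexpired record now revokes the certificate (places it on the CRL) instead of only removing a record. Spell out the rule in the comment (which records are revoked, which are deleted, and whether revoked records stay in the store so the CRL keeps listing them until the certificate expires), and confirm that the authorization applied to this RPC is still appropriate now that it can invalidate live credentials.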
17 changes: 14 additions & 3 deletions certificate-authority/pb/service.swagger.json
@@ -98,7 +98,7 @@
},
"/api/v1/signing/records": {
"get": {
"summary": "Get signed certficate records.",
"summary": "Get signed certificate records.",
"operationId": "CertificateAuthority_GetSigningRecords",
"responses": {
"200": {
@@ -163,7 +163,7 @@
]
},
"delete": {
"summary": "Delete signed certficate records.",
"summary": "Revoke signed certficate or delete expired signed certificate records.",
"operationId": "CertificateAuthority_DeleteSigningRecords",
"responses": {
"200": {
@@ -227,6 +227,16 @@
"format": "int64",
"description": "@gotags: bson:\"validUntilDate\"",
"title": "Record valid until date, in unix nanoseconds timestamp format"
},
"serial": {
"type": "string",
"description": "@gotags: bson:\"serial\"",
"title": "Serial number of the last certificat issued"
},
"issuerId": {
"type": "string",
"description": "@gotags: bson:\"issuerId\"",
"title": "Issuer id is calculated from the issuer's public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)"
}
}
},
@@ -238,7 +248,8 @@
"format": "int64",
"description": "Number of deleted records."
}
}
},
"title": "Revoke or delete certificates"
},
"pbSignCertificateRequest": {
"type": "object",
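Review bot: `DeletedSigningRecords` is now titled "Revoke or delete certificates", yet its only field is still described as "Number of deleted records.", so a caller cannot tell how many records were revoked versus deleted. Either report the two counts as separate fields or reword the title and field description to say that the count covers both outcomes.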
8 changes: 4 additions & 4 deletions certificate-authority/pb/service_grpc.pb.go


32 changes: 24 additions & 8 deletions certificate-authority/pb/signingRecords.go
@@ -3,6 +3,7 @@ package pb
import (
"errors"
"fmt"
"math/big"
"sort"

"github.com/google/uuid"
@@ -17,6 +18,26 @@ func (p SigningRecords) Sort() {
})
}

func (credential *CredentialStatus) Validate() error {
if credential.GetDate() == 0 {
return errors.New("empty signing credential date")
}
if credential.GetValidUntilDate() == 0 {
return errors.New("empty signing record credential expiration date")
}
if credential.GetCertificatePem() == "" {
return errors.New("empty signing record credential certificate")
}
serial := big.Int{}
if _, ok := serial.SetString(credential.GetSerial(), 10); !ok {
return errors.New("invalid signing record credential certificate serial number")
}
if _, err := uuid.Parse(credential.GetIssuerId()); err != nil {
return fmt.Errorf("invalid signing record issuer's ID(%v): %w", credential.GetIssuerId(), err)
}
return nil
}

func (signingRecord *SigningRecord) Marshal() ([]byte, error) {
return proto.Marshal(signingRecord)
}
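Review bot: `serial.SetString(credential.GetSerial(), 10)` accepts a leading sign, so a negative serial such as "-1" passes this check, and it places no bound on length; RFC 5280 requires a serial number that is positive and at most 20 octets. Add `serial.Sign() <= 0` (and a length bound on `serial.Bytes()`) to the rejection condition, and include the offending value in the error message as the issuer-id branch already does. Minor: `serial := big.Int{}` is more idiomatically written `var serial big.Int`.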
@@ -43,14 +64,9 @@ func (signingRecord *SigningRecord) Validate() error {
if signingRecord.GetOwner() == "" {
return errors.New("empty signing record owner")
}
if signingRecord.GetCredential() != nil && signingRecord.GetCredential().GetDate() == 0 {
return errors.New("empty signing credential date")
}
if signingRecord.GetCredential() != nil && signingRecord.GetCredential().GetValidUntilDate() == 0 {
return errors.New("empty signing record credential expiration date")
}
if signingRecord.GetCredential() != nil && signingRecord.GetCredential().GetCertificatePem() == "" {
return errors.New("empty signing record credential certificate")
credential := signingRecord.GetCredential()
if credential != nil {
return credential.Validate()
}
return nil
}
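Review bot: delegating to `credential.Validate()` tightens validation in a way that affects already-stored data: `serial` and `issuer_id` are fields introduced by this PR, and `Validate` now rejects an empty serial (`SetString("", 10)` fails) and an empty issuer id (`uuid.Parse("")` fails), so signing records persisted before this change will fail wherever `Validate` is applied to loaded records. Either migrate existing records to populate the two fields or accept empty values for records that predate them.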