-
Notifications
You must be signed in to change notification settings - Fork 1
/
crl.go
163 lines (141 loc) · 4.34 KB
/
crl.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
// Copyright certyaml authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package certyaml
import (
"bytes"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"math/big"
"os"
"sync"
"time"
)
// CRL defines properties for generating CRL files.
type CRL struct {
// ThisUpdate is the issue date of this CRL.
// Default value is current time (when value is nil).
ThisUpdate *time.Time
// NextUpdate indicates the date by which the next CRL will be issued.
// Default value is ThisUpdate + one week (when value is nil).
NextUpdate *time.Time
// Revoked is the list of Certificates that will be included in the CRL.
// All Certificates must be issued by the same Issuer.
// Self-signed certificates cannot be added.
Revoked []*Certificate
// Issuer is the CA certificate issuing this CRL.
// If not set, it defaults to the issuer of certificates added to Revoked list.
Issuer *Certificate
// mutex ensures that only single goroutine can generate CRL concurrently.
mutex sync.Mutex
}
// Add appends a Certificate to CRL list.
// All Certificates must be issued by the same Issuer.
// Self-signed certificates cannot be added.
// Error is not nil if adding fails.
func (crl *CRL) Add(cert *Certificate) error {
if cert.Issuer == nil {
return fmt.Errorf("cannot revoke self-signed certificate: %s", cert.Subject)
}
if len(crl.Revoked) > 0 && (crl.Revoked[0].Issuer != cert.Issuer) {
return fmt.Errorf("CRL can contain certificates for single issuer only")
}
crl.Revoked = append(crl.Revoked, cert)
return nil
}
// DER returns the CRL as DER buffer.
// Error is not nil if generation fails.
func (crl *CRL) DER() (crlBytes []byte, err error) {
crl.mutex.Lock()
defer crl.mutex.Unlock()
if crl.Issuer == nil {
if len(crl.Revoked) == 0 {
return nil, fmt.Errorf("issuer not known: either set Issuer or add certificates to the CRL")
}
crl.Issuer = crl.Revoked[0].Issuer
}
effectiveRevocationTime := time.Now()
if crl.ThisUpdate != nil {
effectiveRevocationTime = *crl.ThisUpdate
}
week := 24 * 7 * time.Hour
effectiveExpiry := effectiveRevocationTime.UTC().Add(week)
if crl.NextUpdate != nil {
effectiveExpiry = *crl.NextUpdate
}
var revokedCerts []pkix.RevokedCertificate
for _, c := range crl.Revoked {
err := c.ensureGenerated()
if err != nil {
return nil, err
}
if c.Issuer == nil {
return nil, fmt.Errorf("cannot revoke self-signed certificate: %s", c.Subject)
} else if c.Issuer != crl.Issuer {
return nil, fmt.Errorf("revoked certificates added from several issuers, or certificate does not match explicitly set Issuer")
}
revokedCerts = append(revokedCerts, pkix.RevokedCertificate{
SerialNumber: c.SerialNumber,
RevocationTime: effectiveRevocationTime,
})
}
ca, err := crl.Issuer.X509Certificate()
if err != nil {
return nil, err
}
privateKey, err := crl.Issuer.PrivateKey()
if err != nil {
return nil, err
}
template := &x509.RevocationList{
Number: big.NewInt(0),
ThisUpdate: effectiveRevocationTime,
NextUpdate: effectiveExpiry,
RevokedCertificates: revokedCerts,
}
return x509.CreateRevocationList(rand.Reader, template, &ca, privateKey)
}
// PEM returns the CRL as PEM buffer.
// Error is not nil if generation fails.
func (crl *CRL) PEM() (crlBytes []byte, err error) {
derBytes, err := crl.DER()
if err != nil {
return nil, err
}
var buf bytes.Buffer
err = pem.Encode(&buf, &pem.Block{
Type: "X509 CRL",
Bytes: derBytes,
})
if err != nil {
return nil, err
}
crlBytes = append(crlBytes, buf.Bytes()...) // Create copy of underlying buf.
return
}
// WritePEM writes the CRL as PEM file.
// Error is not nil if writing fails.
func (crl *CRL) WritePEM(crlFile string) error {
pemBytes, err := crl.PEM()
if err != nil {
return err
}
err = os.WriteFile(crlFile, pemBytes, 0600)
if err != nil {
return err
}
return nil
}