package revoke
import (
	"crypto/x509"
	"log"
	"os"

	"gitee.com/carlmax_my/console-core-go/pkg/cert"
	"github.com/cloudflare/cfssl/certdb"
	"github.com/cloudflare/cfssl/certinfo"
	"github.com/cloudflare/cfssl/config"
	"github.com/cloudflare/cfssl/crl"
	"github.com/pkg/errors"
	"golang.org/x/crypto/ocsp"
)
// RevokeManager wraps a cfssl certdb.Accessor and offers insert, revoke,
// revocation-status and CRL helpers keyed by a certificate's serial number
// and authority key identifier (AKI).
//
// The zero value is not usable on its own: dbAccessor must be supplied via
// SetDbAccessor before any method that touches the database is called.
type RevokeManager struct {
	// db *sqlx.DB
	// dbAccessor is the certdb backend every database-touching method uses.
	dbAccessor certdb.Accessor
}
// NewRevokeManager returns a RevokeManager with no accessor attached;
// call SetDbAccessor before using any database-backed method.
func NewRevokeManager() *RevokeManager {
	return &RevokeManager{}
}
// SetDbAccessor installs the certdb backend used by every other method.
// The value is stored as given; passing nil leaves the manager unusable
// until a real accessor is set.
func (m *RevokeManager) SetDbAccessor(dbAccessor certdb.Accessor) {
	m.dbAccessor = dbAccessor
}
// certPem is an x509 certificate in PEM form.
// To obtain the serial number: openssl x509 -in /path/from/cert_file -noout -serial -subject
// cfssl revoke -db-config config_file -serial serial -aki authority_key_id [-reason reason]
// cfssl revoke -ca ca.pem -config ca-config.json cert.pem > revoked.pem
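// InsertCert parses an x509 certificate PEM and records it in the certdb so
// that it can later be revoked or looked up by serial number and AKI.
//
// It returns the certificate's serial number in the representation certinfo
// produces (decimal string). The stored record takes Serial and AKI from the
// parsed certificate, Expiry from its NotAfter date, and keeps the raw PEM;
// the accessor assigns the initial status itself.
//
// An error is returned when the PEM cannot be parsed, the accessor has not
// been set via SetDbAccessor, or the insert fails; serial is empty then.
func (m *RevokeManager) InsertCert(certPem []byte) (serial string, err error) {
	certInfo, err := certinfo.ParseCertificatePEM(certPem)
	if err != nil {
		return "", errors.Wrap(err, "InsertCert err")
	}
	// A nil accessor would otherwise panic inside the method call below.
	if m.dbAccessor == nil {
		return "", errors.New("InsertCert: db accessor is not set")
	}
	record := certdb.CertificateRecord{
		Serial: certInfo.SerialNumber,
		AKI:    certInfo.AKI,
		// Expiry comes from the certificate itself; leaving it zero makes
		// expiry-based queries treat the record as already expired.
		Expiry: certInfo.NotAfter,
		PEM:    string(certPem),
	}
	// DB errors are returned unwrapped so callers can still inspect the
	// accessor's own error type.
	if err := m.dbAccessor.InsertCertificate(record); err != nil {
		return "", err
	}
	return certInfo.SerialNumber, nil
}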
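// RevokeCertBySerial marks the certificate identified by (aki, serial) as
// revoked in the certdb with reason code ocsp.PrivilegeWithdrawn.
//
// aki is the hex authority key identifier and serial the decimal serial
// number, in the same representation InsertCert stored. Revocation in the
// store alone does not reach relying parties; a CRL (GenCRL) or OCSP
// response must be published afterwards.
//
// An error is returned when the accessor is unset, either identifier is
// empty, or the accessor reports a failure (cfssl's accessor errors when no
// record matches, so a nil return means a row was actually updated).
func (m *RevokeManager) RevokeCertBySerial(aki string, serial string) (err error) {
	if m.dbAccessor == nil {
		return errors.New("RevokeCertBySerial: db accessor is not set")
	}
	// An empty identifier can never select a certificate; fail early
	// instead of issuing a query that matches nothing.
	if aki == "" || serial == "" {
		return errors.New("RevokeCertBySerial: aki and serial must not be empty")
	}
	// certdb.Accessor.RevokeCertificate takes (serial, aki, reason) — serial
	// first, like GetCertificate. Passing aki first never matches a stored
	// record, so the certificate silently stayed valid.
	return m.dbAccessor.RevokeCertificate(serial, aki, ocsp.PrivilegeWithdrawn)
}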
// certPem is an x509 certificate in PEM form.
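// RevokeCert parses an x509 certificate PEM and marks the matching certdb
// record (found by the certificate's serial number and AKI) as revoked with
// reason code ocsp.PrivilegeWithdrawn.
//
// Revocation in the store alone does not reach relying parties; a CRL
// (GenCRL) or OCSP response must be published afterwards.
//
// An error is returned when the PEM cannot be parsed, the accessor is unset,
// or the accessor reports a failure (cfssl's accessor errors when no record
// matches, so a nil return means a row was actually updated).
func (m *RevokeManager) RevokeCert(certPem []byte) (err error) {
	certInfo, err := certinfo.ParseCertificatePEM(certPem)
	if err != nil {
		return errors.Wrap(err, "RevokeCert err")
	}
	if m.dbAccessor == nil {
		return errors.New("RevokeCert: db accessor is not set")
	}
	// certdb.Accessor.RevokeCertificate takes (serial, aki, reason) — serial
	// first, like GetCertificate. Passing the AKI first never matches a
	// stored record, so the certificate silently stayed valid.
	return m.dbAccessor.RevokeCertificate(certInfo.SerialNumber, certInfo.AKI, ocsp.PrivilegeWithdrawn)
}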
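// IsCertRevokedBySerial reports whether the certdb holds a revoked record
// for the certificate identified by (aki, serial), using the same
// representations InsertCert stores (hex AKI, decimal serial).
//
// A certificate with no record is reported as not revoked with a nil error,
// i.e. the check is fail-open for certificates this store never saw; callers
// that need "known and good" must also confirm the certificate was inserted.
// If several records match, any revoked one counts as revoked.
//
// An error is returned when the accessor is unset or the lookup fails.
func (m *RevokeManager) IsCertRevokedBySerial(aki string, serial string) (revoked bool, err error) {
	if m.dbAccessor == nil {
		return false, errors.New("IsCertRevokedBySerial: db accessor is not set")
	}
	records, err := m.dbAccessor.GetCertificate(serial, aki)
	if err != nil {
		return false, err
	}
	// (serial, aki) is expected to be unique in the store, so this is
	// normally at most one record; scanning all of them errs on the side of
	// reporting revocation.
	for i := range records {
		if records[i].Status == cert.CERT_STATUS_REVOKED {
			return true, nil
		}
	}
	return false, nil
}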
// certPem is an x509 certificate in PEM form.
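// IsCertRevoked parses an x509 certificate PEM and reports whether the
// certdb holds a revoked record for it (looked up by serial number and AKI).
//
// A certificate with no record is reported as not revoked with a nil error,
// i.e. the check is fail-open for certificates this store never saw; callers
// that need "known and good" must also confirm the certificate was inserted.
// If several records match, any revoked one counts as revoked.
//
// An error is returned when the PEM cannot be parsed, the accessor is unset,
// or the lookup fails.
func (m *RevokeManager) IsCertRevoked(certPem []byte) (revoked bool, err error) {
	certInfo, err := certinfo.ParseCertificatePEM(certPem)
	if err != nil {
		return false, errors.Wrap(err, "IsCertRevoked err")
	}
	if m.dbAccessor == nil {
		return false, errors.New("IsCertRevoked: db accessor is not set")
	}
	records, err := m.dbAccessor.GetCertificate(certInfo.SerialNumber, certInfo.AKI)
	if err != nil {
		return false, err
	}
	// Compare against the shared status constant rather than a bare
	// "revoked" literal so this stays in step with IsCertRevokedBySerial.
	for i := range records {
		if records[i].Status == cert.CERT_STATUS_REVOKED {
			return true, nil
		}
	}
	return false, nil
}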
// Generates a certificate revocation list (CRL).
// Equivalent cfssl command: cfssl gencrl INPUT-FILE CERT KEY TIME
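// GenCRL builds a CRL signed by the CA whose certificate and private key are
// read from the files caFile and caKeyFile, listing every certificate the
// certdb currently holds as revoked and unexpired (what cfssl gencrl does
// from a serial-list file).
//
// The CRL is generated with expiry "0", which cfssl maps to its default CRL
// lifetime, parsed back with crypto/x509 to confirm it is well formed, and
// its entry count is logged. The DER bytes are not returned because the
// method's interface only reports an error; widen the interface if callers
// need the CRL itself. If the CA key is encrypted, cfssl reads the passphrase
// from its CFSSL_CA_PK_PASSWORD environment variable — verify against the
// vendored cfssl version.
//
// caCfg, profile and certPem are accepted for interface compatibility but
// not used. NOTE(review): confirm with callers whether certPem was meant to
// be added to the list or to select the signing CA.
//
// An error is returned when the accessor is unset, a CA file cannot be read,
// the revoked-certificate query fails, or cfssl cannot build or parse the CRL.
func (m *RevokeManager) GenCRL(caFile, caKeyFile string, caCfg *config.Config, profile string, certPem []byte) (err error) {
	if m.dbAccessor == nil {
		return errors.New("GenCRL: db accessor is not set")
	}
	caBytes, err := os.ReadFile(caFile)
	if err != nil {
		return errors.Wrap(err, "GenCRL: reading CA certificate")
	}
	keyBytes, err := os.ReadFile(caKeyFile)
	if err != nil {
		return errors.Wrap(err, "GenCRL: reading CA private key")
	}
	revoked, err := m.dbAccessor.GetRevokedAndUnexpiredCertificates()
	if err != nil {
		return errors.Wrap(err, "GenCRL: loading revoked certificates")
	}
	// cfssl expects one decimal serial per line, which is the representation
	// certinfo produces and InsertCert stores in the Serial column.
	var serialList []byte
	for i := range revoked {
		serialList = append(serialList, revoked[i].Serial...)
		serialList = append(serialList, '\n')
	}
	// "0" selects cfssl's default CRL lifetime instead of an explicit
	// number of seconds.
	crlBytes, err := crl.NewCRLFromFile(serialList, caBytes, keyBytes, "0")
	if err != nil {
		return errors.Wrap(err, "GenCRL err")
	}
	revokeList, err := x509.ParseRevocationList(crlBytes)
	if err != nil {
		return errors.Wrap(err, "GenCRL err")
	}
	log.Printf("certList.count=%d", len(revokeList.RevokedCertificateEntries))
	return nil
}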