Implement user-facing revocation.
This commit is contained in:
Jacob Hoffman-Andrews
parent
bff5ea2cfe
commit
de4e37bf60
|
|
@ -391,6 +391,83 @@ func (wfe *WebFrontEndImpl) RevokeCertificate(response http.ResponseWriter, requ
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = wfe.CA.RevokeCertificate(revokeRequest.Serial)
|
||||||
|
if err != nil {
|
||||||
|
wfe.sendError(response,
|
||||||
|
"Failed to revoke certificate",
|
||||||
|
http.StatusInternalServerError)
|
||||||
|
} else {
|
||||||
|
wfe.log.Debug(fmt.Sprintf("Revoked %v", revokeRequest.Serial))
|
||||||
|
response.WriteHeader(http.StatusOK)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (wfe *WebFrontEndImpl) NewCertificate(response http.ResponseWriter, request *http.Request) {
|
||||||
|
if request.Method != "POST" {
|
||||||
|
wfe.sendError(response, "Method not allowed", http.StatusMethodNotAllowed)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
body, requestKey, err := verifyPOST(request)
|
||||||
|
if err != nil {
|
||||||
|
wfe.sendError(response, "Unable to read/verify body", http.StatusBadRequest)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
type RevokeRequest struct {
|
||||||
|
Serial string
|
||||||
|
}
|
||||||
|
var revokeRequest RevokeRequest
|
||||||
|
if err = json.Unmarshal(body, &revokeRequest); err != nil {
|
||||||
|
fmt.Println("Couldn't unmarshal in revoke request", string(body))
|
||||||
|
wfe.sendError(response, "Unable to read/verify body", http.StatusBadRequest)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(revokeRequest.Serial) != 32 {
|
||||||
|
wfe.log.Debug("Bad serial in revoke request " + revokeRequest.Serial)
|
||||||
|
wfe.sendError(response, "Unable to read/verify body", http.StatusBadRequest)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
certDER, err := wfe.SA.GetCertificate(revokeRequest.Serial)
|
||||||
|
if err != nil {
|
||||||
|
wfe.sendError(response, "No such certificate", http.StatusNotFound)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
parsedCertificate, err := x509.ParseCertificate(certDER)
|
||||||
|
if err != nil {
|
||||||
|
wfe.sendError(response, "Invalid certificate", http.StatusInternalServerError)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
certStatus, err := wfe.SA.GetCertificateStatus(revokeRequest.Serial)
|
||||||
|
if err != nil {
|
||||||
|
wfe.sendError(response, "No such certificate", http.StatusNotFound)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if certStatus.Status == core.OCSPStatusRevoked {
|
||||||
|
wfe.sendError(response, "Certificate already revoked", http.StatusConflict)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: Allow other types of keys.
|
||||||
|
if requestKey.Rsa == nil {
|
||||||
|
wfe.sendError(response, "Non-RSA keys not permitted.", http.StatusForbidden)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// TODO: Implement other methods of validating revocation, e.g. through
|
||||||
|
// authorizations on account.
|
||||||
|
if core.KeyDigest(requestKey.Rsa) != core.KeyDigest(parsedCertificate.PublicKey) {
|
||||||
|
wfe.log.Debug(fmt.Sprintf("Key mismatch for revoke: %s vs %s",
|
||||||
|
core.KeyDigest(requestKey),
|
||||||
|
core.KeyDigest(parsedCertificate.PublicKey)))
|
||||||
|
wfe.sendError(response,
|
||||||
|
"Revocation request must be signed by private key of cert to be revoked",
|
||||||
|
http.StatusForbidden)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
err = wfe.CA.RevokeCertificate(revokeRequest.Serial)
|
err = wfe.CA.RevokeCertificate(revokeRequest.Serial)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
wfe.sendError(response,
|
wfe.sendError(response,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue