Implement user-facing revocation.
This commit is contained in:
parent
bff5ea2cfe
commit
de4e37bf60
|
@ -391,6 +391,83 @@ func (wfe *WebFrontEndImpl) RevokeCertificate(response http.ResponseWriter, requ
|
|||
return
|
||||
}
|
||||
|
||||
err = wfe.CA.RevokeCertificate(revokeRequest.Serial)
|
||||
if err != nil {
|
||||
wfe.sendError(response,
|
||||
"Failed to revoke certificate",
|
||||
http.StatusInternalServerError)
|
||||
} else {
|
||||
wfe.log.Debug(fmt.Sprintf("Revoked %v", revokeRequest.Serial))
|
||||
response.WriteHeader(http.StatusOK)
|
||||
}
|
||||
}
|
||||
|
||||
func (wfe *WebFrontEndImpl) NewCertificate(response http.ResponseWriter, request *http.Request) {
|
||||
if request.Method != "POST" {
|
||||
wfe.sendError(response, "Method not allowed", http.StatusMethodNotAllowed)
|
||||
return
|
||||
}
|
||||
|
||||
body, requestKey, err := verifyPOST(request)
|
||||
if err != nil {
|
||||
wfe.sendError(response, "Unable to read/verify body", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
type RevokeRequest struct {
|
||||
Serial string
|
||||
}
|
||||
var revokeRequest RevokeRequest
|
||||
if err = json.Unmarshal(body, &revokeRequest); err != nil {
|
||||
fmt.Println("Couldn't unmarshal in revoke request", string(body))
|
||||
wfe.sendError(response, "Unable to read/verify body", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if len(revokeRequest.Serial) != 32 {
|
||||
wfe.log.Debug("Bad serial in revoke request " + revokeRequest.Serial)
|
||||
wfe.sendError(response, "Unable to read/verify body", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
certDER, err := wfe.SA.GetCertificate(revokeRequest.Serial)
|
||||
if err != nil {
|
||||
wfe.sendError(response, "No such certificate", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
parsedCertificate, err := x509.ParseCertificate(certDER)
|
||||
if err != nil {
|
||||
wfe.sendError(response, "Invalid certificate", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
certStatus, err := wfe.SA.GetCertificateStatus(revokeRequest.Serial)
|
||||
if err != nil {
|
||||
wfe.sendError(response, "No such certificate", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
|
||||
if certStatus.Status == core.OCSPStatusRevoked {
|
||||
wfe.sendError(response, "Certificate already revoked", http.StatusConflict)
|
||||
return
|
||||
}
|
||||
|
||||
// TODO: Allow other types of keys.
|
||||
if requestKey.Rsa == nil {
|
||||
wfe.sendError(response, "Non-RSA keys not permitted.", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
// TODO: Implement other methods of validating revocation, e.g. through
|
||||
// authorizations on account.
|
||||
if core.KeyDigest(requestKey.Rsa) != core.KeyDigest(parsedCertificate.PublicKey) {
|
||||
wfe.log.Debug(fmt.Sprintf("Key mismatch for revoke: %s vs %s",
|
||||
core.KeyDigest(requestKey),
|
||||
core.KeyDigest(parsedCertificate.PublicKey)))
|
||||
wfe.sendError(response,
|
||||
"Revocation request must be signed by private key of cert to be revoked",
|
||||
http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
err = wfe.CA.RevokeCertificate(revokeRequest.Serial)
|
||||
if err != nil {
|
||||
wfe.sendError(response,
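Review bot: The key-mismatch debug line hashes a different value than the check it reports on: the condition compares `core.KeyDigest(requestKey.Rsa)` against the certificate key, but the log passes `core.KeyDigest(requestKey)` (the JWK wrapper), so the "vs" output will most likely show a digest that was never part of the comparison and mislead whoever is diagnosing a rejected revocation. Compute each digest once and reuse it, e.g. `reqDigest := core.KeyDigest(requestKey.Rsa)` / `certDigest := core.KeyDigest(parsedCertificate.PublicKey)` / `if reqDigest != certDigest {`, with the same two variables in the Debug call. Separately, the unmarshal failure branch writes the raw client body to stdout with `fmt.Println` while every other branch in this handler goes through `wfe.log.Debug`; the body is unauthenticated input of arbitrary size, so route it through the logger and bound what is echoed, e.g. `wfe.log.Debug(fmt.Sprintf("Couldn't unmarshal revoke request (%d bytes)", len(body)))`. The handler's remaining sendError arguments and success branch continue past the end of this hunk.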
|
||||
|
|