Added certificate revocation and CRL generation code.

2025-07-28 01:34:21 +02:00
parent bd9547ff70
commit 6c5842826e
6 changed files with 425 additions and 138 deletions
--- a/certdb.go
+++ b/certdb.go
@@ -2,9 +2,15 @@
 package main

 import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
+	"math/big"
 	"os"
+	"path/filepath"
 	"time"
 )

@@ -14,54 +20,55 @@ type _CAState struct {
 	CreatedAt    string              `json:"createdAt"`
 	UpdatedAt    string              `json:"updatedAt"`
 	Serial       int                 `json:"serial,omitempty"`
+	CRLNumber    int                 `json:"crlNumber"`
 	Certificates []CertificateRecord `json:"certificates"`
 }

 type CertificateRecord struct {
-	Name    string `json:"name"`
-	Issued  string `json:"issued"`
-	Expires string `json:"expires"`
-	Serial  string `json:"serial"`
-	Valid   bool   `json:"valid"`
+	Name         string `json:"name"`
+	Issued       string `json:"issued"`
+	Expires      string `json:"expires"`
+	Serial       string `json:"serial"`
+	RevokedAt    string `json:"revokedAt,omitempty"`
+	RevokeReason int    `json:"revokeReason,omitempty"`
+}
+
+func caStatePath() string {
+	return filepath.Join(filepath.Dir(configPath), CAConfig.StateName())
 }

 // LoadCAState loads the CA state from a JSON file
-func LoadCAState(filename string) (*_CAState, error) {
-	f, err := os.Open(filename)
+func LoadCAState() error {
+	path := caStatePath()
+	fmt.Printf("Loading CA state from %s\n", path)
+	f, err := os.Open(path)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	defer f.Close()
-	var state _CAState
-	if err := json.NewDecoder(f).Decode(&state); err != nil {
-		return nil, err
+	CAState = &_CAState{}
+	if err := json.NewDecoder(f).Decode(CAState); err != nil {
+		return err
 	}
-	return &state, nil
+	return nil
 }

 // SaveCAState saves the CA state to a JSON file
-func SaveCAState(filename string, state *_CAState) error {
-	state.UpdatedAt = time.Now().UTC().Format(time.RFC3339)
-	f, err := os.Create(filename)
+func SaveCAState() error {
+	CAState.UpdatedAt = time.Now().UTC().Format(time.RFC3339)
+	f, err := os.Create(caStatePath())
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	enc := json.NewEncoder(f)
 	enc.SetIndent("", "    ")
-	return enc.Encode(state)
+	return enc.Encode(CAState)
 }

 // UpdateCAStateAfterIssue updates the CA state JSON after issuing a certificate
-func UpdateCAStateAfterIssue(jsonFile, serialType, basename string, serialNumber any, validity time.Duration) error {
-	var err error
-	if CAState == nil {
-		CAState, err = LoadCAState(jsonFile)
-		if err != nil {
-			CAState = nil
-		}
-	}
-	if CAState == nil {
+func (s *_CAState) UpdateCAStateAfterIssue(serialType, basename string, serialNumber any, validity time.Duration) error {
+	if s == nil {
 		fmt.Fprintf(os.Stderr, "FATAL: CAState is nil in UpdateCAStateAfterIssue. This indicates a programming error.\n")
 		os.Exit(1)
 	}
@@ -77,13 +84,12 @@ func UpdateCAStateAfterIssue(jsonFile, serialType, basename string, serialNumber
 	default:
 		serialStr = fmt.Sprintf("%v", serialNumber)
 	}
-	AddCertificate(basename, issued, expires, serialStr, true)
+	s.AddCertificate(basename, issued, expires, serialStr)
 	return nil
 }

-// AddCertificate appends a new CertificateRecord to the CAState
-func AddCertificate(name, issued, expires, serial string, valid bool) {
-	if CAState == nil {
+func (s *_CAState) AddCertificate(name, issued, expires, serial string) {
+	if s == nil {
 		fmt.Fprintf(os.Stderr, "FATAL: CAState is nil in AddCertificate. This indicates a programming error.\n")
 		os.Exit(1)
 	}
@@ -92,9 +98,94 @@ func AddCertificate(name, issued, expires, serial string, valid bool) {
 		Issued:  issued,
 		Expires: expires,
 		Serial:  serial,
-		Valid:   valid,
 	}
-	CAState.Certificates = append(CAState.Certificates, rec)
+	s.Certificates = append(s.Certificates, rec)
 }

-// No CAConfig references to update in this file
+// RevokeCertificate revokes a certificate by serial number and reason code, updates state, and saves to disk
+func (s *_CAState) RevokeCertificate(serial string, reason int) error {
+	if s == nil {
+		fmt.Fprintf(os.Stderr, "FATAL: CAState is nil in RevokeCertificate. This indicates a programming error.\n")
+		os.Exit(1)
+	}
+	revoked := false
+	revokedAt := time.Now().UTC().Format(time.RFC3339)
+	for i, rec := range s.Certificates {
+		if rec.Serial == serial && rec.RevokedAt == "" {
+			s.Certificates[i].RevokedAt = revokedAt
+			s.Certificates[i].RevokeReason = reason
+			revoked = true
+		}
+	}
+	if !revoked {
+		return fmt.Errorf("certificate with serial %s not found or already revoked", serial)
+	}
+	s.UpdatedAt = time.Now().UTC().Format(time.RFC3339)
+	if err := SaveCAState(); err != nil {
+		return fmt.Errorf("failed to save CA state after revocation: %v", err)
+	}
+	return nil
+}
+
+// GenerateCRL generates a CRL file from revoked certificates and writes it to the given path
+// validityDays defines the number of days for which the CRL is valid (NextUpdate - ThisUpdate)
+func (s *_CAState) GenerateCRL(crlPath string, validityDays int) error {
+	if s == nil {
+		return fmt.Errorf("CAState is nil in GenerateCRL")
+	}
+	if CACert == nil || CAKey == nil {
+		return fmt.Errorf("CA certificate or key not loaded")
+	}
+	var revokedCerts []pkix.RevokedCertificate
+	for _, rec := range s.Certificates {
+		if rec.RevokedAt != "" {
+			serial := new(big.Int)
+			serial.SetString(rec.Serial, 16) // Parse serial as hex
+			revokedTime, err := time.Parse(time.RFC3339, rec.RevokedAt)
+			if err != nil {
+				return fmt.Errorf("invalid revocation time for serial %s: %v", rec.Serial, err)
+			}
+			reasonCode := rec.RevokeReason
+			// RFC 5280: Reason code must be encoded as ASN.1 ENUMERATED, not a raw byte
+			// Use ASN.1 encoding for ENUMERATED
+			asn1Reason, err := asn1.Marshal(asn1.Enumerated(reasonCode))
+			if err != nil {
+				return fmt.Errorf("failed to ASN.1 encode reason code: %v", err)
+			}
+			revokedCerts = append(revokedCerts, pkix.RevokedCertificate{
+				SerialNumber:   serial,
+				RevocationTime: revokedTime,
+				Extensions:     []pkix.Extension{{Id: []int{2, 5, 29, 21}, Value: asn1Reason}},
+			})
+		}
+	}
+	now := time.Now().UTC()
+	nextUpdate := now.Add(time.Duration(validityDays) * 24 * time.Hour) // validityDays * 24 * 60 * 60 * 1000 milliseconds
+	template := &x509.RevocationList{
+		SignatureAlgorithm:  CACert.SignatureAlgorithm,
+		RevokedCertificates: revokedCerts,
+		Number:              big.NewInt(int64(s.CRLNumber + 1)),
+		ThisUpdate:          now,
+		NextUpdate:          nextUpdate,
+		Issuer:              CACert.Subject,
+	}
+	crlBytes, err := x509.CreateRevocationList(nil, template, CACert, CAKey)
+	if err != nil {
+		return fmt.Errorf("failed to create CRL: %v", err)
+	}
+	f, err := os.Create(crlPath)
+	if err != nil {
+		return fmt.Errorf("failed to create CRL file: %v", err)
+	}
+	defer f.Close()
+	if err := pem.Encode(f, &pem.Block{Type: "X509 CRL", Bytes: crlBytes}); err != nil {
+		return fmt.Errorf("failed to write CRL PEM: %v", err)
+	}
+	// Update CRL number and save state
+	s.CRLNumber++
+	s.UpdatedAt = time.Now().UTC().Format(time.RFC3339)
+	if err := SaveCAState(); err != nil {
+		return fmt.Errorf("failed to update CA state after CRL generation: %v", err)
+	}
+	return nil
+}