Improve signer setup code

- allow multiple attempts to set up certificates
- use CAB forum BR compliant CRLDistributionPoint for Subordinate CA
  certificates by referencing their own CRL instead of their parent CA's CRL
- store certificates in DER encoded form
Jan Dittberner 2 years ago
parent fffc65a540
commit de7e716a82

@ -270,8 +270,8 @@ func (c *SignerConfig) BuildOCSPURL(cert *CaCertificateEntry) string {
return c.global.URLPatterns.Ocsp return c.global.URLPatterns.Ocsp
} }
func (c *SignerConfig) BuildCRLUrl(cert *CaCertificateEntry) string { func (c *SignerConfig) BuildCRLUrl(label string) string {
return fmt.Sprintf(c.global.URLPatterns.CRL, cert.Parent) return fmt.Sprintf(c.global.URLPatterns.CRL, label)
} }
func (c *SignerConfig) GetParentCA(label string) (*CaCertificateEntry, error) { func (c *SignerConfig) GetParentCA(label string) (*CaCertificateEntry, error) {
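Review bot: The new `BuildCRLUrl(label string)` signature carries no doc comment, and because its meaning changed from "the parent CA's CRL" to "the labelled CA's own CRL", a reader of the call sites can no longer tell which certificate the returned URL points at. Add `// BuildCRLUrl returns the CRL distribution point URL of the CA identified by label, built from the configured CRL URL pattern.` directly above the method. The `Url` versus `URL` mismatch with the sibling `BuildOCSPURL` and `BuildIssuerURL` is pre-existing, but this signature break would have been the cheapest moment to align the name.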

@ -633,11 +633,11 @@ func TestSignerConfig_CertificateFileName(t *testing.T) {
func TestSignerConfig_BuildCRLUrl(t *testing.T) { func TestSignerConfig_BuildCRLUrl(t *testing.T) {
sc := loadSignerConfig(t) sc := loadSignerConfig(t)
ca, err := sc.GetCADefinition("sub1") _, err := sc.GetCADefinition("sub1")
require.NoError(t, err) require.NoError(t, err)
url := sc.BuildCRLUrl(ca) url := sc.BuildCRLUrl("sub1")
assert.Equal(t, "http://crl.example.org/root.crl", url) assert.Equal(t, "http://crl.example.org/sub1.crl", url)
} }
func TestSignerConfig_BuildIssuerUrl(t *testing.T) { func TestSignerConfig_BuildIssuerUrl(t *testing.T) {

@ -25,7 +25,6 @@ import (
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
"encoding/asn1" "encoding/asn1"
"encoding/pem"
"errors" "errors"
"fmt" "fmt"
"math/big" "math/big"
@ -175,16 +174,7 @@ func (c *caFile) loadCertificate(caDirectory string) (*x509.Certificate, error)
return nil, fmt.Errorf("could not read %s: %w", certFile, err) return nil, fmt.Errorf("could not read %s: %w", certFile, err)
} }
pemData, _ := pem.Decode(certData) certificate, err := x509.ParseCertificate(certData)
if pemData == nil {
return nil, fmt.Errorf("no PEM data in %s", certFile)
}
if pemData.Type != "CERTIFICATE" {
return nil, fmt.Errorf("no certificate found in %s", certFile)
}
certificate, err := x509.ParseCertificate(pemData.Bytes)
if err != nil { if err != nil {
return nil, fmt.Errorf("could not parse certificate from %s: %w", certFile, err) return nil, fmt.Errorf("could not parse certificate from %s: %w", certFile, err)
} }
@ -233,9 +223,11 @@ func (a *Access) GetRootCACertificate(label string) (*x509.Certificate, error) {
return certificate, nil return certificate, nil
} }
keyPair, err = a.getKeyPair(label, caCert.KeyInfo) if a.IsSetupMode() {
if err != nil { keyPair, err = a.getKeyPair(label, caCert.KeyInfo)
return nil, err if err != nil {
return nil, err
}
} }
if certificate != nil { if certificate != nil {
@ -244,6 +236,8 @@ func (a *Access) GetRootCACertificate(label string) (*x509.Certificate, error) {
return nil, err return nil, err
} }
caCert.Certificate, caCert.KeyPair = certificate, keyPair
return certificate, nil return certificate, nil
} }
@ -355,7 +349,7 @@ func (a *Access) GetSubordinateCACertificate(certLabel string) (*x509.Certificat
ExtKeyUsage: caCert.ExtKeyUsage, ExtKeyUsage: caCert.ExtKeyUsage,
IssuingCertificateURL: []string{sc.BuildIssuerURL(caCert)}, IssuingCertificateURL: []string{sc.BuildIssuerURL(caCert)},
OCSPServer: []string{sc.BuildOCSPURL(caCert)}, OCSPServer: []string{sc.BuildOCSPURL(caCert)},
CRLDistributionPoints: []string{sc.BuildCRLUrl(caCert)}, CRLDistributionPoints: []string{sc.BuildCRLUrl(certLabel)},
PolicyIdentifiers: []asn1.ObjectIdentifier{ PolicyIdentifiers: []asn1.ObjectIdentifier{
// use policy identifiers from http://wiki.cacert.org/OidAllocation // use policy identifiers from http://wiki.cacert.org/OidAllocation
oidCAcertClass3PolicyV1, oidCAcertClass3PolicyV1,
@ -414,15 +408,10 @@ func (a *Access) generateSubordinateCACertificate(
parent.KeyPair, parent.KeyPair,
) )
if err != nil { if err != nil {
return nil, fmt.Errorf("could not create subordinate CA certificate: %w", err) return nil, fmt.Errorf("could not create subordinate CA certificate %s: %w", certLabel, err)
} }
certBlock := &pem.Block{ err = certFile.storeCertificate(a.caDirectory, certBytes)
Type: "CERTIFICATE",
Bytes: certBytes,
}
err = certFile.storeCertificate(a.caDirectory, pem.EncodeToMemory(certBlock))
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -590,12 +579,7 @@ func (a *Access) generateRootCACertificate(
return nil, fmt.Errorf("could not create root certificate: %w", err) return nil, fmt.Errorf("could not create root certificate: %w", err)
} }
certBlock := &pem.Block{ if err = certFile.storeCertificate(a.caDirectory, certBytes); err != nil {
Type: "CERTIFICATE",
Bytes: certBytes,
}
if err = certFile.storeCertificate(a.caDirectory, pem.EncodeToMemory(certBlock)); err != nil {
return nil, err return nil, err
} }
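Review bot: `loadCertificate` now hands the raw file contents straight to `x509.ParseCertificate` (the `@ -175` hunk), so a certificate file that an earlier version wrote in PEM form fails with the generic "could not parse certificate" error instead of anything that explains the switch to DER. If existing CA directories may still hold PEM files, a cheap guard before the parse makes the failure actionable: `if len(certData) > 10 && string(certData[:10]) == "-----BEGIN" { return nil, fmt.Errorf("%s is PEM encoded, expected DER: convert it or re-run setup", certFile) }`. The two `storeCertificate` hunks below (`@ -414` and `@ -590`) now write DER, so the asymmetry only affects files written before this commit; `loadCertificate` itself starts outside the hunk. Separately, in the `@ -233` hunk `caCert.KeyPair` is assigned from `keyPair` even when `IsSetupMode()` is false, so outside setup mode it presumably stays at its earlier (likely nil) value and any later signing path that reads it should be prepared for that.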
