package openssl import ( "bufio" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" "errors" "fmt" "math/big" "os" "path" "strings" "sync" "time" ) var OidCRLReason = asn1.ObjectIdentifier{2, 5, 29, 21} type CRLReason int // CRL reason codes as defined in RFC 5280 section 5.3.1 const ( CRLReasonUnspecified CRLReason = 0 CRLReasonKeyCompromise CRLReason = 1 CRLReasonCACompromise CRLReason = 2 CRLReasonAffiliationChanged CRLReason = 3 CRLReasonSuperseded CRLReason = 4 CRLReasonCessationOfOperation CRLReason = 5 CRLReasonCertificateHold CRLReason = 6 CRLReasonRemoveFromCRL CRLReason = 8 CRLReasonPrivilegeWithdrawn CRLReason = 9 CRLReasonAACompromise CRLReason = 10 ) var crlReasonNames = map[CRLReason]string{ CRLReasonUnspecified: "unspecified", CRLReasonKeyCompromise: "keyCompromise", CRLReasonCACompromise: "CACompromise", CRLReasonAffiliationChanged: "affiliationChanged", CRLReasonSuperseded: "superseded", CRLReasonCessationOfOperation: "cessationOfOperation", CRLReasonCertificateHold: "certificateHold", CRLReasonRemoveFromCRL: "removeFromCRL", CRLReasonPrivilegeWithdrawn: "privilegeWithdrawn", CRLReasonAACompromise: "AACompromise", } func (r CRLReason) String() string { if reason, ok := crlReasonNames[r]; ok { return reason } return crlReasonNames[CRLReasonUnspecified] } // ParseReason takes a reason string and performs a case-insensitive match to a reason code func ParseReason(rs string) CRLReason { for key, name := range crlReasonNames { if strings.EqualFold(name, rs) { return key } } return CRLReasonUnspecified } const TimeSpec = "060102030405Z" type indexStatus string const ( certificateValid indexStatus = "V" certificateRevoked indexStatus = "R" certificateExpired indexStatus = "E" ) // An indexEntry represents a line in an openssl ca compatible index.txt file // a format specification is available at https://pki-tutorial.readthedocs.io/en/latest/cadb.html type indexEntry struct { statusFlag indexStatus expiresAt time.Time revokedAt *time.Time revocationReason CRLReason serialNumber *big.Int fileName string certificateSubjectDN string } func (ie *indexEntry) String() string { var revoked, fileName string if ie.revokedAt != nil { revoked = fmt.Sprintf("%s,%s", ie.revokedAt.Format(TimeSpec), ie.revocationReason) } if ie.fileName == "" { fileName = "unknown" } return strings.Join([]string{ string(ie.statusFlag), ie.expiresAt.Format(TimeSpec), revoked, strings.ToUpper(ie.serialNumber.Text(16)), fileName, ie.certificateSubjectDN, // this is not 100% compatible with openssl that uses a non-RFC syntax }, "\t") } // The Repository stores information about signed and revoked certificates // in an openssl index.txt compatible file. // // A reference for the file format can be found at // https://pki-tutorial.readthedocs.io/en/latest/cadb.html. type Repository struct { indexFileName string lock sync.Locker entries []indexEntry } func (ie *indexEntry) markRevoked(revocationTime time.Time, reason CRLReason) { if ie.statusFlag == certificateValid { ie.statusFlag = certificateRevoked ie.revokedAt = &revocationTime ie.revocationReason = reason } } func (r *Repository) findEntry(number *big.Int) (*indexEntry, error) { if number == nil { return nil, errors.New("serial number must not be nil") } for _, entry := range r.entries { if entry.serialNumber.Cmp(number) == 0 { return &entry, nil } } return nil, nil } type CannotRevokeUnknown struct { Serial *big.Int } func (c CannotRevokeUnknown) Error() string { return fmt.Sprintf("cannot revoke unknown certificate with serial number %s", c.Serial) } // StoreRevocation records information about a revoked certificate. func (r *Repository) StoreRevocation(revoked *pkix.RevokedCertificate) error { r.lock.Lock() defer r.lock.Unlock() err := r.loadIndex() if err != nil { return err } entry, err := r.findEntry(revoked.SerialNumber) if err != nil { return err } if entry == nil { return CannotRevokeUnknown{Serial: revoked.SerialNumber} } reason := CRLReasonUnspecified for _, ext := range revoked.Extensions { if ext.Id.Equal(OidCRLReason) { _, err := asn1.Unmarshal(ext.Value, &reason) if err != nil { return fmt.Errorf("could not unmarshal ") } } } entry.markRevoked(revoked.RevocationTime, reason) err = r.writeIndex() return err } // StoreCertificate records information about a signed certificate. func (r *Repository) StoreCertificate(signed *x509.Certificate) error { var err error r.lock.Lock() defer r.lock.Unlock() err = r.loadIndex() if err != nil { return err } entry, err := r.findEntry(signed.SerialNumber) if err != nil { return err } if entry != nil { return fmt.Errorf("certificate with serial %s is already in the index", signed.SerialNumber) } status := certificateValid if signed.NotAfter.Before(time.Now().UTC()) { status = certificateExpired } err = r.addIndexEntry(&indexEntry{ statusFlag: status, expiresAt: signed.NotAfter, serialNumber: signed.SerialNumber, certificateSubjectDN: signed.Subject.String(), // not openssl compatible }) if err != nil { return err } return nil } func (r *Repository) loadIndex() error { entries := make([]indexEntry, 0, 100) f, err := os.Open(r.indexFileName) if err != nil && !os.IsNotExist(err) { return fmt.Errorf("could not load index from %s: %w", r.indexFileName, err) } if f == nil { r.entries = entries return nil } defer func() { _ = f.Close() }() indexScanner := bufio.NewScanner(f) for indexScanner.Scan() { indexEntry, err := r.newIndexEntryFromLine(indexScanner.Text()) if err != nil { return err } entries = append(entries, *indexEntry) } if err := indexScanner.Err(); err != nil { return err } r.entries = entries return nil } func (r *Repository) writeIndex() error { f, err := os.OpenFile(r.indexFileName, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600) if err != nil { return fmt.Errorf("could not create index file %s: %w", r.indexFileName, err) } defer func(f *os.File) { _ = f.Close() }(f) w := bufio.NewWriter(f) for i, entry := range r.entries { _, err = w.WriteString(entry.String()) if err != nil { return fmt.Errorf("could not write entry for serial %s: %w", entry.serialNumber, err) } if i < len(r.entries)-1 { _, err = w.WriteString("\n") if err != nil { return fmt.Errorf("could not write linebreak: %w", err) } } } err = w.Flush() if err != nil { return fmt.Errorf("could not write to %s: %w", r.indexFileName, err) } return nil } func (r *Repository) addIndexEntry(ie *indexEntry) error { r.entries = append(r.entries, *ie) err := r.writeIndex() if err != nil { return err } return nil } func (r *Repository) newIndexEntryFromLine(text string) (*indexEntry, error) { var err error fields := strings.Split(text, "\t") const expectedFieldNumber = 6 if len(fields) != expectedFieldNumber { return nil, fmt.Errorf( "unexpected number of fields %d instead of %d", len(fields), expectedFieldNumber, ) } expirationParsed, err := time.Parse(TimeSpec, fields[1]) if err != nil { return nil, err } var revocationTimeParsed time.Time var revocationReason CRLReason if fields[2] != "" { var timeString string if strings.Contains(fields[2], ",") { parts := strings.SplitN(fields[2], ",", 2) timeString = parts[0] revocationReason = ParseReason(parts[1]) } else { timeString = fields[2] } revocationTimeParsed, err = time.Parse(TimeSpec, timeString) if err != nil { return nil, err } } serialParsed := new(big.Int) if _, ok := serialParsed.SetString(fields[3], 16); !ok { return nil, fmt.Errorf("could not parse serial number %s", fields[3]) } fileNameParsed := "unknown" if fields[4] != "" { _, err = os.Stat(path.Join(path.Dir(r.indexFileName), fields[4])) if err != nil && !os.IsNotExist(err) { return nil, err } fileNameParsed = fields[4] } return &indexEntry{ statusFlag: indexStatus(fields[0]), expiresAt: expirationParsed, revokedAt: &revocationTimeParsed, revocationReason: revocationReason, serialNumber: serialParsed, fileName: fileNameParsed, certificateSubjectDN: fields[5], }, nil } func NewFileRepository(baseDirectory string) (*Repository, error) { err := os.Chdir(baseDirectory) if err != nil { return nil, err } return &Repository{ indexFileName: path.Join(baseDirectory, "index.txt"), lock: &sync.Mutex{}, }, nil }