Improve CRL fetching

- improve client data structures
- do not fetch CRLs for root CA certificates
Jan Dittberner 2022-11-30 20:21:51 +01:00
parent 4d9d826e8b
commit 792675c8c5
2 changed files with 17 additions and 7 deletions


@ -48,10 +48,15 @@ type Profile struct {
UseFor string UseFor string
} }
type CertInfo struct {
Name string
FetchCRL bool
}
type SignerInfo struct { type SignerInfo struct {
SignerHealth bool SignerHealth bool
SignerVersion string SignerVersion string
CACertificates []string CACertificates []CertInfo
UsableProfiles map[string][]Profile UsableProfiles map[string][]Profile
} }
@ -237,12 +242,14 @@ func (c *Client) buildCRLInfo() []CRLInfo {
return nil return nil
} }
infos := make([]CRLInfo, len(c.signerInfo.CACertificates)) infos := make([]CRLInfo, 0)
for i, caName := range c.signerInfo.CACertificates { for _, caInfo := range c.signerInfo.CACertificates {
lastKnown := c.lastKnownCRL(caName) if caInfo.FetchCRL {
lastKnown := c.lastKnownCRL(caInfo.Name)
infos[i] = CRLInfo{Name: caName, LastKnown: lastKnown} infos = append(infos, CRLInfo{Name: caInfo.Name, LastKnown: lastKnown})
}
} }
return infos return infos
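Review bot: The new filter `if caInfo.FetchCRL {` in buildCRLInfo silently drops CAs from the CRL list, and neither this hunk nor the exported `FetchCRL` field added to `CertInfo` says what the flag means; the other file's hunk populates it from `certInfo.Signing`, so the effective rule appears to be "skip the CRL of any CA the signer is not currently issuing from", which is broader than the "root CA certificates" named in the commit message — if a CA can be retired from signing while its already-issued certificates remain valid, its CRL would stop being fetched too, so that case deserves a conscious decision. A doc comment on the field would pin the intent for the next reader: `// FetchCRL reports whether the client should fetch this CA's CRL (populated from the signer's Signing flag, so CAs not used for signing are skipped).` The replacement `infos := make([]CRLInfo, 0)` could also keep the old bound as capacity, `infos := make([]CRLInfo, 0, len(c.signerInfo.CACertificates))`, since the loop appends at most one entry per CA. The opening lines of buildCRLInfo are outside this hunk.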


@ -160,7 +160,7 @@ func (s *SignerClientHandler) handleHealthResponse(r *messages.HealthResponse) {
switch item.Source { switch item.Source {
case "HSM": case "HSM":
signerInfo.CACertificates = make([]string, 0) signerInfo.CACertificates = make([]client.CertInfo, 0)
signerInfo.UsableProfiles = make(map[string][]client.Profile) signerInfo.UsableProfiles = make(map[string][]client.Profile)
for certName, value := range item.MoreInfo { for certName, value := range item.MoreInfo {
@ -179,7 +179,10 @@ func (s *SignerClientHandler) handleHealthResponse(r *messages.HealthResponse) {
"valid-until": certInfo.ValidUntil, "valid-until": certInfo.ValidUntil,
}).Trace("certificate info") }).Trace("certificate info")
signerInfo.CACertificates = append(signerInfo.CACertificates, certName) signerInfo.CACertificates = append(
signerInfo.CACertificates,
client.CertInfo{Name: certName, FetchCRL: certInfo.Signing},
)
if certInfo.Signing { if certInfo.Signing {
for _, profile := range certInfo.Profiles { for _, profile := range certInfo.Profiles {