Implement Certificate Revocation List

plgd-dev · Oct 27, 2024 · 287679e · 287679e
1 parent 11ac65b
commit 287679e
Show file tree

Hide file tree

Showing 144 changed files with 3,469 additions and 1,024 deletions.
diff --git a/certificate-authority/config.yaml b/certificate-authority/config.yaml
@@ -48,6 +48,7 @@ apis:
       tokenTrustVerification:
         cacheExpiration: 30s
   http:
+    externalAddress: "https://0.0.0.0:9101"
     address: "0.0.0.0:9101"
     readTimeout: 8s
     readHeaderTimeout: 4s
@@ -68,10 +69,6 @@ clients:
         keyFile: "/secrets/private/cert.key"
         certFile: "/secrets/public/cert.crt"
         useSystemCAPool: false
-      bulkWrite:
-        timeout: 1m0s
-        throttleTime: 500ms
-        documentLimit: 1000
     cqlDB:
       table: "signedCertificateRecords"
       hosts: []
@@ -115,3 +112,5 @@ signer:
   certFile: "/secrets/public/intermediateca.crt"
   validFrom: "now-1h"
   expiresIn: "87600h"
+  crl:
+    expiresIn: "10m"
diff --git a/certificate-authority/pb/README.md b/certificate-authority/pb/README.md
@@ -89,8 +89,8 @@
 | ----------- | ------------ | ------------- | ------------|
 | SignIdentityCertificate | [SignCertificateRequest](#certificateauthority-pb-SignCertificateRequest) | [SignCertificateResponse](#certificateauthority-pb-SignCertificateResponse) | SignIdentityCertificate sends a Identity Certificate Signing Request to the certificate authority and obtains a signed certificate. Both in the PEM format. It adds EKU: &#39;1.3.6.1.4.1.44924.1.6&#39; . |
 | SignCertificate | [SignCertificateRequest](#certificateauthority-pb-SignCertificateRequest) | [SignCertificateResponse](#certificateauthority-pb-SignCertificateResponse) | SignCertificate sends a Certificate Signing Request to the certificate authority and obtains a signed certificate. Both in the PEM format. |
-| GetSigningRecords | [GetSigningRecordsRequest](#certificateauthority-pb-GetSigningRecordsRequest) | [SigningRecord](#certificateauthority-pb-SigningRecord) stream | Get signed certficate records. |
-| DeleteSigningRecords | [DeleteSigningRecordsRequest](#certificateauthority-pb-DeleteSigningRecordsRequest) | [DeletedSigningRecords](#certificateauthority-pb-DeletedSigningRecords) | Delete signed certficate records. |
+| GetSigningRecords | [GetSigningRecordsRequest](#certificateauthority-pb-GetSigningRecordsRequest) | [SigningRecord](#certificateauthority-pb-SigningRecord) stream | Get signed certificate records. |
+| DeleteSigningRecords | [DeleteSigningRecordsRequest](#certificateauthority-pb-DeleteSigningRecordsRequest) | [DeletedSigningRecords](#certificateauthority-pb-DeletedSigningRecords) | Revoke signed certficate or delete expired signed certificate records. |
 
 
 
@@ -120,6 +120,12 @@
 | valid_until_date | [int64](#int64) |  | Record valid until date, in unix nanoseconds timestamp format
 
 @gotags: bson:&#34;validUntilDate&#34; |
+| serial | [string](#string) |  | Serial number of the last certificat issued
+
+@gotags: bson:&#34;serial&#34; |
+| issuer_id | [string](#string) |  | Issuer id is calculated from the issuer&#39;s public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)
+
+@gotags: bson:&#34;issuerId&#34; |
 
 
 
@@ -145,7 +151,7 @@
 <a name="certificateauthority-pb-DeletedSigningRecords"></a>
 
 ### DeletedSigningRecords
-
+Revoke or delete certificates
 
 
 | Field | Type | Label | Description |

diff --git a/certificate-authority/pb/doc.html b/certificate-authority/pb/doc.html
@@ -346,14 +346,14 @@ <h3 id="certificateauthority.pb.CertificateAuthority">CertificateAuthority</h3>
                 <td>GetSigningRecords</td>
                 <td><a href="#certificateauthority.pb.GetSigningRecordsRequest">GetSigningRecordsRequest</a></td>
                 <td><a href="#certificateauthority.pb.SigningRecord">SigningRecord</a> stream</td>
-                <td><p>Get signed certficate records.</p></td>
+                <td><p>Get signed certificate records.</p></td>
               </tr>
 
               <tr>
                 <td>DeleteSigningRecords</td>
                 <td><a href="#certificateauthority.pb.DeleteSigningRecordsRequest">DeleteSigningRecordsRequest</a></td>
                 <td><a href="#certificateauthority.pb.DeletedSigningRecords">DeletedSigningRecords</a></td>
-                <td><p>Delete signed certficate records.</p></td>
+                <td><p>Revoke signed certficate or delete expired signed certificate records.</p></td>
               </tr>
 
           </tbody>
@@ -463,6 +463,24 @@ <h3 id="certificateauthority.pb.CredentialStatus">CredentialStatus</h3>
 @gotags: bson:&#34;validUntilDate&#34; </p></td>
                 </tr>
 
+                <tr>
+                  <td>serial</td>
+                  <td><a href="#string">string</a></td>
+                  <td></td>
+                  <td><p>Serial number of the last certificat issued
+
+@gotags: bson:&#34;serial&#34; </p></td>
+                </tr>
+
+                <tr>
+                  <td>issuer_id</td>
+                  <td><a href="#string">string</a></td>
+                  <td></td>
+                  <td><p>Issuer id is calculated from the issuer&#39;s public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)
+
+@gotags: bson:&#34;issuerId&#34; </p></td>
+                </tr>
+
             </tbody>
           </table>
 
@@ -502,7 +520,7 @@ <h3 id="certificateauthority.pb.DeleteSigningRecordsRequest">DeleteSigningRecord
 
 
         <h3 id="certificateauthority.pb.DeletedSigningRecords">DeletedSigningRecords</h3>
-        <p></p>
+        <p>Revoke or delete certificates</p>
 
 
           <table class="field-table">

diff --git a/certificate-authority/pb/service.proto b/certificate-authority/pb/service.proto
@@ -56,7 +56,7 @@ service CertificateAuthority {
     };
   }
 
-  // Get signed certficate records.
+  // Get signed certificate records.
   rpc GetSigningRecords (GetSigningRecordsRequest) returns (stream SigningRecord) {
     option (google.api.http) = {
       get: "/api/v1/signing/records"
@@ -66,7 +66,7 @@ service CertificateAuthority {
     };
   };
 
-  // Delete signed certficate records.
+  // Revoke signed certficate or delete expired signed certificate records.
   rpc DeleteSigningRecords (DeleteSigningRecordsRequest) returns (DeletedSigningRecords) {
     option (google.api.http) = {
       delete: "/api/v1/signing/records"

diff --git a/certificate-authority/pb/service.swagger.json b/certificate-authority/pb/service.swagger.json
@@ -98,7 +98,7 @@
     },
     "/api/v1/signing/records": {
       "get": {
-        "summary": "Get signed certficate records.",
+        "summary": "Get signed certificate records.",
         "operationId": "CertificateAuthority_GetSigningRecords",
         "responses": {
           "200": {
@@ -163,7 +163,7 @@
         ]
       },
       "delete": {
-        "summary": "Delete signed certficate records.",
+        "summary": "Revoke signed certficate or delete expired signed certificate records.",
         "operationId": "CertificateAuthority_DeleteSigningRecords",
         "responses": {
           "200": {
@@ -227,6 +227,16 @@
           "format": "int64",
           "description": "@gotags: bson:\"validUntilDate\"",
           "title": "Record valid until date, in unix nanoseconds timestamp format"
+        },
+        "serial": {
+          "type": "string",
+          "description": "@gotags: bson:\"serial\"",
+          "title": "Serial number of the last certificat issued"
+        },
+        "issuerId": {
+          "type": "string",
+          "description": "@gotags: bson:\"issuerId\"",
+          "title": "Issuer id is calculated from the issuer's public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)"
         }
       }
     },
@@ -238,7 +248,8 @@
           "format": "int64",
           "description": "Number of deleted records."
         }
-      }
+      },
+      "title": "Revoke or delete certificates"
     },
     "pbSignCertificateRequest": {
       "type": "object",

diff --git a/certificate-authority/pb/service_grpc.pb.go b/certificate-authority/pb/service_grpc.pb.go
diff --git a/certificate-authority/pb/signingRecords.go b/certificate-authority/pb/signingRecords.go
@@ -3,6 +3,7 @@ package pb
 import (
 	"errors"
 	"fmt"
+	"math/big"
 	"sort"
 
 	"github.com/google/uuid"
@@ -17,6 +18,26 @@ func (p SigningRecords) Sort() {
 	})
 }
 
+func (credential *CredentialStatus) Validate() error {
+	if credential.GetDate() == 0 {
+		return errors.New("empty signing credential date")
+	}
+	if credential.GetValidUntilDate() == 0 {
+		return errors.New("empty signing record credential expiration date")
+	}
+	if credential.GetCertificatePem() == "" {
+		return errors.New("empty signing record credential certificate")
+	}
+	serial := big.Int{}
+	if _, ok := serial.SetString(credential.GetSerial(), 10); !ok {
+		return errors.New("invalid signing record credential certificate serial number")
+	}
+	if _, err := uuid.Parse(credential.GetIssuerId()); err != nil {
+		return fmt.Errorf("invalid signing record issuer's ID(%v): %w", credential.GetIssuerId(), err)
+	}
+	return nil
+}
+
 func (signingRecord *SigningRecord) Marshal() ([]byte, error) {
 	return proto.Marshal(signingRecord)
 }
@@ -43,14 +64,9 @@ func (signingRecord *SigningRecord) Validate() error {
 	if signingRecord.GetOwner() == "" {
 		return errors.New("empty signing record owner")
 	}
-	if signingRecord.GetCredential() != nil && signingRecord.GetCredential().GetDate() == 0 {
-		return errors.New("empty signing credential date")
-	}
-	if signingRecord.GetCredential() != nil && signingRecord.GetCredential().GetValidUntilDate() == 0 {
-		return errors.New("empty signing record credential expiration date")
-	}
-	if signingRecord.GetCredential() != nil && signingRecord.GetCredential().GetCertificatePem() == "" {
-		return errors.New("empty signing record credential certificate")
+	credential := signingRecord.GetCredential()
+	if credential != nil {
+		return credential.Validate()
 	}
 	return nil
 }