fixup! Implement Certificate Revocation List

plgd-dev · Sep 24, 2024 · 5ab9db9 · 5ab9db9
1 parent 0efe52b
commit 5ab9db9
Show file tree

Hide file tree

Showing 13 changed files with 259 additions and 134 deletions.
diff --git a/certificate-authority/service/http/revocationList.go b/certificate-authority/service/http/revocationList.go
@@ -1,54 +1,54 @@
 package http
 
 import (
-	"context"
 	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/x509"
 	"math/big"
 	"net/http"
 	"time"
 
+	"github.com/gorilla/mux"
 	"github.com/plgd-dev/hub/v2/certificate-authority/store"
 	pkgHttp "github.com/plgd-dev/hub/v2/pkg/net/http"
+	pkgTime "github.com/plgd-dev/hub/v2/pkg/time"
 )
 
 var revocationListNumber = big.NewInt(0)
 
 func (requestHandler *RequestHandler) revocationList(w http.ResponseWriter, r *http.Request) {
-	var rl []x509.RevocationListEntry
-	err := requestHandler.store.LoadSigningRecords(r.Context(), "", nil, func(ctx context.Context, iter store.SigningRecordIter) (err error) {
-		for {
-			var sr store.SigningRecord
-			if !iter.Next(ctx, &sr) {
-				break
+	vars := mux.Vars(r)
+	issuerID := vars[IssuerIDKey]
+
+	var rles []x509.RevocationListEntry
+	err := requestHandler.store.GetRevokedCertificates(r.Context(), store.CertificatesQuery{
+		IssuerIdFilter: []string{issuerID},
+	}, func(rl *store.RevocationList) error {
+		for _, c := range rl.Certificates {
+			var sn big.Int
+			_, ok := sn.SetString(c.Serial, 10)
+			if !ok {
+				panic("invalid serial number string " + c.Serial)
 			}
-			// revoked := sr.GetCredential().GetRevoked()
-			// if !revoked.GetFlag() {
-			// 	continue
-			// }
-			// var sn big.Int
-			// _, ok := sn.SetString(sr.GetCredential().GetSerial(), 10)
-			// if !ok {
-			// 	continue
-			// }
-			// rl = append(rl, x509.RevocationListEntry{
-			// 	SerialNumber:   &sn,
-			// 	RevocationTime: pkgTime.Unix(revoked.GetTimestamp(), 0),
-			// })
+			rles = append(rles, x509.RevocationListEntry{
+				SerialNumber:   &sn,
+				RevocationTime: pkgTime.Unix(0, c.Revocation),
+			})
 		}
-		return iter.Err()
+		return nil
 	})
+	// TODO: remove panics
 	if err != nil {
 		panic(err)
 	}
 
 	issuingCert := requestHandler.cas.GetSigner().GetCertificate()
-	// TODO check issuingCert for nil
-
+	if issuingCert == nil {
+		panic("issuer certificate not set")
+	}
 	now := time.Now()
 	template := &x509.RevocationList{
-		RevokedCertificateEntries: rl,
+		RevokedCertificateEntries: rles,
 		Number:                    revocationListNumber,
 		ThisUpdate:                now,
 		NextUpdate:                now.Add(time.Minute * 10), // TODO: pridat konfiguraciu, default napr. 10min

diff --git a/certificate-authority/service/http/revocationList_test.go b/certificate-authority/service/http/revocationList_test.go
@@ -2,63 +2,55 @@ package http_test
 
 import (
 	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/x509"
-	"fmt"
 	"io"
 	"net/http"
 	"testing"
 	"time"
 
-	"github.com/plgd-dev/device/v2/pkg/security/generateCertificate"
-	"github.com/plgd-dev/hub/v2/certificate-authority/pb"
 	certAuthHttp "github.com/plgd-dev/hub/v2/certificate-authority/service/http"
+	"github.com/plgd-dev/hub/v2/certificate-authority/store"
+	"github.com/plgd-dev/hub/v2/certificate-authority/test"
+	caService "github.com/plgd-dev/hub/v2/certificate-authority/test"
 	httpgwTest "github.com/plgd-dev/hub/v2/http-gateway/test"
+	"github.com/plgd-dev/hub/v2/pkg/config/database"
 	pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc"
 	"github.com/plgd-dev/hub/v2/test/config"
 	oauthTest "github.com/plgd-dev/hub/v2/test/oauth-server/test"
-	"github.com/plgd-dev/hub/v2/test/service"
+	testService "github.com/plgd-dev/hub/v2/test/service"
 	"github.com/stretchr/testify/require"
 )
 
 func TestRevocationList(t *testing.T) {
+	if config.ACTIVE_DATABASE() == database.CqlDB {
+		t.Skip("revocation list not supported for CqlDB")
+	}
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*3600)
 	defer cancel()
 
-	tearDown := service.SetUp(ctx, t)
-	defer tearDown()
+	shutDown := testService.SetUpServices(context.Background(), t, testService.SetUpServicesOAuth|testService.SetUpServicesMachine2MachineOAuth)
+	defer shutDown()
+	caShutdown := caService.New(t, caService.MakeConfig(t))
+	defer caShutdown()
+	s, cleanUpStore := test.NewStore(t)
+	defer cleanUpStore()
+
 	token := oauthTest.GetDefaultAccessToken(t)
 	ctx = pkgGrpc.CtxWithToken(ctx, token)
 
-	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	test.AddRevocationListToStore(ctx, t, s, time.Now())
+	err := s.RevokeCertificates(ctx, store.CertificatesQuery{})
 	require.NoError(t, err)
-	var cfg generateCertificate.Configuration
-	cfg.Subject.CommonName = "aa"
-	csr, err := generateCertificate.GenerateCSR(cfg, priv)
-	require.NoError(t, err)
-
-	req := &pb.SignCertificateRequest{
-		CertificateSigningRequest: csr,
-	}
-	var resp pb.SignCertificateResponse
-	err = httpDoSign(ctx, t, certAuthHttp.SignCertificate, req, &resp)
-	require.NoError(t, err)
-
-	time.Sleep(time.Second)
 
-	request := httpgwTest.NewRequest(http.MethodGet, certAuthHttp.SigningRevocationList, nil).Host(config.CERTIFICATE_AUTHORITY_HTTP_HOST).AuthToken(token).Build()
+	request := httpgwTest.NewRequest(http.MethodGet, certAuthHttp.SigningRevocationList, nil).Host(config.CERTIFICATE_AUTHORITY_HTTP_HOST).AuthToken(token).AddIssuerID(test.GetIssuerID(2)).Build()
 	httpResp := httpgwTest.HTTPDo(t, request)
 	respBody, err := io.ReadAll(httpResp.Body)
 	require.NoError(t, err)
 	err = httpResp.Body.Close()
 	require.NoError(t, err)
-	fmt.Printf("%v\n", respBody)
 
-	crl, err := x509.ParseRevocationList(respBody)
+	_, err = x509.ParseRevocationList(respBody)
 	require.NoError(t, err)
-	fmt.Printf("%v\n", crl.RevokedCertificateEntries)
 
 	time.Sleep(time.Minute)
 }
diff --git a/certificate-authority/service/http/service.go b/certificate-authority/service/http/service.go
@@ -28,7 +28,7 @@ func New(serviceName string, config Config, s store.Store, ca *grpcService.Certi
 	whiteList := []pkgHttpJwt.RequestMatcher{
 		{
 			Method: http.MethodGet,
-			URI:    regexp.MustCompile(regexp.QuoteMeta(SigningRevocationList)),
+			URI:    regexp.MustCompile(regexp.QuoteMeta("/api/v1/signing/crl") + `\/.*`),
 		},
 	}
 

diff --git a/certificate-authority/service/http/uri.go b/certificate-authority/service/http/uri.go
@@ -3,15 +3,17 @@ package http
 import "strings"
 
 const (
-	api  string = "/api/v1"
-	sign string = api + "/sign"
+	API  string = "/api/v1"
+	Sign string = API + "/sign"
 
-	SignIdentityCertificate string = sign + "/identity-csr"
-	SignCertificate         string = sign + "/csr"
+	SignIdentityCertificate string = Sign + "/identity-csr"
+	SignCertificate         string = Sign + "/csr"
 
-	SigningRevocationList string = api + "/signing/crl"
+	IssuerIDKey = "issuerId"
+
+	SigningRevocationList string = API + "/signing/crl/{" + IssuerIDKey + "}"
 )
 
 var queryCaseInsensitive = map[string]string{
-	strings.ToLower(SigningRevocationList): SigningRevocationList,
+	strings.ToLower(IssuerIDKey): IssuerIDKey,
 }
diff --git a/certificate-authority/store/cqldb/revocationList.go b/certificate-authority/store/cqldb/revocationList.go
@@ -10,6 +10,10 @@ func (s *Store) InsertRevocationLists(context.Context, ...*store.RevocationList)
 	return store.ErrNotSupported
 }
 
+func (s *Store) RevokeCertificates(context.Context, store.CertificatesQuery) error {
+	return store.ErrNotSupported
+}
+
 func (s *Store) GetExpiredCertificates(context.Context, store.ExpiredCertificatesQuery, store.Process[store.RevocationList]) error {
 	return store.ErrNotSupported
 }