fixup! Implement Certificate Revocation List

certificate-authority/config.yaml

@@ -68,10 +68,6 @@ clients:
         keyFile: "/secrets/private/cert.key"
         certFile: "/secrets/public/cert.crt"
         useSystemCAPool: false
-      bulkWrite:
-        timeout: 1m0s
-        throttleTime: 500ms
-        documentLimit: 1000
     cqlDB:
       table: "signedCertificateRecords"
       hosts: []

certificate-authority/pb/README.md

@@ -120,6 +120,12 @@
 | valid_until_date | [int64](#int64) |  | Record valid until date, in unix nanoseconds timestamp format
 
 @gotags: bson:"validUntilDate" |
+| serial | [string](#string) |  | Serial number of the last certificat issued
+
+@gotags: bson:"serial" |
+| issuer_id | [string](#string) |  | Issuer id is calculated from the issuer's public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)
+
+@gotags: bson:"issuerId" |
 
 
 

certificate-authority/pb/doc.html

@@ -463,6 +463,24 @@ <h3 id="certificateauthority.pb.CredentialStatus">CredentialStatus</h3>
 @gotags: bson:&#34;validUntilDate&#34; </p></td>
                 </tr>
 
+                <tr>
+                  <td>serial</td>
+                  <td><a href="#string">string</a></td>
+                  <td></td>
+                  <td><p>Serial number of the last certificat issued
+
+@gotags: bson:&#34;serial&#34; </p></td>
+                </tr>
+
+                <tr>
+                  <td>issuer_id</td>
+                  <td><a href="#string">string</a></td>
+                  <td></td>
+                  <td><p>Issuer id is calculated from the issuer&#39;s public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)
+
+@gotags: bson:&#34;issuerId&#34; </p></td>
+                </tr>
+
             </tbody>
           </table>
 

certificate-authority/pb/service.swagger.json

@@ -227,6 +227,16 @@
           "format": "int64",
           "description": "@gotags: bson:\"validUntilDate\"",
           "title": "Record valid until date, in unix nanoseconds timestamp format"
+        },
+        "serial": {
+          "type": "string",
+          "description": "@gotags: bson:\"serial\"",
+          "title": "Serial number of the last certificat issued"
+        },
+        "issuerId": {
+          "type": "string",
+          "description": "@gotags: bson:\"issuerId\"",
+          "title": "Issuer id is calculated from the issuer's public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)"
         }
       }
     },

certificate-authority/pb/signingRecords.proto

@@ -20,6 +20,10 @@ message CredentialStatus {
   string certificate_pem = 2; // @gotags: bson:"identityCertificate"
   // Record valid until date, in unix nanoseconds timestamp format
   int64 valid_until_date = 3; // @gotags: bson:"validUntilDate"
+  // Serial number of the last certificat issued
+  string serial = 4;  // @gotags: bson:"serial"
+  // Issuer id is calculated from the issuer's public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)
+  string issuer_id = 5; // @gotags: bson:"issuerId"
 }
 
 message SigningRecord  {

certificate-authority/service/grpc/signCertificate.go

@@ -26,7 +26,7 @@ func (s *CertificateAuthorityServer) validateRequest(csr []byte) error {
 	return nil
 }
 
-func (s *CertificateAuthorityServer) updateSigningIdentityCertificateRecord(ctx context.Context, updateSigningRecord *pb.SigningRecord) error {
+func (s *CertificateAuthorityServer) updateSigningIdentityCertificateRecord(ctx context.Context, updateSigningRecord *pb.SigningRecord) (*pb.SigningRecord, error) {
 	var found bool
 	now := time.Now().UnixNano()
 	err := s.store.LoadSigningRecords(ctx, updateSigningRecord.GetOwner(), &store.SigningRecordsQuery{
@@ -46,15 +46,15 @@ func (s *CertificateAuthorityServer) updateSigningIdentityCertificateRecord(ctx
 		return nil
 	})
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if found {
 		return s.store.UpdateSigningRecord(ctx, updateSigningRecord)
 	}
-	return s.store.CreateSigningRecord(ctx, updateSigningRecord)
+	return nil, s.store.CreateSigningRecord(ctx, updateSigningRecord)
 }
 
-func toSigningRecord(owner string, template *x509.Certificate) (*pb.SigningRecord, error) {
+func toSigningRecord(owner, issuerID string, template *x509.Certificate) (*pb.SigningRecord, error) {
 	publicKeyRaw, err := x509.MarshalPKIXPublicKey(template.PublicKey)
 	if err != nil {
 		return nil, err
@@ -82,11 +82,13 @@ func toSigningRecord(owner string, template *x509.Certificate) (*pb.SigningRecor
 			CertificatePem: "",
 			Date:           now,
 			ValidUntilDate: template.NotAfter.UnixNano(),
+			Serial:         template.SerialNumber.String(),
+			IssuerId:       issuerID,
 		},
 	}, nil
 }
 
-func (s *CertificateAuthorityServer) updateSigningRecord(ctx context.Context, signingRecord *pb.SigningRecord) error {
+func (s *CertificateAuthorityServer) updateSigningRecord(ctx context.Context, signingRecord *pb.SigningRecord) (*pb.SigningRecord, error) {
 	var checkForIdentity bool
 	if signingRecord.GetDeviceId() != "" && signingRecord.GetDeviceId() != signingRecord.GetOwner() {
 		checkForIdentity = true
@@ -111,14 +113,27 @@ func (s *CertificateAuthorityServer) SignCertificate(ctx context.Context, req *p
 	if err != nil {
 		return nil, logger.LogAndReturnError(status.Errorf(codes.InvalidArgument, fmtError, err))
 	}
-	if signingRecord.GetCredential() == nil {
-		return nil, logger.LogAndReturnError(status.Errorf(codes.InvalidArgument, "cannot sign certificate: cannot create signing record"))
+	credential := signingRecord.GetCredential()
+	if credential == nil {
+		return nil, logger.LogAndReturnError(status.Errorf(codes.InvalidArgument, fmtError, errors.New("cannot create signing record")))
 	}
-	signingRecord.Credential.CertificatePem = string(cert)
-	if err := s.updateSigningRecord(ctx, signingRecord); err != nil {
+	credential.CertificatePem = string(cert)
+	replacedRecord, err := s.updateSigningRecord(ctx, signingRecord)
+	if err != nil {
 		return nil, logger.LogAndReturnError(status.Errorf(codes.InvalidArgument, fmtError, err))
 	}
 	logger.With("crt", string(cert)).Debugf("CertificateAuthorityServer.SignCertificate")
+	replacedCredential := replacedRecord.GetCredential()
+	if replacedRecord != nil {
+		err = s.store.AddRevocationListCertificate(ctx, replacedCredential.GetIssuerId(), &store.RevocationListCertificate{
+			Serial:     replacedCredential.GetSerial(),
+			Expiration: replacedCredential.GetValidUntilDate(),
+			Revocation: time.Now().UnixNano(),
+		})
+		if err != nil {
+			// TODO: what to do here? remove the new signing record? restore the original?
+		}
+	}
 
 	return &pb.SignCertificateResponse{
 		Certificate: cert,

certificate-authority/service/grpc/signIdentityCertificate.go

@@ -5,8 +5,10 @@ import (
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
+	"time"
 
 	"github.com/plgd-dev/hub/v2/certificate-authority/pb"
+	"github.com/plgd-dev/hub/v2/certificate-authority/store"
 	"github.com/plgd-dev/hub/v2/identity-store/events"
 	"github.com/plgd-dev/hub/v2/pkg/net/grpc"
 	"google.golang.org/grpc/codes"
@@ -56,10 +58,22 @@ func (s *CertificateAuthorityServer) SignIdentityCertificate(ctx context.Context
 		return nil, logger.LogAndReturnError(status.Errorf(codes.InvalidArgument, fmtError, "cannot create signing record"))
 	}
 	signingRecord.Credential.CertificatePem = string(cert)
-	if err := s.updateSigningRecord(ctx, signingRecord); err != nil {
+	replacedRecord, err := s.updateSigningRecord(ctx, signingRecord)
+	if err != nil {
 		return nil, logger.LogAndReturnError(status.Errorf(codes.InvalidArgument, fmtError, err))
 	}
 	logger.With("crt", string(cert)).Debugf("CertificateAuthorityServer.SignIdentityCertificate")
+	replacedCredential := replacedRecord.GetCredential()
+	if replacedCredential != nil {
+		err = s.store.AddRevocationListCertificate(ctx, replacedCredential.GetIssuerId(), &store.RevocationListCertificate{
+			Serial:     replacedCredential.GetSerial(),
+			Expiration: replacedCredential.GetValidUntilDate(),
+			Revocation: time.Now().UnixNano(),
+		})
+		if err != nil {
+			// TODO: what to do here? remove the new signing record? restore the original?
+		}
+	}
 
 	return &pb.SignCertificateResponse{
 		Certificate: cert,