github.com/hellobchain/third_party@v0.0.0-20230331131523-deb0478a2e52/cloudflare/cfssl/crl/crl.go (about) 1 // Package crl exposes Certificate Revocation List generation functionality 2 package crl 3 4 import ( 5 "crypto" 6 "crypto/rand" 7 "github.com/hellobchain/newcryptosm/x509" 8 "github.com/hellobchain/newcryptosm/x509/pkix" 9 "math/big" 10 "os" 11 "strconv" 12 "strings" 13 "time" 14 15 "github.com/hellobchain/third_party/cloudflare/cfssl/certdb" 16 "github.com/hellobchain/third_party/cloudflare/cfssl/helpers" 17 "github.com/hellobchain/third_party/cloudflare/cfssl/log" 18 ) 19 20 // NewCRLFromFile takes in a list of serial numbers, one per line, as well as the issuing certificate 21 // of the CRL, and the private key. This function is then used to parse the list and generate a CRL 22 func NewCRLFromFile(serialList, issuerFile, keyFile []byte, expiryTime string) ([]byte, error) { 23 24 var revokedCerts []pkix.RevokedCertificate 25 var oneWeek = time.Duration(604800) * time.Second 26 27 expiryInt, err := strconv.ParseInt(expiryTime, 0, 32) 28 if err != nil { 29 return nil, err 30 } 31 newDurationFromInt := time.Duration(expiryInt) * time.Second 32 newExpiryTime := time.Now().Add(newDurationFromInt) 33 if expiryInt == 0 { 34 newExpiryTime = time.Now().Add(oneWeek) 35 } 36 37 // Parse the PEM encoded certificate 38 issuerCert, err := helpers.ParseCertificatePEM(issuerFile) 39 if err != nil { 40 return nil, err 41 } 42 43 // Split input file by new lines 44 individualCerts := strings.Split(string(serialList), "\n") 45 46 // For every new line, create a new revokedCertificate and add it to slice 47 for _, value := range individualCerts { 48 if len(strings.TrimSpace(value)) == 0 { 49 continue 50 } 51 52 tempBigInt := new(big.Int) 53 tempBigInt.SetString(value, 10) 54 tempCert := pkix.RevokedCertificate{ 55 SerialNumber: tempBigInt, 56 RevocationTime: time.Now(), 57 } 58 revokedCerts = append(revokedCerts, tempCert) 59 } 60 61 strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD") 62 password := []byte(strPassword) 63 if strPassword == "" { 64 password = nil 65 } 66 67 // Parse the key given 68 key, err := helpers.ParsePrivateKeyPEMWithPassword(keyFile, password) 69 if err != nil { 70 log.Debug("Malformed private key %v", err) 71 return nil, err 72 } 73 74 return CreateGenericCRL(revokedCerts, key, issuerCert, newExpiryTime) 75 } 76 77 // NewCRLFromDB takes in a list of CertificateRecords, as well as the issuing certificate 78 // of the CRL, and the private key. This function is then used to parse the records and generate a CRL 79 func NewCRLFromDB(certs []certdb.CertificateRecord, issuerCert *x509.Certificate, key crypto.Signer, expiryTime time.Duration) ([]byte, error) { 80 var revokedCerts []pkix.RevokedCertificate 81 82 newExpiryTime := time.Now().Add(expiryTime) 83 84 // For every record, create a new revokedCertificate and add it to slice 85 for _, certRecord := range certs { 86 serialInt := new(big.Int) 87 serialInt.SetString(certRecord.Serial, 10) 88 tempCert := pkix.RevokedCertificate{ 89 SerialNumber: serialInt, 90 RevocationTime: certRecord.RevokedAt, 91 } 92 revokedCerts = append(revokedCerts, tempCert) 93 } 94 95 return CreateGenericCRL(revokedCerts, key, issuerCert, newExpiryTime) 96 } 97 98 // CreateGenericCRL is a helper function that takes in all of the information above, and then calls the createCRL 99 // function. This outputs the bytes of the created CRL. 100 func CreateGenericCRL(certList []pkix.RevokedCertificate, key crypto.Signer, issuingCert *x509.Certificate, expiryTime time.Time) ([]byte, error) { 101 crlBytes, err := issuingCert.CreateCRL(rand.Reader, key, certList, time.Now(), expiryTime) 102 if err != nil { 103 log.Debug("error creating CRL: %s", err) 104 } 105 106 return crlBytes, err 107 108 }