| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 |
- // Package crl implements the HTTP handler for the crl command.
- package crl
- import (
- "crypto"
- "crypto/x509"
- "net/http"
- "os"
- "time"
- "github.com/cloudflare/cfssl/api"
- "github.com/cloudflare/cfssl/certdb"
- "github.com/cloudflare/cfssl/crl"
- "github.com/cloudflare/cfssl/errors"
- "github.com/cloudflare/cfssl/helpers"
- "github.com/cloudflare/cfssl/log"
- )
- // A Handler accepts requests with a serial number parameter
- // and revokes
- type Handler struct {
- dbAccessor certdb.Accessor
- ca *x509.Certificate
- key crypto.Signer
- }
- // NewHandler returns a new http.Handler that handles a revoke request.
- func NewHandler(dbAccessor certdb.Accessor, caPath string, caKeyPath string) (http.Handler, error) {
- ca, err := helpers.ReadBytes(caPath)
- if err != nil {
- return nil, err
- }
- caKey, err := helpers.ReadBytes(caKeyPath)
- if err != nil {
- return nil, errors.Wrap(errors.PrivateKeyError, errors.ReadFailed, err)
- }
- // Parse the PEM encoded certificate
- issuerCert, err := helpers.ParseCertificatePEM(ca)
- if err != nil {
- return nil, err
- }
- strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")
- password := []byte(strPassword)
- if strPassword == "" {
- password = nil
- }
- // Parse the key given
- key, err := helpers.ParsePrivateKeyPEMWithPassword(caKey, password)
- if err != nil {
- log.Debug("malformed private key %v", err)
- return nil, err
- }
- return &api.HTTPHandler{
- Handler: &Handler{
- dbAccessor: dbAccessor,
- ca: issuerCert,
- key: key,
- },
- Methods: []string{"GET"},
- }, nil
- }
- // Handle responds to revocation requests. It attempts to revoke
- // a certificate with a given serial number
- func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
- var newExpiryTime = 7 * helpers.OneDay
- certs, err := h.dbAccessor.GetRevokedAndUnexpiredCertificates()
- if err != nil {
- return err
- }
- queryExpiryTime := r.URL.Query().Get("expiry")
- if queryExpiryTime != "" {
- log.Infof("requested expiry time of %s", queryExpiryTime)
- newExpiryTime, err = time.ParseDuration(queryExpiryTime)
- if err != nil {
- return err
- }
- }
- result, err := crl.NewCRLFromDB(certs, h.ca, h.key, newExpiryTime)
- if err != nil {
- return err
- }
- return api.SendResponse(w, result)
- }
|
