
Merge pull request #1129 from mitalirawat/mitali/SECENG-8092
Allow CertificateRequest to take a CRL URL as input, which is then placed in the CRL Distribution Points of the issued certificate
nickysemenza committed Sep 17, 2020
2 parents ca392c0 + beeced8 commit 046b174
Showing 3 changed files with 21 additions and 1 deletion.
1 change: 1 addition & 0 deletions csr/csr.go
Expand Up @@ -139,6 +139,7 @@ type CertificateRequest struct {
CA *CAConfig `json:"ca,omitempty" yaml:"ca,omitempty"`
SerialNumber string `json:"serialnumber,omitempty" yaml:"serialnumber,omitempty"`
Extensions []pkix.Extension `json:"extensions,omitempty" yaml:"extensions,omitempty"`
CRL string `json:"crl_url,omitempty" yaml:"crl_url,omitempty"`
}

// New returns a new, empty CertificateRequest with a
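Review bot: The new exported `CRL` field on `CertificateRequest` has no doc comment, and its name does not match the `crl_url` JSON/YAML key, so a reader of the struct cannot tell whether it holds a URL or CRL bytes. I would add `// CRL is the URL to place in the CRL Distribution Points extension of the issued certificate. It is copied verbatim, so callers must supply a well-formed absolute URL.` above the field. Nothing in this change parses or validates the value, so the doc comment is currently the only place that contract can be stated. The struct definition begins before this hunk.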
4 changes: 4 additions & 0 deletions initca/initca.go
Expand Up @@ -69,6 +69,10 @@ func New(req *csr.CertificateRequest) (cert, csrPEM, key []byte, err error) {
}
}

if req.CRL != "" {
policy.Default.CRL = req.CRL
}

g := &csr.Generator{Validator: validator}
csrPEM, key, err = g.ProcessRequest(req)
if err != nil {
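Review bot: `policy.Default.CRL = req.CRL` copies a caller-supplied string straight into what the test confirms becomes the certificate's CRL Distribution Points, with no check that it is an absolute URL, so a typo or a scheme-less value gets signed into a long-lived CA certificate that relying parties may then fail to fetch revocation data from. Since the request is the untrusted input here, I would reject anything that does not parse with a scheme and host before assigning it: `if u, err := url.Parse(req.CRL); err != nil || u.Scheme == "" || u.Host == "" {` / `return nil, nil, nil, fmt.Errorf("initca: invalid CRL distribution point URL %q", req.CRL)` / `}` (adding `net/url` to the imports, or using the package's usual error constructor). A short comment noting that a request CRL overrides whatever the selected CAPolicy profile already carried would also help. `New` begins and ends outside this hunk and I cannot see where `policy` is obtained, so whether it is a per-call value or shared state should be confirmed before mutating it.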
17 changes: 16 additions & 1 deletion initca/initca_test.go
Expand Up @@ -64,6 +64,7 @@ var invalidCryptoParams = []csr.KeyRequest{
func TestInitCA(t *testing.T) {
var req *csr.CertificateRequest
hostname := "cloudflare.com"
crl := "http://crl.cloudflare.com/655c6a9b-01c6-4eea-bf21-be690cc315e0.crl" //cert_uuid.crl
for _, param := range validKeyParams {
for _, caconfig := range validCAConfigs {
req = &csr.CertificateRequest{
Expand All @@ -80,6 +81,7 @@ func TestInitCA(t *testing.T) {
Hosts: []string{hostname, "www." + hostname},
KeyRequest: &param,
CA: &caconfig,
CRL: crl,
}
certBytes, _, keyBytes, err := New(req)
if err != nil {
Expand All @@ -94,6 +96,18 @@ func TestInitCA(t *testing.T) {
t.Fatal("InitCA cert parsing failed:", err)
}

// Verify if the CRL is set
crlSet := false
for _, certCrl := range cert.CRLDistributionPoints {
if certCrl == crl {
crlSet = true
break
}
}
if !crlSet {
t.Fatal("Missing CRL on certificate")
}

// Verify key parameters.
switch req.KeyRequest.Algo() {
case "rsa":
Expand Down Expand Up @@ -126,14 +140,15 @@ func TestInitCA(t *testing.T) {
}
}

// Replace the default CAPolicy with a test (short expiry) version.
// Replace the default CAPolicy with a test (short expiry) version and add a crl
CAPolicy = func() *config.Signing {
return &config.Signing{
Default: &config.SigningProfile{
Usage: []string{"cert sign", "crl sign"},
ExpiryString: "300s",
Expiry: 300 * time.Second,
CAConstraint: config.CAConstraint{IsCA: true},
CRL: crl,
},
}
}
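Review bot: The new assertion over `cert.CRLDistributionPoints` only covers requests that set a CRL, so the `req.CRL == ""` branch of the change is untested and a regression that left a URL on certificates whose request had none would pass. I would add one iteration with `CRL: ""` that asserts `len(cert.CRLDistributionPoints) == 0`, and use a different URL in the later CAPolicy override than in the request so any check after that override can tell which source the value came from. The trailing `//cert_uuid.crl` on the `crl` variable is cryptic; `// example CRL distribution point; the path component is a per-certificate UUID` says what it means. TestInitCA continues beyond the end of this section.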
