Allowing CSR to take CRL url as input which can then be used on a certificate

Author: mitalirawat

csr/csr.go

@@ -139,6 +139,7 @@ type CertificateRequest struct {
 	CA           *CAConfig        `json:"ca,omitempty" yaml:"ca,omitempty"`
 	SerialNumber string           `json:"serialnumber,omitempty" yaml:"serialnumber,omitempty"`
 	Extensions   []pkix.Extension `json:"extensions,omitempty" yaml:"extensions,omitempty"`
+	CRL          string           `json:"crl_url,omitempty" yaml:"crl_url,omitempty"`
 }
 
 // New returns a new, empty CertificateRequest with a

initca/initca.go

@@ -69,6 +69,10 @@ func New(req *csr.CertificateRequest) (cert, csrPEM, key []byte, err error) {
 		}
 	}
 
+	if req.CRL != "" {
+		policy.Default.CRL = req.CRL
+	}
+
 	g := &csr.Generator{Validator: validator}
 	csrPEM, key, err = g.ProcessRequest(req)
 	if err != nil {

initca/initca_test.go

@@ -64,6 +64,7 @@ var invalidCryptoParams = []csr.KeyRequest{
 func TestInitCA(t *testing.T) {
 	var req *csr.CertificateRequest
 	hostname := "cloudflare.com"
+	crl := "http://crl.cloudflare.com/655c6a9b-01c6-4eea-bf21-be690cc315e0.crl" //cert_uuid.crl
 	for _, param := range validKeyParams {
 		for _, caconfig := range validCAConfigs {
 			req = &csr.CertificateRequest{
@@ -80,6 +81,7 @@ func TestInitCA(t *testing.T) {
 				Hosts:      []string{hostname, "www." + hostname},
 				KeyRequest: &param,
 				CA:         &caconfig,
+				CRL:        crl,
 			}
 			certBytes, _, keyBytes, err := New(req)
 			if err != nil {
@@ -94,6 +96,18 @@ func TestInitCA(t *testing.T) {
 				t.Fatal("InitCA cert parsing failed:", err)
 			}
 
+			// Verify if the CRL is set
+			crlSet := false
+			for _, certCrl := range cert.CRLDistributionPoints {
+				if certCrl == crl {
+					crlSet = true
+					break
+				}
+			}
+			if !crlSet {
+				t.Fatal("Missing CRL on certificate")
+			}
+
 			// Verify key parameters.
 			switch req.KeyRequest.Algo() {
 			case "rsa":
@@ -126,14 +140,15 @@ func TestInitCA(t *testing.T) {
 				}
 			}
 
-			// Replace the default CAPolicy with a test (short expiry) version.
+			// Replace the default CAPolicy with a test (short expiry) version and add a crl
 			CAPolicy = func() *config.Signing {
 				return &config.Signing{
 					Default: &config.SigningProfile{
 						Usage:        []string{"cert sign", "crl sign"},
 						ExpiryString: "300s",
 						Expiry:       300 * time.Second,
 						CAConstraint: config.CAConstraint{IsCA: true},
+						CRL:          crl,
 					},
 				}
 			}