From beeced861039dcb4f2f378ed9efcb8ac71e766e4 Mon Sep 17 00:00:00 2001
From: Mitali Rawat
Date: Wed, 16 Sep 2020 13:37:58 -0700
Subject: [PATCH] Allowing CSR to take CRL url as input which can then be used on a certificate

---
 csr/csr.go | 1 +
 initca/initca.go | 4 ++++
 initca/initca_test.go | 17 ++++++++++++++++-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/csr/csr.go b/csr/csr.go
index d8b8b9c65..844bc282d 100644
--- a/csr/csr.go
+++ b/csr/csr.go
@@ -139,6 +139,7 @@ type CertificateRequest struct {
 	CA *CAConfig `json:"ca,omitempty" yaml:"ca,omitempty"`
 	SerialNumber string `json:"serialnumber,omitempty" yaml:"serialnumber,omitempty"`
 	Extensions []pkix.Extension `json:"extensions,omitempty" yaml:"extensions,omitempty"`
+	CRL string `json:"crl_url,omitempty" yaml:"crl_url,omitempty"`
 }
 
 // New returns a new, empty CertificateRequest with a
diff --git a/initca/initca.go b/initca/initca.go
index 2cdc0925f..40a608502 100644
--- a/initca/initca.go
+++ b/initca/initca.go
@@ -69,6 +69,10 @@ func New(req *csr.CertificateRequest) (cert, csrPEM, key []byte, err error) {
 		}
 	}
 
+	if req.CRL != "" {
+		policy.Default.CRL = req.CRL
+	}
+
 	g := &csr.Generator{Validator: validator}
 	csrPEM, key, err = g.ProcessRequest(req)
 	if err != nil {
diff --git a/initca/initca_test.go b/initca/initca_test.go
index 04fc13280..19664e539 100644
--- a/initca/initca_test.go
+++ b/initca/initca_test.go
@@ -64,6 +64,7 @@ var invalidCryptoParams = []csr.KeyRequest{
 func TestInitCA(t *testing.T) {
 	var req *csr.CertificateRequest
 	hostname := "cloudflare.com"
+	crl := "http://crl.cloudflare.com/655c6a9b-01c6-4eea-bf21-be690cc315e0.crl" //cert_uuid.crl
 	for _, param := range validKeyParams {
 		for _, caconfig := range validCAConfigs {
 			req = &csr.CertificateRequest{
@@ -80,6 +81,7 @@ func TestInitCA(t *testing.T) {
 				Hosts: []string{hostname, "www." + hostname},
 				KeyRequest: ¶m,
 				CA: &caconfig,
+				CRL: crl,
 			}
 			certBytes, _, keyBytes, err := New(req)
 			if err != nil {
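Review bot: The new `CRL` field on `CertificateRequest` has no doc comment and, within this patch, no validation in the csr package — the string is passed through unchanged, so a relative path or a non-URL ends up in the certificate's CRL Distribution Points extension unchecked. Add a comment stating the contract, e.g. `// CRL is the absolute URL written into the CRL Distribution Points extension of the CA certificate that initca.New issues; the csr package does not validate it.` If `CertificateRequest` is also the type decoded from cfssl's API request bodies (not visible in this hunk), the `crl_url` key is now accepted from remote callers too, even though only `initca.New` acts on it in this patch. The Go name `CRL` and the JSON/YAML key `crl_url` also disagree about whether this is a CRL or its URL; `CRLURL` would read unambiguously.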
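Review bot: `req.CRL` is copied into `policy.Default.CRL` with no check that it is an absolute URI, and the resulting value is embedded in a root CA certificate — crypto/x509 writes `CRLDistributionPoints` strings into the GeneralName verbatim, so a typo, a relative path or a `file:` scheme becomes part of a certificate that is expensive to reissue. Reject anything that does not parse as an absolute URL before touching the policy; this needs `net/url` (and `fmt`, if initca.go does not already import it or use its own error helper). `New`'s body, including where `policy` is built, starts before this hunk and continues after it.

```go
	if req.CRL != "" {
		// A CRL distribution point must be an absolute URI; crypto/x509 copies the
		// string into the extension as-is, and a bad value in a root CA means reissuing it.
		if parsed, perr := url.Parse(req.CRL); perr != nil || !parsed.IsAbs() {
			return nil, nil, nil, fmt.Errorf("initca: invalid CRL distribution point URL %q", req.CRL)
		}
		policy.Default.CRL = req.CRL
	}
	// … unchanged: CSR generation and signing …
```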
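Review bot: The trailing comment `//cert_uuid.crl` on the new `crl` literal does not tell a reader what the value is for or whether its shape matters. Since the test later only checks that this exact string appears in `cert.CRLDistributionPoints`, say so: `// Arbitrary but well-formed CRL distribution point URL; the UUID path segment presumably stands in for a per-certificate CRL file name and is not interpreted by the code under test.` The assignment sits inside `TestInitCA`, whose body continues beyond this hunk.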
@@ -94,6 +96,18 @@ func TestInitCA(t *testing.T) {
 				t.Fatal("InitCA cert parsing failed:", err)
 			}
 
+			// Verify if the CRL is set
+			crlSet := false
+			for _, certCrl := range cert.CRLDistributionPoints {
+				if certCrl == crl {
+					crlSet = true
+					break
+				}
+			}
+			if !crlSet {
+				t.Fatal("Missing CRL on certificate")
+			}
+
 			// Verify key parameters.
 			switch req.KeyRequest.Algo() {
 			case "rsa":
@@ -126,7 +140,7 @@ func TestInitCA(t *testing.T) {
 		}
 	}
 
-	// Replace the default CAPolicy with a test (short expiry) version.
+	// Replace the default CAPolicy with a test (short expiry) version and add a crl
 	CAPolicy = func() *config.Signing {
 		return &config.Signing{
 			Default: &config.SigningProfile{
@@ -134,6 +148,7 @@ func TestInitCA(t *testing.T) {
 				ExpiryString: "300s",
 				Expiry: 300 * time.Second,
 				CAConstraint: config.CAConstraint{IsCA: true},
+				CRL: crl,
 			},
 		}
 	}
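Review bot: The added check only proves the URL appears somewhere in `cert.CRLDistributionPoints`; it would still pass if the signer emitted the distribution point twice or alongside a stale policy value, and nothing exercises the negative case where `req.CRL` is empty and no extension should be added. Pin the exact extension instead of scanning: `if dps := cert.CRLDistributionPoints; len(dps) != 1 || dps[0] != crl { t.Fatalf("CRLDistributionPoints = %q, want [%q]", dps, crl) }`. A second request without `CRL` set, asserting `len(cert.CRLDistributionPoints) == 0`, would cover the default path that existing callers rely on. This check sits inside the `validKeyParams`/`validCAConfigs` loops of `TestInitCA`, which start before the hunk.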
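Review bot: Setting the test `CAPolicy`'s `Default.CRL` to the same `crl` string the requests use means any later assertion on the distribution point cannot tell whether `req.CRL` or the policy default produced it, so the override in `initca.New` is not actually distinguished by the tests that follow (they are outside this hunk). Use a different URL for the policy, e.g. `CRL: "http://crl.example.test/policy-default.crl",`, and assert which one wins when both are set; that also documents the intended precedence (request over policy default) in code. The comment change in the preceding hunk should name that precedence too, e.g. `// … version with a policy-level CRL that the request's crl_url is expected to override.`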