revoke: implement thread-safe compatibility and local file CRL

[kayrus]

subj

[codecov-io]

Current coverage is 58.39% (diff: 62.06%)

Merging #637 into master will increase coverage by 0.08%

@@             master       #637   diff @@
==========================================
  Files            74         74          
  Lines          6404       6526   +122   
  Methods           0          0          
  Messages          0          0          
  Branches          0          0          
==========================================
+ Hits           3734       3811    +77   
- Misses         2311       2350    +39   
- Partials        359        365     +6   

Powered by Codecov. Last update 4a47280...552dcad

[kisom]

Maybe this should use the file: scheme?

[kayrus]

file scheme doesn't work with ioutil.ReadFile. And do you really want to convert regular path to file:// and then convert it back for ReadFile?

[kisom]

If you have a file:// URL, wouldn't the Path field work for the file name? RFC 5280 has a number of options for CRL distribution points, and the one that seems most relevant is a URI (other options include directory names, e.g. for LDAP, or nameRelativeToIssuer). It seems then that the file scheme is the most appropriate. If it's a local file, wouldn't it make sense to put it in CRLSet as a URI, not a plain path?

[lziest]

I agree with @kisom, we need to be RFC compatible. We need to use URI here.

[kayrus]

@lziest RFC explains the certificate extension, and there is nothing about the local file. In our situation we set CRL path from the app and it doesn't relate to this RFC.

[kayrus]

@lziest @kisom added file:/// scheme support

[kayrus]

@kisom I also would like to remove the github.com/cloudflare/cfssl/log from include to allow external app to use its own logger (not quite sure how to implement that, any clue?). And make HardFail to be an option for functions to make it independent for multiple subapps/threads.

[kisom]

@kayrus I don't really have a problem with removing log except that it's useful for debugging --- if you have a good way around that, I'm all ears. I'm also fine with making HardFail an option. It might be useful to make a revocation configuration structure instead and add the checking functions onto that as methods, or make the functions accept that structure (e.g. crypto/x509's VerifyOptions).

[kayrus]

@kisom added few improvements, could you please check?

[kisom]

Per Go package conventions, this can just be New.

[kayrus]

Fixed

[lziest]

prefer a named initialization: {
HardFail : false,
...
}

[lziest]

this insertLocalCRL and test again isn't giving any more line coverage, restore it to the original state.

[kayrus]

fixed

[kayrus]

Will push commits fixing the issues soon.

[kayrus]

@lziest please have a look once again. i've reworked lock logic. it is not optimized for remote URL fetching, but it is completely safe now.

[kayrus]

@lziest do you have any news on this PR? I'd like CRL stuff to be merged into k8s v1.4. This PR is a blocker.

[lziest]

sorry, I don't have time to review it until next week.

[kayrus]

@lziest np. thanks for letting know.

[lziest]

why return error with nil CRL? nil CRL is fine, right? It means empty list.

[kayrus]

ParseCRL returns ParseDERCRL (https://golang.org/src/crypto/x509/x509.go?s=51887:51948#L1647). ParseDERCRL returns crl=nil only when there is an error. I don't know whether new golang releases would return something else. That is why I added extra check. If you think I have to remove this check, so ok.

[lziest]

Let's start fresh. I will close this, and please re-submit with a separate PR.