diff options
| author | Niall Sheridan <nsheridan@gmail.com> | 2016-07-31 20:41:52 +0100 |
|---|---|---|
| committer | Niall Sheridan <nsheridan@gmail.com> | 2016-07-31 21:18:55 +0100 |
| commit | 531f63e5a9e82d86a6ee1f5d44bebee0bc51d828 (patch) | |
| tree | 882b6dfb10c4db96b9e983fd6112a29d227a416a /server | |
| parent | 44fef1c2a163bdfd781ef08a06e3cf5cf9b7d5da (diff) | |
Use a KRL for revoked certs
Diffstat (limited to 'server')
| -rw-r--r-- | server/signer/signer.go | 18 | ||||
| -rw-r--r-- | server/signer/signer_test.go | 31 |
2 files changed, 49 insertions, 0 deletions
diff --git a/server/signer/signer.go b/server/signer/signer.go index 8169c11..0bff1c3 100644 --- a/server/signer/signer.go +++ b/server/signer/signer.go @@ -13,6 +13,8 @@ import ( "github.com/nsheridan/cashier/lib" "github.com/nsheridan/cashier/server/config" + "github.com/nsheridan/cashier/server/store" + "github.com/stripe/krl" "golang.org/x/crypto/ssh" ) @@ -51,6 +53,22 @@ func (s *KeySigner) SignUserKey(req *lib.SignRequest) (*ssh.Certificate, error) return cert, nil } +// GenerateRevocationList returns an SSH key revocation list (KRL). +func (s *KeySigner) GenerateRevocationList(certs []*store.CertRecord) ([]byte, error) { + revoked := &krl.KRLCertificateSection{ + CA: s.ca.PublicKey(), + } + ids := krl.KRLCertificateKeyID{} + for _, c := range certs { + ids = append(ids, c.KeyID) + } + revoked.Sections = append(revoked.Sections, &ids) + k := &krl.KRL{ + Sections: []krl.KRLSection{revoked}, + } + return k.Marshal(rand.Reader) +} + func makeperms(perms []string) map[string]string { if len(perms) > 0 { m := make(map[string]string) diff --git a/server/signer/signer_test.go b/server/signer/signer_test.go index a80e64a..9c76f4b 100644 --- a/server/signer/signer_test.go +++ b/server/signer/signer_test.go @@ -7,7 +7,9 @@ import ( "time" "github.com/nsheridan/cashier/lib" + "github.com/nsheridan/cashier/server/store" "github.com/nsheridan/cashier/testdata" + "github.com/stripe/krl" "golang.org/x/crypto/ssh" ) @@ -49,3 +51,32 @@ func TestCert(t *testing.T) { t.Fatalf("Invalid validity, expected %d, got %d", r.ValidUntil, cert.ValidBefore) } } + +func TestRevocationList(t *testing.T) { + r := &lib.SignRequest{ + Key: string(testdata.Pub), + Principal: "revoked", + ValidUntil: time.Now().Add(1 * time.Hour), + } + cert1, _ := signer.SignUserKey(r) + r.Principal = "ok" + cert2, _ := signer.SignUserKey(r) + var rec []*store.CertRecord + rec = append(rec, &store.CertRecord{ + KeyID: cert1.KeyId, + }) + rl, err := signer.GenerateRevocationList(rec) + if err != nil { + t.Error(err) + } + k, err := krl.ParseKRL(rl) + if err != nil { + t.Error(err) + } + if !k.IsRevoked(cert1) { + t.Errorf("expected cert %s to be revoked", cert1.KeyId) + } + if k.IsRevoked(cert2) { + t.Errorf("cert %s should not be revoked", cert2.KeyId) + } +} |