aboutsummaryrefslogtreecommitdiff
path: root/server/signer
diff options
context:
space:
mode:
Diffstat (limited to 'server/signer')
-rw-r--r--server/signer/signer.go18
-rw-r--r--server/signer/signer_test.go31
2 files changed, 49 insertions, 0 deletions
diff --git a/server/signer/signer.go b/server/signer/signer.go
index 8169c11..0bff1c3 100644
--- a/server/signer/signer.go
+++ b/server/signer/signer.go
@@ -13,6 +13,8 @@ import (
"github.com/nsheridan/cashier/lib"
"github.com/nsheridan/cashier/server/config"
+ "github.com/nsheridan/cashier/server/store"
+ "github.com/stripe/krl"
"golang.org/x/crypto/ssh"
)
@@ -51,6 +53,22 @@ func (s *KeySigner) SignUserKey(req *lib.SignRequest) (*ssh.Certificate, error)
return cert, nil
}
+// GenerateRevocationList returns an SSH key revocation list (KRL).
+func (s *KeySigner) GenerateRevocationList(certs []*store.CertRecord) ([]byte, error) {
+ revoked := &krl.KRLCertificateSection{
+ CA: s.ca.PublicKey(),
+ }
+ ids := krl.KRLCertificateKeyID{}
+ for _, c := range certs {
+ ids = append(ids, c.KeyID)
+ }
+ revoked.Sections = append(revoked.Sections, &ids)
+ k := &krl.KRL{
+ Sections: []krl.KRLSection{revoked},
+ }
+ return k.Marshal(rand.Reader)
+}
+
func makeperms(perms []string) map[string]string {
if len(perms) > 0 {
m := make(map[string]string)
diff --git a/server/signer/signer_test.go b/server/signer/signer_test.go
index a80e64a..9c76f4b 100644
--- a/server/signer/signer_test.go
+++ b/server/signer/signer_test.go
@@ -7,7 +7,9 @@ import (
"time"
"github.com/nsheridan/cashier/lib"
+ "github.com/nsheridan/cashier/server/store"
"github.com/nsheridan/cashier/testdata"
+ "github.com/stripe/krl"
"golang.org/x/crypto/ssh"
)
@@ -49,3 +51,32 @@ func TestCert(t *testing.T) {
t.Fatalf("Invalid validity, expected %d, got %d", r.ValidUntil, cert.ValidBefore)
}
}
+
+func TestRevocationList(t *testing.T) {
+ r := &lib.SignRequest{
+ Key: string(testdata.Pub),
+ Principal: "revoked",
+ ValidUntil: time.Now().Add(1 * time.Hour),
+ }
+ cert1, _ := signer.SignUserKey(r)
+ r.Principal = "ok"
+ cert2, _ := signer.SignUserKey(r)
+ var rec []*store.CertRecord
+ rec = append(rec, &store.CertRecord{
+ KeyID: cert1.KeyId,
+ })
+ rl, err := signer.GenerateRevocationList(rec)
+ if err != nil {
+ t.Error(err)
+ }
+ k, err := krl.ParseKRL(rl)
+ if err != nil {
+ t.Error(err)
+ }
+ if !k.IsRevoked(cert1) {
+ t.Errorf("expected cert %s to be revoked", cert1.KeyId)
+ }
+ if k.IsRevoked(cert2) {
+ t.Errorf("cert %s should not be revoked", cert2.KeyId)
+ }
+}