From 531f63e5a9e82d86a6ee1f5d44bebee0bc51d828 Mon Sep 17 00:00:00 2001
From: Niall Sheridan
Date: Sun, 31 Jul 2016 20:41:52 +0100
Subject: Use a KRL for revoked certs

---
 server/signer/signer.go | 18 ++++++++++++++++++
 server/signer/signer_test.go | 31 +++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
(limited to 'server')

diff --git a/server/signer/signer.go b/server/signer/signer.go
index 8169c11..0bff1c3 100644
--- a/server/signer/signer.go
+++ b/server/signer/signer.go
@@ -13,6 +13,8 @@ import (
 	"github.com/nsheridan/cashier/lib"
 	"github.com/nsheridan/cashier/server/config"
+	"github.com/nsheridan/cashier/server/store"
+	"github.com/stripe/krl"
 	"golang.org/x/crypto/ssh"
 )
@@ -51,6 +53,22 @@ func (s *KeySigner) SignUserKey(req *lib.SignRequest) (*ssh.Certificate, error)
 	return cert, nil
 }
+// GenerateRevocationList returns an SSH key revocation list (KRL).
+func (s *KeySigner) GenerateRevocationList(certs []*store.CertRecord) ([]byte, error) {
+	revoked := &krl.KRLCertificateSection{
+		CA: s.ca.PublicKey(),
+	}
+	ids := krl.KRLCertificateKeyID{}
+	for _, c := range certs {
+		ids = append(ids, c.KeyID)
+	}
+	revoked.Sections = append(revoked.Sections, &ids)
+	k := &krl.KRL{
+		Sections: []krl.KRLSection{revoked},
+	}
+	return k.Marshal(rand.Reader)
+}
+
 func makeperms(perms []string) map[string]string {
 	if len(perms) > 0 {
 		m := make(map[string]string)
diff --git a/server/signer/signer_test.go b/server/signer/signer_test.go
index a80e64a..9c76f4b 100644
--- a/server/signer/signer_test.go
+++ b/server/signer/signer_test.go
@@ -7,7 +7,9 @@ import (
 	"time"
 	"github.com/nsheridan/cashier/lib"
+	"github.com/nsheridan/cashier/server/store"
 	"github.com/nsheridan/cashier/testdata"
+	"github.com/stripe/krl"
 	"golang.org/x/crypto/ssh"
 )
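Review bot: GenerateRevocationList revokes by key ID alone (the `ids = append(ids, c.KeyID)` loop under a section scoped to `s.ca.PublicKey()`), so every certificate this CA ever issued with the same KeyID is revoked together with the intended one, and nothing in the hunk shows that KeyIDs are unique per issued certificate — that is decided in SignUserKey, whose body starts outside the hunk, so either confirm it there or add a serial-based section alongside the key-ID one. `k.Marshal(rand.Reader)` appears to be called without any signing key; if the krl package's Marshal accepts optional `ssh.Signer` arguments, passing the CA signer would let consumers verify the list's origin rather than relying solely on the transport. The doc comment should also state what an empty input produces, e.g. `// An empty certs slice yields a KRL that revokes nothing.`, assuming the krl package accepts an empty key-ID subsection — worth a test case.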
@@ -49,3 +51,32 @@ func TestCert(t *testing.T) {
 		t.Fatalf("Invalid validity, expected %d, got %d", r.ValidUntil, cert.ValidBefore)
 	}
 }
+
+func TestRevocationList(t *testing.T) {
+	r := &lib.SignRequest{
+		Key: string(testdata.Pub),
+		Principal: "revoked",
+		ValidUntil: time.Now().Add(1 * time.Hour),
+	}
+	cert1, _ := signer.SignUserKey(r)
+	r.Principal = "ok"
+	cert2, _ := signer.SignUserKey(r)
+	var rec []*store.CertRecord
+	rec = append(rec, &store.CertRecord{
+		KeyID: cert1.KeyId,
+	})
+	rl, err := signer.GenerateRevocationList(rec)
+	if err != nil {
+		t.Error(err)
+	}
+	k, err := krl.ParseKRL(rl)
+	if err != nil {
+		t.Error(err)
+	}
+	if !k.IsRevoked(cert1) {
+		t.Errorf("expected cert %s to be revoked", cert1.KeyId)
+	}
+	if k.IsRevoked(cert2) {
+		t.Errorf("cert %s should not be revoked", cert2.KeyId)
+	}
+}
-- cgit v1.2.3
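Review bot: The test can panic instead of failing: both `cert1, _ := signer.SignUserKey(r)` calls discard the error, so a nil certificate is dereferenced at `cert1.KeyId`, and the `t.Error(err)` branches after `GenerateRevocationList` and `krl.ParseKRL` let execution continue into `k.IsRevoked` with a nil `k` or an empty list. Use `t.Fatal(err)` in both error branches and check the signing errors, e.g. `cert1, err := signer.SignUserKey(r)` followed by `if err != nil { t.Fatal(err) }`. Issuing both certificates from the same `testdata.Pub` is a good choice because it demonstrates revocation keys off the certificate rather than the public key; a one-line comment saying so would make that intent explicit for the next reader.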