Skip to content

Commit

Permalink
Implement Certificate Revocation List
Browse files Browse the repository at this point in the history
  • Loading branch information
Danielius1922 committed Oct 28, 2024
1 parent 11ac65b commit c19ad81
Show file tree
Hide file tree
Showing 67 changed files with 4,610 additions and 881 deletions.
2 changes: 1 addition & 1 deletion bundle/nginx/nginx.conf.template
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ http {
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
}
location ~ ^(/api/v1/sign) {
location ~ ^(/certificate-authority|/api/v1/sign) {
set $upstream_certificate_authority https://127.0.0.1:REPLACE_HTTP_CERTIFICATE_AUTHORITY_PORT;
proxy_pass $upstream_certificate_authority;
proxy_ssl_certificate /data/certs/internal/endpoint.crt;
Expand Down
7 changes: 3 additions & 4 deletions certificate-authority/config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ apis:
tokenTrustVerification:
cacheExpiration: 30s
http:
externalAddress: ""
address: "0.0.0.0:9101"
readTimeout: 8s
readHeaderTimeout: 4s
Expand All @@ -68,10 +69,6 @@ clients:
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
bulkWrite:
timeout: 1m0s
throttleTime: 500ms
documentLimit: 1000
cqlDB:
table: "signedCertificateRecords"
hosts: []
Expand Down Expand Up @@ -115,3 +112,5 @@ signer:
certFile: "/secrets/public/intermediateca.crt"
validFrom: "now-1h"
expiresIn: "87600h"
crl:
expiresIn: "10m"
12 changes: 9 additions & 3 deletions certificate-authority/pb/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -89,8 +89,8 @@
| ----------- | ------------ | ------------- | ------------|
| SignIdentityCertificate | [SignCertificateRequest](#certificateauthority-pb-SignCertificateRequest) | [SignCertificateResponse](#certificateauthority-pb-SignCertificateResponse) | SignIdentityCertificate sends a Identity Certificate Signing Request to the certificate authority and obtains a signed certificate. Both in the PEM format. It adds EKU: '1.3.6.1.4.1.44924.1.6' . |
| SignCertificate | [SignCertificateRequest](#certificateauthority-pb-SignCertificateRequest) | [SignCertificateResponse](#certificateauthority-pb-SignCertificateResponse) | SignCertificate sends a Certificate Signing Request to the certificate authority and obtains a signed certificate. Both in the PEM format. |
| GetSigningRecords | [GetSigningRecordsRequest](#certificateauthority-pb-GetSigningRecordsRequest) | [SigningRecord](#certificateauthority-pb-SigningRecord) stream | Get signed certficate records. |
| DeleteSigningRecords | [DeleteSigningRecordsRequest](#certificateauthority-pb-DeleteSigningRecordsRequest) | [DeletedSigningRecords](#certificateauthority-pb-DeletedSigningRecords) | Delete signed certficate records. |
| GetSigningRecords | [GetSigningRecordsRequest](#certificateauthority-pb-GetSigningRecordsRequest) | [SigningRecord](#certificateauthority-pb-SigningRecord) stream | Get signed certificate records. |
| DeleteSigningRecords | [DeleteSigningRecordsRequest](#certificateauthority-pb-DeleteSigningRecordsRequest) | [DeletedSigningRecords](#certificateauthority-pb-DeletedSigningRecords) | Revoke signed certificate records or delete expired signed certificate records. |



Expand Down Expand Up @@ -120,6 +120,12 @@
| valid_until_date | [int64](#int64) | | Record valid until date, in unix nanoseconds timestamp format

@gotags: bson:"validUntilDate" |
| serial | [string](#string) | | Serial number of the last certificate issued

@gotags: bson:"serial" |
| issuer_id | [string](#string) | | Issuer id is calculated from the issuer's public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)

@gotags: bson:"issuerId" |



Expand All @@ -145,7 +151,7 @@
<a name="certificateauthority-pb-DeletedSigningRecords"></a>

### DeletedSigningRecords

Revoke or delete certificates


| Field | Type | Label | Description |
Expand Down
52 changes: 49 additions & 3 deletions certificate-authority/pb/doc.html
Original file line number Diff line number Diff line change
Expand Up @@ -346,14 +346,14 @@ <h3 id="certificateauthority.pb.CertificateAuthority">CertificateAuthority</h3>
<td>GetSigningRecords</td>
<td><a href="#certificateauthority.pb.GetSigningRecordsRequest">GetSigningRecordsRequest</a></td>
<td><a href="#certificateauthority.pb.SigningRecord">SigningRecord</a> stream</td>
<td><p>Get signed certficate records.</p></td>
<td><p>Get signed certificate records.</p></td>
</tr>

<tr>
<td>DeleteSigningRecords</td>
<td><a href="#certificateauthority.pb.DeleteSigningRecordsRequest">DeleteSigningRecordsRequest</a></td>
<td><a href="#certificateauthority.pb.DeletedSigningRecords">DeletedSigningRecords</a></td>
<td><p>Delete signed certficate records.</p></td>
<td><p>Revoke signed certificate records or delete expired signed certificate records.</p></td>
</tr>

</tbody>
Expand Down Expand Up @@ -383,6 +383,13 @@ <h4>Methods with HTTP bindings</h4>
<td>*</td>
</tr>

<tr>
<td>SignIdentityCertificate</td>
<td>POST</td>
<td>/certificate-authority/api/v1/sign/identity-csr</td>
<td>*</td>
</tr>




Expand All @@ -393,6 +400,13 @@ <h4>Methods with HTTP bindings</h4>
<td>*</td>
</tr>

<tr>
<td>SignCertificate</td>
<td>POST</td>
<td>/certificate-authority/api/v1/sign/csr</td>
<td>*</td>
</tr>




Expand All @@ -403,6 +417,13 @@ <h4>Methods with HTTP bindings</h4>
<td></td>
</tr>

<tr>
<td>GetSigningRecords</td>
<td>GET</td>
<td>/certificate-authority/api/v1/signing/records</td>
<td></td>
</tr>




Expand All @@ -413,6 +434,13 @@ <h4>Methods with HTTP bindings</h4>
<td></td>
</tr>

<tr>
<td>DeleteSigningRecords</td>
<td>DELETE</td>
<td>/certificate-authority/api/v1/signing/records</td>
<td></td>
</tr>


</tbody>
</table>
Expand Down Expand Up @@ -463,6 +491,24 @@ <h3 id="certificateauthority.pb.CredentialStatus">CredentialStatus</h3>
@gotags: bson:&#34;validUntilDate&#34; </p></td>
</tr>

<tr>
<td>serial</td>
<td><a href="#string">string</a></td>
<td></td>
<td><p>Serial number of the last certificate issued

@gotags: bson:&#34;serial&#34; </p></td>
</tr>

<tr>
<td>issuer_id</td>
<td><a href="#string">string</a></td>
<td></td>
<td><p>Issuer id is calculated from the issuer&#39;s public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)

@gotags: bson:&#34;issuerId&#34; </p></td>
</tr>

</tbody>
</table>

Expand Down Expand Up @@ -502,7 +548,7 @@ <h3 id="certificateauthority.pb.DeleteSigningRecordsRequest">DeleteSigningRecord


<h3 id="certificateauthority.pb.DeletedSigningRecords">DeletedSigningRecords</h3>
<p></p>
<p>Revoke or delete certificates</p>


<table class="field-table">
Expand Down
Loading

0 comments on commit c19ad81

Please sign in to comment.