Implement Certificate Revocation List (1) #1383

Status: Open. Wants to merge 4 commits into base: main.
Changes from 2 commits
2 changes: 1 addition & 1 deletion bundle/nginx/nginx.conf.template
Expand Up @@ -120,7 +120,7 @@ http {
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
}
location ~ ^(/api/v1/sign) {
location ~ ^(/certificate-authority|/api/v1/sign) {
set $upstream_certificate_authority https://127.0.0.1:REPLACE_HTTP_CERTIFICATE_AUTHORITY_PORT;
proxy_pass $upstream_certificate_authority;
proxy_ssl_certificate /data/certs/internal/endpoint.crt;
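Review bot: the new regex `^(/certificate-authority|/api/v1/sign)` is an unterminated prefix match, so any path that merely begins with `/certificate-authority` (e.g. `/certificate-authorityfoo`) is proxied to the CA upstream, and because nginx evaluates regex `location` blocks in order this block will also shadow any later regex location under that prefix. Suggest terminating the alternatives, e.g. `location ~ ^(/certificate-authority|/api/v1/sign)(/|$)`, and keeping the block after any more specific locations.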
7 changes: 3 additions & 4 deletions certificate-authority/config.yaml
Expand Up @@ -48,6 +48,7 @@ apis:
tokenTrustVerification:
cacheExpiration: 30s
http:
externalAddress: ""
address: "0.0.0.0:9101"
readTimeout: 8s
readHeaderTimeout: 4s
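Review bot: the new `externalAddress: ""` key under `http:` carries no comment saying what it is for or what an empty value means (fall back to `address`? feature disabled?), and neither the README nor the doc.html changes in this PR mention it. Suggest a one-line comment here with the actual semantics, e.g. `# externalAddress: address clients use to reach this service from outside; empty means <fill in>`, plus a startup validation error or logged warning when it is required but left empty.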
Expand All @@ -68,10 +69,6 @@ clients:
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
bulkWrite:
timeout: 1m0s
throttleTime: 500ms
documentLimit: 1000
cqlDB:
table: "signedCertificateRecords"
hosts: []
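Review bot: dropping the `bulkWrite` block (`timeout`, `throttleTime`, `documentLimit`) is a breaking configuration change for existing deployments: if the YAML loader rejects unknown keys, a config still carrying `bulkWrite:` will fail to start; if it ignores them, the keys become silently dead. Suggest a changelog/upgrade note and, if the loader is strict, an error message that names the removed key.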
Expand Down Expand Up @@ -115,3 +112,5 @@ signer:
certFile: "/secrets/public/intermediateca.crt"
validFrom: "now-1h"
expiresIn: "87600h"
crl:
expiresIn: "10m"
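Review bot: `crl.expiresIn: "10m"` sets a very short CRL validity, which means relying parties must refetch every ten minutes and the CRL goes stale quickly if the service is unreachable; that may be intended (fast revocation propagation), but it should be stated in a comment and the value validated as positive at startup. The same key name `expiresIn` appears two lines above for the certificate lifetime (`"87600h"`), so a distinguishing comment would avoid confusion, e.g. `# crl.expiresIn: time from generation until the nextUpdate of a CRL`.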
12 changes: 9 additions & 3 deletions certificate-authority/pb/README.md
Expand Up @@ -89,8 +89,8 @@
| ----------- | ------------ | ------------- | ------------|
| SignIdentityCertificate | [SignCertificateRequest](#certificateauthority-pb-SignCertificateRequest) | [SignCertificateResponse](#certificateauthority-pb-SignCertificateResponse) | SignIdentityCertificate sends a Identity Certificate Signing Request to the certificate authority and obtains a signed certificate. Both in the PEM format. It adds EKU: '1.3.6.1.4.1.44924.1.6' . |
| SignCertificate | [SignCertificateRequest](#certificateauthority-pb-SignCertificateRequest) | [SignCertificateResponse](#certificateauthority-pb-SignCertificateResponse) | SignCertificate sends a Certificate Signing Request to the certificate authority and obtains a signed certificate. Both in the PEM format. |
| GetSigningRecords | [GetSigningRecordsRequest](#certificateauthority-pb-GetSigningRecordsRequest) | [SigningRecord](#certificateauthority-pb-SigningRecord) stream | Get signed certficate records. |
| DeleteSigningRecords | [DeleteSigningRecordsRequest](#certificateauthority-pb-DeleteSigningRecordsRequest) | [DeletedSigningRecords](#certificateauthority-pb-DeletedSigningRecords) | Delete signed certficate records. |
| GetSigningRecords | [GetSigningRecordsRequest](#certificateauthority-pb-GetSigningRecordsRequest) | [SigningRecord](#certificateauthority-pb-SigningRecord) stream | Get signed certificate records. |
| DeleteSigningRecords | [DeleteSigningRecordsRequest](#certificateauthority-pb-DeleteSigningRecordsRequest) | [DeletedSigningRecords](#certificateauthority-pb-DeletedSigningRecords) | Revoke signed certificate records or delete expired signed certificate records. |



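Review bot: the new `DeleteSigningRecords` description, "Revoke signed certificate records or delete expired signed certificate records", does not say how the two outcomes are chosen (by the caller, or by the record's `valid_until_date`?). The difference is security-relevant, since a revoked record should end up on the CRL while a deleted one simply disappears, so suggest stating the rule explicitly, for example (if that is the rule) "records whose certificate is still valid are revoked and published in the CRL; records of already expired certificates are deleted".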
Expand Down Expand Up @@ -120,6 +120,12 @@
| valid_until_date | [int64](#int64) | | Record valid until date, in unix nanoseconds timestamp format

@gotags: bson:"validUntilDate" |
| serial | [string](#string) | | Serial number of the last certificate issued

@gotags: bson:"serial" |
| issuer_id | [string](#string) | | Issuer id is calculated from the issuer's public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)

@gotags: bson:"issuerId" |



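Review bot: two clarifications are needed in the new field docs. `serial` is described as "Serial number of the last certificate issued", which is ambiguous inside a per-record message (last issued for this record's subject, or by the issuer?). `issuer_id` is said to be "calculated from the issuer's public certificate" while the formula `uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)` takes raw public key bytes, so state exactly which bytes go in (certificate DER vs. SubjectPublicKeyInfo vs. raw key), because a CRL lookup depends on reproducing the same value. Since `serial` is a `string`, also document its canonical encoding (case, radix, leading zeros), as revocation matching will be an exact string compare.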
Expand All @@ -145,7 +151,7 @@
<a name="certificateauthority-pb-DeletedSigningRecords"></a>

### DeletedSigningRecords

Revoke or delete certificates


| Field | Type | Label | Description |
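Review bot: `DeletedSigningRecords` is the response message of `DeleteSigningRecords`, so "Revoke or delete certificates" reads as an instruction rather than a description of the payload; suggest describing what the message carries (for example the number of records revoked and deleted) so the field table below it makes sense.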
52 changes: 49 additions & 3 deletions certificate-authority/pb/doc.html
Expand Up @@ -346,14 +346,14 @@ <h3 id="certificateauthority.pb.CertificateAuthority">CertificateAuthority</h3>
<td>GetSigningRecords</td>
<td><a href="#certificateauthority.pb.GetSigningRecordsRequest">GetSigningRecordsRequest</a></td>
<td><a href="#certificateauthority.pb.SigningRecord">SigningRecord</a> stream</td>
<td><p>Get signed certficate records.</p></td>
<td><p>Get signed certificate records.</p></td>
</tr>

<tr>
<td>DeleteSigningRecords</td>
<td><a href="#certificateauthority.pb.DeleteSigningRecordsRequest">DeleteSigningRecordsRequest</a></td>
<td><a href="#certificateauthority.pb.DeletedSigningRecords">DeletedSigningRecords</a></td>
<td><p>Delete signed certficate records.</p></td>
<td><p>Revoke signed certificate records or delete expired signed certificate records.</p></td>
</tr>

</tbody>
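Review bot: doc.html and pb/README.md carry identical text (both include the `@gotags` annotations), so these two files look like generated documentation; confirm the comments were changed in the `.proto` source and the files regenerated rather than hand-edited, otherwise the next regeneration will revert this change, including the `certficate` to `certificate` typo fix in this hunk.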
Expand Down Expand Up @@ -383,6 +383,13 @@ <h4>Methods with HTTP bindings</h4>
<td>*</td>
</tr>

<tr>
<td>SignIdentityCertificate</td>
<td>POST</td>
<td>/certificate-authority/api/v1/sign/identity-csr</td>
<td>*</td>
</tr>




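Review bot: this adds a second HTTP binding for `SignIdentityCertificate` at `/certificate-authority/api/v1/sign/identity-csr` alongside the binding listed in the row above, and the nginx change in this PR keeps routing both the `/certificate-authority` and `/api/v1/sign` prefixes; the docs should say whether the older path is deprecated and, if so, how long it stays supported, so operators know which one to expose.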
Expand All @@ -393,6 +400,13 @@ <h4>Methods with HTTP bindings</h4>
<td>*</td>
</tr>

<tr>
<td>SignCertificate</td>
<td>POST</td>
<td>/certificate-authority/api/v1/sign/csr</td>
<td>*</td>
</tr>




Expand All @@ -403,6 +417,13 @@ <h4>Methods with HTTP bindings</h4>
<td></td>
</tr>

<tr>
<td>GetSigningRecords</td>
<td>GET</td>
<td>/certificate-authority/api/v1/signing/records</td>
<td></td>
</tr>




Expand All @@ -413,6 +434,13 @@ <h4>Methods with HTTP bindings</h4>
<td></td>
</tr>

<tr>
<td>DeleteSigningRecords</td>
<td>DELETE</td>
<td>/certificate-authority/api/v1/signing/records</td>
<td></td>
</tr>


</tbody>
</table>
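Review bot: `DELETE /certificate-authority/api/v1/signing/records` has an empty body column, so the records to revoke or delete must be selected by query parameters; the table should name them, and the handler should reject a request with no selector rather than treating it as "all records", since with this PR a delete is also a revocation that lands on the CRL. Each revocation should also be audit-logged together with the authenticated caller identity.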
Expand Down Expand Up @@ -463,6 +491,24 @@ <h3 id="certificateauthority.pb.CredentialStatus">CredentialStatus</h3>
@gotags: bson:&#34;validUntilDate&#34; </p></td>
</tr>

<tr>
<td>serial</td>
<td><a href="#string">string</a></td>
<td></td>
<td><p>Serial number of the last certificate issued

@gotags: bson:&#34;serial&#34; </p></td>
</tr>

<tr>
<td>issuer_id</td>
<td><a href="#string">string</a></td>
<td></td>
<td><p>Issuer id is calculated from the issuer&#39;s public certificate, and it is computed as uuid.NewSHA1(uuid.NameSpaceX500, publicKeyRaw)

@gotags: bson:&#34;issuerId&#34; </p></td>
</tr>

</tbody>
</table>

Expand Down Expand Up @@ -502,7 +548,7 @@ <h3 id="certificateauthority.pb.DeleteSigningRecordsRequest">DeleteSigningRecord


<h3 id="certificateauthority.pb.DeletedSigningRecords">DeletedSigningRecords</h3>
<p></p>
<p>Revoke or delete certificates</p>


<table class="field-table">
Expand Down