(MAINT) Add ability to generate a CRL to certificates package. (#54)

eoinmcq · web-flow · commit c12085b00040 · 2024-04-08T12:36:45.000+01:00
diff --git a/cmd/cert-generator/main.go b/cmd/cert-generator/main.go
@@ -28,6 +28,7 @@ func main() {
 	commonName := flag.String("cn", "localhost", "common name for certificate")
 	directory := flag.String("directory", wd, "output to generate certs to")
 	generateCAFiles := flag.Bool("cafiles", false, "whether to output generated CA certs or not")
+	generateCRLFile := flag.Bool("crlfile", false, "whether to output a CRL or not")
 	caCert := flag.String("cacertfile", "", "The location of the CA certificate file.")
 	caKey := flag.String("cakeyfile", "", "The location of the CA key file.")
 
@@ -95,4 +96,19 @@ func main() {
 		fmt.Printf("Failed to write TLS key file to disk: %s.", err)
 		os.Exit(errorExitCode)
 	}
+
+	if generateCRLFile != nil && *generateCRLFile {
+		crl, err := certificate.GenerateCRL(CAKeyPair)
+		if err != nil {
+			fmt.Printf("Failed to generate CRL file: %s.", err)
+			os.Exit(errorExitCode)
+		}
+
+		err = os.WriteFile(filepath.Join(filepath.Clean(*directory), "tls.crl"), crl,
+			fileModeUserReadWriteOnly)
+		if err != nil {
+			fmt.Printf("Failed to write CRL file to disk: %s.", err)
+			os.Exit(errorExitCode)
+		}
+	}
 }
diff --git a/pkg/certificate/certificate.go b/pkg/certificate/certificate.go
@@ -23,6 +23,9 @@ const (
 	numberOfHoursInYear = 8760
 )
 
+// ErrFailedToDecodeKey indicates that the private key could not be decoded.
+var ErrFailedToDecodeKey = fmt.Errorf("unable to decode private key")
+
 // KeyPair stores a PEM encoded certificate and
 // a PEM encoded RSA private key.
 type KeyPair struct {
@@ -75,7 +78,7 @@ func GenerateCA() (*KeyPair, error) {
 		IsCA:                  true,
 		SubjectKeyId:          subjectKeyID[:],
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		BasicConstraintsValid: true,
 	}
 
@@ -163,6 +166,42 @@ func GenerateSignedCert(ca *KeyPair, hostnames HostNames, commonName string) (*K
 	return &keyPair, nil
 }
 
+// GenerateCRL will generate a blank Certificate revocation List from the provided issuer certificate.
+func GenerateCRL(ca *KeyPair) ([]byte, error) {
+	tlsKeyPair, err := tls.X509KeyPair(ca.Certificate, ca.PrivateKey)
+	if err != nil {
+		return nil, fmt.Errorf("can't convert to X509KeyPair because: %w", err)
+	}
+
+	issuerCert, err := x509.ParseCertificate(tlsKeyPair.Certificate[0])
+	if err != nil {
+		return nil, fmt.Errorf("%w", err)
+	}
+
+	privateKey, _ := pem.Decode(ca.PrivateKey)
+	if privateKey == nil {
+		return nil, ErrFailedToDecodeKey
+	}
+
+	crlKey, err := x509.ParsePKCS1PrivateKey(privateKey.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("%w", err)
+	}
+
+	crlTemplate := &x509.RevocationList{
+		Number:     generateSerialNumber(),
+		ThisUpdate: time.Now(),
+		NextUpdate: time.Now().Add(time.Hour * 24 * 365 * 10), // Set to be a large time in the future.
+	}
+
+	crlList, err := x509.CreateRevocationList(rand.Reader, crlTemplate, issuerCert, crlKey)
+	if err != nil {
+		return nil, fmt.Errorf("%w", err)
+	}
+
+	return pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlList}), nil
+}
+
 func generateSerialNumber() *big.Int {
 	// choose a random number between 0 and 999999999999999999
 	upperLimitForRandomNumber := 999999999999999999
diff --git a/pkg/certificate/certificate_test.go b/pkg/certificate/certificate_test.go
@@ -20,6 +20,34 @@ func TestGenerateCAWorks(t *testing.T) {
 	}
 }
 
+func TestGenerateCRLWorks(t *testing.T) {
+	keyPair, err := GenerateCA()
+	if err != nil {
+		t.Errorf("Unable to generate cert due to %s", err)
+	}
+
+	roots := x509.NewCertPool()
+	ok := roots.AppendCertsFromPEM([]byte(keyPair.Certificate))
+	if !ok {
+		t.Error("failed to parse root certificate")
+	}
+
+	crlPem, err := GenerateCRL(keyPair)
+	if err != nil {
+		t.Errorf("failed to generate CRL due to error %s", err)
+	}
+
+	crl, _ := pem.Decode(crlPem)
+	if crl == nil {
+		t.Error("failed to parse CRL due to nil response from pem decode")
+	}
+
+	_, err = x509.ParseRevocationList(crl.Bytes)
+	if err != nil {
+		t.Errorf("failed to parse CRL due to error %s", err)
+	}
+}
+
 func TestGenerateCertLocalhostWorks(t *testing.T) {
 	rootKeyPair, err := GenerateCA()
 	if err != nil {
diff --git a/scripts/generate-cert.sh b/scripts/generate-cert.sh
@@ -48,10 +48,17 @@ else
     read generateca
     validate_choice $generateca
     if [ "$generateca" == "y" ];then
-        CA_ARGS="-cafiles true"
+        CA_ARGS="-cafiles"
     fi
 fi
 
+echo "Do you want to generate a CRL?(y|n)"
+read generatecrl
+validate_choice $generatecrl
+if [ "$generatecrl" == "y" ];then
+  CRL_ARGS="-crlfile"
+fi
+
 echo "Enter the comman name(cn) you want to generate the certificate for(localhost):"
 read commonname < /dev/stdin
 
@@ -84,5 +91,5 @@ else
     done
 fi
 
-ARGS="$DIR_ARGS $CA_ARGS $CN_ARGS $HOST_ARGS"
+ARGS="$DIR_ARGS $CA_ARGS $CN_ARGS $CRL_ARGS $HOST_ARGS"
 go run cmd/cert-generator/main.go $ARGS
