feat: allow user to specify CRL date validity (#19)

allow user to specify CRL date validity when revoking the certificate and during CA creation

Author: nothinux

README.md

@@ -9,6 +9,7 @@ Certify is an easy-to-use certificate manager and can be used as an alternative
 + Show certificate information from file or remote host
 + Export certificate to PKCS12 format
 + Verify private key matches with certificate
++ Revoke certificate
 
 
 ## Installation
@@ -20,36 +21,43 @@ Download in the [release page](https://github.com/nothinux/certify/releases)
  ___ ___ ___| |_|_|  _|_ _ 
 |  _| -_|  _|  _| |  _| | |
 |___|___|_| |_| |_|_| |_  |
-                      |___| Certify v1.5
+                      |___| Certify v1.x
 
 Usage of certify:  
 certify [flag] [ip-or-dns-san] [cn:default certify] [eku:default serverAuth,clientAuth] [expiry:default 8766h s,m,h,d]
 
 $ certify server.local 172.17.0.1 cn:web-server eku:serverAuth expiry:1d
+$ certify -init cn:web-server o:nothinux crl-nextupdate:100d
 
 Flags:
   -init
-        Initialize new root CA Certificate and Key
+	Initialize new root CA Certificate and Key
   -intermediate
-        Generate intermediate certificate
+	Generate intermediate certificate
   -read  <filename>
-        Read certificate information from file server.local.pem
+	Read certificate information from file or stdin
+  -read-crl <filename>
+	Read certificate revocation list from file or stdin
   -connect  <host:443> <tlsver:1.2> <insecure> <with-ca:ca-path>
-        Show certificate information from remote host, use tlsver to set spesific tls version
+	Show certificate information from remote host, use tlsver to set spesific tls version
   -export-p12  <cert> <private-key> <ca-cert>
-        Generate client.p12 pem file containing certificate, private key and ca certificate
+	Generate client.p12 pem file containing certificate, private key and ca certificate
   -match  <private-key> <cert>
-        Verify cert-key.pem and cert.pem has same public key
+	Verify cert-key.pem and cert.pem has same public key
   -interactive
-        Run certify interactively
+	Run certify interactively
+  -revoke <certificate> <crl-file> <crl-nextupdate:10d(optional)>
+	Revoke certificate, the certificate will be added to CRL
+  -verify-crl <certificate> <crl-file>
+	Check if the certificate was revoked
   -version
-        print certify version
+	print certify version
 ```
 
 Create Certificate with CN nothinux and expiry 30 days
 ```
 # create CA
-$ certify init
+$ certify -init cn:nothinux o:nothinux
 
 # create Certificate
 $ certify cn:nothinux expiry:30d

cmd/certify/command.go

@@ -26,7 +26,7 @@ func initCA(args []string) error {
 
 	fmt.Println("CA certificate file generated", caPath)
 
-	if err := generateCRL(pkey.PrivateKey, caCert.Cert); err != nil {
+	if err := generateCRL(args, pkey.PrivateKey, caCert.Cert); err != nil {
 		return err
 	}
 	fmt.Println("CRL file generated", caCRLPath)
@@ -236,8 +236,10 @@ func revokeCertificate(args []string) (string, error) {
 		return "", err
 	}
 
+	_, _, _, _, _, _, nextUpdate := parseArgs(args)
+
 	fmt.Printf("revoking certificate cn=%s o=%s with serial number %s\n", cert.Subject.CommonName, cert.Subject.Organization, cert.SerialNumber)
-	crl, crlNum, err := certify.RevokeCertificate(crlBytes, cert, caCert, pkey)
+	crl, crlNum, err := certify.RevokeCertificate(crlBytes, cert, caCert, pkey, nextUpdate)
 	if err != nil {
 		return "", err
 	}

cmd/certify/helper.go

@@ -40,7 +40,7 @@ func getKeyIdentifier(publicKey *ecdsa.PublicKey) ([]byte, error) {
 }
 
 func generateCA(pkey *ecdsa.PrivateKey, args []string, path string) (*certify.Result, error) {
-	_, _, cn, org, expiry, _ := parseArgs(args)
+	_, _, cn, org, expiry, _, _ := parseArgs(args)
 
 	ski, err := getKeyIdentifier(&pkey.PublicKey)
 	if err != nil {
@@ -67,8 +67,10 @@ func generateCA(pkey *ecdsa.PrivateKey, args []string, path string) (*certify.Re
 	return caCert, store(caCert.String(), path)
 }
 
-func generateCRL(pkey *ecdsa.PrivateKey, caCert *x509.Certificate) error {
-	crl, _, err := certify.CreateCRL(pkey, caCert, nil)
+func generateCRL(args []string, pkey *ecdsa.PrivateKey, caCert *x509.Certificate) error {
+	_, _, _, _, _, _, nextUpdate := parseArgs(args)
+
+	crl, _, err := certify.CreateCRL(pkey, caCert, nil, nextUpdate)
 	if err != nil {
 		return err
 	}
@@ -77,7 +79,7 @@ func generateCRL(pkey *ecdsa.PrivateKey, caCert *x509.Certificate) error {
 }
 
 func generateCert(pkey *ecdsa.PrivateKey, args []string) (err error) {
-	iplist, dnsnames, cn, org, expiry, ekus := parseArgs(args)
+	iplist, dnsnames, cn, org, expiry, ekus, _ := parseArgs(args)
 
 	var parent *x509.Certificate
 	var parentKey *ecdsa.PrivateKey
@@ -154,7 +156,7 @@ func generateCert(pkey *ecdsa.PrivateKey, args []string) (err error) {
 }
 
 func generateIntermediateCert(pkey *ecdsa.PrivateKey, args []string) error {
-	_, _, cn, org, expiry, _ := parseArgs(args)
+	_, _, cn, org, expiry, _, _ := parseArgs(args)
 
 	parentKey, err := getCAPrivateKey(caKeyPath)
 	if err != nil {
@@ -201,7 +203,7 @@ func generateIntermediateCert(pkey *ecdsa.PrivateKey, args []string) error {
 // first it will check dnsnames, if nil, then check iplist, if iplist nil too
 // it will check common name
 func getFilename(args []string, key bool) string {
-	iplist, dnsnames, cn, _, _, _ := parseArgs(args)
+	iplist, dnsnames, cn, _, _, _, _ := parseArgs(args)
 
 	var ext string
 	var path string
@@ -334,12 +336,13 @@ func matcher(key, cert string) (string, string, error) {
 	return comparePublicKey(k, c)
 }
 
-// parseAltNames returns parsed net.IP, DNS, Common Name, Organization and expiry date in slice format
-func parseArgs(args []string) ([]net.IP, []string, string, string, time.Time, []x509.ExtKeyUsage) {
+// parseAltNames returns parsed net.IP, DNS, Common Name, Organization, expiry date, EKU and crl.Nextupdate in slice format
+func parseArgs(args []string) ([]net.IP, []string, string, string, time.Time, []x509.ExtKeyUsage, time.Time) {
 	var iplist []net.IP
 	var dnsnames []string
 	var cn, organization string
 	var expiry time.Time
+	var crlNextUpdate time.Time
 	var ekus []x509.ExtKeyUsage
 
 	for _, arg := range args[1:] {
@@ -357,6 +360,8 @@ func parseArgs(args []string) ([]net.IP, []string, string, string, time.Time, []
 			expiry = parseExpiry(arg)
 		} else if strings.Contains(arg, "eku:") {
 			ekus = parseEKU(arg)
+		} else if strings.Contains(arg, "crl-nextupdate:") {
+			crlNextUpdate = parseExpiry(arg)
 		} else {
 			dnsnames = append(dnsnames, arg)
 		}
@@ -366,6 +371,10 @@ func parseArgs(args []string) ([]net.IP, []string, string, string, time.Time, []
 		expiry = parseExpiry("expiry:")
 	}
 
+	if crlNextUpdate.IsZero() {
+		crlNextUpdate = parseExpiry("crl-nextupdate:10d")
+	}
+
 	if cn == "" {
 		cn = "certify"
 	}
@@ -381,7 +390,7 @@ func parseArgs(args []string) ([]net.IP, []string, string, string, time.Time, []
 		}
 	}
 
-	return iplist, dnsnames, cn, organization, expiry, ekus
+	return iplist, dnsnames, cn, organization, expiry, ekus, crlNextUpdate
 }
 
 func parseString(ss string) string {

cmd/certify/helper_test.go

@@ -115,6 +115,7 @@ func TestParseArgs(t *testing.T) {
 		expectedOrganization string
 		expectedExpiry       time.Time
 		expectedEku          []x509.ExtKeyUsage
+		expectedNextUpdate   time.Time
 	}{
 		{
 			Name:                 "Test with ip and dns names",
@@ -201,11 +202,18 @@ func TestParseArgs(t *testing.T) {
 			expectedCN:           "client",
 			expectedOrganization: "certify",
 		},
+		{
+			Name:                 "Test with crl-nextupdate 100d",
+			Args:                 []string{"certify", "crl-nextupdate:100d"},
+			expectedNextUpdate:   time.Now().Add(2400 * time.Hour),
+			expectedCN:           "certify",
+			expectedOrganization: "certify",
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.Name, func(t *testing.T) {
-			ips, dns, cn, o, expiry, ekus := parseArgs(tt.Args)
+			ips, dns, cn, o, expiry, ekus, nextUpdate := parseArgs(tt.Args)
 
 			if len(tt.expectedIP) != 0 {
 				for i, ip := range ips {
@@ -255,6 +263,16 @@ func TestParseArgs(t *testing.T) {
 					t.Fatalf("got %v, want %v", ekus, defaultEku)
 				}
 			}
+
+			if !tt.expectedNextUpdate.IsZero() {
+				if nextUpdate.Unix() != tt.expectedNextUpdate.Unix() {
+					t.Fatalf("got %v, want %v", nextUpdate.Unix(), tt.expectedNextUpdate.Unix())
+				}
+			} else {
+				if nextUpdate.Unix() != time.Now().Add(240*time.Hour).Unix() {
+					t.Fatalf("got %v, want %v", nextUpdate.Unix(), time.Now().Add(240*time.Hour).Unix())
+				}
+			}
 		})
 	}
 }

cmd/certify/main.go

@@ -20,6 +20,7 @@ Usage of certify:
 certify [flag] [ip-or-dns-san] [cn:default certify] [o: default certify] [eku:default serverAuth,clientAuth] [expiry:default 8766h s,m,h,d]
 
 $ certify server.local 172.17.0.1 cn:web-server eku:serverAuth expiry:1d
+$ certify -init cn:web-server o:nothinux crl-nextupdate:100d
 
 Flags:
   -init
@@ -38,7 +39,7 @@ Flags:
 	Verify cert-key.pem and cert.pem has same public key
   -interactive
 	Run certify interactively
-  -revoke <certificate> <crl-file>
+  -revoke <certificate> <crl-file> <crl-nextupdate:10d(optional)>
 	Revoke certificate, the certificate will be added to CRL
   -verify-crl <certificate> <crl-file>
 	Check if the certificate was revoked

crl.go

@@ -19,7 +19,7 @@ type CertRevocationList struct {
 }
 
 // CreateCRL Create certificate revocation list
-func CreateCRL(pkey *ecdsa.PrivateKey, caCert *x509.Certificate, crl *x509.RevocationList) (*CertRevocationList, *big.Int, error) {
+func CreateCRL(pkey *ecdsa.PrivateKey, caCert *x509.Certificate, crl *x509.RevocationList, nextUpdate time.Time) (*CertRevocationList, *big.Int, error) {
 	crlNumber := time.Now().UTC().Format("20060102150405")
 	num, _ := big.NewInt(0).SetString(crlNumber, 10)
 
@@ -31,7 +31,7 @@ func CreateCRL(pkey *ecdsa.PrivateKey, caCert *x509.Certificate, crl *x509.Revoc
 
 	crl.Number = num
 	crl.ThisUpdate = time.Now()
-	crl.NextUpdate = time.Now().Add(96 * time.Hour)
+	crl.NextUpdate = nextUpdate
 
 	crlByte, err := x509.CreateRevocationList(rand.Reader, crl, caCert, pkey)
 	if err != nil {
@@ -63,7 +63,7 @@ func ParseCRL(crl []byte) (*x509.RevocationList, error) {
 	return x509.ParseRevocationList(c.Bytes)
 }
 
-func RevokeCertificate(crl []byte, cert *x509.Certificate, caCert *x509.Certificate, pkey *ecdsa.PrivateKey) (*CertRevocationList, *big.Int, error) {
+func RevokeCertificate(crl []byte, cert *x509.Certificate, caCert *x509.Certificate, pkey *ecdsa.PrivateKey, nextUpdate time.Time) (*CertRevocationList, *big.Int, error) {
 	crlF, err := ParseCRL(crl)
 	if err != nil {
 		return nil, nil, err
@@ -74,7 +74,7 @@ func RevokeCertificate(crl []byte, cert *x509.Certificate, caCert *x509.Certific
 		RevocationTime: time.Now(),
 	})
 
-	return CreateCRL(pkey, caCert, crlF)
+	return CreateCRL(pkey, caCert, crlF, nextUpdate)
 
 }
 

crl_test.go

@@ -73,7 +73,7 @@ func TestCreateCRL(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		_, _, err = CreateCRL(pkey.PrivateKey, caCert.Cert, nil)
+		_, _, err = CreateCRL(pkey.PrivateKey, caCert.Cert, nil, time.Now().Add(48*time.Hour))
 		if err == nil {
 			t.Fatalf("this should be error, because the cert doesn't have keyUsage")
 		}
@@ -88,7 +88,7 @@ func TestCreateCRL(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		_, _, err = CreateCRL(pkey.PrivateKey, caCert.Cert, nil)
+		_, _, err = CreateCRL(pkey.PrivateKey, caCert.Cert, nil, time.Now().Add(48*time.Hour))
 		if err != nil {
 			t.Fatal(err)
 		}