feat: add crl support (#13)

Create an empty CRL during CA creation

Author: nothinux

certify.go

@@ -17,6 +17,7 @@ import (
 
 // Certificate hold certificate information
 type Certificate struct {
+	SerialNumber     *big.Int
 	Subject          pkix.Name
 	NotBefore        time.Time
 	NotAfter         time.Time
@@ -25,12 +26,15 @@ type Certificate struct {
 	IsCA             bool
 	Parent           *x509.Certificate
 	ParentPrivateKey interface{}
+	KeyUsage         x509.KeyUsage
 	ExtentedKeyUsage []x509.ExtKeyUsage
+	SubjectKeyId     []byte
 }
 
 // Result hold created certificate in []byte format
 type Result struct {
-	Certificate []byte
+	ByteCert []byte
+	Cert     *x509.Certificate
 }
 
 // GetSerial returns serial and an error
@@ -44,17 +48,19 @@ func GetSerial() (*big.Int, error) {
 }
 
 // SetTemplate set template for x509.Certificate from given Certificate struct
-func (c *Certificate) SetTemplate(serial *big.Int) x509.Certificate {
+func (c *Certificate) SetTemplate() x509.Certificate {
 	return x509.Certificate{
-		SerialNumber:          serial,
+		SerialNumber:          c.SerialNumber,
 		Subject:               c.Subject,
 		NotBefore:             c.NotBefore,
 		NotAfter:              c.NotAfter,
 		ExtKeyUsage:           c.ExtentedKeyUsage,
+		KeyUsage:              c.KeyUsage,
 		IsCA:                  c.IsCA,
 		IPAddresses:           c.IPAddress,
 		DNSNames:              c.DNSNames,
 		BasicConstraintsValid: true,
+		SubjectKeyId:          c.SubjectKeyId,
 	}
 }
 
@@ -65,7 +71,8 @@ func (c *Certificate) GetCertificate(pkey *ecdsa.PrivateKey) (*Result, error) {
 		return nil, err
 	}
 
-	template := c.SetTemplate(serial)
+	c.SerialNumber = serial
+	template := c.SetTemplate()
 
 	if c.Parent == nil {
 		c.Parent = &template
@@ -80,7 +87,7 @@ func (c *Certificate) GetCertificate(pkey *ecdsa.PrivateKey) (*Result, error) {
 		return nil, err
 	}
 
-	return &Result{Certificate: der}, nil
+	return &Result{ByteCert: der, Cert: c.Parent}, nil
 }
 
 // String returns certificate in string format
@@ -89,7 +96,7 @@ func (r *Result) String() string {
 
 	if err := pem.Encode(&w, &pem.Block{
 		Type:  "CERTIFICATE",
-		Bytes: r.Certificate,
+		Bytes: r.ByteCert,
 	}); err != nil {
 		return ""
 	}

cmd/certify/command.go

@@ -19,11 +19,18 @@ func initCA(args []string) error {
 	}
 	fmt.Println("CA private key file generated", caKeyPath)
 
-	if err := generateCA(pkey.PrivateKey, args, caPath); err != nil {
+	caCert, err := generateCA(pkey.PrivateKey, args, caPath)
+	if err != nil {
 		return err
 	}
 
 	fmt.Println("CA certificate file generated", caPath)
+
+	if err := generateCRL(pkey.PrivateKey, caCert.Cert); err != nil {
+		return err
+	}
+	fmt.Println("CRL file generated", caCRLPath)
+
 	return nil
 }
 

cmd/certify/command_test.go

@@ -72,6 +72,7 @@ func TestInitCA(t *testing.T) {
 			t.Cleanup(func() {
 				os.Remove(caPath)
 				os.Remove(caKeyPath)
+				os.Remove(caCRLPath)
 			})
 		})
 	}
@@ -246,6 +247,7 @@ func TestCreateCertificate(t *testing.T) {
 	t.Cleanup(func() {
 		os.Remove(caPath)
 		os.Remove(caKeyPath)
+		os.Remove(caCRLPath)
 		os.Remove("nothinux.local.pem")
 		os.Remove("nothinux.local-key.pem")
 	})
@@ -265,6 +267,7 @@ func TestCreateIntermediateCertificate(t *testing.T) {
 	t.Cleanup(func() {
 		os.Remove(caPath)
 		os.Remove(caKeyPath)
+		os.Remove(caCRLPath)
 		os.Remove(caInterPath)
 		os.Remove(caInterKeyPath)
 	})

cmd/certify/helper.go

@@ -3,6 +3,7 @@ package main
 import (
 	"crypto/ecdsa"
 	"crypto/rand"
+	"crypto/sha1"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -28,25 +29,43 @@ func generatePrivateKey(path string) (*certify.PrivateKey, error) {
 	return p, store(p.String(), path)
 }
 
-func generateCA(pkey *ecdsa.PrivateKey, args []string, path string) error {
+func generateCA(pkey *ecdsa.PrivateKey, args []string, path string) (*certify.Result, error) {
 	_, _, cn, org, expiry, _ := parseArgs(args)
 
+	b, err := x509.MarshalPKIXPublicKey(&pkey.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	ski := sha1.Sum(b)
+
 	template := certify.Certificate{
 		Subject: pkix.Name{
 			Organization: []string{org},
 			CommonName:   cn,
 		},
-		NotBefore: time.Now(),
-		NotAfter:  expiry,
-		IsCA:      true,
+		NotBefore:    time.Now(),
+		NotAfter:     expiry,
+		IsCA:         true,
+		KeyUsage:     x509.KeyUsageCRLSign,
+		SubjectKeyId: ski[:],
 	}
 
 	caCert, err := template.GetCertificate(pkey)
+	if err != nil {
+		return nil, err
+	}
+
+	return caCert, store(caCert.String(), path)
+}
+
+func generateCRL(pkey *ecdsa.PrivateKey, caCert *x509.Certificate) error {
+	crl, err := certify.CreateCRL(pkey, caCert)
 	if err != nil {
 		return err
 	}
 
-	return store(caCert.String(), path)
+	return store(crl.String(), caCRLPath)
 }
 
 func generateCert(pkey *ecdsa.PrivateKey, args []string) (err error) {

cmd/certify/helper_test.go

@@ -16,7 +16,7 @@ func TestGeneratePrivateKeyAndCA(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if err := generateCA(pkey.PrivateKey, []string{"cn:local"}, caPath); err != nil {
+	if _, err := generateCA(pkey.PrivateKey, []string{"cn:local"}, caPath); err != nil {
 		t.Fatal(err)
 	}
 

cmd/certify/main.go

@@ -43,6 +43,7 @@ Flags:
 var (
 	caPath         = "ca-cert.pem"
 	caKeyPath      = "ca-key.pem"
+	caCRLPath      = "ca-crl.pem"
 	caInterPath    = "ca-intermediate.pem"
 	caInterKeyPath = "ca-intermediate-key.pem"
 	Version        = "No version provided"

cmd/certify/main_test.go

@@ -38,6 +38,7 @@ func TestRunMain(t *testing.T) {
 
 				os.Remove(caPath)
 				os.Remove(caKeyPath)
+				os.Remove(caCRLPath)
 			},
 		},
 		{
@@ -54,6 +55,7 @@ func TestRunMain(t *testing.T) {
 
 				os.Remove(caPath)
 				os.Remove(caKeyPath)
+				os.Remove(caCRLPath)
 			},
 		},
 		{
@@ -138,6 +140,7 @@ func TestRunMain(t *testing.T) {
 
 				os.Remove(caPath)
 				os.Remove(caKeyPath)
+				os.Remove(caCRLPath)
 				os.Remove(caInterPath)
 				os.Remove(caInterKeyPath)
 			},
@@ -162,6 +165,7 @@ func TestRunMain(t *testing.T) {
 
 				os.Remove(caPath)
 				os.Remove(caKeyPath)
+				os.Remove(caCRLPath)
 				os.Remove("nothinux.pem")
 				os.Remove("nothinux-key.pem")
 			},

crl.go

@@ -0,0 +1,48 @@
+package certify
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"time"
+)
+
+// CertRevocationList hold certificate revocation list
+type CertRevocationList struct {
+	Byte []byte
+}
+
+// CreateCRL Create certificate revocation list
+func CreateCRL(pkey *ecdsa.PrivateKey, caCert *x509.Certificate) (*CertRevocationList, error) {
+	crlNumber := time.Now().UTC().Format("20060102150405")
+	num, _ := big.NewInt(0).SetString(crlNumber, 10)
+
+	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+		RevokedCertificates: []pkix.RevokedCertificate{},
+		Number:              num,
+		ThisUpdate:          time.Now(),
+		NextUpdate:          time.Now().Add(time.Hour * 48),
+	}, caCert, pkey)
+	if err != nil {
+		return nil, err
+	}
+
+	return &CertRevocationList{Byte: crl}, nil
+}
+
+// String return string of certificate revocation list in pem encoded format
+func (c *CertRevocationList) String() string {
+	var w bytes.Buffer
+	if err := pem.Encode(&w, &pem.Block{
+		Type:  "X509 CRL",
+		Bytes: c.Byte,
+	}); err != nil {
+		return ""
+	}
+
+	return w.String()
+}

crl_test.go

@@ -0,0 +1,68 @@
+package certify
+
+import (
+	"crypto/sha1"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"net"
+	"testing"
+	"time"
+)
+
+func TestCreateCRL(t *testing.T) {
+	pkey, err := GetPrivateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	b, err := x509.MarshalPKIXPublicKey(&pkey.PublicKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ski := sha1.Sum(b)
+
+	template := Certificate{
+		Subject: pkix.Name{
+			Organization: []string{"certify"},
+			CommonName:   "certify",
+		},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(24 * time.Hour),
+		IsCA:         true,
+		SubjectKeyId: ski[:],
+		DNSNames:     []string{"github.com"},
+		IPAddress: []net.IP{
+			net.ParseIP("127.0.0.1"),
+		},
+	}
+
+	t.Run("Test Create CRL with cert that doesn't have keyUsage", func(t *testing.T) {
+		template1 := template
+
+		caCert, err := template1.GetCertificate(pkey.PrivateKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		_, err = CreateCRL(pkey.PrivateKey, caCert.Cert)
+		if err == nil {
+			t.Fatalf("this should be error, because the cert doesn't have keyUsage")
+		}
+	})
+
+	t.Run("Test Create CRL", func(t *testing.T) {
+		template2 := template
+		template2.KeyUsage = x509.KeyUsageCRLSign
+
+		caCert, err := template2.GetCertificate(pkey.PrivateKey)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		_, err = CreateCRL(pkey.PrivateKey, caCert.Cert)
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+}

go.mod

@@ -1,12 +1,15 @@
 module github.com/nothinux/certify
 
-go 1.17
+go 1.21
+
+require (
+	github.com/manifoldco/promptui v0.9.0
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
+)
 
 require (
 	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
-	github.com/manifoldco/promptui v0.9.0 // indirect
 	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
 	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
-	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 // indirect
 )

go.sum

@@ -1,7 +1,11 @@
+github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 h1:q763qf9huN11kDQavWsoZXJNW3xEE4JJyHa5Q25/sd8=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA=
 github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=