implemented some requested changes

Raal Goff · Raal Goff · commit 53dbe2309ba3 · 2022-04-06T08:24:49.000+08:00
diff --git a/api/api.go b/api/api.go
@@ -50,7 +50,6 @@ type Authority interface {
 	GetRoots() ([]*x509.Certificate, error)
 	GetFederation() ([]*x509.Certificate, error)
 	Version() authority.Version
-	GenerateCertificateRevocationList() error
 	GetCertificateRevocationList() ([]byte, error)
 }
 
diff --git a/api/crl.go b/api/crl.go
@@ -4,6 +4,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/errs"
 	"net/http"
 )
 
@@ -14,17 +15,16 @@ func (h *caHandler) CRL(w http.ResponseWriter, r *http.Request) {
 	_, formatAsPEM := r.URL.Query()["pem"]
 
 	if err != nil {
-		w.WriteHeader(500)
-		_, err = fmt.Fprintf(w, "%v\n", err)
-		if err != nil {
-			panic(errors.Wrap(err, "error writing http response"))
+
+		caErr, isCaErr := err.(*errs.Error)
+
+		if isCaErr {
+			http.Error(w, caErr.Msg, caErr.Status)
+			return
 		}
-		return
-	}
 
-	if crlBytes == nil {
-		w.WriteHeader(404)
-		_, err = fmt.Fprintln(w, "No CRL available")
+		w.WriteHeader(500)
+		_, err = fmt.Fprintf(w, "%v\n", err)
 		if err != nil {
 			panic(errors.Wrap(err, "error writing http response"))
 		}
diff --git a/authority/authority.go b/authority/authority.go
@@ -67,7 +67,7 @@ type Authority struct {
 	sshCAHostFederatedCerts []ssh.PublicKey
 
 	// CRL vars
-	crlChannel chan int
+	crlTicker *time.Ticker
 
 	// Do not re-initialize
 	initOnce  bool
@@ -604,6 +604,10 @@ func (a *Authority) IsAdminAPIEnabled() bool {
 
 // Shutdown safely shuts down any clients, databases, etc. held by the Authority.
 func (a *Authority) Shutdown() error {
+	if a.crlTicker != nil {
+		a.crlTicker.Stop()
+	}
+
 	if err := a.keyManager.Close(); err != nil {
 		log.Printf("error closing the key manager: %v", err)
 	}
@@ -612,6 +616,11 @@ func (a *Authority) Shutdown() error {
 
 // CloseForReload closes internal services, to allow a safe reload.
 func (a *Authority) CloseForReload() {
+
+	if a.crlTicker != nil {
+		a.crlTicker.Stop()
+	}
+
 	if err := a.keyManager.Close(); err != nil {
 		log.Printf("error closing the key manager: %v", err)
 	}
@@ -686,12 +695,12 @@ func (a *Authority) startCRLGenerator() error {
 	if tickerDuration <= 0 {
 		panic(fmt.Sprintf("ERROR: Addition of jitter to CRL generation time %v creates a negative duration (%v). Use a CRL generation time of longer than 1 minute.", a.config.CRL.CacheDuration, tickerDuration))
 	}
-	crlTicker := time.NewTicker(tickerDuration)
+	a.crlTicker = time.NewTicker(tickerDuration)
 
 	go func() {
 		for {
 			select {
-			case <-crlTicker.C:
+			case <-a.crlTicker.C:
 				log.Println("Regenerating CRL")
 				err := a.GenerateCertificateRevocationList()
 				if err != nil {
diff --git a/authority/tls.go b/authority/tls.go
@@ -409,13 +409,15 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
 		err error
 	)
 
-	// Attempt to get the certificate expiry using the serial number.
-	cert, err := a.db.GetCertificate(revokeOpts.Serial)
-
-	// Revocation of a certificate not in the database may be requested, so fill in the expiry only
-	// if we can
-	if err == nil {
-		rci.ExpiresAt = cert.NotAfter
+	if revokeOpts.Crt == nil {
+		// Attempt to get the certificate expiry using the serial number.
+		cert, err := a.db.GetCertificate(revokeOpts.Serial)
+
+		// Revocation of a certificate not in the database may be requested, so fill in the expiry only
+		// if we can
+		if err == nil {
+			rci.ExpiresAt = cert.NotAfter
+		}
 	}
 
 	// If not mTLS nor ACME, then get the TokenID of the token.
diff --git a/db/db.go b/db/db.go
@@ -216,13 +216,15 @@ func (db *DB) GetRevokedCertificates() (*[]RevokedCertificateInfo, error) {
 		return nil, err
 	}
 	var revokedCerts []RevokedCertificateInfo
+	now := time.Now().UTC()
+
 	for _, e := range entries {
 		var data RevokedCertificateInfo
 		if err := json.Unmarshal(e.Value, &data); err != nil {
 			return nil, err
 		}
 
-		if !data.ExpiresAt.IsZero() && data.ExpiresAt.After(time.Now().UTC()) {
+		if !data.ExpiresAt.IsZero() && data.ExpiresAt.After(now) {
 			revokedCerts = append(revokedCerts, data)
 		} else if data.ExpiresAt.IsZero() {
 			cert, err := db.GetCertificate(data.Serial)
@@ -233,7 +235,7 @@ func (db *DB) GetRevokedCertificates() (*[]RevokedCertificateInfo, error) {
 				continue
 			}
 
-			if cert.NotAfter.After(time.Now().UTC()) {
+			if cert.NotAfter.After(now) {
 				revokedCerts = append(revokedCerts, data)
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,6 @@ type Authority interface {`
`50`	`50`	`GetRoots() ([]*x509.Certificate, error)`
`51`	`51`	`GetFederation() ([]*x509.Certificate, error)`
`52`	`52`	`Version() authority.Version`
`53`		`- GenerateCertificateRevocationList() error`
`54`	`53`	`GetCertificateRevocationList() ([]byte, error)`
`55`	`54`	`}`
`56`	`55`
Original file line number	Diff line number	Diff line change
`@@ -216,13 +216,15 @@ func (db DB) GetRevokedCertificates() ([]RevokedCertificateInfo, error) {`
`216`	`216`	`return nil, err`
`217`	`217`	`}`
`218`	`218`	`var revokedCerts []RevokedCertificateInfo`
	`219`	`+ now := time.Now().UTC()`
	`220`	`+`
`219`	`221`	`for _, e := range entries {`
`220`	`222`	`var data RevokedCertificateInfo`
`221`	`223`	`if err := json.Unmarshal(e.Value, &data); err != nil {`
`222`	`224`	`return nil, err`
`223`	`225`	`}`
`224`	`226`
`225`		`- if !data.ExpiresAt.IsZero() && data.ExpiresAt.After(time.Now().UTC()) {`
	`227`	`+ if !data.ExpiresAt.IsZero() && data.ExpiresAt.After(now) {`
`226`	`228`	`revokedCerts = append(revokedCerts, data)`
`227`	`229`	`} else if data.ExpiresAt.IsZero() {`
`228`	`230`	`cert, err := db.GetCertificate(data.Serial)`
`@@ -233,7 +235,7 @@ func (db DB) GetRevokedCertificates() ([]RevokedCertificateInfo, error) {`
`233`	`235`	`continue`
`234`	`236`	`}`
`235`	`237`
`236`		`- if cert.NotAfter.After(time.Now().UTC()) {`
	`238`	`+ if cert.NotAfter.After(now) {`
`237`	`239`	`revokedCerts = append(revokedCerts, data)`
`238`	`240`	`}`
`239`	`241`	`}`