authorJeremy Clerc <jclerc@google.com>2015-09-11 11:36:37 +0200
committerJeremy Clerc <jeremy@clerc.io>2015-09-11 11:36:37 +0200
commite08d02983d7ae67f33b66145ea128d5fefaac065 (patch)
treee1b70d8da4d138a890b3c3c6f6db606d54c6429c /pkg/easyca
parentf2487ba1c659998b5792efdf11fc86275ed5dcc9 (diff)
downloadeasypki-e08d02983d7ae67f33b66145ea128d5fefaac065.tar.xz
fix serial, add index
fix serial, supposed to be hexadecimal for openssl compatibility; add index file to be used by the ocsp daemon and by future revoke/crl commands
Diffstat (limited to 'pkg/easyca')
-rw-r--r--pkg/easyca/easyca.go40
-rw-r--r--pkg/easyca/serial.go47
2 files changed, 63 insertions, 24 deletions
diff --git a/pkg/easyca/easyca.go b/pkg/easyca/easyca.go
index be77ae6..2bd43fe 100644
--- a/pkg/easyca/easyca.go
+++ b/pkg/easyca/easyca.go
@@ -83,7 +83,7 @@ func GenerateCertifcate(pkiroot, name string, template *x509.Certificate) error
if err != nil {
return fmt.Errorf("get next serial: %v", err)
}
- template.SerialNumber = big.NewInt(serialNumber)
+ template.SerialNumber = serialNumber
caCrt, caKey, err = GetCA(pkiroot)
if err != nil {
@@ -110,6 +110,13 @@ func GenerateCertifcate(pkiroot, name string, template *x509.Certificate) error
return fmt.Errorf("pem encode crt: %v", err)
}
+ // I do not think we have to write the ca.crt in the index
+ if !template.IsCA {
+ WriteIndex(pkiroot, name, template)
+ if err != nil {
+ return fmt.Errorf("write index: %v", err)
+ }
+ }
return nil
}
@@ -126,6 +133,7 @@ func GetCA(pkiroot string) (*x509.Certificate, *rsa.PrivateKey, error) {
if err != nil {
return nil, nil, fmt.Errorf("parse ca private key: %v", err)
}
+
caCrtBytes, err := ioutil.ReadFile(filepath.Join(pkiroot, "ca.crt"))
if err != nil {
return nil, nil, fmt.Errorf("read ca crt: %v", err)
@@ -138,5 +146,35 @@ func GetCA(pkiroot string) (*x509.Certificate, *rsa.PrivateKey, error) {
if err != nil {
return nil, nil, fmt.Errorf("parse ca crt: %v", err)
}
+
return caCrt, caKey, nil
}
+
+func WriteIndex(pkiroot, filename string, crt *x509.Certificate) error {
+ f, err := os.OpenFile(filepath.Join(pkiroot, "index.txt"), os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
+ if err != nil {
+ return err
+ }
+ defer f.Close()
+
+ serialOutput := fmt.Sprintf("%X", crt.SerialNumber)
+ // For compatibility with openssl we need an even length
+ if len(serialOutput)%2 == 1 {
+ serialOutput = "0" + serialOutput
+ }
+
+ // Date format: yymmddHHMMSSZ
+ // E|R|V<tab>Expiry<tab>[RevocationDate]<tab>Serial<tab>filename<tab>SubjectDN
+ n, err := fmt.Fprintf(f, "V\t%vZ\t\t%v\t%v.crt\t%v\n",
+ crt.NotAfter.UTC().Format("060102150405"),
+ serialOutput,
+ filename,
+ "/CN="+crt.Subject.CommonName)
+ if err != nil {
+ return err
+ }
+ if n == 0 {
+ return fmt.Errorf("written 0 bytes in index file")
+ }
+ return nil
+}
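Review bot: The index write at `WriteIndex(pkiroot, name, template)` in the second hunk discards the returned error, so the `err` tested on the next line is the stale nil left by the pem encode check and a failed append to index.txt goes unreported; change it to `if err := WriteIndex(pkiroot, name, template); err != nil {`. The same ignored-return pattern appears in serial.go, where `f.Truncate(0)` and `f.Seek(0, 0)` in NextSerial drop their errors right before the new serial is written. In WriteIndex the `n == 0` branch after Fprintf is effectively dead for an *os.File (a short write surfaces as a non-nil error), while `defer f.Close()` discards the close error of a file that was just appended to, which is the failure that could actually be lost. The record is tab-separated but `crt.Subject.CommonName` is written verbatim, so a CN containing a tab or newline corrupts the line; since this file is meant to feed the OCSP and revoke/crl tooling, it is worth rejecting or escaping those characters before writing. GenerateCertifcate's signature is outside the hunk.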
diff --git a/pkg/easyca/serial.go b/pkg/easyca/serial.go
index aded542..7fadb84 100644
--- a/pkg/easyca/serial.go
+++ b/pkg/easyca/serial.go
@@ -2,43 +2,44 @@ package easyca
import (
"fmt"
- "io/ioutil"
+ "math/big"
"os"
"path/filepath"
- "strconv"
- "strings"
)
-func NextSerial(pkiroot string) (int64, error) {
- var serial int64
- f, err := os.OpenFile(filepath.Join(pkiroot, "serial"), os.O_RDWR|os.O_CREATE, 0644)
+func NextSerial(pkiroot string) (*big.Int, error) {
+ serial := big.NewInt(0)
+
+ f, err := os.OpenFile(filepath.Join(pkiroot, "serial"), os.O_RDWR, 0644)
if err != nil {
- return 0, err
+ return nil, err
}
defer f.Close()
- out, err := ioutil.ReadAll(f)
+
+ n, err := fmt.Fscanf(f, "%X\n", serial)
if err != nil {
- return 0, err
+ return nil, err
}
- if len(out) == 0 {
- serial = 1
- } else {
- // If serial file is edited manually, it will probably get \n or \r\n
- // We make sure to clean the unwanted characters
- serial, err = strconv.ParseInt(strings.TrimSpace(string(out)), 10, 64)
- if err != nil {
- return 0, err
- }
- serial += 1
+ if n != 1 {
+ return nil, fmt.Errorf("supposed to read 1 element, read: %v", n)
}
+ next := big.NewInt(1)
+ next.Add(serial, next)
+ output := fmt.Sprintf("%X", next)
+ // For compatibility with openssl we need an even length
+ if len(output)%2 == 1 {
+ output = "0" + output
+ }
+ f.Truncate(0)
f.Seek(0, 0)
- written, err := fmt.Fprint(f, serial)
+
+ n, err = fmt.Fprintln(f, output)
if err != nil {
- return 0, err
+ return nil, err
}
- if written == 0 {
- return 0, fmt.Errorf("wanted to write %s to serial file, no byte written", written)
+ if n == 0 {
+ return nil, fmt.Errorf("supposed to write 1 element, written: %v", n)
}
return serial, nil