} else if( job->task == "revoke" ) {
try {
auto data = jp->getRevocationInfo( job );
- std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( CAs.at( data.second ), data.first );
+ std::vector<std::string> serials;
+ serials.push_back( data.first );
+ std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( CAs.at( data.second ), serials );
std::string date = rev.second;
const unsigned char* pos = ( const unsigned char* ) date.data();
std::shared_ptr<ASN1_TIME> time( d2i_ASN1_TIME( NULL, &pos, date.size() ), ASN1_TIME_free );
return result;
}
-std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
+std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serials ) {
( void )BIO_reset( target.get() );
std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
head.flags = 0;
head.sessid = 13;
- std::string payload = ca->name + std::string( "\0", 1 ) + serial;
+ for( std::string serial : serials ) {
+ send( conn, head, RecordHeader::SignerCommand::ADD_SERIAL, serial );
+ }
+
+ std::string payload = ca->name;
send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
std::vector<char> buffer( 2048 * 4 );
ASN1_TIME_free( time );
date = payload.substr( 0, pos - buffer2 );
std::string rest = payload.substr( pos - buffer2 );
- crl->revoke( serial, date );
+
+ for( std::string serial : serials ) {
+ crl->revoke( serial, date );
+ }
+
crl->setSignature( rest );
bool ok = crl->verify( ca );
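Review bot: Both new `for( std::string serial : serials )` loops copy every serial; iterate with `const std::string& serial`, and since the function only reads the list, declare the parameter `const std::vector<std::string>& serials` (the matching header declaration needs the same change). An empty `serials` is not rejected, so the function still sends a bare REVOKE and then rebuilds and verifies a CRL with no new entries; an early return would make that case explicit rather than presumed-impossible. Note also that the single `date` parsed from the response is applied to every serial in the rebuilt CRL, so the `crl->verify( ca )` check can only pass if the signer stamped all entries with that one date. The middle of revoke (between the send and the CRL reconstruction) and its tail after verify are outside these hunks.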
RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx );
~RemoteSigner();
std::shared_ptr<SignedCertificate> sign( std::shared_ptr<TBSCertificate> cert );
- std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::string serial );
+ std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serial );
void setLog( std::shared_ptr<std::ostream> target );
};
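Review bot: The new declaration names the parameter `serial` while the definition in remoteSigner.cpp calls it `serials`; the plural matches the type, so use it here: `std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serials );`. The same singular/plural mismatch recurs in the signer.h and simpleOpensslSigner.h declarations in this diff. A one-line comment stating what the returned string is (the callers treat it as a DER-encoded revocation date) would also help, since a `std::pair<CRL, std::string>` says nothing about it.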
#pragma once
#include <memory>
+#include <vector>
#include "db/database.h"
#include "crypto/sslUtil.h"
class Signer {
public:
virtual std::shared_ptr<SignedCertificate> sign( std::shared_ptr<TBSCertificate> cert ) = 0;
- virtual std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::string serial ) = 0;
+ virtual std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serial ) = 0;
};
return output;
}
-std::pair<std::shared_ptr<CRL>, std::string> SimpleOpensslSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
+std::pair<std::shared_ptr<CRL>, std::string> SimpleOpensslSigner::revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serials ) {
std::string crlpath = ca->path + "/ca.crl";
std::shared_ptr<CRL> crl( new CRL( crlpath ) );
- std::string date = crl->revoke( serial, "" );
+ std::string date = "";
+
+ for( std::string serial : serials ) {
+ date = crl->revoke( serial, "" );
+ }
+
crl->sign( ca );
writeFile( crlpath, crl->toString() );
return std::pair<std::shared_ptr<CRL>, std::string>( crl, date );
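Review bot: Each `crl->revoke( serial, "" )` in the new loop passes an empty date, so if CRL::revoke stamps the current time per call the entries can carry different timestamps while only the last one is returned; the RemoteSigner side of this diff rebuilds the CRL with that single date for every serial and then verifies the signature, which would fail whenever the per-entry timestamps differ. Feed the first date forward so all entries share it, `date = crl->revoke( serial, date );` — this assumes a non-empty date argument is honored as the revocation time, which the remote path already relies on, so it should be confirmed against CRL::revoke. With an empty `serials` the CRL is still re-signed and rewritten with `date == ""`; either return early or add a comment stating that re-signing an unchanged CRL is intended.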
SimpleOpensslSigner();
~SimpleOpensslSigner();
std::shared_ptr<SignedCertificate> sign( std::shared_ptr<TBSCertificate> cert );
- std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::string serial );
+ std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serial );
};
LOG_SAVED = 0x81,
REVOKE = 0x100,
GET_FULL_CRL = 0x101,
+ ADD_SERIAL = 0x102,
GET_TIMESTAMP = 0xC0,
GET_STATUS_REPORT = 0xD0
};
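Review bot: `ADD_SERIAL` is added without a comment, and its protocol role is not visible from the enum alone: per the handler in this diff it appends one serial to a per-session list that the next `REVOKE` (whose payload is now just the CA name) consumes. A one-line comment would save the next reader a trip through the handler, e.g. `ADD_SERIAL = 0x102, // payload: one serial; queued in the session for the next REVOKE`. If the queue is meant to be emptied by REVOKE, state that here as well so both sides of the protocol agree on it.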
std::shared_ptr<Signer> signer;
std::shared_ptr<std::ofstream> log;
+ std::vector<std::string> serials;
RecordHandlerSession( DefaultRecordHandler* parent, std::shared_ptr<Signer> signer, std::shared_ptr<SSL_CTX> ctx, std::shared_ptr<BIO> output ) :
tbs( new TBSCertificate() ) {
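Review bot: `serials` is session state that only grows: the `ADD_SERIAL` case in this diff pushes onto it and the `REVOKE` case hands it to the signer, but nothing in the diff resets it, so a second REVOKE in the same session would replay the earlier serials — against whichever CA that later REVOKE names, since serials are queued without one. Clear it once consumed, `serials.clear();` right after `signer->revoke( reqCA, serials )`. Because a peer can grow this list without bound before ever sending REVOKE, a cap on its size is worth adding too. The per-serial log line removed from the REVOKE case is not replaced, so the signer log no longer records which serials were revoked; logging `data` in the ADD_SERIAL case would restore that audit trail. RecordHandlerSession's lifetime is not visible here, so whether one session serves several commands is inferred.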
break;
- case RecordHeader::SignerCommand::REVOKE: {
- ( *log ) << "got revoking command: " << data.size() << std::endl;
- std::string nullstr( "\0", 1 );
- size_t t = data.find( nullstr );
-
- if( t == std::string::npos ) {
- // error
- ( *log ) << "error while parsing revoking command." << data << std::endl;
- break;
- }
-
- std::string ca = data.substr( 0, t );
- std::string serial = data.substr( t + 1 );
- ( *log ) << "revoking " << ca << "<->" << serial << std::endl;
-
- ( *log ) << "[";
-
- for( auto x : CAs ) {
- ( *log ) << x.first << ", ";
- }
-
- ( *log ) << "]" << std::endl;
+ case RecordHeader::SignerCommand::ADD_SERIAL:
+ serials.push_back( data );
+ break;
+ case RecordHeader::SignerCommand::REVOKE: {
+ std::string ca = data;
auto reqCA = CAs.at( ca );
( *log ) << "CA found" << std::endl;
std::shared_ptr<CRL> crl;
std::string date;
- std::tie<std::shared_ptr<CRL>, std::string>( crl, date ) = signer->revoke( reqCA, serial );
+ std::tie<std::shared_ptr<CRL>, std::string>( crl, date ) = signer->revoke( reqCA, serials );
respondCommand( RecordHeader::SignerResult::REVOKED, date + crl->getSignature() );