add: key-compromise revocation

author Felix Dörre <felix@dogcraft.de>

Fri, 25 Aug 2017 14:45:55 +0000 (16:45 +0200)

committer Felix Dörre <felix@dogcraft.de>

Mon, 9 Oct 2017 21:35:35 +0000 (23:35 +0200)
author Felix Dörre <felix@dogcraft.de>
Fri, 25 Aug 2017 14:45:55 +0000 (16:45 +0200)
committer Felix Dörre <felix@dogcraft.de>
Mon, 9 Oct 2017 21:35:35 +0000 (23:35 +0200)
diff --git a/src/club/wpia/gigi/database/DatabaseConnection.java b/src/club/wpia/gigi/database/DatabaseConnection.java

index b7b9c14fb13d896b630db8028131b621ad60b7ab..3f0acd8a4fc2c41252867d1d3433834327d7862f 100644 (file)
--- a/src/club/wpia/gigi/database/DatabaseConnection.java
+++ b/src/club/wpia/gigi/database/DatabaseConnection.java
@@ -122,7 +122,7 @@ public class DatabaseConnection {
  
      }
  
-    public static final int CURRENT_SCHEMA_VERSION = 29;
+    public static final int CURRENT_SCHEMA_VERSION = 30;
  
      public static final int CONNECTION_TIMEOUT = 24 * 60 * 60;
  
diff --git a/src/club/wpia/gigi/database/tableStructure.sql b/src/club/wpia/gigi/database/tableStructure.sql

index 620ac55e795973ae223d50aea0b6395dce2681df..416d6a18d06fa2a4fc4079b7cff0844c08cb1fb2 100644 (file)
--- a/src/club/wpia/gigi/database/tableStructure.sql
+++ b/src/club/wpia/gigi/database/tableStructure.sql
@@ -138,7 +138,7 @@ CREATE TABLE "user_agreements" (
  
  DROP TABLE IF EXISTS "certs";
  DROP TYPE IF EXISTS "revocationType";
-CREATE TYPE "revocationType" AS ENUM('user', 'support', 'ping_timeout');
+CREATE TYPE "revocationType" AS ENUM('user', 'support', 'ping_timeout', 'key_compromise');
  
  DROP TYPE IF EXISTS "mdType";
  CREATE TYPE "mdType" AS ENUM('md5','sha1','sha256','sha384','sha512');
@@ -161,8 +161,13 @@ CREATE TABLE "certs" (
    "crt_name" varchar(255) NOT NULL DEFAULT '',
    "created" timestamp NULL DEFAULT NULL,
    "modified" timestamp NULL DEFAULT NULL,
+
    "revoked" timestamp NULL,
    "revocationType" "revocationType" NULL,
+  "revocationChallenge" varchar(32) NULL DEFAULT NULL,
+  "revocationSignature" text NULL DEFAULT NULL,
+  "revocationMessage" text NULL DEFAULT NULL,
+
    "expire" timestamp NULL DEFAULT NULL,
    "renewed" boolean NOT NULL DEFAULT 'false',
    "pkhash" char(40) DEFAULT NULL,
@@ -178,7 +183,6 @@ CREATE INDEX ON "certs" ("serial");
  CREATE INDEX ON "certs" ("expire");
  CREATE INDEX ON "certs" ("crt_name");
  
-
  DROP TABLE IF EXISTS "certAvas";
  CREATE TABLE "certAvas" (
    "certId" int NOT NULL,
@@ -377,7 +381,7 @@ CREATE TABLE "schemeVersion" (
    "version" smallint NOT NULL,
    PRIMARY KEY ("version")
  );
-INSERT INTO "schemeVersion" (version)  VALUES(29);
+INSERT INTO "schemeVersion" (version)  VALUES(30);
  
  DROP TABLE IF EXISTS `passwordResetTickets`;
  CREATE TABLE `passwordResetTickets` (
diff --git a/src/club/wpia/gigi/database/upgrade/from_29.sql b/src/club/wpia/gigi/database/upgrade/from_29.sql

new file mode 100644 (file)

index 0000000..f277722
--- /dev/null
+++ b/src/club/wpia/gigi/database/upgrade/from_29.sql
@@ -0,0 +1,5 @@
+ALTER TABLE "certs" ADD COLUMN "revocationChallenge" varchar(32) NULL DEFAULT NULL;
+ALTER TABLE "certs" ADD COLUMN "revocationSignature" text NULL DEFAULT NULL;
+ALTER TABLE "certs" ADD COLUMN "revocationMessage" text NULL DEFAULT NULL;
+
+ALTER TYPE "revocationType" ADD VALUE 'key_compromise' AFTER 'ping_timeout';
diff --git a/src/club/wpia/gigi/dbObjects/Certificate.java b/src/club/wpia/gigi/dbObjects/Certificate.java

index 8447fd73e39ea04819a7f092d61a227ea669bc60..bd1e7744f7bd939185fe5516dfc0920e24e96e0c 100644 (file)
--- a/src/club/wpia/gigi/dbObjects/Certificate.java
+++ b/src/club/wpia/gigi/dbObjects/Certificate.java
@@ -14,6 +14,7 @@ import java.util.Collections;
  import java.util.HashMap;
  import java.util.LinkedList;
  import java.util.List;
+import java.util.Locale;
  import java.util.Map.Entry;
  
  import club.wpia.gigi.GigiApiException;
@@ -28,7 +29,7 @@ import club.wpia.gigi.util.KeyStorage;
  public class Certificate implements IdCachable {
  
      public enum RevocationType implements DBEnum {
-        USER("user"), SUPPORT("support"), PING_TIMEOUT("ping_timeout");
+        USER("user"), SUPPORT("support"), PING_TIMEOUT("ping_timeout"), KEY_COMPROMISE("key_compromise");
  
          private final String dbName;
  
@@ -40,6 +41,10 @@ public class Certificate implements IdCachable {
          public String getDBName() {
              return dbName;
          }
+
+        public static RevocationType fromString(String s) {
+            return valueOf(s.toUpperCase(Locale.ENGLISH));
+        }
      }
  
      public enum SANType implements DBEnum {
@@ -345,7 +350,13 @@ public class Certificate implements IdCachable {
              throw new IllegalStateException();
          }
          return Job.revoke(this, type);
+    }
  
+    public Job revoke(String challenge, String signature, String message) {
+        if (getStatus() != CertificateStatus.ISSUED) {
+            throw new IllegalStateException();
+        }
+        return Job.revoke(this, challenge, signature, message);
      }
  
      public CACertificate getParent() {
diff --git a/src/club/wpia/gigi/dbObjects/Job.java b/src/club/wpia/gigi/dbObjects/Job.java

index ac0c9cf7fd5ba086b7f41314a8b64ee58ca7ce57..a505eb41a05a7a70bbf5e3627361803be1185b14 100644 (file)
--- a/src/club/wpia/gigi/dbObjects/Job.java
+++ b/src/club/wpia/gigi/dbObjects/Job.java
@@ -45,9 +45,20 @@ public class Job implements IdCachable {
      }
  
      protected synchronized static Job revoke(Certificate targetId, RevocationType type) {
-        try (GigiPreparedStatement ps = new GigiPreparedStatement("UPDATE `certs` SET `revocationType`=?::`revocationType` WHERE id=?")) {
+        return revoke(targetId, type, null, null, null);
+    }
+
+    protected synchronized static Job revoke(Certificate targetId, String challenge, String signature, String message) {
+        return revoke(targetId, RevocationType.KEY_COMPROMISE, challenge, signature, message);
+    }
+
+    private synchronized static Job revoke(Certificate targetId, RevocationType type, String challenge, String signature, String message) {
+        try (GigiPreparedStatement ps = new GigiPreparedStatement("UPDATE `certs` SET `revocationType`=?::`revocationType`, `revocationChallenge`=?, `revocationSignature`=?, `revocationMessage`=? WHERE id=?")) {
              ps.setEnum(1, type);
-            ps.setInt(2, targetId.getId());
+            ps.setString(2, challenge);
+            ps.setString(3, signature);
+            ps.setString(4, message);
+            ps.setInt(5, targetId.getId());
              ps.execute();
          }
author	Felix Dörre <felix@dogcraft.de>
	Fri, 25 Aug 2017 14:45:55 +0000 (16:45 +0200)
committer	Felix Dörre <felix@dogcraft.de>
	Mon, 9 Oct 2017 21:35:35 +0000 (23:35 +0200)
src/club/wpia/gigi/database/DatabaseConnection.java		patch \| blob \| history
src/club/wpia/gigi/database/tableStructure.sql		patch \| blob \| history
src/club/wpia/gigi/database/upgrade/from_29.sql	[new file with mode: 0644]	patch \| blob
src/club/wpia/gigi/dbObjects/Certificate.java		patch \| blob \| history
src/club/wpia/gigi/dbObjects/Job.java		patch \| blob \| history