From 7966cd4a5e6c719b9b9790839c743a137b52900b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Fri, 25 Aug 2017 16:45:55 +0200
Subject: [PATCH] add: key-compromise revocation

---
 src/club/wpia/gigi/database/DatabaseConnection.java | 2 +-
 src/club/wpia/gigi/database/tableStructure.sql | 7 +++++--
 src/club/wpia/gigi/database/upgrade/from_29.sql | 5 +++++
 src/club/wpia/gigi/dbObjects/Certificate.java | 13 ++++++++++++-
 src/club/wpia/gigi/dbObjects/Job.java | 13 ++++++++++++-
 5 files changed, 35 insertions(+), 5 deletions(-)
 create mode 100644 src/club/wpia/gigi/database/upgrade/from_29.sql

diff --git a/src/club/wpia/gigi/database/DatabaseConnection.java b/src/club/wpia/gigi/database/DatabaseConnection.java
index b7b9c14f..3f0acd8a 100644
--- a/src/club/wpia/gigi/database/DatabaseConnection.java
+++ b/src/club/wpia/gigi/database/DatabaseConnection.java
@@ -122,7 +122,7 @@ public class DatabaseConnection {
 }
- public static final int CURRENT_SCHEMA_VERSION = 29;
+ public static final int CURRENT_SCHEMA_VERSION = 30;
 public static final int CONNECTION_TIMEOUT = 24 * 60 * 60;
diff --git a/src/club/wpia/gigi/database/tableStructure.sql b/src/club/wpia/gigi/database/tableStructure.sql
index 0662bf18..8a4eec22 100644
--- a/src/club/wpia/gigi/database/tableStructure.sql
+++ b/src/club/wpia/gigi/database/tableStructure.sql
@@ -175,13 +175,16 @@ CREATE INDEX ON "certs" ("crt_name");
 DROP TABLE IF EXISTS "certsRevoked";
 DROP TYPE IF EXISTS "revocationType";
-CREATE TYPE "revocationType" AS ENUM('user', 'support', 'ping_timeout');
+CREATE TYPE "revocationType" AS ENUM('user', 'support', 'ping_timeout', 'key_compromise');
 CREATE TABLE "certsRevoked" (
 "id" int NOT NULL,
 -- the time when the certificate was revoked by cassiopeia (and that is stored in the CRL)
 -- NULL indicated the revocation is pending
 "revoked" timestamp NULL,
 "type" "revocationType" NOT NULL,
+ "challenge" varchar(16) NULL DEFAULT NULL,
+ "signature" text NULL DEFAULT NULL,
+ "message" text NULL DEFAULT NULL,
 PRIMARY KEY ("id")
 );
@@ -384,7 +387,7 @@ CREATE TABLE "schemeVersion" (
 "version" smallint NOT NULL,
 PRIMARY KEY ("version")
 );
-INSERT INTO "schemeVersion" (version) VALUES(29);
+INSERT INTO "schemeVersion" (version) VALUES(30);
 DROP TABLE IF EXISTS `passwordResetTickets`;
 CREATE TABLE `passwordResetTickets` (
diff --git a/src/club/wpia/gigi/database/upgrade/from_29.sql b/src/club/wpia/gigi/database/upgrade/from_29.sql
new file mode 100644
index 00000000..200aeb0c
--- /dev/null
+++ b/src/club/wpia/gigi/database/upgrade/from_29.sql
@@ -0,0 +1,5 @@
+ALTER TABLE "certsRevoked" ADD COLUMN "challenge" varchar(16) NULL DEFAULT NULL;
+ALTER TABLE "certsRevoked" ADD COLUMN "signature" text NULL DEFAULT NULL;
+ALTER TABLE "certsRevoked" ADD COLUMN "message" text NULL DEFAULT NULL;
+
+ALTER TYPE "revocationType" ADD VALUE 'key_compromise' AFTER 'ping_timeout';
diff --git a/src/club/wpia/gigi/dbObjects/Certificate.java b/src/club/wpia/gigi/dbObjects/Certificate.java
index c3ff5ab1..70ce26a0 100644
--- a/src/club/wpia/gigi/dbObjects/Certificate.java
+++ b/src/club/wpia/gigi/dbObjects/Certificate.java
@@ -14,6 +14,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map.Entry;
 import club.wpia.gigi.GigiApiException;
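Review bot: The three new nullable columns on `certsRevoked` carry no constraint tying them to the new `key_compromise` enum value, so the schema accepts a `key_compromise` row whose `challenge` or `signature` is NULL as well as a `user` row that carries a signature, and unlike `revoked` the new columns are not commented. A table-level check such as `CHECK ("type" <> 'key_compromise' OR ("challenge" IS NOT NULL AND "signature" IS NOT NULL))` would make the invariant explicit at the storage layer; from_29.sql would then need the matching `ALTER TABLE ... ADD CONSTRAINT`. Above the new columns I would add, in the existing comment style, `-- challenge/signature/message: only written for 'key_compromise' revocations (see Job.revoke); NULL for every other type` — what the challenge and signature actually prove is not visible in this patch, so the comment should not claim more than that.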
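Review bot: `ALTER TYPE "revocationType" ADD VALUE` cannot be executed inside a transaction block on PostgreSQL releases before 12, so if the upgrade runner applies each `from_N.sql` inside one transaction (not visible here) the three `ALTER TABLE` statements succeed and the final statement fails, leaving the schema half-migrated at version 30. Worth confirming that upgrade scripts run in autocommit mode, or moving the `ALTER TYPE` into its own step, and recording the requirement at the top of the file: `-- ALTER TYPE ... ADD VALUE must run outside a transaction on PostgreSQL < 12`.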
@@ -28,7 +29,7 @@ import club.wpia.gigi.util.KeyStorage;
 public class Certificate implements IdCachable {
 public enum RevocationType implements DBEnum {
- USER("user"), SUPPORT("support"), PING_TIMEOUT("ping_timeout");
+ USER("user"), SUPPORT("support"), PING_TIMEOUT("ping_timeout"), KEY_COMPROMISE("key_compromise");
 private final String dbName;
@@ -40,6 +41,10 @@ public class Certificate implements IdCachable {
 public String getDBName() {
 return dbName;
 }
+
+ public static RevocationType fromString(String s) {
+ return valueOf(s.toUpperCase(Locale.ENGLISH));
+ }
 }
 public enum SANType implements DBEnum {
@@ -345,7 +350,13 @@ public class Certificate implements IdCachable {
 throw new IllegalStateException();
 }
 return Job.revoke(this, type);
+ }
+ public Job revoke(String challenge, String signature, String message) {
+ if (getStatus() != CertificateStatus.ISSUED) {
+ throw new IllegalStateException();
+ }
+ return Job.revoke(this, challenge, signature, message);
 }
 public CACertificate getParent() {
diff --git a/src/club/wpia/gigi/dbObjects/Job.java b/src/club/wpia/gigi/dbObjects/Job.java
index 8941e38a..4c4c753d 100644
--- a/src/club/wpia/gigi/dbObjects/Job.java
+++ b/src/club/wpia/gigi/dbObjects/Job.java
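Review bot: `RevocationType.fromString` resolves by the Java constant name rather than through `getDBName()`, and it throws `IllegalArgumentException` for any unrecognised value and `NullPointerException` for null; none of that is documented, and the `Locale.ENGLISH` upper-casing suggests the argument comes from external input, so callers need to know both cases. A Javadoc such as `/** Resolves a revocation type from its case-insensitive name, e.g. "key_compromise". @throws IllegalArgumentException if no constant matches; NPE on null */` would state the contract. Looking the value up by `getDBName()` instead would also keep the mapping stable if a constant were ever renamed away from its DB name; that it currently works relies on every constant name being the upper-cased DB name.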
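Review bot: The new `revoke(String challenge, String signature, String message)` overload records a `key_compromise` revocation without checking that `challenge` and `signature` are present, and nothing in this patch verifies the signature against the challenge; `Job.revoke(Certificate, String, String, String)` in Job.java forwards the values unchanged, so a null signature would be stored as the proof of compromise. If verification is the caller's responsibility, the method needs Javadoc saying so — `Records a key-compromise revocation; the caller must already have verified that signature is a valid proof over challenge` — plus a guard before the status check such as `if (challenge == null || signature == null) { throw new IllegalArgumentException("challenge and signature are required"); }`, which avoids a new `java.util.Objects` import. The existing `revoke(RevocationType)` whose closing brace this hunk moves starts outside the hunk.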
@@ -45,9 +45,20 @@ public class Job implements IdCachable {
 }
 protected synchronized static Job revoke(Certificate targetId, RevocationType type) {
- try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `certsRevoked` SET id=?, type=?::`revocationType`")) {
+ return revoke(targetId, type, null, null, null);
+ }
+
+ protected synchronized static Job revoke(Certificate targetId, String challenge, String signature, String message) {
+ return revoke(targetId, RevocationType.KEY_COMPROMISE, challenge, signature, message);
+ }
+
+ private synchronized static Job revoke(Certificate targetId, RevocationType type, String challenge, String signature, String message) {
+ try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `certsRevoked` SET id=?, type=?::`revocationType`, challenge=?, signature=?, message=?")) {
 ps.setInt(1, targetId.getId());
 ps.setEnum(2, type);
+ ps.setString(3, challenge);
+ ps.setString(4, signature);
+ ps.setString(5, message);
 ps.execute();
 }
-- 
2.39.2
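Review bot: The private five-argument `revoke` binds `challenge` straight into a column that tableStructure.sql in this same patch declares as `varchar(16)`, so a longer challenge surfaces as a database error out of `ps.execute()` rather than as a clear argument failure, and none of the three overloads has Javadoc explaining which one writes which fields. I would precede the INSERT with `if (challenge != null && challenge.length() > 16) { throw new IllegalArgumentException("challenge exceeds 16 characters"); }` and give each overload a one-line comment: the two-argument form now writes explicit NULLs for challenge/signature/message (same result as the column defaults), the four-argument form always records `RevocationType.KEY_COMPROMISE`. The method body continues past the end of the hunk, so whatever follows `ps.execute()` is not reviewed here.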