From 8a9ea3d28547e9742fcacc7cad9e8adb7784e596 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Fri, 25 Aug 2017 16:45:55 +0200
Subject: [PATCH] add: key-compromise revocation

Change-Id: If52127f976f6a0238ed4ec3673b848f1aba0181a
---
 .../wpia/gigi/database/DatabaseConnection.java  |  2 +-
 src/club/wpia/gigi/database/tableStructure.sql  | 10 +++++++---
 src/club/wpia/gigi/database/upgrade/from_29.sql |  5 +++++
 src/club/wpia/gigi/dbObjects/Certificate.java   | 13 ++++++++++++-
 src/club/wpia/gigi/dbObjects/Job.java           | 15 +++++++++++++--
 5 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 src/club/wpia/gigi/database/upgrade/from_29.sql

diff --git a/src/club/wpia/gigi/database/DatabaseConnection.java b/src/club/wpia/gigi/database/DatabaseConnection.java
index b7b9c14f..3f0acd8a 100644
--- a/src/club/wpia/gigi/database/DatabaseConnection.java
+++ b/src/club/wpia/gigi/database/DatabaseConnection.java
@@ -122,7 +122,7 @@ public class DatabaseConnection {
 
     }
 
-    public static final int CURRENT_SCHEMA_VERSION = 29;
+    public static final int CURRENT_SCHEMA_VERSION = 30;
 
     public static final int CONNECTION_TIMEOUT = 24 * 60 * 60;
 
diff --git a/src/club/wpia/gigi/database/tableStructure.sql b/src/club/wpia/gigi/database/tableStructure.sql
index 620ac55e..416d6a18 100644
--- a/src/club/wpia/gigi/database/tableStructure.sql
+++ b/src/club/wpia/gigi/database/tableStructure.sql
@@ -138,7 +138,7 @@ CREATE TABLE "user_agreements" (
 
 DROP TABLE IF EXISTS "certs";
 DROP TYPE IF EXISTS "revocationType";
-CREATE TYPE "revocationType" AS ENUM('user', 'support', 'ping_timeout');
+CREATE TYPE "revocationType" AS ENUM('user', 'support', 'ping_timeout', 'key_compromise');
 DROP TYPE IF EXISTS "mdType";
 CREATE TYPE "mdType" AS ENUM('md5','sha1','sha256','sha384','sha512');
 
@@ -161,8 +161,13 @@ CREATE TABLE "certs" (
   "crt_name" varchar(255) NOT NULL DEFAULT '',
   "created" timestamp NULL DEFAULT NULL,
   "modified" timestamp NULL DEFAULT NULL,
+
   "revoked" timestamp NULL,
   "revocationType" "revocationType" NULL,
+  "revocationChallenge" varchar(32) NULL DEFAULT NULL,
+  "revocationSignature" text NULL DEFAULT NULL,
+  "revocationMessage" text NULL DEFAULT NULL,
+
   "expire" timestamp NULL DEFAULT NULL,
   "renewed" boolean NOT NULL DEFAULT 'false',
   "pkhash" char(40) DEFAULT NULL,
@@ -178,7 +183,6 @@ CREATE INDEX ON "certs" ("serial");
 CREATE INDEX ON "certs" ("expire");
 CREATE INDEX ON "certs" ("crt_name");
 
-
 DROP TABLE IF EXISTS "certAvas";
 CREATE TABLE "certAvas" (
   "certId" int NOT NULL,
@@ -377,7 +381,7 @@ CREATE TABLE "schemeVersion" (
   "version" smallint NOT NULL,
   PRIMARY KEY ("version")
 );
-INSERT INTO "schemeVersion" (version) VALUES(29);
+INSERT INTO "schemeVersion" (version) VALUES(30);
 
 DROP TABLE IF EXISTS `passwordResetTickets`;
 CREATE TABLE `passwordResetTickets` (
diff --git a/src/club/wpia/gigi/database/upgrade/from_29.sql b/src/club/wpia/gigi/database/upgrade/from_29.sql
new file mode 100644
index 00000000..f2777223
--- /dev/null
+++ b/src/club/wpia/gigi/database/upgrade/from_29.sql
@@ -0,0 +1,5 @@
+ALTER TABLE "certs" ADD COLUMN "revocationChallenge" varchar(32) NULL DEFAULT NULL;
+ALTER TABLE "certs" ADD COLUMN "revocationSignature" text NULL DEFAULT NULL;
+ALTER TABLE "certs" ADD COLUMN "revocationMessage" text NULL DEFAULT NULL;
+
+ALTER TYPE "revocationType" ADD VALUE 'key_compromise' AFTER 'ping_timeout';
diff --git a/src/club/wpia/gigi/dbObjects/Certificate.java b/src/club/wpia/gigi/dbObjects/Certificate.java
index 8447fd73..bd1e7744 100644
--- a/src/club/wpia/gigi/dbObjects/Certificate.java
+++ b/src/club/wpia/gigi/dbObjects/Certificate.java
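Review bot: `ALTER TYPE "revocationType" ADD VALUE 'key_compromise' AFTER 'ping_timeout';` at the end of from_29.sql is a statement PostgreSQL refuses inside a transaction block on the releases current for this patch, and on later releases the new value still cannot be used in the same transaction; if the upgrade runner applies each from_N.sql inside one transaction (not visible here), this migration fails or leaves the enum half-applied while the three ALTER TABLE statements above it succeed. Either confirm the runner uses autocommit for upgrade scripts, or move the ALTER TYPE into its own step, and state the constraint at the top of the file: `-- ALTER TYPE ... ADD VALUE cannot run inside a transaction block; apply this script with autocommit.` The tableStructure.sql hunk is consistent with the migration (the two `+` lines before `"revoked"` and `"expire"` are added blank lines, not new columns), so only the three revocation* columns and the enum value need to be present on upgraded deployments.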
@@ -14,6 +14,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map.Entry;
 
 import club.wpia.gigi.GigiApiException;
@@ -28,7 +29,7 @@ import club.wpia.gigi.util.KeyStorage;
 public class Certificate implements IdCachable {
 
     public enum RevocationType implements DBEnum {
-        USER("user"), SUPPORT("support"), PING_TIMEOUT("ping_timeout");
+        USER("user"), SUPPORT("support"), PING_TIMEOUT("ping_timeout"), KEY_COMPROMISE("key_compromise");
 
         private final String dbName;
 
@@ -40,6 +41,10 @@ public class Certificate implements IdCachable {
         public String getDBName() {
             return dbName;
         }
+
+        public static RevocationType fromString(String s) {
+            return valueOf(s.toUpperCase(Locale.ENGLISH));
+        }
     }
 
     public enum SANType implements DBEnum {
@@ -345,7 +350,13 @@ public class Certificate implements IdCachable {
             throw new IllegalStateException();
         }
         return Job.revoke(this, type);
+    }
 
+    public Job revoke(String challenge, String signature, String message) {
+        if (getStatus() != CertificateStatus.ISSUED) {
+            throw new IllegalStateException();
+        }
+        return Job.revoke(this, challenge, signature, message);
     }
 
     public CACertificate getParent() {
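Review bot: `RevocationType.fromString` throws IllegalArgumentException for any string that is not a constant name and NullPointerException for null, which matters if it is meant to parse a request parameter; nothing in the hunk shows where it is called from, so I cannot tell whether a caller catches these. Either document that contract on the method, `/** Parses a revocation type by its constant name, case-insensitively. @throws IllegalArgumentException if s names no constant */`, or match on `getDBName()` and surface a GigiApiException so a bad value becomes a user-facing error instead of a 500. Note also that it resolves the Java constant name rather than the DB name; the two only coincide because every constant is the upper-cased dbName, and that coupling is worth a one-line comment.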
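Review bot: The new `revoke(String challenge, String signature, String message)` checks only that the certificate is ISSUED before queuing a KEY_COMPROMISE revocation; nothing in this hunk verifies that `signature` is a valid signature over `challenge` by this certificate's key, or that either argument is non-null. If that verification lives in the caller, say so here, e.g. `/** Queues a key-compromise revocation. The caller must already have verified that signature is a valid signature over challenge by this certificate's key; this method does not check it. */`, because otherwise this is the point at which an unverified claim of compromise revokes a certificate. At minimum add `Objects.requireNonNull(challenge, "challenge"); Objects.requireNonNull(signature, "signature");` so a missing proof is rejected before it is persisted. The existing `revoke(RevocationType type)` that this method is appended after starts outside the hunk.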
@@ -45,9 +45,20 @@ public class Job implements IdCachable {
     }
 
     protected synchronized static Job revoke(Certificate targetId, RevocationType type) {
-        try (GigiPreparedStatement ps = new GigiPreparedStatement("UPDATE `certs` SET `revocationType`=?::`revocationType` WHERE id=?")) {
+        return revoke(targetId, type, null, null, null);
+    }
+
+    protected synchronized static Job revoke(Certificate targetId, String challenge, String signature, String message) {
+        return revoke(targetId, RevocationType.KEY_COMPROMISE, challenge, signature, message);
+    }
+
+    private synchronized static Job revoke(Certificate targetId, RevocationType type, String challenge, String signature, String message) {
+        try (GigiPreparedStatement ps = new GigiPreparedStatement("UPDATE `certs` SET `revocationType`=?::`revocationType`, `revocationChallenge`=?, `revocationSignature`=?, `revocationMessage`=? WHERE id=?")) {
             ps.setEnum(1, type);
-            ps.setInt(2, targetId.getId());
+            ps.setString(2, challenge);
+            ps.setString(3, signature);
+            ps.setString(4, message);
+            ps.setInt(5, targetId.getId());
             ps.execute();
         }
 

-- 
2.39.2
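Review bot: The private `revoke` writes `challenge` straight into `revocationChallenge`, which the schema in this same patch declares as `varchar(32)`, so a longer challenge fails at the database with a value-too-long error rather than with a validation error the caller can report; check it before the UPDATE, `if (challenge != null && challenge.length() > 32) throw new IllegalArgumentException("challenge too long");`, or widen the column to `text` like its two siblings. The signature is also stored exactly as received with no verification at this layer, so the four-argument overload should carry a comment naming which caller is responsible for verifying it against the certificate's key before this is reached. The `revoked` timestamp column that tableStructure.sql lists is not set by this UPDATE; if it is meant to record when the revocation was requested, that presumably happens elsewhere and is worth confirming. The try block closes at the end of the hunk but the method body continues past it, so whatever is done with the queued job afterwards is outside my view.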