File: revoke.go

package info (click to toggle)
golang-github-smallstep-certificates 0.20.0-5
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 23,144 kB
  • sloc: sh: 278; makefile: 170
file content (291 lines) | stat: -rw-r--r-- 10,064 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
 
package api

import (
	"bytes"
	"context"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"

	"go.step.sm/crypto/jose"
	"golang.org/x/crypto/ocsp"

	"github.com/smallstep/certificates/acme"
	"github.com/smallstep/certificates/api/render"
	"github.com/smallstep/certificates/authority"
	"github.com/smallstep/certificates/authority/provisioner"
	"github.com/smallstep/certificates/logging"
)

type revokePayload struct {
	Certificate string `json:"certificate"`
	ReasonCode  *int   `json:"reason,omitempty"`
}

// RevokeCert attempts to revoke a certificate.
func RevokeCert(w http.ResponseWriter, r *http.Request) {
	ctx := r.Context()
	db := acme.MustDatabaseFromContext(ctx)
	linker := acme.MustLinkerFromContext(ctx)

	jws, err := jwsFromContext(ctx)
	if err != nil {
		render.Error(w, err)
		return
	}

	prov, err := provisionerFromContext(ctx)
	if err != nil {
		render.Error(w, err)
		return
	}

	payload, err := payloadFromContext(ctx)
	if err != nil {
		render.Error(w, err)
		return
	}

	var p revokePayload
	err = json.Unmarshal(payload.value, &p)
	if err != nil {
		render.Error(w, acme.WrapErrorISE(err, "error unmarshaling payload"))
		return
	}

	certBytes, err := base64.RawURLEncoding.DecodeString(p.Certificate)
	if err != nil {
		// in this case the most likely cause is a client that didn't properly encode the certificate
		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding payload certificate property"))
		return
	}

	certToBeRevoked, err := x509.ParseCertificate(certBytes)
	if err != nil {
		// in this case a client may have encoded something different than a certificate
		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error parsing certificate"))
		return
	}

	serial := certToBeRevoked.SerialNumber.String()
	dbCert, err := db.GetCertificateBySerial(ctx, serial)
	if err != nil {
		render.Error(w, acme.WrapErrorISE(err, "error retrieving certificate by serial"))
		return
	}

	if !bytes.Equal(dbCert.Leaf.Raw, certToBeRevoked.Raw) {
		// this should never happen
		render.Error(w, acme.NewErrorISE("certificate raw bytes are not equal"))
		return
	}

	if shouldCheckAccountFrom(jws) {
		account, err := accountFromContext(ctx)
		if err != nil {
			render.Error(w, err)
			return
		}
		acmeErr := isAccountAuthorized(ctx, dbCert, certToBeRevoked, account)
		if acmeErr != nil {
			render.Error(w, acmeErr)
			return
		}
	} else {
		// if account doesn't need to be checked, the JWS should be verified to be signed by the
		// private key that belongs to the public key in the certificate to be revoked.
		_, err := jws.Verify(certToBeRevoked.PublicKey)
		if err != nil {
			// TODO(hs): possible to determine an error vs. unauthorized and thus provide an ISE vs. Unauthorized?
			render.Error(w, wrapUnauthorizedError(certToBeRevoked, nil, "verification of jws using certificate public key failed", err))
			return
		}
	}

	ca := mustAuthority(ctx)
	hasBeenRevokedBefore, err := ca.IsRevoked(serial)
	if err != nil {
		render.Error(w, acme.WrapErrorISE(err, "error retrieving revocation status of certificate"))
		return
	}

	if hasBeenRevokedBefore {
		render.Error(w, acme.NewError(acme.ErrorAlreadyRevokedType, "certificate was already revoked"))
		return
	}

	reasonCode := p.ReasonCode
	acmeErr := validateReasonCode(reasonCode)
	if acmeErr != nil {
		render.Error(w, acmeErr)
		return
	}

	// Authorize revocation by ACME provisioner
	ctx = provisioner.NewContextWithMethod(ctx, provisioner.RevokeMethod)
	err = prov.AuthorizeRevoke(ctx, "")
	if err != nil {
		render.Error(w, acme.WrapErrorISE(err, "error authorizing revocation on provisioner"))
		return
	}

	options := revokeOptions(serial, certToBeRevoked, reasonCode)
	err = ca.Revoke(ctx, options)
	if err != nil {
		render.Error(w, wrapRevokeErr(err))
		return
	}

	logRevoke(w, options)
	w.Header().Add("Link", link(linker.GetLink(ctx, acme.DirectoryLinkType), "index"))
	w.Write(nil)
}

// isAccountAuthorized checks if an ACME account that was retrieved earlier is authorized
// to revoke the certificate. An Account must always be valid in order to revoke a certificate.
// In case the certificate retrieved from the database belongs to the Account, the Account is
// authorized. If the certificate retrieved from the database doesn't belong to the Account,
// the identifiers in the certificate are extracted and compared against the (valid) Authorizations
// that are stored for the ACME Account. If these sets match, the Account is considered authorized
// to revoke the certificate. If this check fails, the client will receive an unauthorized error.
func isAccountAuthorized(ctx context.Context, dbCert *acme.Certificate, certToBeRevoked *x509.Certificate, account *acme.Account) *acme.Error {
	if !account.IsValid() {
		return wrapUnauthorizedError(certToBeRevoked, nil, fmt.Sprintf("account '%s' has status '%s'", account.ID, account.Status), nil)
	}
	certificateBelongsToAccount := dbCert.AccountID == account.ID
	if certificateBelongsToAccount {
		return nil // return early
	}

	// TODO(hs): according to RFC8555: 7.6, a server MUST consider the following accounts authorized
	// to revoke a certificate:
	//
	//	o  the account that issued the certificate.
	//	o  an account that holds authorizations for all of the identifiers in the certificate.
	//
	// We currently only support the first case. The second might result in step going OOM when
	// large numbers of Authorizations are involved when the current nosql interface is in use.
	// We want to protect users from this failure scenario, so that's why it hasn't been added yet.
	// This issue is tracked in https://github.com/smallstep/certificates/issues/767

	// not authorized; fail closed.
	return wrapUnauthorizedError(certToBeRevoked, nil, fmt.Sprintf("account '%s' is not authorized", account.ID), nil)
}

// wrapRevokeErr is a best effort implementation to transform an error during
// revocation into an ACME error, so that clients can understand the error.
func wrapRevokeErr(err error) *acme.Error {
	t := err.Error()
	if strings.Contains(t, "is already revoked") {
		return acme.NewError(acme.ErrorAlreadyRevokedType, t)
	}
	return acme.WrapErrorISE(err, "error when revoking certificate")
}

// unauthorizedError returns an ACME error indicating the request was
// not authorized to revoke the certificate.
func wrapUnauthorizedError(cert *x509.Certificate, unauthorizedIdentifiers []acme.Identifier, msg string, err error) *acme.Error {
	var acmeErr *acme.Error
	if err == nil {
		acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg)
	} else {
		acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg)
	}
	acmeErr.Status = http.StatusForbidden // RFC8555 7.6 shows example with 403

	switch {
	case len(unauthorizedIdentifiers) > 0:
		identifier := unauthorizedIdentifiers[0] // picking the first; compound may be an option too?
		acmeErr.Detail = fmt.Sprintf("No authorization provided for name %s", identifier.Value)
	case cert.Subject.String() != "":
		acmeErr.Detail = fmt.Sprintf("No authorization provided for name %s", cert.Subject.CommonName)
	default:
		acmeErr.Detail = "No authorization provided"
	}

	return acmeErr
}

// logRevoke logs successful revocation of certificate
func logRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {
	if rl, ok := w.(logging.ResponseLogger); ok {
		rl.WithFields(map[string]interface{}{
			"serial":      ri.Serial,
			"reasonCode":  ri.ReasonCode,
			"reason":      ri.Reason,
			"passiveOnly": ri.PassiveOnly,
			"ACME":        ri.ACME,
		})
	}
}

// validateReasonCode validates the revocation reason
func validateReasonCode(reasonCode *int) *acme.Error {
	if reasonCode != nil && ((*reasonCode < ocsp.Unspecified || *reasonCode > ocsp.AACompromise) || *reasonCode == 7) {
		return acme.NewError(acme.ErrorBadRevocationReasonType, "reasonCode out of bounds")
	}
	// NOTE: it's possible to add additional requirements to the reason code:
	//		The server MAY disallow a subset of reasonCodes from being
	//		used by the user. If a request contains a disallowed reasonCode,
	//		then the server MUST reject it with the error type
	//		"urn:ietf:params:acme:error:badRevocationReason"
	// No additional checks have been implemented so far.
	return nil
}

// revokeOptions determines the RevokeOptions for the Authority to use in revocation
func revokeOptions(serial string, certToBeRevoked *x509.Certificate, reasonCode *int) *authority.RevokeOptions {
	opts := &authority.RevokeOptions{
		Serial: serial,
		ACME:   true,
		Crt:    certToBeRevoked,
	}
	if reasonCode != nil { // NOTE: when implementing CRL and/or OCSP, and reason code is missing, CRL entry extension should be omitted
		opts.Reason = reason(*reasonCode)
		opts.ReasonCode = *reasonCode
	}
	return opts
}

// reason transforms an integer reason code to a
// textual description of the revocation reason.
func reason(reasonCode int) string {
	switch reasonCode {
	case ocsp.Unspecified:
		return "unspecified reason"
	case ocsp.KeyCompromise:
		return "key compromised"
	case ocsp.CACompromise:
		return "ca compromised"
	case ocsp.AffiliationChanged:
		return "affiliation changed"
	case ocsp.Superseded:
		return "superseded"
	case ocsp.CessationOfOperation:
		return "cessation of operation"
	case ocsp.CertificateHold:
		return "certificate hold"
	case ocsp.RemoveFromCRL:
		return "remove from crl"
	case ocsp.PrivilegeWithdrawn:
		return "privilege withdrawn"
	case ocsp.AACompromise:
		return "aa compromised"
	default:
		return "unspecified reason"
	}
}

// shouldCheckAccountFrom indicates whether an account should be
// retrieved from the context, so that it can be used for
// additional checks. This should only be done when no JWK
// can be extracted from the request, as that would indicate
// that the revocation request was signed with a certificate
// key pair (and not an account key pair). Looking up such
// a JWK would result in no Account being found.
func shouldCheckAccountFrom(jws *jose.JSONWebSignature) bool {
	return !canExtractJWKFrom(jws)
}