func revokeBySerial(ctx context.Context, serial string, reasonCode core.RevocationCode, rac rpc.RegistrationAuthorityClient, logger blog.Logger, tx *gorp.Transaction) (err error) {
if reasonCode < 0 || reasonCode == 7 || reasonCode > 10 {
panic(fmt.Sprintf("Invalid reason code: %d", reasonCode))
}
certObj, err := tx.Get(core.Certificate{}, serial)
if err != nil {
return
}
certificate, ok := certObj.(*core.Certificate)
if !ok {
err = fmt.Errorf("Cast failure")
return
}
cert, err := x509.ParseCertificate(certificate.DER)
if err != nil {
return
}
u, err := user.Current()
err = rac.AdministrativelyRevokeCertificate(ctx, *cert, reasonCode, u.Username)
if err != nil {
return
}
logger.Info(fmt.Sprintf("Revoked certificate %s with reason '%s'", serial, core.RevocationReasons[reasonCode]))
return
}
func revokeBySerial(ctx context.Context, serial string, reasonCode revocation.Reason, rac core.RegistrationAuthority, logger blog.Logger, tx *gorp.Transaction) (err error) {
if reasonCode < 0 || reasonCode == 7 || reasonCode > 10 {
panic(fmt.Sprintf("Invalid reason code: %d", reasonCode))
}
certObj, err := sa.SelectCertificate(tx, "WHERE serial = ?", serial)
if err == sql.ErrNoRows {
return core.NotFoundError(fmt.Sprintf("No certificate found for %s", serial))
}
if err != nil {
return err
}
cert, err := x509.ParseCertificate(certObj.DER)
if err != nil {
return
}
u, err := user.Current()
err = rac.AdministrativelyRevokeCertificate(ctx, *cert, reasonCode, u.Username)
if err != nil {
return
}
logger.Info(fmt.Sprintf("Revoked certificate %s with reason '%s'", serial, revocation.ReasonToString[reasonCode]))
return
}
// CatchSignals catches SIGTERM, SIGINT, SIGHUP and executes a callback
// method before exiting
func CatchSignals(logger blog.Logger, callback func()) {
sigChan := make(chan os.Signal, 1)
signal.Notify(sigChan, syscall.SIGTERM)
signal.Notify(sigChan, syscall.SIGINT)
signal.Notify(sigChan, syscall.SIGHUP)
sig := <-sigChan
logger.Info(fmt.Sprintf("Caught %s", signalToName[sig]))
if callback != nil {
callback()
}
logger.Info("Exiting")
os.Exit(0)
}
func parseLogLine(sa certificateStorage, logger blog.Logger, line string) (found bool, added bool) {
ctx := context.Background()
if !strings.Contains(line, "b64der=") || !strings.Contains(line, "orphaning certificate") {
return false, false
}
derStr := b64derOrphan.FindStringSubmatch(line)
if len(derStr) <= 1 {
logger.Err(fmt.Sprintf("Didn't match regex for b64der: %s", line))
return true, false
}
der, err := base64.StdEncoding.DecodeString(derStr[1])
if err != nil {
logger.Err(fmt.Sprintf("Couldn't decode b64: %s, [%s]", err, line))
return true, false
}
err = checkDER(sa, der)
if err != nil {
logFunc := logger.Err
if err == errAlreadyExists {
logFunc = logger.Info
}
logFunc(fmt.Sprintf("%s, [%s]", err, line))
return true, false
}
// extract the regID
regStr := regOrphan.FindStringSubmatch(line)
if len(regStr) <= 1 {
logger.Err(fmt.Sprintf("regID variable is empty, [%s]", line))
return true, false
}
regID, err := strconv.Atoi(regStr[1])
if err != nil {
logger.Err(fmt.Sprintf("Couldn't parse regID: %s, [%s]", err, line))
return true, false
}
_, err = sa.AddCertificate(ctx, der, int64(regID))
if err != nil {
logger.Err(fmt.Sprintf("Failed to store certificate: %s, [%s]", err, line))
return true, false
}
return true, true
}
// reconnect attempts repeatedly to connect and subscribe to the named queue. It
// will loop forever until it succeeds. This is used for a running server, where
// we don't want to shut down because we lost our AMQP connection.
func (ac *amqpConnector) reconnect(config *cmd.AMQPConfig, log blog.Logger) {
for i := 0; ; i++ {
ac.clk.Sleep(core.RetryBackoff(i, ac.retryTimeoutBase, ac.retryTimeoutMax, 2))
log.Info(fmt.Sprintf(" [!] attempting reconnect for %s", ac.queueName))
err := ac.connect(config)
if err != nil {
log.Warning(fmt.Sprintf(" [!] %s", err))
continue
}
break
}
log.Info(fmt.Sprintf(" [!] reconnect success for %s", ac.queueName))
return
}
// NewRegistrationAuthorityServer constructs an RPC server
func NewRegistrationAuthorityServer(rpc Server, impl core.RegistrationAuthority, log blog.Logger) error {
rpc.Handle(MethodNewRegistration, func(ctx context.Context, req []byte) (response []byte, err error) {
var rr registrationRequest
if err = json.Unmarshal(req, &rr); err != nil {
// AUDIT[ Improper Messages ] 0786b6f2-91ca-4f48-9883-842a19084c64
improperMessage(MethodNewRegistration, err, req)
return
}
reg, err := impl.NewRegistration(ctx, rr.Reg)
if err != nil {
return
}
response, err = json.Marshal(reg)
if err != nil {
// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
errorCondition(MethodNewRegistration, err, req)
return
}
return
})
rpc.Handle(MethodNewAuthorization, func(ctx context.Context, req []byte) (response []byte, err error) {
var ar authorizationRequest
if err = json.Unmarshal(req, &ar); err != nil {
// AUDIT[ Improper Messages ] 0786b6f2-91ca-4f48-9883-842a19084c64
improperMessage(MethodNewAuthorization, err, req)
return
}
authz, err := impl.NewAuthorization(ctx, ar.Authz, ar.RegID)
if err != nil {
return
}
response, err = json.Marshal(authz)
if err != nil {
// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
errorCondition(MethodNewAuthorization, err, req)
return
}
return
})
rpc.Handle(MethodNewCertificate, func(ctx context.Context, req []byte) (response []byte, err error) {
log.Info(fmt.Sprintf(" [.] Entering MethodNewCertificate"))
var cr certificateRequest
if err = json.Unmarshal(req, &cr); err != nil {
// AUDIT[ Improper Messages ] 0786b6f2-91ca-4f48-9883-842a19084c64
improperMessage(MethodNewCertificate, err, req)
return
}
log.Info(fmt.Sprintf(" [.] No problem unmarshaling request"))
cert, err := impl.NewCertificate(ctx, cr.Req, cr.RegID)
if err != nil {
return
}
log.Info(fmt.Sprintf(" [.] No problem issuing new cert"))
response, err = json.Marshal(cert)
if err != nil {
// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
errorCondition(MethodNewCertificate, err, req)
return
}
return
})
rpc.Handle(MethodUpdateRegistration, func(ctx context.Context, req []byte) (response []byte, err error) {
var urReq updateRegistrationRequest
err = json.Unmarshal(req, &urReq)
if err != nil {
// AUDIT[ Improper Messages ] 0786b6f2-91ca-4f48-9883-842a19084c64
improperMessage(MethodUpdateRegistration, err, req)
return
}
reg, err := impl.UpdateRegistration(ctx, urReq.Base, urReq.Update)
if err != nil {
return
}
response, err = json.Marshal(reg)
if err != nil {
// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
errorCondition(MethodUpdateRegistration, err, req)
return
}
return
})
rpc.Handle(MethodUpdateAuthorization, func(ctx context.Context, req []byte) (response []byte, err error) {
var uaReq updateAuthorizationRequest
err = json.Unmarshal(req, &uaReq)
if err != nil {
// AUDIT[ Improper Messages ] 0786b6f2-91ca-4f48-9883-842a19084c64
improperMessage(MethodUpdateAuthorization, err, req)
return
}
newAuthz, err := impl.UpdateAuthorization(ctx, uaReq.Authz, uaReq.Index, uaReq.Response)
if err != nil {
return
}
response, err = json.Marshal(newAuthz)
if err != nil {
// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
errorCondition(MethodUpdateAuthorization, err, req)
return
}
return
})
rpc.Handle(MethodRevokeCertificateWithReg, func(ctx context.Context, req []byte) (response []byte, err error) {
var revReq struct {
Cert []byte
Reason core.RevocationCode
RegID int64
}
if err = json.Unmarshal(req, &revReq); err != nil {
// AUDIT[ Improper Messages ] 0786b6f2-91ca-4f48-9883-842a19084c64
improperMessage(MethodRevokeCertificateWithReg, err, req)
return
}
cert, err := x509.ParseCertificate(revReq.Cert)
if err != nil {
// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
return
}
err = impl.RevokeCertificateWithReg(ctx, *cert, revReq.Reason, revReq.RegID)
return
})
rpc.Handle(MethodAdministrativelyRevokeCertificate, func(ctx context.Context, req []byte) (response []byte, err error) {
var revReq struct {
Cert []byte
Reason core.RevocationCode
User string
}
if err = json.Unmarshal(req, &revReq); err != nil {
// AUDIT[ Improper Messages ] 0786b6f2-91ca-4f48-9883-842a19084c64
improperMessage(MethodAdministrativelyRevokeCertificate, err, req)
return
}
cert, err := x509.ParseCertificate(revReq.Cert)
if err != nil {
// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
return
}
err = impl.AdministrativelyRevokeCertificate(ctx, *cert, revReq.Reason, revReq.User)
return
})
return nil
}
