// IncrementAndGetSerial returns the next-available serial number, incrementing
// it in the database before returning. There must be an active transaction to
// call this method. Callers should Begin the transaction, call this method,
// perform any other work, and Commit at the end once the certificate is issued.
func (cadb *CertificateAuthorityDatabaseImpl) IncrementAndGetSerial(tx *gorp.Transaction) (val int64, err error) {
if tx == nil {
err = fmt.Errorf("No transaction given")
return
}
rowObj, err := tx.Get(SerialNumber{}, 1)
if err != nil {
return
}
row, ok := rowObj.(*SerialNumber)
if !ok {
err = fmt.Errorf("No serial number found. This is a serious issue")
return
}
val = row.Number
row.Number = val + 1
_, err = tx.Update(row)
if err != nil {
return
}
return
}
func revokeBySerial(serial string, reasonCode core.RevocationCode, deny bool, cac rpc.CertificateAuthorityClient, auditlogger *blog.AuditLogger, tx *gorp.Transaction) (err error) {
if reasonCode < 0 || reasonCode == 7 || reasonCode > 10 {
panic(fmt.Sprintf("Invalid reason code: %d", reasonCode))
}
certObj, err := tx.Get(core.Certificate{}, serial)
if err != nil {
return
}
certificate, ok := certObj.(*core.Certificate)
if !ok {
err = fmt.Errorf("Cast failure")
return
}
if deny {
// Retrieve DNS names associated with serial
var cert *x509.Certificate
cert, err = x509.ParseCertificate(certificate.DER)
if err != nil {
return
}
err = addDeniedNames(tx, append(cert.DNSNames, cert.Subject.CommonName))
if err != nil {
return
}
}
err = cac.RevokeCertificate(certificate.Serial, reasonCode)
if err != nil {
return
}
auditlogger.Info(fmt.Sprintf("Revoked certificate %s with reason '%s'", serial, core.RevocationReasons[reasonCode]))
return
}
func (updater *OCSPUpdater) processResponse(tx *gorp.Transaction, serial string) error {
certObj, err := tx.Get(core.Certificate{}, serial)
if err != nil {
return err
}
statusObj, err := tx.Get(core.CertificateStatus{}, serial)
if err != nil {
return err
}
cert, ok := certObj.(*core.Certificate)
if !ok {
return fmt.Errorf("Cast failure")
}
status, ok := statusObj.(*core.CertificateStatus)
if !ok {
return fmt.Errorf("Cast failure")
}
_, err = x509.ParseCertificate(cert.DER)
if err != nil {
return err
}
signRequest := core.OCSPSigningRequest{
CertDER: cert.DER,
Reason: status.RevokedReason,
Status: string(status.Status),
RevokedAt: status.RevokedDate,
}
ocspResponse, err := updater.cac.GenerateOCSP(signRequest)
if err != nil {
return err
}
timeStamp := time.Now()
// Record the response.
ocspResp := &core.OCSPResponse{Serial: serial, CreatedAt: timeStamp, Response: ocspResponse}
err = tx.Insert(ocspResp)
if err != nil {
return err
}
// Reset the update clock
status.OCSPLastUpdated = timeStamp
_, err = tx.Update(status)
if err != nil {
return err
}
// Done
return nil
}
func revokeByReg(regID int, reasonCode int, deny bool, cac rpc.CertificateAuthorityClient, auditlogger *blog.AuditLogger, tx *gorp.Transaction) (err error) {
_, err = tx.Get(core.Registration{}, regID)
if err != nil {
return
}
var certs []core.Certificate
_, err = tx.Select(&certs, "SELECT serial FROM certificates WHERE registrationID = :regID", map[string]interface{}{"regID": regID})
if err != nil {
return
}
for _, cert := range certs {
err = revokeBySerial(cert.Serial, reasonCode, deny, cac, auditlogger, tx)
if err != nil {
return
}
}
return
}