Merge pull request #165 from square/isemaya/certstrap-fix-revoke-key-…

…for-passphrase-protected-ca Allow password-protected CAs to call revoke command
square · Jul 21, 2022 · ad1ccbf · ad1ccbf
2 parents 1377eab + 98b4087
commit ad1ccbf
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 5 deletions.
diff --git a/cmd/revoke.go b/cmd/revoke.go
@@ -26,6 +26,10 @@ func NewRevokeCommand() cli.Command {
 		Usage:       "Revoke certificate",
 		Description: "Add certificate to the CA's CRL.",
 		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "passphrase",
+				Usage: "Passphrase to decrypt private-key PEM block of CA",
+			},
 			cli.StringFlag{
 				Name:  "CN",
 				Usage: "Common Name (CN) of certificate to revoke",
@@ -77,7 +81,7 @@ func (c *revokeCommand) run(ctx *cli.Context) {
 		RevocationTime: time.Now(),
 	})
 
-	err = c.saveRevokedCertificates(caCert, revoked)
+	err = c.saveRevokedCertificates(ctx, caCert, revoked)
 	c.checkErr(err)
 }
 
@@ -111,13 +115,20 @@ func (c *revokeCommand) revokedCertificates() ([]x509pkix.RevokedCertificate, er
 	return certList.TBSCertList.RevokedCertificates, nil
 }
 
-func (c *revokeCommand) saveRevokedCertificates(cert *x509.Certificate, list []x509pkix.RevokedCertificate) error {
-	priv, err := depot.GetPrivateKey(d, c.ca)
+func (c *revokeCommand) saveRevokedCertificates(ctx *cli.Context, cert *x509.Certificate, list []x509pkix.RevokedCertificate) error {
+	privateKey, err := depot.GetPrivateKey(d, c.ca)
 	if err != nil {
-		return fmt.Errorf("could not get %q private key: %v", c.ca, err)
+		pass, err := getPassPhrase(ctx, "CA key")
+		if err != nil {
+			return fmt.Errorf("error retreiving passphrase when saving revoked certificates: %v", err)
+		}
+		privateKey, err = depot.GetEncryptedPrivateKey(d, c.ca, pass)
+		if err != nil {
+			return fmt.Errorf("get CA key error when saving revoked certificates: %v", err)
+		}
 	}
 
-	crlBytes, err := cert.CreateCRL(rand.Reader, priv.Private, list, time.Now(), time.Now().Add(2*8760*time.Hour))
+	crlBytes, err := cert.CreateCRL(rand.Reader, privateKey.Private, list, time.Now(), time.Now().Add(2*8760*time.Hour))
 	if err != nil {
 		return fmt.Errorf("could not create CRL: %v", err)
 	}

diff --git a/tests/workflow_test.go b/tests/workflow_test.go
@@ -112,6 +112,14 @@ func TestWorkflow(t *testing.T) {
 			if cert.PublicKeyAlgorithm != tc.expected {
 				t.Fatalf("Public key algorithm = %d, want %d", cert.PublicKeyAlgorithm, tc.expected)
 			}
+
+			stdout, stderr, err = run(binPath, "revoke", "--passphrase", passphrase, "--CN", hostname, "--CA", "CA")
+			if stderr != "" || err != nil {
+				t.Fatalf("Received unexpected error: %v, %v", stderr, err)
+			}
+			if strings.Count(stdout, hostname) != 0 {
+				t.Fatalf("Received incorrect create: %v", stdout)
+			}
 		})
 	}
 }