Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow password-protected CAs to call revoke command #165

Merged
merged 4 commits into from
Jul 21, 2022
Merged

Allow password-protected CAs to call revoke command #165

merged 4 commits into from
Jul 21, 2022

Conversation

isemaya-square
Copy link
Contributor

@isemaya-square isemaya-square commented Jul 14, 2022
edited
Loading

This addresses #110

We test this in workflow_test.go, which is an integration test. We check to make sure that calling revoke does not result in any errors.

I also added password as a flag to the revoke command (mainly for integration testing purposes - this is a common pattern in workflow_test.go).

Manual Testing: I ran go build for certstrap so that I can run certstrap with the updates in this PR - the successful case is with the Alice cert, and the failure case (i.e. we fail to supply the passphrase when revoking) with Bob):

~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ./certstrap init --common-name "CertAuth"
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Created out/CertAuth.key (encrypted by passphrase)
Created out/CertAuth.crt
Created out/CertAuth.crl
~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ls
CODEOWNERS      Dockerfile      NOTICE          certstrap       cmd             go.mod          out             tests
CONTRIBUTING.md LICENSE         README.md       certstrap.go    depot           go.sum          pkix
~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ./certstrap request-cert --common-name Alice
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Created out/Alice.key
Created out/Alice.csr
~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ./certstrap sign Alice --CA CertAuth
Enter passphrase for CA key (empty for no passphrase): 
Created out/Alice.crt from out/Alice.csr signed by out/CertAuth.key
~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ./certstrap revoke --CN Alice --CA CertAuth
Enter passphrase for CA key (empty for no passphrase): 
~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ./certstrap sign Alice --CA CertAuth
Certificate "Alice" already exists!
~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ./certstrap sign Robert --CA CertAuth
Get certificate request error: stat /Users/isemaya/Development/certstrap/out/Robert.csr: no such file or directory
~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ./certstrap request-cert --common-name Bob
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Created out/Bob.key
Created out/Bob.csr
~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ./certstrap sign Bob --CA CertAuth
Enter passphrase for CA key (empty for no passphrase): 
Created out/Bob.crt from out/Bob.csr signed by out/CertAuth.key
~/Development/certstrap isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca ./certstrap revoke --CN Bob --CA CertAuth
Enter passphrase for CA key (empty for no passphrase): 
get CA key error when saving revoked certificates: x509: decryption password incorrect

@isemaya-square isemaya-square requested review from a team, jdtw, mweissbacher and stfinney July 14, 2022 23:00
@isemaya-square isemaya-square mentioned this pull request Jul 14, 2022
Closed
@isemaya-square isemaya-square changed the title Isemaya/certstrap fix revoke key for passphrase protected ca Allowed password-protected CA to call revoke command Jul 14, 2022
@isemaya-square isemaya-square force-pushed the isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca branch from 3c96f36 to 992908f Compare July 14, 2022 23:42
@isemaya-square isemaya-square changed the title Allowed password-protected CA to call revoke command Allow password-protected CAs to call revoke command Jul 14, 2022
jdtw
jdtw reviewed Jul 20, 2022
View reviewed changes
cmd/util.go Outdated Show resolved Hide resolved
jdtw
jdtw reviewed Jul 20, 2022
View reviewed changes
cmd/util.go Outdated Show resolved Hide resolved
jdtw
jdtw reviewed Jul 20, 2022
View reviewed changes
cmd/revoke.go Show resolved Hide resolved
@isemaya-square isemaya-square merged commit ad1ccbf into master Jul 21, 2022
@isemaya-square isemaya-square deleted the isemaya/certstrap-fix-revoke-key-for-passphrase-protected-ca branch July 21, 2022 19:55
@isemaya-square isemaya-square mentioned this pull request Jul 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jdtw jdtw jdtw approved these changes

@mweissbacher mweissbacher Awaiting requested review from mweissbacher

@stfinney stfinney Awaiting requested review from stfinney

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@isemaya-square @jdtw