feat: Add support for CRL-based revocation

wireapp · Jan 10, 2024 · 02992d2 · 02992d2
1 parent 2bce5f9
commit 02992d2
Show file tree

Hide file tree

Showing 17 changed files with 1,115 additions and 57 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,5 +1,5 @@
 [workspace]
-members = ["e2e-identity", "jwt", "ffi", "cli", "acme"]
+members = ["e2e-identity", "jwt", "ffi", "cli", "acme", "x509-check"]
 resolver = "2"
 
 [patch.crates-io.biscuit]

diff --git a/acme/Cargo.toml b/acme/Cargo.toml
@@ -16,6 +16,7 @@ serde_json = "1.0"
 thiserror = "1.0"
 rusty-jwt-tools = { version = "0.7.1", path = "../jwt" }
 jwt-simple = { workspace = true }
+rusty-x509-check = { version = "0.6.1", path = "../x509-check" }
 base64 = "0.21"
 url = { version = "2.5", features = ["serde"] }
 time = { version = "0.3", features = ["serde", "serde-well-known", "wasm-bindgen"] }
@@ -28,7 +29,6 @@ p256 = "0.13"
 p384 = "0.13"
 pem = "3.0"
 getrandom = { version = "0.2.8", features = ["js"] }
-
 fluvio-wasm-timer = "0.2"
 
 [dev-dependencies]

diff --git a/acme/src/certificate.rs b/acme/src/certificate.rs
@@ -33,7 +33,7 @@ impl RustyAcme {
                 let cert = x509_cert::Certificate::from_der(cert_pem.contents())?;
                 // only verify that leaf has the right identity fields
                 if i == 0 {
-                    Self::verify_leaf_certificate(order.clone(), cert)?;
+                    Self::verify_leaf_certificate(&order, cert)?;
                 }
                 acc.push(cert_pem.contents().to_vec());
                 Ok(acc)
@@ -42,11 +42,15 @@ impl RustyAcme {
 
     /// Ensure that the generated certificate matches our expectations (i.e. that the acme server is configured the right way)
     /// We verify that the fields in the certificate match the ones in the ACME order
-    fn verify_leaf_certificate(mut order: AcmeOrder, cert: Certificate) -> RustyAcmeResult<()> {
+    fn verify_leaf_certificate(order: &AcmeOrder, cert: Certificate) -> RustyAcmeResult<()> {
         // TODO: verify that cert is signed by enrollment.sign_kp
         let cert_identity = cert.extract_identity()?;
-        let identifier = order.identifiers.pop().ok_or(RustyAcmeError::ImplementationError)?;
-        let identifier = identifier.to_wire_identifier()?;
+        let identifier = order
+            .identifiers
+            .first()
+            .ok_or(RustyAcmeError::ImplementationError)?
+            .to_wire_identifier()?;
+
         let invalid_client_id =
             ClientId::try_from_qualified(&cert_identity.client_id)? != ClientId::try_from_uri(&identifier.client_id)?;
         if invalid_client_id {

diff --git a/acme/src/error.rs b/acme/src/error.rs
@@ -13,6 +13,9 @@ pub enum RustyAcmeError {
     /// Error while building a JWT
     #[error(transparent)]
     JwtError(#[from] rusty_jwt_tools::prelude::RustyJwtError),
+    /// Error related to various X509 processing facilities/tools/checks
+    #[error(transparent)]
+    X509CheckError(#[from] rusty_x509_check::RustyX509CheckError),
     /// Failed mapping an ASN.1 ObjectIdentifier
     #[error(transparent)]
     OidError(#[from] x509_cert::der::oid::Error),
@@ -58,6 +61,7 @@ pub enum RustyAcmeError {
     /// Error while finalizing an order
     #[error(transparent)]
     FinalizeError(#[from] crate::finalize::AcmeFinalizeError),
+    /// UTF-8 parsing error
     #[error(transparent)]
     Utf8(#[from] std::str::Utf8Error),
     /// Invalid/incomplete certificate