|
|
|
@ -271,10 +271,19 @@ func (a *Authority) authorizeRevoke(ctx context.Context, token string) error {
|
|
|
|
|
//
|
|
|
|
|
// TODO(mariano): should we authorize by default?
|
|
|
|
|
func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
|
|
|
|
|
var err error
|
|
|
|
|
var isRevoked bool
|
|
|
|
|
var opts = []interface{}{errs.WithKeyVal("serialNumber", cert.SerialNumber.String())}
|
|
|
|
|
|
|
|
|
|
// Check the passive revocation table.
|
|
|
|
|
isRevoked, err := a.db.IsRevoked(cert.SerialNumber.String())
|
|
|
|
|
serial := cert.SerialNumber.String()
|
|
|
|
|
if lca, ok := a.adminDB.(interface {
|
|
|
|
|
IsRevoked(string) (bool, error)
|
|
|
|
|
}); ok {
|
|
|
|
|
isRevoked, err = lca.IsRevoked(serial)
|
|
|
|
|
} else {
|
|
|
|
|
isRevoked, err = a.db.IsRevoked(serial)
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
|
|
|
|
|
}
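Review bot: The comment `// Check the passive revocation table.` above the new branch no longer describes what runs under it: when `a.adminDB` satisfies the anonymous `IsRevoked(string) (bool, error)` interface, the passive table in `a.db` is not consulted at all and only `lca.IsRevoked(serial)` decides. If a revocation entry can exist in `a.db` while an admin DB is configured (for instance one written before the admin DB was enabled), such a certificate would pass this check and renew, so either query both stores and treat "revoked in either" as revoked, or make the precedence explicit with something like `// When the admin DB can answer revocation queries it is authoritative; the local passive table is only consulted otherwise.` The same fallback pattern, with the same stale-comment risk, appears in the authorizeSSHCertificate hunk around IsSSHRevoked. Separately, `serial := cert.SerialNumber.String()` is computed one line after `opts` already called `cert.SerialNumber.String()`; hoisting `serial` above `opts` and passing `serial` to errs.WithKeyVal removes the duplicate. authorizeRenew's body continues past the end of this hunk.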
|
|
|
|
@ -294,8 +303,17 @@ func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
|
|
|
|
|
|
|
|
|
|
// authorizeSSHCertificate returns an error if the given certificate is revoked.
|
|
|
|
|
func (a *Authority) authorizeSSHCertificate(ctx context.Context, cert *ssh.Certificate) error {
|
|
|
|
|
var err error
|
|
|
|
|
var isRevoked bool
|
|
|
|
|
|
|
|
|
|
serial := strconv.FormatUint(cert.Serial, 10)
|
|
|
|
|
isRevoked, err := a.db.IsSSHRevoked(serial)
|
|
|
|
|
if lca, ok := a.adminDB.(interface {
|
|
|
|
|
IsSSHRevoked(string) (bool, error)
|
|
|
|
|
}); ok {
|
|
|
|
|
isRevoked, err = lca.IsSSHRevoked(serial)
|
|
|
|
|
} else {
|
|
|
|
|
isRevoked, err = a.db.IsSSHRevoked(serial)
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeSSHCertificate", errs.WithKeyVal("serialNumber", serial))
|
|
|
|
|
}
|
|
|
|
|