Feature #8571
Closed
Implement certificate revocation support
Start date:
2021-04-13
Due date:
2021-04-15
% Done:
100%
Estimated time:
4.00 h
Importance:
Tags:
Description
Implement certificate revocation endpoint and specify CRL/OCSP distribution points in extensions
- One REST API endpoint: POST /api/certificates/{id}/revoke with body = { reason: "<reason for revocation>" }, where reason is one of: [unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL, privilegeWithdrawn, aACompromise].
- The reason will be optional and if not present, unspecified is used.
- Controller will call a method revoke_certificate(id) of CertificateService.
- Certificate service will call CertificateRepository's set_certificate_revoked(id, timestamp, reason) method to set the certificate revoked.
- Database must be extended with the following data: revocation date (Unix timestamp, generated automatically by the CertificateService), a bool flag indicating whether the certificate is revoked, and the reason for revocation (may be implemented as a second table with revocation reason values).
- CertificateRepository shall expose the following method get_all_revoked_by(id) that returns all certificates that were issued by the given CA and are now revoked.
- Extensions of each certificate shall contain CRL and OCSP distribution points. Base URL of the server must be determined from the configuration.
Requirements: FR 1.2.1, FR 2.2.1, FR 3.3
Reviewer: Stanislav Král
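A sketch of the service and repository layers described above, as an added example that is not the project's own code. It assumes Python with SQLite; the table layout, column names, the `parent_id` issuer link, the extra `reason` parameter on `revoke_certificate`, and the rule that a second revocation request leaves the first record untouched are all assumptions.

```python
import sqlite3
import time

# Revocation reason names exactly as listed in the ticket.
REASONS = ("unspecified", "keyCompromise", "cACompromise", "affiliationChanged",
           "superseded", "cessationOfOperation", "certificateHold",
           "removeFromCRL", "privilegeWithdrawn", "aACompromise")

class CertificateRepository:
    def __init__(self, conn):
        self.conn = conn
        # Assumed schema: parent_id points at the issuing CA's row.
        conn.execute("""CREATE TABLE certificates (
            id INTEGER PRIMARY KEY, common_name TEXT, parent_id INTEGER,
            revoked INTEGER NOT NULL DEFAULT 0,
            revocation_date INTEGER, revocation_reason TEXT)""")

    def set_certificate_revoked(self, cert_id, timestamp, reason):
        cur = self.conn.execute(
            "UPDATE certificates SET revoked = 1, revocation_date = ?, "
            "revocation_reason = ? WHERE id = ? AND revoked = 0",
            (timestamp, reason, cert_id))
        return cur.rowcount == 1  # False: unknown id or already revoked

    def get_all_revoked_by(self, ca_id):
        return self.conn.execute(
            "SELECT id, revocation_date, revocation_reason FROM certificates "
            "WHERE parent_id = ? AND revoked = 1 ORDER BY id", (ca_id,)).fetchall()

class CertificateService:
    def __init__(self, repository, clock=time.time):
        self.repository, self.clock = repository, clock

    def revoke_certificate(self, cert_id, reason=None):
        reason = reason or "unspecified"  # reason is optional in the request body
        if reason not in REASONS:
            raise ValueError(f"unknown revocation reason: {reason!r}")
        # The timestamp is generated by the service, never taken from the client.
        return self.repository.set_certificate_revoked(cert_id, int(self.clock()), reason)

def demo():
    repo = CertificateRepository(sqlite3.connect(":memory:"))
    repo.conn.executemany(  # constructed sample rows
        "INSERT INTO certificates (id, common_name, parent_id) VALUES (?, ?, ?)",
        [(1, "Root CA", 1), (2, "leaf-a", 1), (3, "leaf-b", 1)])
    svc = CertificateService(repo, clock=lambda: 1618300000)
    first = svc.revoke_certificate(2, "keyCompromise")
    again = svc.revoke_certificate(2)  # already revoked: original record is kept
    svc.revoke_certificate(3)          # no reason given, stored as unspecified
    return first, again, repo.get_all_revoked_by(1)
```

Rejecting unknown reason strings in the service keeps free-form client input out of the stored revocation record.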