Jan Pašek, 2021-04-08 07:28
Iteration 4
Target: CRL/OCSP, certificate detailed view
Tasks
Implement certificate revocation, add CRL distribution point and OCSP endpoint to certificate extensions
- One REST API endpoint: POST /certificates/{id}/revoke, body = { reason: "<reason for revocation>" }, with reason one of [unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL, privilegeWithdrawn, aACompromise]. The reason is optional; if it is not present, unspecified is used.
- Controller will call a method revoke_certificate(id) of CertificateService.
- CertificateService will call the CertificateRepository method set_certificate_revoked(id, timestamp, reason) to mark the certificate as revoked.
- Database must be extended with the following data: revocation date (Unix timestamp, generated automatically by the CertificateService), a boolean flag indicating whether the certificate is revoked, and the reason for revocation (may be implemented as a second table holding the revocation reason values).
- CertificateRepository shall expose a method get_all_revoked_by(id) that returns all certificates that were issued by the given CA and are now revoked.
Implement certificate deletion endpoint
- One REST API endpoint: DELETE /certificates/{id} that deletes the certificate
- Controller calls CertificateService delete_certificate(id), which must be extended to delete the whole subtree of certificates issued under the given one
- To support this extension of delete_certificate(id), CertificateRepository must implement get_all_issued_by(id), which returns all certificates that were issued by the given CA
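The subtree deletion described above, as an added example that is not the project's code: an in-memory stand-in for CertificateRepository (hypothetical) and a CertificateService.delete_certificate that walks get_all_issued_by breadth-first. The visited set matters because a self-signed root CA lists itself as its own issuer, so a naive recursive walk would never terminate; deleting in reverse walk order removes leaves before their issuers.

```python
from collections import deque


class CertificateRepository:
    """Constructed in-memory stand-in for the project's repository (hypothetical).

    Holds only what the walk needs: certificate id -> issuer id.
    A self-signed root lists itself as issuer.
    """

    def __init__(self, issuer_of):
        self._issuer_of = dict(issuer_of)

    def get_all_issued_by(self, ca_id):
        """IDs of all certificates whose issuer is ca_id (a root returns itself too)."""
        return [cid for cid, issuer in self._issuer_of.items() if issuer == ca_id]

    def exists(self, cert_id):
        return cert_id in self._issuer_of

    def delete(self, cert_id):
        self._issuer_of.pop(cert_id, None)


class CertificateService:
    def __init__(self, repo):
        self._repo = repo

    def collect_subtree(self, cert_id):
        """Breadth-first walk over get_all_issued_by, starting at cert_id.

        The `seen` set stops the walk at self-issued roots and guards against
        any accidental cycle in the issuer links.
        """
        order, seen, queue = [], {cert_id}, deque([cert_id])
        while queue:
            current = queue.popleft()
            order.append(current)
            for child in self._repo.get_all_issued_by(current):
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
        return order

    def delete_certificate(self, cert_id):
        """Delete cert_id and everything issued under it; returns the ids removed."""
        if not self._repo.exists(cert_id):
            raise KeyError(f"no certificate with id {cert_id}")
        subtree = self.collect_subtree(cert_id)
        # Reverse BFS order: children are always removed before their issuer.
        for cid in reversed(subtree):
            self._repo.delete(cid)
        return subtree


def sample_repo():
    # Constructed hierarchy (ids are made up):
    # 1 root (self-issued) -> 2 intermediate -> 3, 4 leaves; 5 root -> 6 leaf
    return CertificateRepository({1: 1, 2: 1, 3: 2, 4: 2, 5: 5, 6: 5})


if __name__ == "__main__":
    service = CertificateService(sample_repo())
    print("deleting intermediate 2 removes:", service.delete_certificate(2))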
Implement endpoint for retrieving public/private key for each certificate
- Two endpoints: GET /certificates/{id}/publickey and GET /certificates/{id}/privatekey
- The privatekey endpoint just queries the certificate using CertificateService, gets its private key ID, queries the private key from the KeyService and returns its data.
- The publickey endpoint will do the same, except that at the end it calls a new method of KeyService, get_public_key(private_key), that utilizes OpenSSL via CryptographyService to derive the public key from the private key provided
Implement endpoint for retrieving all certificates issued by a given CA
- Extend existing endpoint GET /certificates with another filtering option {issuedby: <id>}
- Controller can use new function of CertificateService get_certificates_issued_by(id) that calls CertificateRepository -> get_all_issued_by(id) (described previously)
Implement creation of the OpenSSL index file
- Probably a new service for CRL/OCSP
- One method create_revoked_index(ca_id) that queries the revoked certificates of the given CA using get_all_revoked_by(id) of the CertificateRepository and creates an index file in the format described at
https://pki-tutorial.readthedocs.io/en/latest/cadb.html
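An added example covering both the revocation task above (optional reason defaulting to unspecified, reason validation, timestamp generated by the service) and the index file task: it is not the project's code. CertificateRepository, CertificateService and CrlService here are hypothetical in-memory stand-ins with the method names from this page; the sample certificates, serials and names are constructed. The index lines follow the OpenSSL CA database layout from the linked page: status, expiry, revocation date with reason, serial in hex, file name ("unknown"), subject DN, tab separated.

```python
from datetime import datetime, timezone
import time

# Reason names accepted in the revoke request body, mapped to RFC 5280 CRLReason codes
# (code 7 is unused in the RFC, so it is absent here).
REVOCATION_REASONS = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
    "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
    "removeFromCRL": 8, "privilegeWithdrawn": 9, "aACompromise": 10,
}


def _openssl_time(unix_ts):
    """OpenSSL CA database timestamp: YYMMDDHHMMSSZ in UTC."""
    return datetime.fromtimestamp(unix_ts, tz=timezone.utc).strftime("%y%m%d%H%M%SZ")


def _openssl_serial(serial):
    """Uppercase hex with an even number of digits, as openssl writes serials."""
    digits = f"{serial:X}"
    return digits if len(digits) % 2 == 0 else "0" + digits


class CertificateRepository:
    """Constructed in-memory stand-in for the project's repository (hypothetical)."""

    def __init__(self, certificates):
        self._certs = {c["id"]: dict(c, revoked=False, revocation_date=None, reason=None)
                       for c in certificates}

    def get(self, cert_id):
        return self._certs[cert_id]

    def set_certificate_revoked(self, cert_id, timestamp, reason):
        self._certs[cert_id].update(revoked=True, revocation_date=timestamp, reason=reason)

    def get_all_revoked_by(self, ca_id):
        return [c for c in self._certs.values() if c["issuer_id"] == ca_id and c["revoked"]]


class CertificateService:
    def __init__(self, repo):
        self._repo = repo

    def revoke_certificate(self, cert_id, reason=None, now=None):
        """Apply the default reason, reject unknown reasons, stamp the time, mark revoked."""
        reason = "unspecified" if reason is None else reason
        if reason not in REVOCATION_REASONS:
            raise ValueError(f"unknown revocation reason: {reason!r}")
        cert = self._repo.get(cert_id)
        if cert["revoked"]:
            raise ValueError(f"certificate {cert_id} is already revoked")
        timestamp = int(time.time()) if now is None else now  # `now` only for tests
        self._repo.set_certificate_revoked(cert_id, timestamp, reason)
        return timestamp, reason


class CrlService:
    def __init__(self, repo):
        self._repo = repo

    def create_revoked_index(self, ca_id):
        """One index.txt line per revoked certificate of ca_id, ordered by serial:
        R <expiry> <revocation>,<reason> <serial hex> unknown <subject DN> (tab separated)."""
        lines = []
        for c in sorted(self._repo.get_all_revoked_by(ca_id), key=lambda c: c["serial"]):
            lines.append("\t".join([
                "R",
                _openssl_time(c["not_after"]),
                f"{_openssl_time(c['revocation_date'])},{c['reason']}",
                _openssl_serial(c["serial"]),
                "unknown",
                c["subject"],
            ]))
        return "\n".join(lines) + ("\n" if lines else "")


def demo():
    # Constructed sample data: ids, serials, names and expiry (2026-01-01 UTC) are made up.
    repo = CertificateRepository([
        {"id": 1, "issuer_id": 1, "serial": 1, "subject": "/CN=Demo Root CA", "not_after": 1767225600},
        {"id": 2, "issuer_id": 1, "serial": 2, "subject": "/CN=server.example.test", "not_after": 1767225600},
        {"id": 3, "issuer_id": 1, "serial": 3, "subject": "/CN=client.example.test", "not_after": 1767225600},
    ])
    certs = CertificateService(repo)
    certs.revoke_certificate(2, "keyCompromise", now=1617866880)  # 2021-04-08 07:28:00 UTC
    certs.revoke_certificate(3, now=1617866880)                    # reason omitted -> unspecified
    return CrlService(repo).create_revoked_index(1)


if __name__ == "__main__":
    print(demo(), end="")
```

The index only ever lists revoked entries because the task feeds it from get_all_revoked_by; a full OpenSSL database would also carry V and E lines for valid and expired certificates, which is not needed to build a CRL.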
Implement CRL service and corresponding endpoint
Implement OCSP service and corresponding endpoint
Logging
Application initialization and DI
Database initialization
Dependency injection
Certificate detailed view
Updated by Jan Pašek about 4 years ago · 8 revisions