Iteration 4 » History » Version 8
Jan Pašek, 2021-04-08 07:28
1 | 1 | Jan Pašek | h1. Iteration 4 |
---|---|---|---|
2 | 2 | Jan Pašek | |
3 | *Target:* CRL/OCSP, certificate detailed view |
||
4 | |||
5 | h2. Tasks |
||
6 | |||
7 | 5 | Jan Pašek | h3. Implement certificate revocation, add CRL distribution point and OCSP endpoint to certificate extensions |
8 | |||
9 | 6 | Jan Pašek | * One REST API endpoint: POST /certificates/{id}/revoke with body = { reason: "<reason for revocation>"} |
10 | with reason: [unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL, privilegeWithdrawn, aACompromise]. |
||
11 | The reason will be optional and if not present, unspecified is used. |
||
12 | * Controller will call a method revoke_certificate(id) of CertificateService. |
||
13 | * CertificateService will call CertificateRepository's set_certificate_revoked(id, timestamp, reason) to mark the certificate as revoked. |
||
14 | * Database must be extended with the following data: revocation date (Unix timestamp, generated automatically by the CertificateService), a bool flag indicating whether the certificate is revoked, and the reason for revocation (may be implemented as a second table with revocation reason values). |
||
15 | * CertificateRepository shall expose the method get_all_revoked_by(id), which returns all certificates that were issued by the given CA and are now revoked. |
||
16 | |||
17 | 5 | Jan Pašek | h3. Implement certificate deletion endpoint |
18 | |||
19 | 8 | Jan Pašek | * One REST API endpoint: DELETE /certificates/{id} that deletes the certificate |
20 | * Controller calls CertificateService delete_certificate(id) that must be extended to delete the whole subtree of certificates |
||
21 | * To extend delete_certificate(id), CertificateRepository must implement get_all_issued_by(id), which returns all certificates that were issued by the given CA |
||
22 | |||
23 | 5 | Jan Pašek | h3. Implement endpoint for retrieving public/private key for each certificate |
24 | |||
25 | 8 | Jan Pašek | * Two endpoints GET /certificates/{id}/publickey and GET /certificates/{id}/privatekey |
26 | * The first endpoint just queries the certificate using CertificateService, gets a private key ID, queries private key from the KeyService and returns its data. |
||
27 | * The second endpoint will do the same, except at the end it calls a new method of KeyService get_public_key(private_key) that utilizes OpenSSL via CryptographyService to get a public key out of the private key provided |
||
28 | |||
29 | 5 | Jan Pašek | h3. Implement endpoint for retrieving all certificates issued by a given CA |
30 | 3 | Jan Pašek | |
31 | 8 | Jan Pašek | * Extend existing endpoint GET /certificates with another filtering option {issuedby: <id>} |
32 | * Controller can use a new CertificateService function, get_certificates_issued_by(id), that calls CertificateRepository -> get_all_issued_by(id) (described previously) |
||
33 | |||
34 | 1 | Jan Pašek | h3. Implement creation of OpenSSL index file |
35 | 3 | Jan Pašek | |
36 | 8 | Jan Pašek | * Probably a new service for CRL/OCSP |
37 | * One method create_revoked_index(ca_id) that queries revoked certificates of the given CA using get_all_revoked_by(id) of the CertificateRepository and creates an index file in the format described at the following link |
||
38 | 3 | Jan Pašek | https://pki-tutorial.readthedocs.io/en/latest/cadb.html |
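
A sketch of the index generation planned above, added here as an example and not taken from the project's code: it writes one tab-separated record per revoked certificate (status flag, expiry date, revocation date with reason, serial in hex, file name, subject DN). The dict keys and the function names other than create_revoked_index are hypothetical; the sample rows are constructed.

```python
from datetime import datetime, timezone

# Reason values accepted by the revoke endpoint described on this page.
REASONS = {"unspecified", "keyCompromise", "cACompromise", "affiliationChanged",
           "superseded", "cessationOfOperation", "certificateHold",
           "removeFromCRL", "privilegeWithdrawn", "aACompromise"}

def index_time(unix_ts):
    """Unix timestamp -> YYMMDDHHMMSSZ in UTC, the date form used in index.txt."""
    return datetime.fromtimestamp(unix_ts, tz=timezone.utc).strftime("%y%m%d%H%M%SZ")

def serial_hex(serial):
    """Serial number as uppercase hex with an even number of digits."""
    if serial < 0:
        raise ValueError("serial number must not be negative")
    digits = format(serial, "X")
    return digits if len(digits) % 2 == 0 else "0" + digits

def index_line(cert):
    """Build one tab-separated index record for a revoked certificate."""
    reason = cert.get("reason") or "unspecified"  # reason is optional on the page
    if reason not in REASONS:
        raise ValueError(f"unknown revocation reason: {reason!r}")
    subject = cert["subject"]
    # A tab or newline in the DN would add fields or records to the file.
    if any(ch in subject for ch in "\t\r\n"):
        raise ValueError("subject DN contains a field or record separator")
    return "\t".join([
        "R",                                   # status flag: revoked
        index_time(cert["not_after"]),         # certificate expiry
        f"{index_time(cert['revoked_at'])},{reason}",
        serial_hex(cert["serial"]),
        "unknown",                             # certificate file name not tracked
        subject,
    ])

def create_revoked_index(revoked_certs):
    """Return index file text, one record per certificate, ordered by serial."""
    ordered = sorted(revoked_certs, key=lambda cert: cert["serial"])
    return "".join(index_line(cert) + "\n" for cert in ordered)

# Constructed sample rows standing in for get_all_revoked_by(ca_id) results;
# the dict keys are hypothetical, not the project's schema.
SAMPLE = [
    {"serial": 4096, "not_after": 1640995200, "revoked_at": 1617840000,
     "reason": "keyCompromise", "subject": "/CN=constructed-a.example"},
    {"serial": 10, "not_after": 1640995200, "revoked_at": 1617840000,
     "reason": None, "subject": "/CN=constructed-b.example"},
]
```

The -crl_reason values documented for openssl ca cover only the first eight reasons in the list above, so confirm how the OpenSSL version in use treats privilegeWithdrawn and aACompromise when it reads the index file.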
39 | |||
40 | 1 | Jan Pašek | h3. Implement CRL service and corresponding endpoint |
41 | 3 | Jan Pašek | |
42 | 1 | Jan Pašek | h3. Implement OCSP service and corresponding endpoint |
43 | 3 | Jan Pašek | |
44 | h3. Logging |
||
45 | |||
46 | h3. Application initialization and DI |
||
47 | |||
48 | h3. Database initialization |
||
49 | |||
50 | h3. Dependency injection |
||
51 | 4 | Jan Pašek | |
52 | h3. Certificate detailed view |