server/libfic/certificate.go

package fic

import (
	"database/sql"
	"math/big"
	"time"
)

// Certificate represents a client certificate, which can be associated to a team.
//
// This is one method usable to handle authentication.
// To use it in nginx, you'll need to add following lines in your configuration:
//
//   ssl_client_certificate PKI/shared/ca.pem;
//   ssl_trusted_certificate PKI/shared/ca.pem;
//   ssl_verify_client optional;
//
// Non-recognized clients will have access to a registration form.
type Certificate struct {
	Id       uint64     `json:"id,string"`
	Creation time.Time  `json:"creation"`
	Password string     `json:"password"`
	Revoked  *time.Time `json:"revoked"`
}

// GetCertificates returns the list of all generated certificates.
func GetCertificates() (certificates []*Certificate, err error) {
	var rows *sql.Rows
	if rows, err = DBQuery("SELECT id_cert, creation, password, revoked FROM certificates ORDER BY creation"); err == nil {
		defer rows.Close()

		certificates = []*Certificate{}
		for rows.Next() {
			c := &Certificate{}
			if err = rows.Scan(&c.Id, &c.Creation, &c.Password, &c.Revoked); err != nil {
				return
			}
			certificates = append(certificates, c)
		}
		err = rows.Err()
	}
	return
}

// GetCertificate retrieves a certificate from its serial number.
func GetCertificate(serial uint64) (c *Certificate, err error) {
	c = &Certificate{}
	err = DBQueryRow("SELECT id_cert, creation, password, revoked FROM certificates WHERE id_cert = ?", serial).Scan(&c.Id, &c.Creation, &c.Password, &c.Revoked)
	return
}

// ExistingCertSerial tells you if the given bytes correspond to a know certificate.
func ExistingCertSerial(serial [8]byte) bool {
	var m big.Int
	m.SetBytes(serial[:])

	c, _ := GetCertificate(m.Uint64())
	return c.Id > 0
}

// RegisterCertificate registers a certificate in the database.
//
// "serial" is the certificate serial number
// "password" is the one used to crypt privatekey and .p12
func RegisterCertificate(serial uint64, password string) (Certificate, error) {
	now := time.Now()
	if _, err := DBExec("INSERT INTO certificates (id_cert, creation, password) VALUES (?, ?, ?)", serial, now, password); err != nil {
		return Certificate{}, err
	} else {
		return Certificate{serial, now, password, nil}, nil
	}
}

// Update applies modifications back to the database.
func (c *Certificate) Update() (int64, error) {
	if res, err := DBExec("UPDATE certificates SET creation = ?, password = ?, revoked = ? WHERE id_cert = ?", c.Creation, c.Password, c.Revoked, c.Id); err != nil {
		return 0, err
	} else if nb, err := res.RowsAffected(); err != nil {
		return 0, err
	} else {
		return nb, err
	}
}

// Revoke the certificate in database.
func (c *Certificate) Revoke() (int64, error) {
	now := time.Now()
	c.Revoked = &now
	return c.Update()
}

// Delete the certificate entry in the database.
func (c Certificate) Delete() (int64, error) {
	if res, err := DBExec("DELETE FROM certificates WHERE id_cert = ?", c.Id); err != nil {
		return 0, err
	} else if nb, err := res.RowsAffected(); err != nil {
		return 0, err
	} else {
		return nb, err
	}
}

// ClearCertificates removes all certificates from database.
func ClearCertificates() (int64, error) {
	if res, err := DBExec("DELETE FROM certificates"); err != nil {
		return 0, err
	} else if nb, err := res.RowsAffected(); err != nil {
		return 0, err
	} else {
		return nb, err
	}
}
Add certificate generation and revokation 2016-01-20 18:56:08 +00:00			`package fic`

			`import (`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`"database/sql"`
pki: improve serial number generation + fix team association Replace math/rand by crypto/rand. Fix big when associating certificate with leading zero: nginx prepend 0 wherehas we don't. 2018-02-02 19:29:16 +00:00			`"math/big"`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`"time"`
Add certificate generation and revokation 2016-01-20 18:56:08 +00:00			`)`
Introducing new PKI management 2018-01-21 13:18:26 +00:00
Write docs! 2018-03-09 18:07:08 +00:00			`// Certificate represents a client certificate, which can be associated to a team.`
			`//`
			`// This is one method usable to handle authentication.`
			`// To use it in nginx, you'll need to add following lines in your configuration:`
			`//`
			`// ssl_client_certificate PKI/shared/ca.pem;`
			`// ssl_trusted_certificate PKI/shared/ca.pem;`
			`// ssl_verify_client optional;`
			`//`
			`// Non-recognized clients will have access to a registration form.`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`type Certificate struct {`
pki: improve serial number generation + fix team association Replace math/rand by crypto/rand. Fix big when associating certificate with leading zero: nginx prepend 0 wherehas we don't. 2018-02-02 19:29:16 +00:00			Id uint64 `json:"id,string"`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			Creation time.Time `json:"creation"`
			Password string `json:"password"`
			Revoked *time.Time `json:"revoked"`
			`}`

Write docs! 2018-03-09 18:07:08 +00:00			`// GetCertificates returns the list of all generated certificates.`
Use pointer receiver more offen 2021-11-22 14:35:07 +00:00			`func GetCertificates() (certificates []*Certificate, err error) {`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`var rows *sql.Rows`
admin/pki: use symlink instead of DB to associate certificate to team 2018-04-13 18:59:03 +00:00			`if rows, err = DBQuery("SELECT id_cert, creation, password, revoked FROM certificates ORDER BY creation"); err == nil {`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`defer rows.Close()`

Use pointer receiver more offen 2021-11-22 14:35:07 +00:00			`certificates = []*Certificate{}`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`for rows.Next() {`
Use pointer receiver more offen 2021-11-22 14:35:07 +00:00			`c := &Certificate{}`
admin/pki: use symlink instead of DB to associate certificate to team 2018-04-13 18:59:03 +00:00			`if err = rows.Scan(&c.Id, &c.Creation, &c.Password, &c.Revoked); err != nil {`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`return`
			`}`
			`certificates = append(certificates, c)`
			`}`
			`err = rows.Err()`
			`}`
			`return`
			`}`

Write docs! 2018-03-09 18:07:08 +00:00			`// GetCertificate retrieves a certificate from its serial number.`
Use pointer receiver more offen 2021-11-22 14:35:07 +00:00			`func GetCertificate(serial uint64) (c *Certificate, err error) {`
			`c = &Certificate{}`
admin/pki: use symlink instead of DB to associate certificate to team 2018-04-13 18:59:03 +00:00			`err = DBQueryRow("SELECT id_cert, creation, password, revoked FROM certificates WHERE id_cert = ?", serial).Scan(&c.Id, &c.Creation, &c.Password, &c.Revoked)`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`return`
			`}`

Write docs! 2018-03-09 18:07:08 +00:00			`// ExistingCertSerial tells you if the given bytes correspond to a know certificate.`
			`func ExistingCertSerial(serial [8]byte) bool {`
pki: improve serial number generation + fix team association Replace math/rand by crypto/rand. Fix big when associating certificate with leading zero: nginx prepend 0 wherehas we don't. 2018-02-02 19:29:16 +00:00			`var m big.Int`
			`m.SetBytes(serial[:])`

			`c, _ := GetCertificate(m.Uint64())`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`return c.Id > 0`
			`}`

Write docs! 2018-03-09 18:07:08 +00:00			`// RegisterCertificate registers a certificate in the database.`
			`//`
			`// "serial" is the certificate serial number`
			`// "password" is the one used to crypt privatekey and .p12`
pki: improve serial number generation + fix team association Replace math/rand by crypto/rand. Fix big when associating certificate with leading zero: nginx prepend 0 wherehas we don't. 2018-02-02 19:29:16 +00:00			`func RegisterCertificate(serial uint64, password string) (Certificate, error) {`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`now := time.Now()`
			`if _, err := DBExec("INSERT INTO certificates (id_cert, creation, password) VALUES (?, ?, ?)", serial, now, password); err != nil {`
			`return Certificate{}, err`
			`} else {`
admin/pki: use symlink instead of DB to associate certificate to team 2018-04-13 18:59:03 +00:00			`return Certificate{serial, now, password, nil}, nil`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`}`
			`}`

Write docs! 2018-03-09 18:07:08 +00:00			`// Update applies modifications back to the database.`
Use pointer receiver more offen 2021-11-22 14:35:07 +00:00			`func (c *Certificate) Update() (int64, error) {`
admin/pki: use symlink instead of DB to associate certificate to team 2018-04-13 18:59:03 +00:00			`if res, err := DBExec("UPDATE certificates SET creation = ?, password = ?, revoked = ? WHERE id_cert = ?", c.Creation, c.Password, c.Revoked, c.Id); err != nil {`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`return 0, err`
			`} else if nb, err := res.RowsAffected(); err != nil {`
			`return 0, err`
			`} else {`
			`return nb, err`
			`}`
			`}`

Write docs! 2018-03-09 18:07:08 +00:00			`// Revoke the certificate in database.`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`func (c *Certificate) Revoke() (int64, error) {`
			`now := time.Now()`
			`c.Revoked = &now`
			`return c.Update()`
			`}`

Write docs! 2018-03-09 18:07:08 +00:00			`// Delete the certificate entry in the database.`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`func (c Certificate) Delete() (int64, error) {`
			`if res, err := DBExec("DELETE FROM certificates WHERE id_cert = ?", c.Id); err != nil {`
			`return 0, err`
			`} else if nb, err := res.RowsAffected(); err != nil {`
			`return 0, err`
			`} else {`
			`return nb, err`
			`}`
			`}`

Write docs! 2018-03-09 18:07:08 +00:00			`// ClearCertificates removes all certificates from database.`
Introducing new PKI management 2018-01-21 13:18:26 +00:00			`func ClearCertificates() (int64, error) {`
			`if res, err := DBExec("DELETE FROM certificates"); err != nil {`
			`return 0, err`
			`} else if nb, err := res.RowsAffected(); err != nil {`
			`return 0, err`
			`} else {`
			`return nb, err`
			`}`
			`}`