Conversation

@felixfontein (Contributor) commented Jul 12, 2019

This adds a /cert-status-by-serial/ endpoint to the management interface. The certificate is identified by its serial number (in hexadecimal). (It can be extracted with OpenSSL via openssl x509 -in cert.pem -noout -text | sed -En 's/.*Serial Number.*\(0x([0-9a-f]+)\)/\1/p'.) The endpoint returns the certificate itself (in PEM format), the serial (hexadecimal) and the revocation status (Valid or Revoked) as JSON.

Example usage:

$ curl -ki https://127.0.0.1:15000/cert-status-by-serial/5ab954d39632fd78
HTTP/2 200 
cache-control: public, max-age=0, no-cache
content-type: application/json; charset=utf-8
link: <https://127.0.0.1:15000/dir>;rel="index"
content-length: 1671
date: Fri, 12 Jul 2019 21:39:24 GMT

{
   "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEVz...tcw=\n-----END CERTIFICATE-----\n",
   "Serial": "5ab954d39632fd78",
   "Status": "Valid"
}

$ curl -ki https://127.0.0.1:15000/cert-status-by-serial/7811e0b42b98cc1c
HTTP/2 200 
cache-control: public, max-age=0, no-cache
content-type: application/json; charset=utf-8
link: <https://127.0.0.1:15000/dir>;rel="index"
content-length: 1728
date: Fri, 12 Jul 2019 22:14:17 GMT

{
   "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEVz...tcw=\n-----END CERTIFICATE-----\n",
   "RevokedAt": "2019-07-13T00:14:13.719654003+02:00",
   "Serial": "7811e0b42b98cc1c",
   "Status": "Revoked"
}

$ curl -ki https://127.0.0.1:15000/cert-status-by-serial/66317d2e02f5d3d6
HTTP/2 200 
cache-control: public, max-age=0, no-cache
content-type: application/json; charset=utf-8
link: <https://127.0.0.1:15000/dir>;rel="index"
content-length: 1740
date: Fri, 12 Jul 2019 22:14:21 GMT

{
   "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEVz...tcw=\n-----END CERTIFICATE-----\n",
   "Reason": 4,
   "RevokedAt": "2019-07-13T00:13:20.418489956+02:00",
   "Serial": "66317d2e02f5d3d6",
   "Status": "Revoked"
}

CC @adferrand

@felixfontein (Contributor Author)

I forgot: if Pebble doesn't know the certificate, or can't parse the serial as hex, it will return a 404 with no content.

@adferrand (Contributor)

Looks promising!

One interesting thing to get also (to build a complete OCSP responder for instance) would be the date since when the certificate has been revoked on Pebble side. It could be retrieved as a fourth parameter in the JSON response, if the status is Revoked.

I think it is doable to store this date in the revokedCertificatesById map from ca.db.

What do you think of that @felixfontein?

@felixfontein (Contributor Author)

Yes, that should be doable. I would include a full timestamp and not just a date, though. And also the revocation code used. I'm trying it now...

@felixfontein (Contributor Author)

Now revocation timestamp and reason are stored with the revoked certificate, and returned by the endpoint (the reason only when available):

$ curl -ki https://127.0.0.1:15000/cert-status-by-serial/7811e0b42b98cc1c
HTTP/2 200 
cache-control: public, max-age=0, no-cache
content-type: application/json; charset=utf-8
link: <https://127.0.0.1:15000/dir>;rel="index"
content-length: 1728
date: Fri, 12 Jul 2019 22:14:17 GMT

{
   "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEVz...tcw=\n-----END CERTIFICATE-----\n",
   "RevokedAt": "2019-07-13T00:14:13.719654003+02:00",
   "Serial": "7811e0b42b98cc1c",
   "Status": "Revoked"
}

$ curl -ki https://127.0.0.1:15000/cert-status-by-serial/66317d2e02f5d3d6
HTTP/2 200 
cache-control: public, max-age=0, no-cache
content-type: application/json; charset=utf-8
link: <https://127.0.0.1:15000/dir>;rel="index"
content-length: 1740
date: Fri, 12 Jul 2019 22:14:21 GMT

{
   "Certificate": "-----BEGIN CERTIFICATE-----\nMIIEVz...tcw=\n-----END CERTIFICATE-----\n",
   "Reason": 4,
   "RevokedAt": "2019-07-13T00:13:20.418489956+02:00",
   "Serial": "66317d2e02f5d3d6",
   "Status": "Revoked"
}

@felixfontein (Contributor Author)

I changed it a little so that the timestamp is returned in UTC:

    "RevokedAt": "2019-07-12T22:21:05.392675552Z",
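
Putting the thread together (the endpoint from the PR description, the 404 behaviour for unknown or unparsable serials, the RevokedAt and Reason fields added for the OCSP-responder use case @adferrand raised, and the UTC timestamp form above), here is an added Python client. It is an example written for this page, not Pebble's code or the PR author's. The URL shape and JSON field names are taken from the thread; the function names, the `build_fake_cert_pem` test-input builder (which emits only the first two TBSCertificate fields and is not a real certificate) and the sample response bodies are constructed for the example. Mapping `Reason` through the RFC 5280 CRLReason names assumes Pebble passes the ACME revocation reason code through unchanged, which the `"Reason": 4` (superseded) sample suggests but the page does not state. The serial extraction walks the DER directly, so it also handles serials wider than 64 bits, where openssl prints colon-separated bytes instead of the `(0x...)` form the sed pipeline relies on.

```python
"""Client for Pebble's /cert-status-by-serial/ management endpoint (added example)."""
import base64
import json
import re
import ssl
import urllib.error
import urllib.request
from datetime import datetime, timezone


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos).
    Covers the single-byte tags and definite lengths X.509 uses."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def serial_hex_from_pem(pem: str) -> str:
    """Serial as lowercase hex without leading zeros, the form the endpoint expects."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _read_tlv(cert, 0)         # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, ... }
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:                        # v1 certificates omit the [0] EXPLICIT version
        pos = 0
    tag, serial, _ = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    # signed=True strips the 0x00 pad byte DER adds when the top bit is set
    return format(int.from_bytes(serial, "big", signed=True), "x")


# RFC 5280 CRLReason values (assumption: Pebble's "Reason" is this code unchanged).
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
               6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
               10: "aACompromise"}


def interpret_response(http_status: int, body: bytes) -> dict:
    """Map one endpoint response to an OCSP-style record: good / revoked / unknown.
    Pebble answers 404 with an empty body when it does not know the serial or
    cannot parse it as hex, so 404 is 'unknown' rather than an error."""
    if http_status == 404:
        return {"status": "unknown"}
    if http_status != 200:
        raise RuntimeError(f"unexpected HTTP status {http_status}")
    data = json.loads(body)
    rec = {"status": {"Valid": "good", "Revoked": "revoked"}[data["Status"]],
           "serial": data["Serial"], "certificate_pem": data["Certificate"]}
    if rec["status"] == "revoked":
        # Go emits RFC 3339 with nanoseconds ("...13.719654003+02:00" or "...05.392675552Z");
        # fromisoformat wants at most 6 fractional digits and "+00:00" rather than "Z".
        ts = re.sub(r"(\.\d{6})\d+", r"\1", data["RevokedAt"]).replace("Z", "+00:00")
        rec["revoked_at"] = datetime.fromisoformat(ts).astimezone(timezone.utc)
        if "Reason" in data:               # only present when a reason was supplied
            rec["reason"] = CRL_REASONS.get(data["Reason"], f"unknown({data['Reason']})")
    return rec


def query_pebble(serial_hex: str, base_url: str = "https://127.0.0.1:15000") -> dict:
    """Live lookup. Pebble's management listener presents a self-signed certificate,
    which is why the PR uses `curl -k`; verification is disabled here for that
    local-test-CA case only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"{base_url}/cert-status-by-serial/{serial_hex}"
    try:
        with urllib.request.urlopen(url, context=ctx) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # urllib raises on 404; treat it like curl's output
        return interpret_response(err.code, err.read())


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build constructed test input."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_uint(n: int) -> bytes:
    """DER INTEGER for a non-negative value (adds the 0x00 pad when the top bit is set)."""
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_fake_cert_pem(serial: int) -> str:
    """Constructed test input: a SEQUENCE that starts like a v3 TBSCertificate
    (version, serialNumber) and nothing else. NOT a valid certificate."""
    tbs = _der(0x30, _der(0xA0, _der_uint(2)) + _der_uint(serial))
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Response bodies constructed from the output shown in the PR (certificate elided).
SAMPLE_VALID = b'{"Certificate": "...", "Serial": "5ab954d39632fd78", "Status": "Valid"}'
SAMPLE_REVOKED = (b'{"Certificate": "...", "Reason": 4, "RevokedAt": '
                  b'"2019-07-13T00:13:20.418489956+02:00", "Serial": "66317d2e02f5d3d6", '
                  b'"Status": "Revoked"}')

if __name__ == "__main__":
    print(serial_hex_from_pem(build_fake_cert_pem(0x5AB954D39632FD78)))
    print(interpret_response(200, SAMPLE_VALID)["status"])
    print(interpret_response(200, SAMPLE_REVOKED))
    print(interpret_response(404, b""))
```

The status vocabulary (good / revoked / unknown) deliberately mirrors OCSP CertStatus, so a responder built on top of this only has to encode the record; the 404 case maps to "unknown" instead of failing, which is the behaviour the follow-up comment documents.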

@felixfontein (Contributor Author)

BTW (and unrelated): all requests to the management interface have a Link header for the directory included, but with the wrong port (that of the management interface).

@cpu (Contributor) commented Jul 15, 2019

> BTW (and unrelated): all requests to the management interface have a Link header for the directory

@felixfontein Good catch! #253

I'll try to review this PR in the next couple of days.

@felixfontein (Contributor Author)

Rebased to remove conflicts with #254.

@cpu (Contributor) left a review comment

Thanks @felixfontein, this is a nice bit of work :-)

I left a few minor comments but I'm happy with the overall design. Thanks again!

@felixfontein (Contributor Author)

@cpu thanks for your feedback! I hope I've adjusted everything correctly. At least it still works in my tests :)

@cpu (Contributor) left a review comment

Thanks for integrating my last round of feedback @felixfontein. I left a couple of small comments. I think once those are resolved I'm ☑️ on this branch.

felixfontein and others added 3 commits July 26, 2019 09:36
@cpu (Contributor) left a review comment

🎉

@cpu cpu merged commit ddbb755 into letsencrypt:master Jul 26, 2019
@cpu (Contributor) commented Jul 26, 2019

Thanks again @felixfontein. My goal is to cut a new Pebble release that will have this commit and some of the other new work next week (hopefully Monday).

@felixfontein felixfontein deleted the cert-info-endpoint branch July 26, 2019 20:58
@felixfontein (Contributor Author)

@cpu thanks again for reviewing and merging! :)

@cpu (Contributor) commented Jul 29, 2019

> My goal is to cut a new Pebble release that will have this commit and some of the other new work next week (hopefully Monday).

https://github.com/letsencrypt/pebble/releases/tag/v2.2.1 🎉

jsha added a commit that referenced this pull request Jun 5, 2025
Fixes #486

This moves the GetCertificateBySerial call earlier, which means that
call needs to succeed even for revoked certificates. So this also
follows up on #252 by keeping revoked certs in the primary
certificatesByID map (while still adding them to the
revokedCertificatesByID map).