Allow listing expired certificates for debugging purposes

Signed-off-by: Knut Ahlers <knut@ahlers.me>
2024-09-18 17:12:57 +00:00 · 2018-06-14 21:09:15 +02:00 · 2018-06-14 21:09:15 +02:00 · 3c822ae59a
commit 3c822ae59a
parent 9d8003c88f
4 changed files with 14 additions and 14 deletions
--- a/cmd/helpers.go
+++ b/cmd/helpers.go
@ -18,11 +18,11 @@ import (
 	"github.com/spf13/viper"
 )

-func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) {
+func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, bool, error) {
 	path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "cert", serial}, "/")
 	cs, err := client.Logical().Read(path)
 	if err != nil {
-		return nil, false, fmt.Errorf("Unable to read certificate: %s", err.Error())
+		return nil, false, false, fmt.Errorf("Unable to read certificate: %s", err.Error())
 	}

 	revoked := false
@ -37,12 +37,7 @@ func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) {
 	data, _ := pem.Decode([]byte(cs.Data["certificate"].(string)))
 	cert, err := x509.ParseCertificate(data.Bytes)

-	if cert.NotAfter.Before(time.Now()) {
-		// Hide expired certs (they will not get the revoke-timestamp set on revoke)
-		revoked = true
-	}
-
-	return cert, revoked, err
+	return cert, revoked, cert.NotAfter.Before(time.Now()), err
 }

 func fetchOVPNKey() (string, error) {
@ -65,7 +60,7 @@ func fetchOVPNKey() (string, error) {
 	return key.(string), nil
 }

-func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
+func fetchCertificatesFromVault(listExpired bool) ([]*x509.Certificate, error) {
 	res := []*x509.Certificate{}

 	path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "certs"}, "/")
@ -83,7 +78,7 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
 	}

 	for _, serial := range secret.Data["keys"].([]interface{}) {
-		cert, revoked, err := fetchCertificateBySerial(serial.(string))
+		cert, revoked, expired, err := fetchCertificateBySerial(serial.(string))
 		if err != nil {
 			return res, err
 		}
@ -92,6 +87,10 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
 			continue
 		}

+		if !listExpired && expired {
+			continue
+		}
+
 		res = append(res, cert)
 	}

--- a/cmd/list.go
+++ b/cmd/list.go
@ -24,6 +24,7 @@ func init() {
 	RootCmd.AddCommand(listCmd)

 	listCmd.Flags().StringVar(&cfg.Sort, "sort", "fqdn", "How to sort list output (fqdn, issuedate, expiredate)")
+	listCmd.Flags().Bool("list-expired", false, "Also list expired certificates")
 	viper.BindPFlags(listCmd.Flags())
 }

@ -34,7 +35,7 @@ func listCertificates() error {

 	lines := []listCertificatesTableRow{}

-	certs, err := fetchValidCertificatesFromVault()
+	certs, err := fetchCertificatesFromVault(viper.GetBool("list-expired"))
 	if err != nil {
 		return err
 	}
--- a/cmd/revoke-serial.go
+++ b/cmd/revoke-serial.go
@ -29,11 +29,11 @@ func init() {
 }

 func revokeCertificateBySerial(serial string) error {
-	cert, revoked, err := fetchCertificateBySerial(serial)
+	cert, revoked, expired, err := fetchCertificateBySerial(serial)
 	if err != nil {
 		return err
 	}
-	if revoked {
+	if revoked || expired {
 		return nil
 	}

--- a/cmd/revoke.go
+++ b/cmd/revoke.go
@ -26,7 +26,7 @@ func init() {
 }

 func revokeCertificateByFQDN(fqdn string) error {
-	certs, err := fetchValidCertificatesFromVault()
+	certs, err := fetchCertificatesFromVault(false)
 	if err != nil {
 		return err
 	}