GoRevoke

Overview

GoRevoke is a standalone Certificate Revocation List Distribution Point (CDP) written in Go, designed to be lightweight and fully self-contained. Using a simple configuration, GoRevoke automates downloading and serving remote CRLs. GoRevoke is based on revoke, a shell-based script providing similar functionality.

Key Features

  • Cross-platform compatibility; tested on Linux and Windows
  • Native and containerized deployment options
  • Retrieve remote CRL data via HTTP or HTTPS
  • Validation and confirmation of CRL data
  • Built-in webserver alleviates the need for additional servers
  • Ability to retrieve and serve an unlimited number of CRL sources
  • Support for full and delta CRLs

Planned Features

  • OCSP responder

Installation Instructions

GoRevoke can be deployed as either a containerized image or installed natively on the host. The following instructions outline basic installation and configuration options.

Docker Deployment

  1. On the host machine create the following directories: ${PWD}/appdata/gorevoke/conf and ${PWD}/appdata/gorevoke/crl
  2. Copy and rename the configuration example conf/config.yml.example to ${PWD}/appdata/gorevoke/conf/config.yml
  3. Pull the latest image from Docker Hub using the following example Docker run command:
docker run -d \
--name gorevoke \
-p 80:4000 \
-v ${PWD}/appdata/gorevoke/crl:/usr/local/bin/gorevoke/crl/static \
-v ${PWD}/appdata/gorevoke/conf:/usr/local/bin/gorevoke/conf \
--restart=unless-stopped \
ghcr.io/acavella/gorevoke:latest

Important

The Docker Run command above exposes the built-in webserver to the host directly on port 80 and is not recommended for production deploys. For a production configuration we recommend placing a webserver or proxy (such as Apache httpd or nginx) in front of GoRevoke to handle public web requests.

Native Deployment

  1. Download the latest release archive for the appropriate platform
    • Linux (amd64): gorevoke--linux-amd64.tar.gz
    • Windows (amd64): gorevoke--windows-amd64.zip
  2. Extract the archive to the appropriate application directory
    • Linux: /usr/local/bin
    • Windows: C:\Program Files\
  3. Edit the provided example configuration file conf/config.yml.example and save it as conf/config.yml
  4. Create a systemd service file /etc/systemd/system/gorevoke.service with the following contents:
[Unit]
Description=GoRevoke CDP Server
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/gorevoke/gorevoke

[Install]
WantedBy=multi-user.target
  5. Set the permissions: sudo chmod 664 /etc/systemd/system/gorevoke.service
  6. Reload the systemd configuration: sudo systemctl daemon-reload
  7. Enable and start the service:
sudo systemctl enable gorevoke.service
sudo systemctl start gorevoke.service

Container Performance

[Figure: Docker Container Performance]

Security Vulnerabilities

I welcome all responsible disclosures. Please do not open an ISSUE to report a security problem. Please use the private reporting system to report security-related issues responsibly: https://github.com/acavella/gorevoke/security/advisories/new

Contributing

Contributions are essential to the success of open-source projects. In other words, we need your help to keep GoRevoke great!

What is a contribution? All the following are highly valuable:

  1. Let us know of the best practices you believe should be standardized
    GoRevoke is designed to be compliant with applicable RFCs out of the box. By sharing your experiences and knowledge you help us build a solution that takes into account best practices and user experience.

  2. Let us know if things aren't working right
    We aim to provide a perfect application and test it extensively, however, we can't imagine or replicate every deployment scenario possible. If you run into an issue that you think isn't normal, please let us know.

  3. Add or improve features
    Have an idea to add or improve functionality, then let us know! We want to make GoRevoke the best total solution it can be.

General information about contributions:

Check our Security Policy.
Found a bug? Open a GitHub issue.
Read our Contributing Code of Conduct, which contains all the information you need to contribute to GoRevoke!

License

Distributed under the MIT License. See LICENSE for more information.

Contact

Acknowledgements

gorevoke's Issues

[Feature] Build Script

Feature description

Develop a shell script to perform build and deployment tasks on "builder".
Related #6

Suggested implementation

No response

Relevant code

No response

[Feature] Serve CRL via HTTP

Feature description

Respond to HTTP request and serve appropriate CRL based on CA ID.

Suggested implementation

No response

Relevant code

No response

[Feature] Download Function

Feature description

A function to download CRL from destinations defined in config.

Suggested implementation

No response

Relevant code

No response

[Feature] Parse YAML Config

Feature description

Ability to parse a YAML based configuration file to read user defined variables.

Suggested implementation

Go Module: github.com/spf13/viper

Should be able to loop through an undefined number of CRL download locations.
YAML configuration should include CA ID and associated download location for each CRL at minimum.

Relevant code

No response

[Feature] Docker Image

Feature description

Develop a Docker Image to deploy GoRevoke.

Suggested implementation

Dockerfile

  1. Builder to pull from Github and build app (Golang / Alpine)
  2. Runner (Red Hat UBI)

Relevant code

No response

[Issue] Dockerfile doesn't create appropriate directory on runner

Operating system

any

Script Version

v1.0.0-rc.4

Bug description

Dockerfile copies contents of gorevoke folder to /usr/local/bin/ without creating app directory.

Steps to reproduce

No response

Relevant log output

COPY --from=builder /usr/local/bin/gorevoke/ /usr/local/bin/

Should be:

COPY --from=builder /usr/local/bin/gorevoke/ /usr/local/bin/gorevoke/

[Issue] Path construction fails if binary is running in the root directory

Build Type

Docker/Podman (Container)

Operating system

RHEL 9

GoRevoke Version

v1.1.3

Bug description

If the gorevoke binary is located in / (e.g. when using a distroless container), the path construction for the CRL directory appends an extra / which results in an invalid path, e.g. //crl/tmp/x1.crl

The problem lines of code appear to be:

// When running in root, this causes "directory" to be set to "/"
directory, err := filepath.Abs(filepath.Dir(os.Args[0])) 

// Later, this will cause tmpfile to be set to "//crl/tmp"
var tmpfile string = workpath + "/crl/tmp/" + caid[i] + ".crl"

Steps to reproduce

Run gorevoke from /

Relevant log output

GoRevoke ver. 1.1.3
Build Type: Docker
Build Date: 20240712-0214
time="2024-07-12T15:39:32Z" level=info msg="CRLs in list: 5"
time="2024-07-12T15:39:32Z" level=info msg="Refresh interval: 15m0s"
time="2024-07-12T15:39:32Z" level=error msg="Problem opening downloaded file: open //crl/tmp/x1.crl: no such file or directory"
time="2024-07-12T15:39:32Z" level=info msg="Moving to next CRL entry."
time="2024-07-12T15:39:32Z" level=error msg="Problem opening downloaded file: open //crl/tmp/x11.crl: no such file or directory"
time="2024-07-12T15:39:32Z" level=info msg="Moving to next CRL entry."
time="2024-07-12T15:39:32Z" level=error msg="Problem opening downloaded file: open //crl/tmp/x12.crl: no such file or directory"
time="2024-07-12T15:39:32Z" level=info msg="Moving to next CRL entry."
time="2024-07-12T15:39:32Z" level=error msg="Problem opening downloaded file: open //crl/tmp/x2.crl: no such file or directory"
time="2024-07-12T15:39:32Z" level=info msg="Moving to next CRL entry."
time="2024-07-12T15:39:33Z" level=error msg="Problem opening downloaded file: open //crl/tmp/x21.crl: no such file or directory"
time="2024-07-12T15:39:33Z" level=info msg="Moving to next CRL entry."
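As an added illustration (not GoRevoke's own code), the following Go program contrasts the concatenation quoted in the issue with filepath.Join, which collapses the duplicate separator when the binary runs from /, and additionally rejects a CA ID that would resolve outside crl/tmp; the function names are my own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// legacyTmpCRLPath reproduces the construction quoted in the issue: plain
// concatenation, which yields "//crl/tmp/<caid>.crl" when workpath is "/".
func legacyTmpCRLPath(workpath, caid string) string {
	return workpath + "/crl/tmp/" + caid + ".crl"
}

// tmpCRLPath builds the same path with filepath.Join, which collapses the
// duplicate separator, and refuses CA IDs that would resolve outside crl/tmp
// (the ID comes from config and is reused in the served URL, so it should
// stay a plain file name).
func tmpCRLPath(workpath, caid string) (string, error) {
	if caid == "" || caid == "." || caid == ".." || strings.ContainsAny(caid, `/\`) {
		return "", fmt.Errorf("invalid CA ID %q", caid)
	}
	return filepath.Join(workpath, "crl", "tmp", caid+".crl"), nil
}

// appDir resolves the directory holding the running binary, exactly as the
// issue describes; in a distroless image this is "/" itself.
func appDir() (string, error) {
	return filepath.Abs(filepath.Dir(os.Args[0]))
}

func main() {
	dir, err := appDir()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, caid := range []string{"x1", "x11", "../x1"} {
		safe, err := tmpCRLPath(dir, caid)
		if err != nil {
			fmt.Printf("%-6s rejected: %v\n", caid, err)
			continue
		}
		fmt.Printf("%-6s legacy=%s join=%s\n", caid, legacyTmpCRLPath(dir, caid), safe)
	}
}
```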

[Issue] Remove "v" from version string on build

Operating system

any

Script Version

1.0.0-rc.3

Bug description

Dockerfile helper script pulls environment variable (release tag) to assign version on build. Currently the tag includes "v" prepended to the semantic version number, e.g. v1.0.0

The leading "v" should be stripped from variable when used in build.

Steps to reproduce

No response

Relevant log output

# ./gorevoke
GoRevoke ver. v1.0.0-rc.2
Build Type: Docker
Build Date: 20240105-3622
INFO[2024-01-05T23:34:34Z] CRLs in list: 2
INFO[2024-01-05T23:34:34Z] Refresh interval: 15m0s
INFO[2024-01-05T23:34:34Z] Checking for new CRL(s)
...

[Issue] Logger returning \n instead of new line

Operating system

Docker

Script Version

1.1.0

Bug description

Info log is returning \n instead of actual new line on validating CRL.

Steps to reproduce

No response

Relevant log output

No response

[Feature] Disable built-in webserver

Feature description

Add config variable to enable/disable built-in webserver.

Suggested implementation

No response

Relevant code

if server {
   go webserver(webport)
}

[Issue] App not starting at startup

Operating system

Docker

Script Version

v1.0.0-rc.5

Bug description

GoRevoke isn't starting automatically when container runs.

Steps to reproduce

No response

Relevant log output

No response

[Issue] Failed download causes app to exit

Operating system

Docker

Script Version

v1.0.0

Bug description

A download failure causes the application to exit. This might be isolated to HTTPS trust issues. Need to test all failure scenarios to root cause.

Steps to reproduce

No response

Relevant log output

No response

[Issue] Logger not returning CRL serial number

Operating system

Docker

Script Version

1.1.0

Bug description

Info logger isn't returning the CRL's serial number on validation.

Steps to reproduce

No response

Relevant log output

No response

[Feature] Add OCI Image Description

Feature description

Add Image description to Dockerfile

Suggested implementation

No response

Relevant code

LABEL org.opencontainers.image.description DESCRIPTION

[Feature] Upgrade Go version

Feature description

Upgrade Go from 1.20.12 to latest stable, 1.21.5

Suggested implementation

No response

Relevant code

No response

[Feature] Validate CRL

Feature description

CRL must be validated prior to replacing previous file; can be included in #2

Suggested implementation

No response

Relevant code

No response

[Issue] File doesn't detect empty file properly

Build Type

Docker/Podman (Container)

Operating system

RHEL8-UBI

GoRevoke Version

1.1.2

Bug description

When the CA (source) is down, integrity checks continue to run on a non-existent file. The hash on the "new" file returns a 0 because no file exists. The next step proceeds and compares the 0 with an actual hash of the old file. It considers this a mismatch, meaning that a new CRL is present, even though there is no file.

Steps to reproduce

  1. Ensure GoRevoke is running and has valid CRL files
  2. Turn off / block the CRL source

Relevant log output

No response

[Issue] Relative paths broken

Operating system

any

Script Version

v.1.0.0-rc9

Bug description

Using relative paths leads to program using user's current working directory as the base path. Need to add a variable that fills in application's execution directory.

Steps to reproduce

No response

Relevant log output

No response
