diff --git a/central_backend/src/crypto/pki.rs b/central_backend/src/crypto/pki.rs
index 3e77a77..06b1d99 100644
--- a/central_backend/src/crypto/pki.rs
+++ b/central_backend/src/crypto/pki.rs
@@ -46,6 +46,24 @@ impl CertData {
             crl: Some(AppConfig::get().root_ca_crl_path()),
         })
     }
+
+    /// Load web CA
+    fn load_web_ca() -> anyhow::Result {
+        Ok(Self {
+            cert: load_certificate_from_file(AppConfig::get().web_ca_cert_path())?,
+            key: load_priv_key_from_file(AppConfig::get().web_ca_priv_key_path())?,
+            crl: Some(AppConfig::get().web_ca_crl_path()),
+        })
+    }
+
+    /// Load devices CA
+    fn load_devices_ca() -> anyhow::Result {
+        Ok(Self {
+            cert: load_certificate_from_file(AppConfig::get().devices_ca_cert_path())?,
+            key: load_priv_key_from_file(AppConfig::get().devices_ca_priv_key_path())?,
+            crl: Some(AppConfig::get().devices_ca_crl_path()),
+        })
+    }
 }
 
 /// Generate private key
@@ -259,7 +277,7 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
         if X509_CRL_set_version(crl, X509_CRL_VERSION_2) == 0 {
             return Err(PKIError::GenCRLError("X509_CRL_set_version").into());
         }
-        if X509_CRL_set_issuer_name(crl, d.cert.issuer_name().as_ptr()) == 0 {
+        if X509_CRL_set_issuer_name(crl, d.cert.subject_name().as_ptr()) == 0 {
             return Err(PKIError::GenCRLError("X509_CRL_set_issuer_name").into());
         }
 
@@ -296,7 +314,10 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
     Ok(())
 }
 
-/// Initialize or refresh Root CA CRL, if needed
-pub fn initialize_root_ca_crl() -> anyhow::Result<()> {
-    refresh_crl(&CertData::load_root_ca()?)
+/// Refresh revocation lists
+pub fn refresh_crls() -> anyhow::Result<()> {
+    refresh_crl(&CertData::load_root_ca()?)?;
+    refresh_crl(&CertData::load_web_ca()?)?;
+    refresh_crl(&CertData::load_devices_ca()?)?;
+    Ok(())
 }
diff --git a/central_backend/src/main.rs b/central_backend/src/main.rs
index c5cf5ed..08b91ff 100644
--- a/central_backend/src/main.rs
+++ b/central_backend/src/main.rs
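Review bot: `load_web_ca` and `load_devices_ca` are copies of the `load_root_ca` body above them that differ only in which three `AppConfig` path getters are called, so any future change to how a CA is loaded (for example validating that the loaded key matches the certificate) now has to be made in three places. Consider a private helper that takes the three paths and builds `Self`, with the three named loaders reduced to one-line calls into it; at minimum bind the config once per function, `let cfg = AppConfig::get();`, instead of calling `AppConfig::get()` three times per constructor. The return type is shown as `anyhow::Result` with no type parameter; this is presumably a rendering artefact of the page, since it would not compile as written, but worth confirming it is `anyhow::Result<Self>` in the source. The doc comments could also say what "load" means here, e.g. `/// Load the web CA certificate, private key and CRL path from AppConfig`.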
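Review bot: The change to `d.cert.subject_name()` is the right one but the reason is not recorded next to it, and the previous `issuer_name()` call shows it is easy to get wrong: a CRL is only matched to a CA by verifiers when the CRL issuer equals the subject of the CA certificate that signs it, and for a self-signed root the two names coincide, which is presumably why the mistake was invisible while only the root CA CRL was generated. Add a comment on the changed line, e.g. `// CRL issuer must be this CA's own subject (the issuer of the certs it revokes); only for a self-signed root does issuer_name() give the same answer.` A cheap regression guard would be a unit test that generates a CRL for a non-self-signed CA and asserts its issuer equals the CA subject. `refresh_crl` begins before and continues after this hunk.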
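Review bot: The three `?` calls in `refresh_crls` short-circuit, so a failure while loading or refreshing the web CA leaves the devices CA CRL untouched, and the error that surfaces does not say which CA it belongs to. If keeping the remaining CRLs fresh matters more than fail-fast, attempt all three and return the first error afterwards; either way, tag each step so the caller can tell them apart, e.g. `refresh_crl(&CertData::load_web_ca()?).map_err(|e| e.context("refreshing web CA CRL"))?;` (using `anyhow::Error::context`, which needs no extra import). The old doc comment said "if needed"; whether `refresh_crl` itself skips a still-valid CRL cannot be seen from this hunk, so the new doc comment should state it, e.g. `/// Regenerate the CRLs of the root, web and devices CAs (errors stop at the first failing CA)`.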
@@ -16,5 +16,5 @@ fn main() {
     pki::initialize_web_ca().expect("Failed to initialize web CA!");
     pki::initialize_devices_ca().expect("Failed to initialize devices CA!");
-    pki::initialize_root_ca_crl().expect("Failed to initialize Root CA!");
+    pki::refresh_crls().expect("Failed to initialize Root CA!");
 }
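Review bot: The `expect` message on the added line is now stale: `refresh_crls` regenerates the CRLs of the root, web and devices CAs, so a failure in the web or devices CA CRL would be reported at startup as "Failed to initialize Root CA!", pointing an operator at the wrong CA. Change it to `pki::refresh_crls().expect("Failed to refresh CA CRLs!");` so the panic names what actually ran; the underlying anyhow error is still printed after the message, so per-CA detail can come from the error itself.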