Updates and bugfixes for CRL management, call validation optimization…

…s, local db processing/storage, stats reporting

acmeClient.go

@@ -34,9 +34,6 @@ const AcmeSignerCert = "signer.crt"
 
 var acmeMetaData = &AcmeMetaData{}
 
-const martiniStaging = "https://wfe.dev.martinisecurity.com/v2/acme/directory"
-const martiniProd = "https://wfe.prod.martinisecurity.com/v2/acme/directory"
-
 type AcmeStatus string
 
 const (
@@ -50,6 +47,9 @@ const (
 	AcmeComplete    AcmeStatus = "complete"
 )
 
+const martiniStaging = "https://wfe.dev.martinisecurity.com/v2/acme/directory"
+const martiniProd = "https://wfe.prod.martinisecurity.com/v2/acme/directory"
+
 func initializeAcme() {
 	// Attempt to load up existing ACME cert
 	err := acmeMetaData.loadMetaData()
@@ -154,11 +154,14 @@ func CheckAndRefreshAcmeCert() {
 }
 
 func readyAcmeApi() error {
-	acmeDirectory := martiniStaging
-	if GlobalConfig.IsProdMode() {
-		acmeDirectory = martiniProd
+	martiniAcmeDirectory := martiniProd
+	if !GlobalConfig.isAcmeProdMode() {
+		logger.LogChan <- &logger.LogMessage{Severity: logger.INFO, MsgStr: "ACME Client: Dev API Being Used..."}
+		martiniAcmeDirectory = martiniStaging
+	} else {
+		logger.LogChan <- &logger.LogMessage{Severity: logger.INFO, MsgStr: "ACME Client: Production API Being Used..."}
 	}
-	resp, err := httpClient.Get(acmeDirectory)
+	resp, err := httpClient.Get(martiniAcmeDirectory)
 	if err != nil {
 		return err
 	}
@@ -443,7 +446,6 @@ func createNewOrder() (*OrderResponse, string, error) {
 		return nil, "", errors.New("create order response was " + strconv.Itoa(resp.StatusCode))
 	}
 	respBytes, err := io.ReadAll(resp.Body)
-	//fmt.Println(string(respBytes))
 	if err != nil {
 		return nil, "", err
 	}
@@ -495,7 +497,6 @@ func retrieveChallenge(url string) (*ChallengeResponse, error) {
 		return nil, errors.New("post-as-get for acme challenge failed with status " + strconv.Itoa(resp.StatusCode))
 	}
 	respBytes, err := io.ReadAll(resp.Body)
-	//fmt.Println(string(respBytes))
 	if err != nil {
 		return nil, err
 	}
@@ -534,7 +535,6 @@ func respondToChallenge(url string) (*ChallengeResponse, error) {
 		return nil, err
 	}
 	signedJwt := jws.FullSerialize()
-	//fmt.Println(signedJwt)
 	req, _ := http.NewRequest(http.MethodPost, url, bytes.NewBuffer([]byte(signedJwt)))
 	req.Header.Add("Content-Type", "application/jose+json")
 	req.Header.Set("User-Agent", UserAgent)
@@ -545,7 +545,6 @@ func respondToChallenge(url string) (*ChallengeResponse, error) {
 	nextNonce.Set(resp.Header.Get("Replay-Nonce"))
 	defer resp.Body.Close()
 	respBytes, err := io.ReadAll(resp.Body)
-	//fmt.Println(string(respBytes))
 	if err != nil {
 		return nil, err
 	}
@@ -568,7 +567,6 @@ func pollOrder(orderUrl string, delay time.Duration) (*OrderResponse, error) {
 	}
 	nextNonce.Set(resp.Header.Get("Replay-Nonce"))
 	respBytes, err := io.ReadAll(resp.Body)
-	//fmt.Println(string(respBytes))
 	if err != nil {
 		return nil, err
 	}
@@ -685,7 +683,6 @@ func requestCert(csrBytes []byte, finalizeUrl string) (*OrderResponse, error) {
 	nextNonce.Set(resp.Header.Get("Replay-Nonce"))
 	defer resp.Body.Close()
 	respBytes, err := io.ReadAll(resp.Body)
-	//fmt.Println(string(respBytes))
 	if err != nil {
 		return nil, err
 	}

authVerifyServer.go

@@ -1259,7 +1259,7 @@ func (ourSigner *SigningAuth) Configure(keyPath string, certRepoUrl string) {
 	ourSigner.ready = true
 	ourSigner.certRepoUrl = &certRepoUrl
 	ourSigner.eccSigner = eccSigner
-
+	logger.LogChan <- &logger.LogMessage{Severity: logger.INFO, MsgStr: "STI-AS: Signer Ready"}
 }
 func decodeEccKey(pemEncoded []byte) (*ecdsa.PrivateKey, error) {
 	block, _ := pem.Decode(pemEncoded)
@@ -1446,7 +1446,6 @@ type ServerStatus struct {
 	CertRepoUrl            string `json:"certRepoUrl"`
 	CaTrustListLastFetched string `json:"caTrustListLastFetched"`
 	CrlLastFetched         string `json:"crlLastFetched"`
-	IsTestMode             bool   `json:"isTestMode"`
 }
 
 func getServerStatus(c *gin.Context) {

config.go

@@ -46,6 +46,9 @@ type Config struct {
 		AcmeCrlIssuerFallback string `yaml:"acme_crl_issuer_fallback"`
 		AcmeDir               string `yaml:"acme_dir"`
 	} `yaml:"sti_as"`
+	StiVs struct {
+		StrictCrlHandling bool `yaml:"strict_crl_handling"`
+	} `yaml:"sti_vs"`
 	Database struct {
 		Enabled  bool   `yaml:"enabled"`
 		Host     string `yaml:"host"`
@@ -129,7 +132,6 @@ func (ourConfig *Config) GetStiPaApiPassword() string {
 	defer ourConfig.RUnlock()
 	return ourConfig.StiPa.ApiPassword
 }
-
 func (ourConfig *Config) GetStiAsAcmeAcctId() string {
 	ourConfig.RLock()
 	defer ourConfig.RUnlock()
@@ -150,13 +152,11 @@ func (ourConfig *Config) GetStiAsCarrierOcn() string {
 	defer ourConfig.RUnlock()
 	return ourConfig.StiAs.CarrierOcn
 }
-
-func (ourConfig *Config) IsProdMode() bool {
+func (ourConfig *Config) isAcmeProdMode() bool {
 	ourConfig.RLock()
 	defer ourConfig.RUnlock()
 	return ourConfig.StiAs.AcmeProdEnabled
 }
-
 func (ourConfig *Config) GetStiAsAcmeAcctKeyFile() string {
 	ourConfig.RLock()
 	defer ourConfig.RUnlock()
@@ -210,6 +210,12 @@ func (ourConfig *Config) getListenPoint() string {
 	return ourConfig.Server.ListenPoint
 }
 
+func (ourConfig *Config) isStrictCrlHandling() bool {
+	ourConfig.RLock()
+	defer ourConfig.RUnlock()
+	return ourConfig.StiVs.StrictCrlHandling
+}
+
 func (ourConfig *Config) setStiAsAcmeAcctKeyBound(binding bool) {
 	ourConfig.Lock()
 	defer ourConfig.Unlock()
@@ -241,6 +247,12 @@ func (ourConfig *Config) SetServerInstanceId(instanceId string) {
 	ourConfig.Server.InstanceId = instanceId
 }
 
+func (ourConfig *Config) setDbEnabled(enabled bool) {
+	ourConfig.Lock()
+	defer ourConfig.Unlock()
+	ourConfig.Database.Enabled = enabled
+}
+
 func (ourConfig *Config) Save() {
 	data, err := yaml.Marshal(ourConfig)
 	if err != nil {

config.yml

@@ -26,6 +26,8 @@ sti_as:
   acme_crl_uri_fallback: https://authenticate-api.iconectiv.com/download/v1/crl
   acme_crl_issuer_fallback: L = Bridgewater, ST = NJ, CN = STI-PA CRL, C = US, O = STI-PA
   acme_dir: certs/acme
+sti_vs:
+  strict_crl_handling: false
 database:
   enabled: false
   host: