Add Expires: header to CRL downloads corresponding to current CRL expiration

5 months ago · 659117c329
parent e92a173e30
commit 659117c329
3 changed files with 31 additions and 0 deletions
--- a/api/api.go
+++ b/api/api.go
@ -50,6 +50,7 @@ type Authority interface {
 	GetRoots() ([]*x509.Certificate, error)
 	GetFederation() ([]*x509.Certificate, error)
 	Version() authority.Version
+	GetCertificateRevocationListExpiration() (time.Time, error)
 	GetCertificateRevocationList() ([]byte, error)
 }

--- a/api/crl.go
+++ b/api/crl.go
@ -3,6 +3,7 @@ package api
 import (
 	"encoding/pem"
 	"net/http"
+	"time"

 	"github.com/smallstep/certificates/api/render"
 )
@ -15,6 +16,14 @@ func CRL(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	exp, err := mustAuthority(r.Context()).GetCertificateRevocationListExpiration()
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	w.Header().Add("Expires", exp.Format(time.RFC1123))
+
 	_, formatAsPEM := r.URL.Query()["pem"]
 	if formatAsPEM {
 		pemBytes := pem.EncodeToMemory(&pem.Block{
--- a/authority/tls.go
+++ b/authority/tls.go
@ -675,6 +675,27 @@ func (a *Authority) revokeSSH(crt *ssh.Certificate, rci *db.RevokedCertificateIn
 	return a.db.RevokeSSH(rci)
 }

+// GetCertificateRevocationListExpiration will return the expiration date of the currently generated CRL from the DB, or a not implemented
+// error if the underlying AuthDB does not support CRLs
+func (a *Authority) GetCertificateRevocationListExpiration() (time.Time, error) {
+	zeroTime := time.Date(0, 0, 0, 0, 0, 0, 0, time.UTC)
+	if !a.config.CRL.IsEnabled() {
+		return zeroTime, errs.Wrap(http.StatusNotFound, errors.Errorf("Certificate Revocation Lists are not enabled"), "authority.GetCertificateRevocationList")
+	}
+
+	crlDB, ok := a.db.(db.CertificateRevocationListDB)
+	if !ok {
+		return zeroTime, errs.Wrap(http.StatusNotImplemented, errors.Errorf("Database does not support Certificate Revocation Lists"), "authority.GetCertificateRevocationList")
+	}
+
+	crlInfo, err := crlDB.GetCRL()
+	if err != nil {
+		return zeroTime, errs.Wrap(http.StatusInternalServerError, err, "authority.GetCertificateRevocationList")
+	}
+
+	return crlInfo.ExpiresAt, nil
+}
+
 // GetCertificateRevocationList will return the currently generated CRL from the DB, or a not implemented
 // error if the underlying AuthDB does not support CRLs
 func (a *Authority) GetCertificateRevocationList() ([]byte, error) {