add: Implement automatic re-signing of the CRL
authorFelix Dörre <felix@dogcraft.de>
Fri, 16 Jan 2015 23:37:08 +0000 (00:37 +0100)
committerBenny Baumann <BenBE@geshi.org>
Sat, 24 Jan 2015 17:33:29 +0000 (18:33 +0100)
src/apps/client.cpp
src/crypto/CRL.cpp
src/crypto/CRL.h
src/crypto/sslUtil.cpp
src/crypto/sslUtil.h

index 5258b9abad9b887e48b966cf1a46e35c3b2a895e..a066d87589b38a0c4222287b7371c71b9c791219 100644 (file)
@@ -27,6 +27,28 @@ extern std::string sqlHost, sqlUser, sqlPass, sqlDB;
 extern std::string serialPath;
 extern std::unordered_map<std::string, std::shared_ptr<CAConfig>> CAs;
 
+void checkCRLs( std::shared_ptr<Signer> sign ) {
+    std::cout << "Signing CRLs" << std::endl;
+
+    for( auto x : CAs ) {
+        std::cout << "Checking: " << x.first << std::endl;
+
+        if( !x.second->crlNeedsResign() ) {
+            std::cout << "Skipping Resigning CRL: " + x.second->name << std::endl;
+            continue;
+        }
+
+        std::cout << "Resigning CRL: " + x.second->name << std::endl;
+
+        try {
+            std::vector<std::string> serials;
+            std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( x.second, serials );
+        } catch( const char* c ) {
+            std::cout << "Exception: " << c << std::endl;
+        }
+    }
+}
+
 int main( int argc, const char* argv[] ) {
     ( void ) argc;
     ( void ) argv;
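Review bot: The pair returned by `sign->revoke( x.second, serials )` on the line declaring `rev` is never used, so unless revoke() itself persists the fresh CRL (not visible in this diff) the re-signed CRL is computed and discarded while the log still reports "Resigning CRL"; either write `rev.first` back or state the intent in a comment next to the call. The only handler is `catch( const char* c )`, so any other exception type appears to leave checkCRLs and reach the caller unhandled. `for( auto x : CAs )` also copies each map entry, including the shared_ptr and its atomic refcount; `for( const auto& x : CAs )` avoids that.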
@@ -60,7 +82,23 @@ int main( int argc, const char* argv[] ) {
     std::shared_ptr<RemoteSigner> sign( new RemoteSigner( slip1, generateSSLContext( false ) ) );
     // std::shared_ptr<Signer> sign( new SimpleOpensslSigner() );
 
+    time_t lastCRLCheck = 0;
+
     while( true ) {
+        time_t current;
+        time( &current );
+
+        if( lastCRLCheck + 30 * 60 < current ) {
+            // todo set good log TODO FIXME
+            sign->setLog( std::shared_ptr<std::ostream>(
+                &std::cout,
+                []( std::ostream * o ) {
+                    ( void ) o;
+                } ) );
+            checkCRLs( sign );
+            lastCRLCheck = current;
+        }
+
         std::shared_ptr<Job> job = jp->fetchJob();
 
         if( !job ) {
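Review bot: The `30 * 60` in `lastCRLCheck + 30 * 60 < current` is a bare magic number, and its relationship to the one-hour lead time used by CRL::needsResign is what keeps a CRL from lapsing between two checks; name it and record the constraint, e.g. `constexpr time_t kCRLCheckInterval = 30 * 60; // must stay below the needsResign lead time`. `time_t current; time( &current );` can be `const time_t current = time( nullptr );`. The `checkCRLs( sign )` call is unguarded here, so anything it lets escape ends the `while( true )` loop; main's body continues outside the hunk.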
index 7c3eb866dfff7be87521bb1ec349a4c0bd471104..1a31cdd3be24627e1694144188958d4367d63247 100644 (file)
@@ -122,3 +122,17 @@ void CRL::setSignature( std::string signature ) {
     d2i_ASN1_TIME( &crl->crl->lastUpdate, &buffer, signature.size() + data - buffer );
     d2i_ASN1_TIME( &crl->crl->nextUpdate, &buffer, signature.size() + data - buffer );
 }
+
+bool CRL::needsResign() {
+    time_t current;
+    time( &current );
+    current += 60 * 60;// 1 hour
+    auto time = X509_CRL_get_nextUpdate( crl.get() );
+
+    if( !time ) {
+        return true;
+    }
+
+    int cmp =  X509_cmp_time( time, &current );
+    return cmp < 0;
+}
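Review bot: `X509_cmp_time` returns 0 on error (for example an unparsable nextUpdate), so `return cmp < 0;` reports that a CRL whose nextUpdate cannot be interpreted does not need re-signing, which is the wrong direction for a freshness check. Treat an error like the missing-time case the `!time` branch already handles: `return cmp <= 0;`, or spell it out with `if( cmp == 0 ) return true;` before the comparison. The local `auto time = X509_CRL_get_nextUpdate( ... )` shadows the `::time` function called one line earlier; `nextUpdate` would read better. The `60 * 60` lead time deserves a named constant so it can be kept consistent with the check interval in client.cpp.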
index 55c2c3faf5b8f74a0a89b6aaa2c3a4f4d4ef03bb..938710a44fea55213df29d3c4c2bc54582b22a16 100644 (file)
@@ -19,6 +19,8 @@ public:
      */
     std::string revoke( std::string serial, std::string time );
 
+    bool needsResign();
+
     /**
      * Signs this CRL.
      * @param ca the CA to sign with
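Review bot: `bool needsResign();` is added without the Doxygen comment its neighbouring declarations carry. Suggested: `/** Checks whether this CRL's nextUpdate is missing or falls within the resign lead time. @return true if the CRL should be re-signed */`. The `crlNeedsResign()` declaration added to CAConfig in sslUtil.h could carry the same one-line description.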
index 82ff9f80fc8dac1dcda3a7a768a5049f7b4285da..d0710e0a837d8d297dd343f37b1796f18d362e0f 100644 (file)
@@ -3,8 +3,11 @@
 #include <sys/types.h>
 #include <termios.h>
 #include <unistd.h>
+
 #include <iostream>
 
+#include "crypto/CRL.h"
+
 std::shared_ptr<int> ssl_lib_ref(
     new int( SSL_library_init() ),
     []( int* ref ) {
@@ -196,3 +199,8 @@ void extractTimes( std::shared_ptr<X509> target,  std::shared_ptr<SignedCertific
     cert->before = timeToString( std::shared_ptr<ASN1_TIME>( X509_get_notBefore( target.get() ), ASN1_TIME_free ) );
     cert->after = timeToString( std::shared_ptr<ASN1_TIME>( X509_get_notAfter( target.get() ), ASN1_TIME_free ) );
 }
+
+bool CAConfig::crlNeedsResign() {
+    std::shared_ptr<CRL> crl( new CRL( path + "/ca.crl" ) );
+    return crl->needsResign();
+}
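Review bot: `std::shared_ptr<CRL> crl( new CRL( path + "/ca.crl" ) );` heap-allocates an object that lives only for the return statement; a plain local does the same without `new`: `CRL crl( path + "/ca.crl" ); return crl.needsResign();`. How the CRL constructor behaves when `ca.crl` is absent or unreadable is not in this diff; if it throws, note that checkCRLs calls `crlNeedsResign()` before its try block, so the `const char*` handler there does not cover this path.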
index c01418fdca28ba9df86c290bd2bda1e59afc036e..dddfdafd0e8f146b74a57f658300dcd160c46fc4 100644 (file)
@@ -18,6 +18,7 @@ public:
     std::shared_ptr<EVP_PKEY> caKey;
     std::shared_ptr<ASN1_TIME> notBefore;
     CAConfig( std::string name );
+    bool crlNeedsResign();
 };
 
 struct Profile {