7 #include <unordered_map>
9 #include "db/database.h"
11 #include "crypto/simpleOpensslSigner.h"
12 #include "crypto/remoteSigner.h"
13 #include "crypto/sslUtil.h"
14 #include "log/logger.hpp"
17 #include "io/slipBio.h"
19 #include <internal/bio.h>
21 #include <crypto/X509.h>
29 extern std::string keyDir;
30 extern std::string sqlHost, sqlUser, sqlPass, sqlDB;
31 extern std::string serialPath;
32 extern std::unordered_map<std::string, std::shared_ptr<CAConfig>> CAs;
34 void checkCRLs( std::shared_ptr<Signer> sign ) {
36 logger::note( "Signing CRLs" );
38 for( auto& x : CAs ) {
39 logger::notef( "Checking: %s ...", x.first );
41 if( !x.second->crlNeedsResign() ) {
42 logger::warnf( "Skipping Resigning CRL: %s ...", x.second->name );
46 logger::notef( "Resigning CRL: %s ...", x.second->name );
49 std::vector<std::string> serials;
50 std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( x.second, serials );
51 } catch( const std::exception& e ) {
52 logger::error( "Exception: ", e.what() );
57 bool pathExists( const std::string& name ) {
59 return stat( name.c_str(), &buffer ) == 0;
62 void signOCSP( std::shared_ptr<Signer> sign, std::string profileName, std::string req, std::string crtName ) {
63 auto cert = std::make_shared<TBSCertificate>();
64 cert->ocspCA = profileName;
65 cert->wishFrom = "now";
69 logger::note( "INFO: Message Digest: ", cert->md );
71 cert->csr_content = req;
72 cert->csr_type = "CSR";
73 auto nAVA = std::make_shared<AVA>();
75 nAVA->value = "OCSP Responder";
76 cert->AVAs.push_back( nAVA );
78 std::shared_ptr<SignedCertificate> res = sign->sign( cert );
81 logger::error( "OCSP Cert signing failed." );
85 writeFile( crtName, res->certificate );
86 logger::notef( "Cert log: %s", res->log );
89 void checkOCSP( std::shared_ptr<Signer> sign ) {
90 std::unique_ptr<DIR, std::function<void( DIR * )>> dp( opendir( "ca" ), []( DIR * d ) {
94 // When opendir fails and returns 0 the unique_ptr will be considered unintialized and will not call closedir.
95 // Even if closedir would be called, according to POSIX it MAY handle nullptr properly (for glibc it does).
97 logger::error( "CA directory not found" );
103 while( ( ep = readdir( dp.get() ) ) ) {
104 if( ep->d_name[0] == '.' ) {
108 std::string profileName( ep->d_name );
109 std::string csr = "ca/" + profileName + "/ocsp.csr";
111 if( ! pathExists( csr ) ) {
115 std::string crtName = "ca/" + profileName + "/ocsp.crt";
117 if( pathExists( crtName ) ) {
121 logger::notef( "Discovered OCSP CSR that needs action: %s", csr );
122 std::string req = readFile( csr );
123 std::shared_ptr<X509Req> parsed = X509Req::parseCSR( req );
125 if( parsed->verify() <= 0 ) {
126 logger::errorf( "Invalid CSR for %s", profileName );
130 signOCSP( sign, profileName, req, crtName );
135 int main( int argc, const char *argv[] ) {
137 bool resetOnly = false;
139 if( argc == 2 && std::string( "--once" ) == argv[1] ) {
143 if( argc == 2 && std::string( "--reset" ) == argv[1] ) {
150 path = "/etc/wpia/cassiopeia/cassiopeia.conf";
155 if( parseConfig( path ) != 0 ) {
156 logger::fatal( "Error: Could not parse the configuration file." );
160 if( serialPath == "" ) {
161 logger::fatal( "Error: no serial device is given!" );
165 std::shared_ptr<JobProvider> jp = std::make_shared<PostgresJobProvider>( sqlHost, sqlUser, sqlPass, sqlDB );
166 std::shared_ptr<BIO> b = openSerial( serialPath );
167 std::shared_ptr<BIO_METHOD> m( toBio<SlipBIO>(), BIO_meth_free );
168 std::shared_ptr<BIO> slip1( BIO_new( m.get() ), BIO_free );
169 static_cast<SlipBIO *>( slip1->ptr )->setTarget( std::make_shared<OpensslBIOWrapper>( b ), false );
170 auto sign = std::make_shared<RemoteSigner>( slip1, generateSSLContext( false ) );
171 // std::shared_ptr<Signer> sign( new SimpleOpensslSigner() );
174 std::cout << "Doing BIO reset" << std::endl;
175 int result = BIO_reset( slip1.get() );
176 std::cout << "Did BIO reset, result " << result << ", exiting." << std::endl;
180 time_t lastCRLCheck = 0;
187 if( lastCRLCheck + 30 * 60 < current ) {
188 // todo set good log TODO FIXME
189 auto ostreamFree = []( std::ostream * o ) {
192 sign->setLog( std::shared_ptr<std::ostream>( &std::cout, ostreamFree ) );
194 lastCRLCheck = current;
199 std::shared_ptr<Job> job;
202 job = jp->fetchJob();
203 } catch( std::exception& e ) {
204 logger::errorf( "Exception while fetchJob: %s", e.what() );
212 std::shared_ptr<std::ofstream> logPtr = openLogfile( std::string( "logs/" ) + job->id + std::string( "_" ) + job->warning + std::string( ".log" ) );
214 logger::logger_set log_set( {logger::log_target( *logPtr, logger::level::debug )}, logger::auto_register::on );
216 logger::note( "TASK ID: ", job->id );
217 logger::note( "TRY: ", job->warning );
218 logger::note( "TARGET: ", job->target );
219 logger::note( "TASK: ", job->task );
221 if( job->task == "sign" ) {
223 std::shared_ptr<TBSCertificate> cert = jp->fetchTBSCert( job );
226 logger::error( "Unable to load CSR" );
231 cert->wishFrom = job->from;
232 cert->wishTo = job->to;
233 logger::note( "INFO: Message Digest: ", cert->md );
234 logger::note( "INFO: Profile ID: ", cert->profile );
236 for( auto& SAN : cert->SANs ) {
237 logger::notef( "INFO: SAN %s: %s", SAN->type, SAN->content );
240 for( auto& AVA : cert->AVAs ) {
241 logger::notef( "INFO: AVA %s: %s", AVA->name, AVA->value );
244 logger::notef( "FINE: Found the CSR at '%s'", cert->csr );
245 cert->csr_content = readFile( keyDir + "/../" + cert->csr );
246 logger::note( "FINE: CSR content:\n", cert->csr_content );
248 std::shared_ptr<SignedCertificate> res = sign->sign( cert );
251 logger::error( "ERROR: The signer failed. No certificate was returned." );
256 logger::note( "FINE: CERTIFICATE LOG:\n", res->log,
257 "FINE: CERTIFICATE:\n", res->certificate );
259 std::string fn = writeBackFile( job->target.c_str(), res->certificate, keyDir );
262 logger::error( "ERROR: Writeback of the certificate failed." );
268 jp->writeBack( job, res ); //! \FIXME: Check return value
269 logger::note( "FINE: signing done." );
272 jp->finishJob( job );
276 } catch( std::exception& c ) {
277 logger::error( "ERROR: ", c.what() );
282 } catch( std::exception& c ) {
283 logger::error( "ERROR: ", c.what() );
285 } else if( job->task == "revoke" ) {
287 logger::note( "revoking" );
288 auto data = jp->getRevocationInfo( job );
289 std::vector<std::string> serials;
290 serials.push_back( data.first );
291 logger::note( "revoking" );
292 std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( CAs.at( data.second ), serials );
293 std::string date = rev.second;
294 const unsigned char *pos = ( const unsigned char * ) date.data();
295 std::shared_ptr<ASN1_TIME> time( d2i_ASN1_TIME( NULL, &pos, date.size() ), ASN1_TIME_free );
297 jp->writeBackRevocation( job, timeToString( time ) );
298 jp->finishJob( job );
299 } catch( const std::exception& c ) {
300 logger::error( "Exception: ", c.what() );
303 logger::errorf( "Unknown job type (\"%s\")", job->task );
307 if( !DAEMON || once ) {
310 } catch( std::exception& e ) {
311 logger::errorf( "std::exception in mainloop: %s", e.what() );