1 #include "remoteSigner.h"
3 #include "log/logger.hpp"
8 #include <openssl/ssl.h>
9 #include <openssl/bn.h>
11 RemoteSigner::RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx ) : target( target ), ctx( ctx ) {
14 RemoteSigner::~RemoteSigner() {
17 void RemoteSigner::send( std::shared_ptr<OpensslBIOWrapper> bio, RecordHeader& head, RecordHeader::SignerCommand cmd, std::string data ) {
18 head.command = static_cast<uint16_t>( cmd );
20 head.totalLength = data.size();
21 sendCommand( head, data, bio );
24 std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertificate> cert ) {
25 ( void )BIO_reset( target.get() );
27 std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
28 std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
29 SSL_set_connect_state( ssl.get() );
30 SSL_set_bio( ssl.get(), target.get(), target.get() );
31 BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
32 auto conn = std::make_shared<OpensslBIOWrapper>( bio );
37 if( cert->csr_type == "CSR" ) {
38 send( conn, head, RecordHeader::SignerCommand::SET_CSR, cert->csr_content );
39 } else if( cert->csr_type == "SPKAC" ) {
40 send( conn, head, RecordHeader::SignerCommand::SET_SPKAC, cert->csr_content );
42 logger::error( "Unknown csr_type: ", cert->csr_type );
46 send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, cert->md );
47 send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
48 send( conn, head, RecordHeader::SignerCommand::SET_WISH_FROM, cert->wishFrom );
49 send( conn, head, RecordHeader::SignerCommand::SET_WISH_TO, cert->wishTo );
51 for( auto &ava : cert->AVAs ) {
52 if( ava->name.find( "," ) != std::string::npos ) {
57 send( conn, head, RecordHeader::SignerCommand::ADD_AVA, ava->name + "," + ava->value );
60 for( auto &san : cert->SANs ) {
61 if( san->type.find( "," ) != std::string::npos ) {
66 send( conn, head, RecordHeader::SignerCommand::ADD_SAN, san->type + "," + san->content );
69 send( conn, head, RecordHeader::SignerCommand::SIGN, "" );
70 send( conn, head, RecordHeader::SignerCommand::LOG_SAVED, "" );
71 auto result = std::make_shared<SignedCertificate>();
73 for( int i = 0; i < 3; i++ ) {
76 std::string payload = parseCommandChunked( head, conn );
78 switch( static_cast<RecordHeader::SignerResult>( head.command )) {
79 case RecordHeader::SignerResult::CERTIFICATE:
80 result->certificate = payload;
83 case RecordHeader::SignerResult::SAVE_LOG:
84 result->log = payload;
87 case RecordHeader::SignerResult::SIGNING_CA:
88 result->ca_name = payload;
92 logger::error( "Invalid Message" );
95 } catch( const std::exception& msg ) {
96 logger::error( msg.what() );
97 return std::shared_ptr<SignedCertificate>();
102 std::shared_ptr<BIO> bios( BIO_new( BIO_s_mem() ), BIO_free );
103 const char* buf = result->certificate.data();
104 unsigned int len = result->certificate.size();
107 int dlen = BIO_write( bios.get(), buf, len );
110 throw std::runtime_error("Memory error.");
117 std::shared_ptr<X509> pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ), X509_free );
120 throw std::runtime_error("Pem was not readable");
123 std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( X509_get_serialNumber(pem.get()), NULL), BN_free );
124 std::shared_ptr<char> serStr(
125 BN_bn2hex( ser.get() ),
128 } ); // OPENSSL_free is a macro...
130 extractTimes( pem, result );
132 result->serial = std::string( serStr.get() );
135 logger::note( "Closing SSL connection" );
136 if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
137 logger::warn( "SSL shutdown failed" );
139 logger::note( "SSL connection closed" );
144 std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serials ) {
145 ( void )BIO_reset( target.get() );
147 std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
148 std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
149 SSL_set_connect_state( ssl.get() );
150 SSL_set_bio( ssl.get(), target.get(), target.get() );
151 BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
152 auto conn = std::make_shared<OpensslBIOWrapper>( bio );
158 for( auto &serial : serials ) {
159 send( conn, head, RecordHeader::SignerCommand::ADD_SERIAL, serial );
162 std::string payload = ca->name;
163 send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
165 payload = parseCommandChunked( head, conn );
167 std::string tgtName = ca->path + std::string( "/ca.crl" );
168 auto crl = std::make_shared<CRL>( tgtName );
171 if( static_cast<RecordHeader::SignerResult>( head.command ) != RecordHeader::SignerResult::REVOKED ) {
172 throw std::runtime_error("Protocol violation");
175 const unsigned char* buffer2 = reinterpret_cast<const unsigned char*>( payload.data() );
176 const unsigned char* pos = buffer2;
177 ASN1_TIME* time = d2i_ASN1_TIME( NULL, &pos, payload.size() );
178 ASN1_TIME_free( time );
179 date = payload.substr( 0, pos - buffer2 );
180 std::string rest = payload.substr( pos - buffer2 );
182 for( std::string &serial : serials ) {
183 crl->revoke( serial, date );
186 crl->setSignature( rest );
187 bool ok = crl->verify( ca );
190 logger::note( "CRL verificated successfully" );
191 writeFile( tgtName, crl->toString() );
193 logger::warn( "CRL is broken, trying to recover" );
194 send( conn, head, RecordHeader::SignerCommand::GET_FULL_CRL, ca->name );
196 payload = parseCommandChunked( head, conn );
198 if( static_cast<RecordHeader::SignerResult>( head.command ) != RecordHeader::SignerResult::FULL_CRL ) {
199 throw std::runtime_error("Protocol violation");
202 std::string name_bak = ca->path + std::string( "/ca.crl.bak" );
203 writeFile( name_bak, payload );
204 crl = std::make_shared<CRL>( name_bak );
206 if( crl->verify( ca ) ) {
207 if( rename( name_bak.c_str(), tgtName.c_str() ) != 0 ){
208 logger::warn( "Moving new CRL over old CRL failed" );
210 logger::note( "CRL is now valid again" );
212 logger::warn( "CRL is still broken... Please, help me" );
216 logger::note( "Closing SSL connection" );
217 if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
218 logger::warn( "SSL shutdown failed" );
220 logger::note( "SSL connection closed" );
222 return { crl, date };
225 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {