1 #include "remoteSigner.h"
6 #include <openssl/ssl.h>
7 #include <openssl/bn.h>
9 RemoteSigner::RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx ) : target( target ), ctx( ctx ) {
12 RemoteSigner::~RemoteSigner() {
15 void RemoteSigner::send( std::shared_ptr<OpensslBIOWrapper> bio, RecordHeader& head, RecordHeader::SignerCommand cmd, std::string data ) {
16 head.command = ( uint16_t ) cmd;
18 head.totalLength = data.size();
19 sendCommand( head, data, bio, log );
23 std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertificate> cert ) {
24 ( void )BIO_reset( target.get() );
26 std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
27 std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
28 SSL_set_connect_state( ssl.get() );
29 SSL_set_bio( ssl.get(), target.get(), target.get() );
30 BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
31 std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
36 if( cert->csr_type == "CSR" ) {
37 send( conn, head, RecordHeader::SignerCommand::SET_CSR, cert->csr_content );
38 } else if( cert->csr_type == "SPKAC" ) {
39 send( conn, head, RecordHeader::SignerCommand::SET_SPKAC, cert->csr_content );
41 std::cout << "Unknown csr_type: " << cert->csr_type;
42 return std::shared_ptr<SignedCertificate>();
45 send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, cert->md );
46 send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
47 send( conn, head, RecordHeader::SignerCommand::SET_WISH_FROM, cert->wishFrom );
48 send( conn, head, RecordHeader::SignerCommand::SET_WISH_TO, cert->wishTo );
50 for( auto ava : cert->AVAs ) {
51 if( ava->name.find( "," ) != std::string::npos ) {
53 return std::shared_ptr<SignedCertificate>();
56 send( conn, head, RecordHeader::SignerCommand::ADD_AVA, ava->name + "," + ava->value );
59 for( auto san : cert->SANs ) {
60 if( san->type.find( "," ) != std::string::npos ) {
62 return std::shared_ptr<SignedCertificate>();
65 send( conn, head, RecordHeader::SignerCommand::ADD_SAN, san->type + "," + san->content );
68 send( conn, head, RecordHeader::SignerCommand::SIGN, "" );
69 send( conn, head, RecordHeader::SignerCommand::LOG_SAVED, "" );
70 std::shared_ptr<SignedCertificate> result = std::shared_ptr<SignedCertificate>( new SignedCertificate() );
71 std::vector<char> buffer( 2048 * 4 );
73 for( int i = 0; i < 3; i++ ) {
75 int length = conn->read( buffer.data(), buffer.size() );
78 std::cout << "Error, no response data" << std::endl;
79 result = std::shared_ptr<SignedCertificate>();
84 std::string payload = parseCommand( head, std::string( buffer.data(), length ), log );
86 switch( ( RecordHeader::SignerResult ) head.command ) {
87 case RecordHeader::SignerResult::CERTIFICATE:
88 result->certificate = payload;
91 case RecordHeader::SignerResult::SAVE_LOG:
92 result->log = payload;
95 case RecordHeader::SignerResult::SIGNING_CA:
96 result->ca_name = payload;
100 std::cout << "Invalid Message" << std::endl;
103 } catch( const char* msg ) {
104 std::cout << msg << std::endl;
105 return std::shared_ptr<SignedCertificate>();
110 std::shared_ptr<BIO> bios( BIO_new( BIO_s_mem() ), BIO_free );
111 const char* buf = result->certificate.data();
112 unsigned int len = result->certificate.size();
115 int dlen = BIO_write( bios.get(), buf, len );
118 throw "Memory error.";
125 std::shared_ptr<X509> pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ) );
128 throw "Pem was not readable";
131 std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( pem->cert_info->serialNumber, NULL ), BN_free );
132 std::shared_ptr<char> serStr(
133 BN_bn2hex( ser.get() ),
136 } ); // OPENSSL_free is a macro...
138 extractTimes( pem, result );
140 result->serial = std::string( serStr.get() );
143 if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
144 std::cout << "SSL shutdown failed" << std::endl;
150 std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serials ) {
151 ( void )BIO_reset( target.get() );
153 std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
154 std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
155 SSL_set_connect_state( ssl.get() );
156 SSL_set_bio( ssl.get(), target.get(), target.get() );
157 BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
158 std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
164 for( std::string serial : serials ) {
165 send( conn, head, RecordHeader::SignerCommand::ADD_SERIAL, serial );
168 std::string payload = ca->name;
169 send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
171 std::vector<char> buffer( 2048 * 4 );
172 int length = conn->read( buffer.data(), buffer.size() );
175 throw "Error, no response data";
178 payload = parseCommand( head, std::string( buffer.data(), length ), log );
180 std::shared_ptr<CRL> crl( new CRL( ca->path + std::string( "/ca.crl" ) ) );
183 if( ( RecordHeader::SignerResult ) head.command != RecordHeader::SignerResult::REVOKED ) {
184 throw "Protocol violation";
187 const unsigned char* buffer2 = ( const unsigned char* ) payload.data();
188 const unsigned char* pos = buffer2;
189 ASN1_TIME* time = d2i_ASN1_TIME( NULL, &pos, payload.size() );
190 ASN1_TIME_free( time );
191 date = payload.substr( 0, pos - buffer2 );
192 std::string rest = payload.substr( pos - buffer2 );
194 for( std::string serial : serials ) {
195 crl->revoke( serial, date );
198 crl->setSignature( rest );
199 bool ok = crl->verify( ca );
202 ( *log ) << "CRL verificated successfully" << std::endl;
203 writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
205 ( *log ) << "CRL is broken" << std::endl;
206 send( conn, head, RecordHeader::SignerCommand::GET_FULL_CRL, ca->name );
207 length = conn->read( buffer.data(), buffer.size() );
210 throw "Error, no response data";
213 payload = parseCommand( head, std::string( buffer.data(), length ), log );
215 if( ( RecordHeader::SignerResult ) head.command != RecordHeader::SignerResult::FULL_CRL ) {
216 throw "Protocol violation";
219 writeFile( ca->path + std::string( "/ca.crl.bak" ), payload );
220 crl = std::shared_ptr<CRL>( new CRL( ca->path + std::string( "/ca.crl.bak" ) ) );
222 if( crl->verify( ca ) ) {
223 writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
224 ( *log ) << "CRL is now valid" << std::endl;
226 ( *log ) << "CRL is still broken... Please, help me" << std::endl;
231 ( *log ) << "CRL: " << std::endl << crl->toString() << std::endl;
233 if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
234 std::cout << "SSL shutdown failed" << std::endl;
237 return std::pair<std::shared_ptr<CRL>, std::string>( crl, date );
240 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {