]> WPIA git - cassiopeia.git/blob - src/crypto/remoteSigner.cpp
add: Full CRL tranfer (non-chunked)
[cassiopeia.git] / src / crypto / remoteSigner.cpp
1 #include "remoteSigner.h"
2 #include "util.h"
3
4 #include <iostream>
5
6 #include <openssl/ssl.h>
7 #include <openssl/bn.h>
8
9 RemoteSigner::RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx ) {
10     this->target = target;
11     this->ctx = ctx;
12 }
13
14 RemoteSigner::~RemoteSigner() {
15 }
16
17 void RemoteSigner::send( std::shared_ptr<OpensslBIOWrapper> bio, RecordHeader& head, RecordHeader::SignerCommand cmd, std::string data ) {
18     head.command = ( uint16_t ) cmd;
19     head.command_count++;
20     head.totalLength = data.size();
21     sendCommand( head, data, bio, log );
22
23 }
24
25 std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertificate> cert ) {
26     ( void )BIO_reset( target.get() );
27
28     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
29     std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
30     SSL_set_connect_state( ssl.get() );
31     SSL_set_bio( ssl.get(), target.get(), target.get() );
32     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
33     std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
34     RecordHeader head;
35     head.flags = 0;
36     head.sessid = 13;
37
38     if( cert->csr_type == "CSR" ) {
39         send( conn, head, RecordHeader::SignerCommand::SET_CSR, cert->csr_content );
40     } else if( cert->csr_type == "SPKAC" ) {
41         send( conn, head, RecordHeader::SignerCommand::SET_SPKAC, cert->csr_content );
42     } else {
43         std::cout << "Unknown csr_type: " << cert->csr_type;
44         return std::shared_ptr<SignedCertificate>();
45     }
46
47     send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, cert->md );
48     send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
49
50     for( auto ava : cert->AVAs ) {
51         if( ava->name.find( "," ) != std::string::npos ) {
52             // invalid ava
53             return std::shared_ptr<SignedCertificate>();
54         }
55
56         send( conn, head, RecordHeader::SignerCommand::ADD_AVA, ava->name + "," + ava->value );
57     }
58
59     for( auto san : cert->SANs ) {
60         if( san->type.find( "," ) != std::string::npos ) {
61             // invalid ava
62             return std::shared_ptr<SignedCertificate>();
63         }
64
65         send( conn, head, RecordHeader::SignerCommand::ADD_SAN, san->type + "," + san->content );
66     }
67
68     send( conn, head, RecordHeader::SignerCommand::SIGN, "" );
69     send( conn, head, RecordHeader::SignerCommand::LOG_SAVED, "" );
70     std::shared_ptr<SignedCertificate> result = std::shared_ptr<SignedCertificate>( new SignedCertificate() );
71     std::vector<char> buffer( 2048 * 4 );
72
73     for( int i = 0; i < 2; i++ ) {
74         try {
75             int length = conn->read( buffer.data(), buffer.size() );
76
77             if( length <= 0 ) {
78                 std::cout << "Error, no response data" << std::endl;
79                 result = std::shared_ptr<SignedCertificate>();
80                 break;
81             }
82
83             RecordHeader head;
84             std::string payload = parseCommand( head, std::string( buffer.data(), length ), log );
85
86             switch( ( RecordHeader::SignerResult ) head.command ) {
87             case RecordHeader::SignerResult::CERTIFICATE:
88                 result->certificate = payload;
89                 break;
90
91             case RecordHeader::SignerResult::SAVE_LOG:
92                 result->log = payload;
93                 break;
94
95             default:
96                 std::cout << "Invalid Message" << std::endl;
97                 break;
98             }
99         } catch( const char* msg ) {
100             std::cout << msg << std::endl;
101             return std::shared_ptr<SignedCertificate>();
102         }
103     }
104
105     if( result ) {
106         std::shared_ptr<BIO> bios( BIO_new( BIO_s_mem() ), BIO_free );
107         const char* buf = result->certificate.data();
108         unsigned int len = result->certificate.size();
109
110         while( len > 0 ) {
111             int dlen = BIO_write( bios.get(), buf, len );
112
113             if( dlen <= 0 ) {
114                 throw "Memory error.";
115             }
116
117             len -= dlen;
118             buf += dlen;
119         }
120
121         std::shared_ptr<X509> pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ) );
122
123         if( !pem ) {
124             throw "Pem was not readable";
125         }
126
127         std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( pem->cert_info->serialNumber, NULL ), BN_free );
128         std::shared_ptr<char> serStr(
129             BN_bn2hex( ser.get() ),
130             []( char* p ) {
131                 OPENSSL_free( p );
132             } ); // OPENSSL_free is a macro...
133         result->serial = std::string( serStr.get() );
134     }
135
136     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
137         std::cout << "SSL shutdown failed" << std::endl;
138     }
139
140     return result;
141 }
142
143 std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
144     ( void )BIO_reset( target.get() );
145
146     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
147     std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
148     SSL_set_connect_state( ssl.get() );
149     SSL_set_bio( ssl.get(), target.get(), target.get() );
150     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
151     std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
152
153     RecordHeader head;
154     head.flags = 0;
155     head.sessid = 13;
156
157     std::string payload = ca->name + std::string( "\0", 1 ) + serial;
158     send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
159
160     std::vector<char> buffer( 2048 * 4 );
161     int length = conn->read( buffer.data(), buffer.size() );
162
163     if( length <= 0 ) {
164         std::cout << "Error, no response data" << std::endl;
165         return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );
166     }
167
168     payload = parseCommand( head, std::string( buffer.data(), length ), log );
169
170     std::shared_ptr<CRL> crl( new CRL( ca->path + std::string( "/ca.crl" ) ) );
171
172     switch( ( RecordHeader::SignerResult ) head.command ) {
173     case RecordHeader::SignerResult::REVOKED: {
174         const unsigned char* buffer2 = ( const unsigned char* ) payload.data();
175         const unsigned char* pos = buffer2;
176         ASN1_UTCTIME* time = d2i_ASN1_UTCTIME( NULL, &pos, payload.size() );
177         ASN1_UTCTIME_free( time );
178         std::string rest = payload.substr( pos - buffer2 );
179         crl->revoke( serial, payload.substr( 0, pos - buffer2 ) );
180         crl->setSignature( rest );
181         bool ok = crl->verify( ca );
182
183         if( ok ) {
184             ( *log ) << "CRL verificated successfully" << std::endl;
185             writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
186         } else {
187             ( *log ) << "CRL is broken" << std::endl;
188             send( conn, head, RecordHeader::SignerCommand::GET_FULL_CRL, ca->name );
189             length = conn->read( buffer.data(), buffer.size() );
190
191             if( length <= 0 ) {
192                 ( *log ) << "Error, no response data" << std::endl;
193                 return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );
194             }
195
196             payload = parseCommand( head, std::string( buffer.data(), length ), log );
197             writeFile( ca->path + std::string( "/ca.crl.bak" ), payload );
198             crl = std::shared_ptr<CRL>( new CRL( ca->path + std::string( "/ca.crl.bak" ) ) );
199
200             if( crl->verify( ca ) ) {
201                 writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
202                 ( *log ) << "CRL is now valid" << std::endl;
203             } else {
204                 ( *log ) << "CRL is still broken... Please, help me" << std::endl;
205             }
206
207         }
208
209         ( *log ) << "CRL: " << std::endl << crl->toString() << std::endl;
210         break;
211     }
212
213     default:
214         throw "Invalid response command.";
215     }
216
217
218     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
219         std::cout << "SSL shutdown failed" << std::endl;
220     }
221
222     return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );
223 }
224
225 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {
226     this->log = target;
227 }