src/crypto/remoteSigner.cpp

   1 #include "remoteSigner.h"
   2 #include "util.h"
   3
   4 #include <iostream>
   5
   6 #include <openssl/ssl.h>
   7 #include <openssl/bn.h>
   8
   9 RemoteSigner::RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx ) {
  10     this->target = target;
  11     this->ctx = ctx;
  12 }
  13
  14 RemoteSigner::~RemoteSigner() {
  15 }
  16
  17 void RemoteSigner::send( std::shared_ptr<OpensslBIOWrapper> bio, RecordHeader& head, RecordHeader::SignerCommand cmd, std::string data ) {
  18     head.command = ( uint16_t ) cmd;
  19     head.command_count++;
  20     head.totalLength = data.size();
  21     sendCommand( head, data, bio, log );
  22
  23 }
  24
  25 std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertificate> cert ) {
  26     ( void )BIO_reset( target.get() );
  27
  28     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
  29     std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
  30     SSL_set_connect_state( ssl.get() );
  31     SSL_set_bio( ssl.get(), target.get(), target.get() );
  32     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
  33     std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
  34     RecordHeader head;
  35     head.flags = 0;
  36     head.sessid = 13;
  37
  38     if( cert->csr_type == "CSR" ) {
  39         send( conn, head, RecordHeader::SignerCommand::SET_CSR, cert->csr_content );
  40     } else if( cert->csr_type == "SPKAC" ) {
  41         send( conn, head, RecordHeader::SignerCommand::SET_SPKAC, cert->csr_content );
  42     } else {
  43         std::cout << "Unknown csr_type: " << cert->csr_type;
  44         return std::shared_ptr<SignedCertificate>();
  45     }
  46
  47     send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, cert->md );
  48     send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
  49
  50     for( auto ava : cert->AVAs ) {
  51         if( ava->name.find( "," ) != std::string::npos ) {
  52             // invalid ava
  53             return std::shared_ptr<SignedCertificate>();
  54         }
  55
  56         send( conn, head, RecordHeader::SignerCommand::ADD_AVA, ava->name + "," + ava->value );
  57     }
  58
  59     for( auto san : cert->SANs ) {
  60         if( san->type.find( "," ) != std::string::npos ) {
  61             // invalid ava
  62             return std::shared_ptr<SignedCertificate>();
  63         }
  64
  65         send( conn, head, RecordHeader::SignerCommand::ADD_SAN, san->type + "," + san->content );
  66     }
  67
  68     send( conn, head, RecordHeader::SignerCommand::SIGN, "" );
  69     send( conn, head, RecordHeader::SignerCommand::LOG_SAVED, "" );
  70     std::shared_ptr<SignedCertificate> result = std::shared_ptr<SignedCertificate>( new SignedCertificate() );
  71     std::vector<char> buffer( 2048 * 4 );
  72
  73     for( int i = 0; i < 2; i++ ) {
  74         try {
  75             int length = conn->read( buffer.data(), buffer.size() );
  76
  77             if( length <= 0 ) {
  78                 std::cout << "Error, no response data" << std::endl;
  79                 result = std::shared_ptr<SignedCertificate>();
  80                 break;
  81             }
  82
  83             RecordHeader head;
  84             std::string payload = parseCommand( head, std::string( buffer.data(), length ), log );
  85
  86             switch( ( RecordHeader::SignerResult ) head.command ) {
  87             case RecordHeader::SignerResult::CERTIFICATE:
  88                 result->certificate = payload;
  89                 break;
  90
  91             case RecordHeader::SignerResult::SAVE_LOG:
  92                 result->log = payload;
  93                 break;
  94
  95             default:
  96                 std::cout << "Invalid Message" << std::endl;
  97                 break;
  98             }
  99         } catch( const char* msg ) {
 100             std::cout << msg << std::endl;
 101             return std::shared_ptr<SignedCertificate>();
 102         }
 103     }
 104
 105     if( result ) {
 106         std::shared_ptr<BIO> bios( BIO_new( BIO_s_mem() ), BIO_free );
 107         const char* buf = result->certificate.data();
 108         unsigned int len = result->certificate.size();
 109
 110         while( len > 0 ) {
 111             int dlen = BIO_write( bios.get(), buf, len );
 112
 113             if( dlen <= 0 ) {
 114                 throw "Memory error.";
 115             }
 116
 117             len -= dlen;
 118             buf += dlen;
 119         }
 120
 121         std::shared_ptr<X509> pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ) );
 122
 123         if( !pem ) {
 124             throw "Pem was not readable";
 125         }
 126
 127         std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( pem->cert_info->serialNumber, NULL ), BN_free );
 128         std::shared_ptr<char> serStr(
 129             BN_bn2hex( ser.get() ),
 130             []( char* p ) {
 131                 OPENSSL_free( p );
 132             } ); // OPENSSL_free is a macro...
 133         result->serial = std::string( serStr.get() );
 134     }
 135
 136     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
 137         std::cout << "SSL shutdown failed" << std::endl;
 138     }
 139
 140     return result;
 141 }
 142
 143 std::shared_ptr<CRL> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
 144     ( void )BIO_reset( target.get() );
 145
 146     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
 147     std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
 148     SSL_set_connect_state( ssl.get() );
 149     SSL_set_bio( ssl.get(), target.get(), target.get() );
 150     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
 151     std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
 152
 153     RecordHeader head;
 154     head.flags = 0;
 155     head.sessid = 13;
 156
 157     std::string payload = ca->name + std::string( "\0", 1 ) + serial;
 158     send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
 159
 160     std::vector<char> buffer( 2048 * 4 );
 161     int length = conn->read( buffer.data(), buffer.size() );
 162
 163     if( length <= 0 ) {
 164         std::cout << "Error, no response data" << std::endl;
 165         return std::shared_ptr<CRL>();
 166     }
 167
 168     payload = parseCommand( head, std::string( buffer.data(), length ), log );
 169
 170     switch( ( RecordHeader::SignerResult ) head.command ) {
 171     case RecordHeader::SignerResult::REVOKED:
 172         std::cout << "CRL: " << std::endl << payload << std::endl;
 173         break;
 174
 175     default:
 176         throw "Invalid response command.";
 177     }
 178
 179     writeFile( ca->path + "/ca.crl", payload );
 180
 181     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
 182         std::cout << "SSL shutdown failed" << std::endl;
 183     }
 184
 185     return std::shared_ptr<CRL>();
 186 }
 187
 188 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {
 189     this->log = target;
 190 }