1 #include "remoteSigner.h"
5 #include <openssl/ssl.h>
6 #include <openssl/bn.h>
8 RemoteSigner::RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx ) {
13 RemoteSigner::~RemoteSigner() {
16 void RemoteSigner::send( std::shared_ptr<OpensslBIOWrapper> bio, RecordHeader& head, RecordHeader::SignerCommand cmd, std::string data ) {
17 head.command = ( uint16_t ) cmd;
19 head.totalLength = data.size();
20 sendCommand( head, data, bio, log );
24 std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertificate> cert ) {
25 ( void )BIO_reset( target.get() );
27 std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
28 std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
29 SSL_set_connect_state( ssl.get() );
30 SSL_set_bio( ssl.get(), target.get(), target.get() );
31 BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
32 std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
37 if( cert->csr_type == "CSR" ) {
38 send( conn, head, RecordHeader::SignerCommand::SET_CSR, cert->csr_content );
39 } else if( cert->csr_type == "SPKAC" ) {
40 send( conn, head, RecordHeader::SignerCommand::SET_SPKAC, cert->csr_content );
42 std::cout << "Unknown csr_type: " << cert->csr_type;
43 return std::shared_ptr<SignedCertificate>();
46 send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, cert->md );
47 send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
49 for( auto ava : cert->AVAs ) {
50 if( ava->name.find( "," ) != std::string::npos ) {
52 return std::shared_ptr<SignedCertificate>();
55 send( conn, head, RecordHeader::SignerCommand::ADD_AVA, ava->name + "," + ava->value );
58 for( auto san : cert->SANs ) {
59 if( san->type.find( "," ) != std::string::npos ) {
61 return std::shared_ptr<SignedCertificate>();
64 send( conn, head, RecordHeader::SignerCommand::ADD_SAN, san->type + "," + san->content );
67 send( conn, head, RecordHeader::SignerCommand::SIGN, "" );
68 send( conn, head, RecordHeader::SignerCommand::LOG_SAVED, "" );
69 std::shared_ptr<SignedCertificate> result = std::shared_ptr<SignedCertificate>( new SignedCertificate() );
70 std::vector<char> buffer( 2048 * 4 );
72 for( int i = 0; i < 2; i++ ) {
74 int length = conn->read( buffer.data(), buffer.size() );
77 std::cout << "Error, no response data" << std::endl;
78 result = std::shared_ptr<SignedCertificate>();
83 std::string payload = parseCommand( head, std::string( buffer.data(), length ), log );
85 switch( ( RecordHeader::SignerResult ) head.command ) {
86 case RecordHeader::SignerResult::CERTIFICATE:
87 result->certificate = payload;
90 case RecordHeader::SignerResult::SAVE_LOG:
91 result->log = payload;
95 std::cout << "Invalid Message" << std::endl;
98 } catch( const char* msg ) {
99 std::cout << msg << std::endl;
100 return std::shared_ptr<SignedCertificate>();
105 std::shared_ptr<BIO> bios( BIO_new( BIO_s_mem() ), BIO_free );
106 const char* buf = result->certificate.data();
107 unsigned int len = result->certificate.size();
110 int dlen = BIO_write( bios.get(), buf, len );
113 throw "Memory error.";
120 std::shared_ptr<X509> pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ) );
123 throw "Pem was not readable";
126 std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( pem->cert_info->serialNumber, NULL ), BN_free );
127 std::shared_ptr<char> serStr(
128 BN_bn2hex( ser.get() ),
131 } ); // OPENSSL_free is a macro...
132 result->serial = std::string( serStr.get() );
135 if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
136 std::cout << "SSL shutdown failed" << std::endl;
142 std::shared_ptr<X509_CRL> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
143 ( void )BIO_reset( target.get() );
145 std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
146 std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
147 SSL_set_connect_state( ssl.get() );
148 SSL_set_bio( ssl.get(), target.get(), target.get() );
149 BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
150 std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
156 std::string payload = ca->name + std::string( "\0", 1 ) + serial;
157 send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
159 std::vector<char> buffer( 2048 * 4 );
160 int length = conn->read( buffer.data(), buffer.size() );
163 std::cout << "Error, no response data" << std::endl;
164 return std::shared_ptr<X509_CRL>();
167 payload = parseCommand( head, std::string( buffer.data(), length ), log );
169 switch( ( RecordHeader::SignerResult ) head.command ) {
170 case RecordHeader::SignerResult::REVOKED:
171 std::cout << "CRL: " << std::endl << payload << std::endl;
175 throw "Invalid response command.";
178 if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
179 std::cout << "SSL shutdown failed" << std::endl;
182 return std::shared_ptr<X509_CRL>();
185 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {