#include <unordered_map>
#include "db/database.h"
-#include "db/mysql.h"
+#include "db/psql.h"
#include "crypto/simpleOpensslSigner.h"
#include "crypto/remoteSigner.h"
#include "crypto/sslUtil.h"
+#include "log/logger.hpp"
#include "util.h"
#include "io/bios.h"
#include "io/slipBio.h"
#include "config.h"
+#include <internal/bio.h>
+#include <dirent.h>
+#include <crypto/X509.h>
#ifdef NO_DAEMON
#define DAEMON false
extern std::unordered_map<std::string, std::shared_ptr<CAConfig>> CAs;
void checkCRLs( std::shared_ptr<Signer> sign ) {
- std::cout << "Signing CRLs" << std::endl;
- for( auto x : CAs ) {
- std::cout << "Checking: " << x.first << std::endl;
+ logger::note( "Signing CRLs" );
+ for( auto& x : CAs ) {
if( !x.second->crlNeedsResign() ) {
- std::cout << "Skipping Resigning CRL: " + x.second->name << std::endl;
continue;
}
- std::cout << "Resigning CRL: " + x.second->name << std::endl;
+ logger::notef( "Resigning CRL: %s ...", x.second->name );
try {
std::vector<std::string> serials;
std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( x.second, serials );
- } catch( const char* c ) {
- std::cout << "Exception: " << c << std::endl;
+ } catch( const std::exception& e ) {
+ logger::error( "Exception: ", e.what() );
}
}
}
-int main( int argc, const char* argv[] ) {
- ( void ) argc;
- ( void ) argv;
+bool pathExists( const std::string& name ) {
+ struct stat buffer;
+ return stat( name.c_str(), &buffer ) == 0;
+}
+
+void signOCSP( std::shared_ptr<Signer> sign, std::string profileName, std::string req, std::string crtName, std::string failName ) {
+ auto cert = std::make_shared<TBSCertificate>();
+ cert->ocspCA = profileName;
+ cert->wishFrom = "now";
+ cert->wishTo = "1y";
+ cert->md = "sha512";
+
+ logger::note( "INFO: Message Digest: ", cert->md );
+
+ cert->csr_content = req;
+ cert->csr_type = "CSR";
+ auto nAVA = std::make_shared<AVA>();
+ nAVA->name = "CN";
+ nAVA->value = "OCSP Responder";
+ cert->AVAs.push_back( nAVA );
+
+ std::shared_ptr<SignedCertificate> res = sign->sign( cert );
+
+ if( !res ) {
+ writeFile( failName, "failed" );
+ logger::error( "OCSP Cert signing failed." );
+ return;
+ }
+
+ writeFile( crtName, res->certificate );
+ logger::notef( "Cert log: %s", res->log );
+}
+
+void checkOCSP( std::shared_ptr<Signer> sign ) {
+ std::unique_ptr<DIR, std::function<void( DIR * )>> dp( opendir( "ca" ), []( DIR * d ) {
+ closedir( d );
+ } );
+
+ // When opendir fails and returns 0 the unique_ptr will be considered unintialized and will not call closedir.
+ // Even if closedir would be called, according to POSIX it MAY handle nullptr properly (for glibc it does).
+ if( !dp ) {
+ logger::error( "CA directory not found" );
+ return;
+ }
+
+ struct dirent *ep;
+
+ while( ( ep = readdir( dp.get() ) ) ) {
+ if( ep->d_name[0] == '.' ) {
+ continue;
+ }
+
+ std::string profileName( ep->d_name );
+ std::string csr = "ca/" + profileName + "/ocsp.csr";
+
+ if( ! pathExists( csr ) ) {
+ continue;
+ }
+
+ std::string crtName = "ca/" + profileName + "/ocsp.crt";
+
+ if( pathExists( crtName ) ) {
+ continue;
+ }
+
+ std::string failName = "ca/" + profileName + "/ocsp.fail";
+
+ if( pathExists( failName ) ) {
+ continue;
+ }
+
+ logger::notef( "Discovered OCSP CSR that needs action: %s", csr );
+ std::string req = readFile( csr );
+ std::shared_ptr<X509Req> parsed = X509Req::parseCSR( req );
+
+ if( parsed->verify() <= 0 ) {
+ logger::errorf( "Invalid CSR for %s", profileName );
+ continue;
+ }
+
+ signOCSP( sign, profileName, req, crtName, failName );
+ }
+}
+
+
+int main( int argc, const char *argv[] ) {
bool once = false;
+ bool resetOnly = false;
- if( argc == 2 && std::string( "--once" ) == std::string( argv[1] ) ) {
+ if( argc == 2 && std::string( "--once" ) == argv[1] ) {
once = true;
}
+ if( argc == 2 && std::string( "--reset" ) == argv[1] ) {
+ resetOnly = true;
+ }
+
std::string path;
#ifdef NDEBUG
- path = "/etc/cacert/cassiopeia/cassiopeia.conf";
+ path = "/etc/wpia/cassiopeia/cassiopeia.conf";
#else
path = "config.txt";
#endif
if( parseConfig( path ) != 0 ) {
+ logger::fatal( "Error: Could not parse the configuration file." );
return -1;
}
if( serialPath == "" ) {
- std::cout << "Error: no serial device is given" << std::endl;
+ logger::fatal( "Error: no serial device is given!" );
return -1;
}
- std::shared_ptr<JobProvider> jp( new MySQLJobProvider( sqlHost, sqlUser, sqlPass, sqlDB ) );
+ std::shared_ptr<JobProvider> jp = std::make_shared<PostgresJobProvider>( sqlHost, sqlUser, sqlPass, sqlDB );
std::shared_ptr<BIO> b = openSerial( serialPath );
- std::shared_ptr<BIO> slip1( BIO_new( toBio<SlipBIO>() ), BIO_free );
- static_cast<SlipBIO*>( slip1->ptr )->setTarget( std::shared_ptr<OpensslBIO>( new OpensslBIOWrapper( b ) ) );
- std::shared_ptr<RemoteSigner> sign( new RemoteSigner( slip1, generateSSLContext( false ) ) );
+ std::shared_ptr<BIO_METHOD> m( toBio<SlipBIO>(), BIO_meth_free );
+ std::shared_ptr<BIO> slip1( BIO_new( m.get() ), BIO_free );
+ static_cast<SlipBIO *>( slip1->ptr )->setTarget( std::make_shared<OpensslBIOWrapper>( b ), false );
+ auto sign = std::make_shared<RemoteSigner>( slip1, generateSSLContext( false ) );
// std::shared_ptr<Signer> sign( new SimpleOpensslSigner() );
+ if( resetOnly ) {
+ std::cout << "Doing BIO reset" << std::endl;
+ int result = BIO_reset( slip1.get() );
+ std::cout << "Did BIO reset, result " << result << ", exiting." << std::endl;
+ return result;
+ }
+
time_t lastCRLCheck = 0;
while( true ) {
- time_t current;
- time( ¤t );
-
- if( lastCRLCheck + 30 * 60 < current ) {
- // todo set good log TODO FIXME
- sign->setLog( std::shared_ptr<std::ostream>(
- &std::cout,
- []( std::ostream * o ) {
+ try {
+ time_t current;
+ time( ¤t );
+
+ if( lastCRLCheck + 30 * 60 < current ) {
+ // todo set good log TODO FIXME
+ auto ostreamFree = []( std::ostream * o ) {
( void ) o;
- } ) );
- checkCRLs( sign );
- lastCRLCheck = current;
- }
+ };
+ sign->setLog( std::shared_ptr<std::ostream>( &std::cout, ostreamFree ) );
+ checkCRLs( sign );
+ lastCRLCheck = current;
+ }
- std::shared_ptr<Job> job = jp->fetchJob();
+ checkOCSP( sign );
- if( !job ) {
- std::cout << "Nothing to work on" << std::endl;
- sleep( 5 );
- continue;
- }
+ std::shared_ptr<Job> job;
- std::ofstream* logP = new std::ofstream( std::string( "logs/" ) + job->id + std::string( "_" ) + job->warning + std::string( ".log" ) );
- std::shared_ptr<std::ofstream> logPtr(
- logP,
- []( std::ofstream * ptr ) {
- ( *ptr ).close();
- delete ptr;
- } );
- std::ofstream& log = *logP;
-
- sign->setLog( logPtr );
- log << "TASK ID: " << job->id << std::endl;
- log << "TRY: " << job->warning << std::endl;
- log << "TARGET: " << job->target << std::endl;
- log << "TASK: " << job->task << std::endl << std::endl;
-
- if( job->task == "sign" ) {
try {
- std::shared_ptr<TBSCertificate> cert = jp->fetchTBSCert( job );
- cert->wishFrom = job->from;
- cert->wishTo = job->to;
- log << "INFO: message digest: " << cert->md << std::endl;
- log << "INFO: profile id: " << cert->profile << std::endl;
-
- for( auto& SAN : cert->SANs ) {
- log << "INFO: SAN " << SAN->type << ": " << SAN->content;
- }
+ job = jp->fetchJob();
+ } catch( std::exception& e ) {
+ logger::errorf( "Exception while fetchJob: %s", e.what() );
+ }
- for( auto& AVA : cert->AVAs ) {
- log << "INFO: AVA " << AVA->name << ": " << AVA->value;
- }
+ if( !job ) {
+ sleep( 5 );
+ continue;
+ }
- if( !cert ) {
- std::cout << "wasn't able to load CSR" << std::endl;
- jp->failJob( job );
- continue;
- }
+ std::shared_ptr<std::ofstream> logPtr = openLogfile( std::string( "logs/" ) + job->id + std::string( "_" ) + job->warning + std::string( ".log" ) );
- log << "FINE: Found the CSR at '" << cert->csr << "'" << std::endl;
- cert->csr_content = readFile( keyDir + "/../" + cert->csr );
- log << "FINE: CSR is " << std::endl << cert->csr_content << std::endl;
+ logger::logger_set log_set( {logger::log_target( *logPtr, logger::level::debug )}, logger::auto_register::on );
- std::shared_ptr<SignedCertificate> res = sign->sign( cert );
+ logger::note( "TASK ID: ", job->id );
+ logger::note( "TRY: ", job->warning );
+ logger::note( "TARGET: ", job->target );
+ logger::note( "TASK: ", job->task );
+
+ if( job->task == "sign" ) {
+ try {
+ std::shared_ptr<TBSCertificate> cert = jp->fetchTBSCert( job );
+
+ if( !cert ) {
+ logger::error( "Unable to load CSR" );
+ jp->failJob( job );
+ continue;
+ }
+
+ cert->wishFrom = job->from;
+ cert->wishTo = job->to;
+ logger::note( "INFO: Message Digest: ", cert->md );
+ logger::note( "INFO: Profile ID: ", cert->profile );
+
+ for( auto& SAN : cert->SANs ) {
+ logger::notef( "INFO: SAN %s: %s", SAN->type, SAN->content );
+ }
+
+ for( auto& AVA : cert->AVAs ) {
+ logger::notef( "INFO: AVA %s: %s", AVA->name, AVA->value );
+ }
+
+ logger::note( "FINE: CSR content:\n", cert->csr_content );
+
+ std::shared_ptr<SignedCertificate> res = sign->sign( cert );
+
+ if( !res ) {
+ logger::error( "ERROR: The signer failed. No certificate was returned." );
+ jp->failJob( job );
+ continue;
+ }
+
+ logger::note( "FINE: CERTIFICATE LOG:\n", res->log,
+ "FINE: CERTIFICATE:\n", res->certificate );
+
+ jp->writeBack( job, res ); //! \FIXME: Check return value
+ logger::note( "FINE: signing done." );
+
+ if( DAEMON ) {
+ jp->finishJob( job );
+ }
- if( !res ) {
- log << "ERROR: The signer failed. There was no certificate." << std::endl;
- jp->failJob( job );
continue;
+ } catch( std::exception& c ) {
+ logger::error( "ERROR: ", c.what() );
}
- log << "FINE: CERTIFICATE LOG: " << res->log << std::endl;
- log << "FINE: CERTIFICATE:" << std::endl << res->certificate << std::endl;
- std::string fn = writeBackFile( job->target.c_str(), res->certificate, keyDir );
- if( fn.empty() ) {
- log << "ERROR: Writeback of the certificate failed." << std::endl;
+ try {
jp->failJob( job );
- continue;
+ } catch( std::exception& c ) {
+ logger::error( "ERROR: ", c.what() );
}
-
- res->crt_name = fn;
- jp->writeBack( job, res ); //! \FIXME: Check return value
- log << "FINE: signing done." << std::endl;
-
- if( DAEMON ) {
+ } else if( job->task == "revoke" ) {
+ try {
+ logger::note( "revoking" );
+ auto data = jp->getRevocationInfo( job );
+ std::vector<std::string> serials;
+ serials.push_back( data.first );
+ logger::note( "revoking" );
+ std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( CAs.at( data.second ), serials );
+ std::string date = rev.second;
+ const unsigned char *pos = ( const unsigned char * ) date.data();
+ std::shared_ptr<ASN1_TIME> time( d2i_ASN1_TIME( NULL, &pos, date.size() ), ASN1_TIME_free );
+
+ jp->writeBackRevocation( job, timeToString( time ) );
jp->finishJob( job );
+ } catch( const std::exception& c ) {
+ logger::error( "Exception: ", c.what() );
}
-
- continue;
- } catch( const char* c ) {
- log << "ERROR: " << c << std::endl;
- } catch( std::string& c ) {
- log << "ERROR: " << c << std::endl;
- }
-
- try {
+ } else {
+ logger::errorf( "Unknown job type (\"%s\")", job->task );
jp->failJob( job );
- } catch( const char* c ) {
- log << "ERROR: " << c << std::endl;
- } catch( std::string& c ) {
- log << "ERROR: " << c << std::endl;
}
- } else if( job->task == "revoke" ) {
- try {
- auto data = jp->getRevocationInfo( job );
- std::vector<std::string> serials;
- serials.push_back( data.first );
- std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( CAs.at( data.second ), serials );
- std::string date = rev.second;
- const unsigned char* pos = ( const unsigned char* ) date.data();
- std::shared_ptr<ASN1_TIME> time( d2i_ASN1_TIME( NULL, &pos, date.size() ), ASN1_TIME_free );
-
- jp->writeBackRevocation( job, timeToString( time ) );
- jp->finishJob( job );
- } catch( const char* c ) {
- std::cout << "Exception: " << c << std::endl;
+
+ if( !DAEMON || once ) {
+ return 0;
}
- } else {
- log << "Unknown job type" << job->task << std::endl;
- jp->failJob( job );
+ } catch( std::exception& e ) {
+ logger::errorf( "std::exception in mainloop: %s", e.what() );
}
- if( !DAEMON || once ) {
- return 0;
- }
}
}
projects / cassiopeia.git / blobdiff