upd: reduce logging of successful CRL signing

[cassiopeia.git] / src / apps / client.cpp

diff --git a/src/apps/client.cpp b/src/apps/client.cpp
index 92a2369f471465e273cbeebce0119092f0ffff92..e26ebbb83d4b875bb00d64a0c32a0533701e6402 100644 (file)
--- a/src/apps/client.cpp
+++ b/src/apps/client.cpp
@@ -17,6 +17,8 @@
 #include "io/slipBio.h"
 #include "config.h"
 #include <internal/bio.h>
+#include <dirent.h>
+#include <crypto/X509.h>
 
 #ifdef NO_DAEMON
 #define DAEMON false
@@ -34,10 +36,7 @@ void checkCRLs( std::shared_ptr<Signer> sign ) {
     logger::note( "Signing CRLs" );
 
     for( auto& x : CAs ) {
-        logger::notef( "Checking: %s ...", x.first );
-
         if( !x.second->crlNeedsResign() ) {
-            logger::warnf( "Skipping Resigning CRL: %s ...", x.second->name );
             continue;
         }
 
@@ -52,6 +51,91 @@ void checkCRLs( std::shared_ptr<Signer> sign ) {
     }
 }
 
+bool pathExists( const std::string& name ) {
+    struct stat buffer;
+    return stat( name.c_str(), &buffer ) == 0;
+}
+
+void signOCSP( std::shared_ptr<Signer> sign, std::string profileName, std::string req, std::string crtName, std::string failName ) {
+    auto cert = std::make_shared<TBSCertificate>();
+    cert->ocspCA = profileName;
+    cert->wishFrom = "now";
+    cert->wishTo = "1y";
+    cert->md = "sha512";
+
+    logger::note( "INFO: Message Digest: ", cert->md );
+
+    cert->csr_content = req;
+    cert->csr_type = "CSR";
+    auto nAVA = std::make_shared<AVA>();
+    nAVA->name = "CN";
+    nAVA->value = "OCSP Responder";
+    cert->AVAs.push_back( nAVA );
+
+    std::shared_ptr<SignedCertificate> res = sign->sign( cert );
+
+    if( !res ) {
+        writeFile( failName, "failed" );
+        logger::error( "OCSP Cert signing failed." );
+        return;
+    }
+
+    writeFile( crtName, res->certificate );
+    logger::notef( "Cert log: %s", res->log );
+}
+
+void checkOCSP( std::shared_ptr<Signer> sign ) {
+    std::unique_ptr<DIR, std::function<void( DIR * )>> dp( opendir( "ca" ), []( DIR * d ) {
+        closedir( d );
+    } );
+
+    // When opendir fails and returns 0 the unique_ptr will be considered unintialized and will not call closedir.
+    // Even if closedir would be called, according to POSIX it MAY handle nullptr properly (for glibc it does).
+    if( !dp ) {
+        logger::error( "CA directory not found" );
+        return;
+    }
+
+    struct dirent *ep;
+
+    while( ( ep = readdir( dp.get() ) ) ) {
+        if( ep->d_name[0] == '.' ) {
+            continue;
+        }
+
+        std::string profileName( ep->d_name );
+        std::string csr = "ca/" + profileName + "/ocsp.csr";
+
+        if( ! pathExists( csr ) ) {
+            continue;
+        }
+
+        std::string crtName = "ca/" + profileName + "/ocsp.crt";
+
+        if( pathExists( crtName ) ) {
+            continue;
+        }
+
+        std::string failName = "ca/" + profileName + "/ocsp.fail";
+
+        if( pathExists( failName ) ) {
+            continue;
+        }
+
+        logger::notef( "Discovered OCSP CSR that needs action: %s", csr );
+        std::string req = readFile( csr );
+        std::shared_ptr<X509Req> parsed = X509Req::parseCSR( req );
+
+        if( parsed->verify() <= 0 ) {
+            logger::errorf( "Invalid CSR for %s", profileName );
+            continue;
+        }
+
+        signOCSP( sign, profileName, req, crtName, failName );
+    }
+}
+
+
 int main( int argc, const char *argv[] ) {
     bool once = false;
     bool resetOnly = false;
@@ -114,6 +198,8 @@ int main( int argc, const char *argv[] ) {
                 lastCRLCheck = current;
             }
 
+            checkOCSP( sign );
+
             std::shared_ptr<Job> job;
 
             try {