#include "io/slipBio.h"
#include "config.h"
#include <internal/bio.h>
+#include <dirent.h>
+#include <crypto/X509.h>
#ifdef NO_DAEMON
#define DAEMON false
logger::note( "Signing CRLs" );
for( auto& x : CAs ) {
- logger::notef( "Checking: %s ...", x.first );
-
if( !x.second->crlNeedsResign() ) {
- logger::warnf( "Skipping Resigning CRL: %s ...", x.second->name );
continue;
}
}
}
+bool pathExists( const std::string& name ) {
+ struct stat buffer;
+ return stat( name.c_str(), &buffer ) == 0;
+}
+
+void signOCSP( std::shared_ptr<Signer> sign, std::string profileName, std::string req, std::string crtName, std::string failName ) {
+ auto cert = std::make_shared<TBSCertificate>();
+ cert->ocspCA = profileName;
+ cert->wishFrom = "now";
+ cert->wishTo = "1y";
+ cert->md = "sha512";
+
+ logger::note( "INFO: Message Digest: ", cert->md );
+
+ cert->csr_content = req;
+ cert->csr_type = "CSR";
+ auto nAVA = std::make_shared<AVA>();
+ nAVA->name = "CN";
+ nAVA->value = "OCSP Responder";
+ cert->AVAs.push_back( nAVA );
+
+ std::shared_ptr<SignedCertificate> res = sign->sign( cert );
+
+ if( !res ) {
+ writeFile( failName, "failed" );
+ logger::error( "OCSP Cert signing failed." );
+ return;
+ }
+
+ writeFile( crtName, res->certificate );
+ logger::notef( "Cert log: %s", res->log );
+}
+
+void checkOCSP( std::shared_ptr<Signer> sign ) {
+ std::unique_ptr<DIR, std::function<void( DIR * )>> dp( opendir( "ca" ), []( DIR * d ) {
+ closedir( d );
+ } );
+
+ // When opendir fails and returns 0 the unique_ptr will be considered unintialized and will not call closedir.
+ // Even if closedir would be called, according to POSIX it MAY handle nullptr properly (for glibc it does).
+ if( !dp ) {
+ logger::error( "CA directory not found" );
+ return;
+ }
+
+ struct dirent *ep;
+
+ while( ( ep = readdir( dp.get() ) ) ) {
+ if( ep->d_name[0] == '.' ) {
+ continue;
+ }
+
+ std::string profileName( ep->d_name );
+ std::string csr = "ca/" + profileName + "/ocsp.csr";
+
+ if( ! pathExists( csr ) ) {
+ continue;
+ }
+
+ std::string crtName = "ca/" + profileName + "/ocsp.crt";
+
+ if( pathExists( crtName ) ) {
+ continue;
+ }
+
+ std::string failName = "ca/" + profileName + "/ocsp.fail";
+
+ if( pathExists( failName ) ) {
+ continue;
+ }
+
+ logger::notef( "Discovered OCSP CSR that needs action: %s", csr );
+ std::string req = readFile( csr );
+ std::shared_ptr<X509Req> parsed = X509Req::parseCSR( req );
+
+ if( parsed->verify() <= 0 ) {
+ logger::errorf( "Invalid CSR for %s", profileName );
+ continue;
+ }
+
+ signOCSP( sign, profileName, req, crtName, failName );
+ }
+}
+
+
int main( int argc, const char *argv[] ) {
bool once = false;
bool resetOnly = false;
if( lastCRLCheck + 30 * 60 < current ) {
// todo set good log TODO FIXME
- sign->setLog( std::shared_ptr<std::ostream>(
- &std::cout,
- []( std::ostream* o ) {
- ( void ) o;
- } ) );
+ auto ostreamFree = []( std::ostream * o ) {
+ ( void ) o;
+ };
+ sign->setLog( std::shared_ptr<std::ostream>( &std::cout, ostreamFree ) );
checkCRLs( sign );
lastCRLCheck = current;
}
+ checkOCSP( sign );
+
std::shared_ptr<Job> job;
try {