cln: Simplified revoking code

[cassiopeia.git] / src / crypto / remoteSigner.cpp

diff --git a/src/crypto/remoteSigner.cpp b/src/crypto/remoteSigner.cpp
index 335c2ff3d52561c11cff13f401c70c05c3e07c1f..eaeede065c6e50c98bbb2eba9203f49d679732c1 100644 (file)
--- a/src/crypto/remoteSigner.cpp
+++ b/src/crypto/remoteSigner.cpp
@@ -70,7 +70,7 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
     std::shared_ptr<SignedCertificate> result = std::shared_ptr<SignedCertificate>( new SignedCertificate() );
     std::vector<char> buffer( 2048 * 4 );
 
-    for( int i = 0; i < 2; i++ ) {
+    for( int i = 0; i < 3; i++ ) {
         try {
             int length = conn->read( buffer.data(), buffer.size() );
 
@@ -92,6 +92,10 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
                 result->log = payload;
                 break;
 
+            case RecordHeader::SignerResult::SIGNING_CA:
+                result->ca_name = payload;
+                break;
+
             default:
                 std::cout << "Invalid Message" << std::endl;
                 break;
@@ -161,46 +165,65 @@ std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_p
     int length = conn->read( buffer.data(), buffer.size() );
 
     if( length <= 0 ) {
-        std::cout << "Error, no response data" << std::endl;
-        return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );
+        throw "Error, no response data";
     }
 
     payload = parseCommand( head, std::string( buffer.data(), length ), log );
 
     std::shared_ptr<CRL> crl( new CRL( ca->path + std::string( "/ca.crl" ) ) );
+    std::string date;
+
+    if( ( RecordHeader::SignerResult ) head.command != RecordHeader::SignerResult::REVOKED ) {
+        throw "Protocol violation";
+    }
+
+    const unsigned char* buffer2 = ( const unsigned char* ) payload.data();
+    const unsigned char* pos = buffer2;
+    ASN1_TIME* time = d2i_ASN1_TIME( NULL, &pos, payload.size() );
+    ASN1_TIME_free( time );
+    date = payload.substr( 0, pos - buffer2 );
+    std::string rest = payload.substr( pos - buffer2 );
+    crl->revoke( serial, date );
+    crl->setSignature( rest );
+    bool ok = crl->verify( ca );
+
+    if( ok ) {
+        ( *log ) << "CRL verificated successfully" << std::endl;
+        writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
+    } else {
+        ( *log ) << "CRL is broken" << std::endl;
+        send( conn, head, RecordHeader::SignerCommand::GET_FULL_CRL, ca->name );
+        length = conn->read( buffer.data(), buffer.size() );
+
+        if( length <= 0 ) {
+            throw "Error, no response data";
+        }
+
+        payload = parseCommand( head, std::string( buffer.data(), length ), log );
+
+        if( ( RecordHeader::SignerResult ) head.command != RecordHeader::SignerResult::FULL_CRL ) {
+            throw "Protocol violation";
+        }
 
-    switch( ( RecordHeader::SignerResult ) head.command ) {
-    case RecordHeader::SignerResult::REVOKED: {
-        const unsigned char* buffer = ( const unsigned char* ) payload.data();
-        const unsigned char* pos = buffer;
-        ASN1_UTCTIME* time = d2i_ASN1_UTCTIME( NULL, &pos, payload.size() );
-        ASN1_UTCTIME_free( time );
-        std::string rest = payload.substr( pos - buffer );
-        crl->revoke( serial, payload.substr( 0, pos - buffer ) );
-        crl->setSignature( rest );
-        bool ok = crl->verify( ca );
-
-        if( ok ) {
-            ( *log ) << "CRL verificated successfully" << std::endl;
+        writeFile( ca->path + std::string( "/ca.crl.bak" ), payload );
+        crl = std::shared_ptr<CRL>( new CRL( ca->path + std::string( "/ca.crl.bak" ) ) );
+
+        if( crl->verify( ca ) ) {
             writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
+            ( *log ) << "CRL is now valid" << std::endl;
         } else {
-            ( *log ) << "CRL is broken" << std::endl;
+            ( *log ) << "CRL is still broken... Please, help me" << std::endl;
         }
 
-        ( *log ) << "CRL: " << std::endl << crl->toString() << std::endl;
-        break;
-    }
-
-    default:
-        throw "Invalid response command.";
     }
 
+    ( *log ) << "CRL: " << std::endl << crl->toString() << std::endl;
 
     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
         std::cout << "SSL shutdown failed" << std::endl;
     }
 
-    return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );
+    return std::pair<std::shared_ptr<CRL>, std::string>( crl, date );
 }
 
 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {