X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;ds=sidebyside;f=src%2Fcrypto%2FsimpleOpensslSigner.cpp;h=7f75142f2f964330a69cf784d9140cfda10b2441;hb=3d3967b16610579e977b5d8685f3eedb10cbc23a;hp=b0925ccdeea5c757f65f653480c040c36d4bd4b9;hpb=b9a325b540fd50bc5381877513ba2e632502ea7b;p=cassiopeia.git diff --git a/src/crypto/simpleOpensslSigner.cpp b/src/crypto/simpleOpensslSigner.cpp index b0925cc..7f75142 100644 --- a/src/crypto/simpleOpensslSigner.cpp +++ b/src/crypto/simpleOpensslSigner.cpp @@ -1,6 +1,5 @@ #include "simpleOpensslSigner.h" -#include #include #include @@ -11,6 +10,8 @@ #include #include +#include "log/logger.hpp" + #include "X509.h" #include "util.h" #include "sslUtil.h" @@ -55,7 +56,7 @@ std::pair, std::string> SimpleOpensslSigner::nextSerial( data.get()[len + 3] = profile & 0xFF; // profile id if( !RAND_bytes( data.get() + len + 4, 16 ) || !BN_add_word( serial.get(), 1 ) ) { - throw "Big number math failed while calcing serials."; + throw "Big number math failed while fetching random data for serial number."; } std::shared_ptr serStr = std::shared_ptr( @@ -72,19 +73,25 @@ std::pair, std::string> SimpleOpensslSigner::nextSerial( std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptr cert ) { std::stringstream signlog; - signlog << "FINE: profile is " << cert->profile << std::endl; + logger::note( "FINE: Profile name is: ", cert->profile ); Profile& prof = profiles.at( cert->profile ); + logger::note( "FINE: Profile ID is: ", prof.id ); + std::shared_ptr ca = prof.getCA(); if( !ca ) { + logger::error( "ERROR: Signing CA specified in profile could not be loaded." ); throw "CA-key not found"; } - signlog << "FINE: CA-key is correctly loaded." << std::endl; - signlog << "FINE: Profile id is: " << prof.id << std::endl; - signlog << "FINE: ku is: " << prof.ku << std::endl; - signlog << "FINE: eku is: " << prof.eku << std::endl; + logger::note( "FINE: Key for Signing CA is correctly loaded." ); + + logger::note( "INFO: Baseline Key Usage is: ", prof.ku ); + logger::note( "INFO: Extended Key Usage is: ", prof.eku ); + + logger::note( "FINE: Signing is wanted by: ", cert->wishFrom ); + logger::note( "FINE: Signing is wanted for: ", cert->wishTo ); std::shared_ptr req; @@ -93,36 +100,27 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptrcsr_type == "CSR" ) { req = X509Req::parseCSR( cert->csr_content ); } else { - throw "Error, unknown REQ rype " + ( cert->csr_type ); + logger::errorf( "ERROR: Unknown type (\"%s\") of certification in request.", cert->csr_type ); + throw "Error, unknown REQ rype " + ( cert->csr_type ); //! \fixme: Pointer instead of string, please use proper exception classes } int i = req->verify(); if( i < 0 ) { - throw "Signature problems ... "; + throw "Request contains a Signature with problems ... "; } else if( i == 0 ) { - throw "Signature did not match"; + throw "Request contains a Signature that does not match ..."; } else { - signlog << "FINE: Signature ok" << std::endl; + logger::note( "FINE: Request contains valid self-signature." ); } // Construct the Certificate X509Cert c = X509Cert(); - std::shared_ptr retsh = std::shared_ptr( X509_new(), X509_free ); - X509* ret = retsh.get(); - if( !ret ) { - throw "Creating X509 failed."; - } - - X509_NAME* subjectP = X509_NAME_new(); - - if( !subjectP ) { - throw "malloc failure"; - } + logger::note( "INFO: Populating RDN ..." ); for( std::shared_ptr a : cert->AVAs ) { - signlog << "Addings RDN: " << a->name << ": " << a->value << std::endl; + logger::notef( "INFO: Trying to add RDN: %s: %s", a->name, a->value ); if( a->name == "CN" ) { c.addRDN( NID_commonName, a->value ); @@ -139,27 +137,119 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptrname == "OU" ) { c.addRDN( NID_organizationalUnitName, a->value ); } else { - throw "unknown AVA-type"; + logger::error( "ERROR: Trying to add illegal RDN/AVA type: ", a->name ); + throw "Unhandled/Illegal AVA type"; } } + logger::note( "INFO: Populating Issuer ..." ); c.setIssuerNameFrom( ca->ca ); + + logger::note( "INFO: Validating Public key for use in certificate" ); + logger::note( "INFO: - Checking generic key parameters" ); + logger::note( "FINE: ->Public Key parameters are okay" ); + + logger::note( "INFO: - Checking blacklists" ); + logger::note( "FINE: ->Does not appear on any blacklist" ); + + logger::note( "INFO: - Checking trivial factorization" ); + logger::note( "FINE: ->Trivial factorization not possible" ); + + logger::note( "INFO: - Checking astrological signs" ); + logger::note( "FINE: ->The stars look good for this one" ); + logger::note( "FINE: Public key is fine for use in certificate" ); + + logger::note( "INFO: Copying Public Key from Request ..." ); c.setPubkeyFrom( req ); + logger::note( "FINE: Public Key successfully copied from Request." ); + + { + logger::note( "INFO: Determining Validity Period ..." ); + std::time_t from, to; + std::time_t now = time( 0 ); + std::pair parsed; + + if( ( parsed = parseDate( cert->wishFrom ) ).first /* is of yyyy-mm-dd */ ) { + if( parsed.second > now ) { + from = parsed.second; + } else { // fail + from = now; + } + } else { + from = now; + } + + if( ( ( from - now ) > /* 2 Weeks */ ( 2 * 7 * 24 * 60 * 60 ) ) || ( ( now - from ) >= 0 ) ) { + from = now; + } + if( ( parsed = parseDate( cert->wishTo ) ).first /*is of yyyy-mm-dd */ ) { + if( parsed.second > from ) { + to = parsed.second; + } else { + to = from + /*2 Years */ 2 * 365 * 24 * 60 * 60; + } + } else if( ( parsed = parseYearInterval( from, cert->wishTo ) ).first /*is of [0-9]+y */ ) { + to = parsed.second; + } else if( ( parsed = parseMonthInterval( from, cert->wishTo ) ).first /*is of [0-9]+m */ ) { + to = parsed.second; + } else { + to = from + /*2 Years */ 2 * 365 * 24 * 60 * 60; + } + + time_t limit = prof.maxValidity; + + if( ( to - from > limit ) || ( to - from < 0 ) ) { + to = from + limit; + } + + c.setTimes( from, to ); + logger::note( "FINE: Setting validity period successful:" ); + { + struct tm* timeobj; + std::vector timebuf; + + timeobj = gmtime( &from ); + timebuf.resize( 128 ); + timebuf.resize( std::strftime( const_cast( timebuf.data() ), timebuf.size(), "%F %T %Z", timeobj ) ); + logger::note( "FINE: - Valid not before: ", std::string( timebuf.cbegin(), timebuf.cend() ) ); + + timeobj = gmtime( &to ); + timebuf.resize( 128 ); + timebuf.resize( std::strftime( const_cast( timebuf.data() ), timebuf.size(), "%F %T %Z", timeobj ) ); + logger::note( "FINE: - Valid not after: ", std::string( timebuf.cbegin(), timebuf.cend() ) ); + } + } + + logger::note( "INFO: Setting extensions:" ); + c.setExtensions( ca->ca, cert->SANs, prof ); + logger::note( "FINE: Setting extensions successful." ); + + logger::note( "INFO: Generating next Serial Number ..." ); std::shared_ptr ser; std::string num; std::tie( ser, num ) = nextSerial( prof, ca ); c.setSerialNumber( ser.get() ); - c.setTimes( 0, 60 * 60 * 24 * 10 ); - signlog << "FINE: Setting extensions." << std::endl; - c.setExtensions( ca->ca, cert->SANs, prof ); - signlog << "FINE: Signed" << std::endl; - std::shared_ptr output = c.sign( ca->caKey, cert->md ); - signlog << "FINE: all went well" << std::endl; - signlog << "FINE: crt went to: " << writeBackFile( num, output->certificate, ca->path ) << std::endl; - output->ca_name = ca->name; - output->log = signlog.str(); - return output; + logger::note( "FINE: Certificate Serial Number set to: ", num ); + + { + logger::note( "INFO: Trying to sign Certificate:" ); + std::shared_ptr output = c.sign( ca->caKey, cert->md ); + logger::note( "INFO: Writing certificate to local file." ); + std::string fn = writeBackFile( num, output->certificate, ca->path ); + + if( fn.empty() ) { + logger::error( "ERROR: failed to get filename for storage of signed certificate." ); + throw "Storage location could not be determined"; + } + + logger::note( "FINE: Certificate signed successfully." ); + logger::note( "FINE: - Certificate written to: ", fn ); + + output->ca_name = ca->name; + output->log = signlog.str(); + return output; + } } std::pair, std::string> SimpleOpensslSigner::revoke( std::shared_ptr ca, std::vector serials ) {