X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Fapps%2Fclient.cpp;h=80422b3bc0e13046ee40dee913a5e7f3648b7aa3;hb=HEAD;hp=9423cb85a0d87b580047e744e35ef6fee65b8777;hpb=4dcc14eba3c118e286b9e3fec1221c34ab674f13;p=cassiopeia.git diff --git a/src/apps/client.cpp b/src/apps/client.cpp index 9423cb8..80422b3 100644 --- a/src/apps/client.cpp +++ b/src/apps/client.cpp @@ -7,14 +7,18 @@ #include #include "db/database.h" -#include "db/mysql.h" +#include "db/psql.h" #include "crypto/simpleOpensslSigner.h" #include "crypto/remoteSigner.h" #include "crypto/sslUtil.h" +#include "log/logger.hpp" #include "util.h" #include "io/bios.h" #include "io/slipBio.h" #include "config.h" +#include +#include +#include #ifdef NO_DAEMON #define DAEMON false @@ -27,140 +31,271 @@ extern std::string sqlHost, sqlUser, sqlPass, sqlDB; extern std::string serialPath; extern std::unordered_map> CAs; -int main( int argc, const char* argv[] ) { - ( void ) argc; - ( void ) argv; +void checkCRLs( std::shared_ptr sign ) { + + logger::note( "Signing CRLs" ); + + for( auto& x : CAs ) { + if( !x.second->crlNeedsResign() ) { + continue; + } + + logger::notef( "Resigning CRL: %s ...", x.second->name ); + + try { + std::vector serials; + std::pair, std::string> rev = sign->revoke( x.second, serials ); + } catch( const std::exception& e ) { + logger::error( "Exception: ", e.what() ); + } + } +} + +bool pathExists( const std::string& name ) { + struct stat buffer; + return stat( name.c_str(), &buffer ) == 0; +} + +void signOCSP( std::shared_ptr sign, std::string profileName, std::string req, std::string crtName, std::string failName ) { + auto cert = std::make_shared(); + cert->ocspCA = profileName; + cert->wishFrom = "now"; + cert->wishTo = "1y"; + cert->md = "sha512"; + + logger::note( "INFO: Message Digest: ", cert->md ); + + cert->csr_content = req; + cert->csr_type = "CSR"; + auto nAVA = std::make_shared(); + nAVA->name = "CN"; + nAVA->value = "OCSP Responder"; + cert->AVAs.push_back( nAVA ); + + std::shared_ptr res = sign->sign( cert ); + + if( !res ) { + writeFile( failName, "failed" ); + logger::error( "OCSP Cert signing failed." ); + return; + } + + writeFile( crtName, res->certificate ); + logger::notef( "Cert log: %s", res->log ); +} + +void checkOCSP( std::shared_ptr sign ) { + std::unique_ptr> dp( opendir( "ca" ), []( DIR * d ) { + closedir( d ); + } ); + + // When opendir fails and returns 0 the unique_ptr will be considered unintialized and will not call closedir. + // Even if closedir would be called, according to POSIX it MAY handle nullptr properly (for glibc it does). + if( !dp ) { + logger::error( "CA directory not found" ); + return; + } + + struct dirent *ep; + + while( ( ep = readdir( dp.get() ) ) ) { + if( ep->d_name[0] == '.' ) { + continue; + } + + std::string profileName( ep->d_name ); + std::string csr = "ca/" + profileName + "/ocsp.csr"; + + if( ! pathExists( csr ) ) { + continue; + } + + std::string crtName = "ca/" + profileName + "/ocsp.crt"; + + if( pathExists( crtName ) ) { + continue; + } + + std::string failName = "ca/" + profileName + "/ocsp.fail"; + + if( pathExists( failName ) ) { + continue; + } + + logger::notef( "Discovered OCSP CSR that needs action: %s", csr ); + std::string req = readFile( csr ); + std::shared_ptr parsed = X509Req::parseCSR( req ); + + if( parsed->verify() <= 0 ) { + logger::errorf( "Invalid CSR for %s", profileName ); + continue; + } + + signOCSP( sign, profileName, req, crtName, failName ); + } +} + + +int main( int argc, const char *argv[] ) { bool once = false; + bool resetOnly = false; - if( argc == 2 && std::string( "--once" ) == std::string( argv[1] ) ) { + if( argc == 2 && std::string( "--once" ) == argv[1] ) { once = true; } + if( argc == 2 && std::string( "--reset" ) == argv[1] ) { + resetOnly = true; + } + std::string path; #ifdef NDEBUG - path = "/etc/cacert/cassiopeia/cassiopeia.conf"; + path = "/etc/wpia/cassiopeia/cassiopeia.conf"; #else path = "config.txt"; #endif if( parseConfig( path ) != 0 ) { + logger::fatal( "Error: Could not parse the configuration file." ); return -1; } if( serialPath == "" ) { - std::cout << "Error: no serial device is given" << std::endl; + logger::fatal( "Error: no serial device is given!" ); return -1; } - std::shared_ptr jp( new MySQLJobProvider( sqlHost, sqlUser, sqlPass, sqlDB ) ); + std::shared_ptr jp = std::make_shared( sqlHost, sqlUser, sqlPass, sqlDB ); std::shared_ptr b = openSerial( serialPath ); - std::shared_ptr slip1( BIO_new( toBio() ), BIO_free ); - ( ( SlipBIO* )slip1->ptr )->setTarget( std::shared_ptr( new OpensslBIOWrapper( b ) ) ); - std::shared_ptr sign( new RemoteSigner( slip1, generateSSLContext( false ) ) ); + std::shared_ptr m( toBio(), BIO_meth_free ); + std::shared_ptr slip1( BIO_new( m.get() ), BIO_free ); + static_cast( slip1->ptr )->setTarget( std::make_shared( b ), false ); + auto sign = std::make_shared( slip1, generateSSLContext( false ) ); // std::shared_ptr sign( new SimpleOpensslSigner() ); + if( resetOnly ) { + std::cout << "Doing BIO reset" << std::endl; + int result = BIO_reset( slip1.get() ); + std::cout << "Did BIO reset, result " << result << ", exiting." << std::endl; + return result; + } + + time_t lastCRLCheck = 0; + while( true ) { - std::shared_ptr job = jp->fetchJob(); + try { + time_t current; + time( ¤t ); - if( !job ) { - std::cout << "Nothing to work on" << std::endl; - sleep( 5 ); - continue; - } + if( lastCRLCheck + 30 * 60 < current ) { + // todo set good log TODO FIXME + auto ostreamFree = []( std::ostream * o ) { + ( void ) o; + }; + sign->setLog( std::shared_ptr( &std::cout, ostreamFree ) ); + checkCRLs( sign ); + lastCRLCheck = current; + } + + checkOCSP( sign ); + + std::shared_ptr job; - std::ofstream* logP = new std::ofstream( std::string( "logs/" ) + job->id + std::string( "_" ) + job->warning + std::string( ".log" ) ); - std::shared_ptr logPtr( - logP, - []( std::ofstream * ptr ) { - ( *ptr ).close(); - delete ptr; - } ); - std::ofstream& log = *logP; - - sign->setLog( logPtr ); - log << "TASK ID: " << job->id << std::endl; - log << "TRY: " << job->warning << std::endl; - log << "TARGET: " << job->target << std::endl; - log << "TASK: " << job->task << std::endl << std::endl; - - if( job->task == "sign" ) { try { - std::shared_ptr cert = jp->fetchTBSCert( job ); - log << "INFO: message digest: " << cert->md << std::endl; - log << "INFO: profile id: " << cert->profile << std::endl; + job = jp->fetchJob(); + } catch( std::exception& e ) { + logger::errorf( "Exception while fetchJob: %s", e.what() ); + } - for( auto& SAN : cert->SANs ) { - log << "INFO: SAN " << SAN->type << ": " << SAN->content; - } + if( !job ) { + sleep( 5 ); + continue; + } - for( auto& AVA : cert->AVAs ) { - log << "INFO: AVA " << AVA->name << ": " << AVA->value; - } + logger::logger_set log_set( {logger::log_target( job->log, logger::level::debug )}, logger::auto_register::on ); - if( !cert ) { - std::cout << "wasn't able to load CSR" << std::endl; - jp->failJob( job ); - continue; - } + logger::note( "TASK ID: ", job->id ); + logger::note( "TRY: ", job->attempt ); + logger::note( "TARGET: ", job->target ); + logger::note( "TASK: ", job->task ); + + if( job->task == "sign" ) { + try { + std::shared_ptr cert = jp->fetchTBSCert( job ); + + if( !cert ) { + logger::error( "Unable to load CSR" ); + jp->failJob( job ); + continue; + } + + cert->wishFrom = job->from; + cert->wishTo = job->to; + logger::note( "INFO: Message Digest: ", cert->md ); + logger::note( "INFO: Profile ID: ", cert->profile ); + + for( auto& SAN : cert->SANs ) { + logger::notef( "INFO: SAN %s: %s", SAN->type, SAN->content ); + } + + for( auto& AVA : cert->AVAs ) { + logger::notef( "INFO: AVA %s: %s", AVA->name, AVA->value ); + } - log << "FINE: Found the CSR at '" << cert->csr << "'" << std::endl; - cert->csr_content = readFile( keyDir + "/../" + cert->csr ); - log << "FINE: CSR is " << std::endl << cert->csr_content << std::endl; + logger::note( "FINE: CSR content:\n", cert->csr_content ); - std::shared_ptr res = sign->sign( cert ); + std::shared_ptr res = sign->sign( cert ); - if( !res ) { - log << "ERROR: The signer failed. There was no certificate." << std::endl; + if( !res ) { + logger::error( "ERROR: The signer failed. No certificate was returned." ); + jp->failJob( job ); + continue; + } + + logger::note( "FINE: CERTIFICATE LOG:\n", res->log, + "FINE: CERTIFICATE:\n", res->certificate ); + + jp->writeBack( job, res ); //! \FIXME: Check return value + logger::note( "FINE: signing done." ); + + if( DAEMON ) { + jp->finishJob( job ); + } + } catch( std::exception& c ) { jp->failJob( job ); - continue; + logger::error( "ERROR: ", c.what() ); } + } else if( job->task == "revoke" ) { + try { + logger::note( "revoking" ); + auto data = jp->getRevocationInfo( job ); + std::vector serials; + serials.push_back( data.first ); + logger::note( "revoking" ); + std::pair, std::string> rev = sign->revoke( CAs.at( data.second ), serials ); + std::string date = rev.second; + const unsigned char *pos = ( const unsigned char * ) date.data(); + std::shared_ptr time( d2i_ASN1_TIME( NULL, &pos, date.size() ), ASN1_TIME_free ); - log << "FINE: CERTIFICATE LOG: " << res->log << std::endl; - log << "FINE: CERTIFICATE:" << std::endl << res->certificate << std::endl; - std::string fn = writeBackFile( job->target.c_str(), res->certificate, keyDir ); - res->crt_name = fn; - jp->writeBack( job, res ); - log << "FINE: signing done." << std::endl; - - if( DAEMON ) { + jp->writeBackRevocation( job, timeToString( time ) ); jp->finishJob( job ); + continue; + } catch( const std::exception& c ) { + jp->failJob( job ); + logger::error( "Exception: ", c.what() ); } - - continue; - } catch( const char* c ) { - log << "ERROR: " << c << std::endl; - } catch( std::string c ) { - log << "ERROR: " << c << std::endl; - } - - try { + } else { + logger::errorf( "Unknown job type (\"%s\")", job->task ); jp->failJob( job ); - } catch( const char* c ) { - log << "ERROR: " << c << std::endl; - } catch( std::string c ) { - log << "ERROR: " << c << std::endl; } - } else if( job->task == "revoke" ) { - try { - auto data = jp->getRevocationInfo( job ); - std::pair, std::string> rev = sign->revoke( CAs.at( data.second ), data.first ); - std::string date = rev.second; - const unsigned char* pos = ( const unsigned char* ) date.data(); - std::shared_ptr time( d2i_ASN1_TIME( NULL, &pos, date.size() ), ASN1_TIME_free ); - - jp->writeBackRevocation( job, timeToString( time ) ); - jp->finishJob( job ); - } catch( const char* c ) { - std::cout << "Exception: " << c << std::endl; + + if( !DAEMON || once ) { + return 0; } - } else { - log << "Unknown job type" << job->task << std::endl; - jp->failJob( job ); + } catch( std::exception& e ) { + logger::errorf( "std::exception in mainloop: %s", e.what() ); } - if( !DAEMON || once ) { - return 0; - } } }