X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Fcrypto%2FremoteSigner.cpp;h=c06af91bc3a48700300c6cd89fdb774d1e1289cb;hb=25b4018f92fc3245ad91ff6c0d12fc5dacc3cadd;hp=a8907115dd89b475d222103e0357aa9f757e666b;hpb=e6410538775681e2ec88521f05e530b79e8cbe7b;p=cassiopeia.git

diff --git a/src/crypto/remoteSigner.cpp b/src/crypto/remoteSigner.cpp
index a890711..c06af91 100644
--- a/src/crypto/remoteSigner.cpp
+++ b/src/crypto/remoteSigner.cpp
@@ -44,11 +44,17 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
     }
 
     send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, cert->md );
-    send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
+
+    if( !cert->ocspCA.empty() ) {
+        send( conn, head, RecordHeader::SignerCommand::SET_OCSP_TARGET_CA, cert->ocspCA );
+    } else {
+        send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
+    }
+
     send( conn, head, RecordHeader::SignerCommand::SET_WISH_FROM, cert->wishFrom );
     send( conn, head, RecordHeader::SignerCommand::SET_WISH_TO, cert->wishTo );
 
-    for( auto &ava : cert->AVAs ) {
+    for( auto& ava : cert->AVAs ) {
         if( ava->name.find( "," ) != std::string::npos ) {
             // invalid ava
             return nullptr;
@@ -57,7 +63,7 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
         send( conn, head, RecordHeader::SignerCommand::ADD_AVA, ava->name + "," + ava->value );
     }
 
-    for( auto &san : cert->SANs ) {
+    for( auto& san : cert->SANs ) {
         if( san->type.find( "," ) != std::string::npos ) {
             // invalid ava
             return nullptr;
@@ -75,7 +81,7 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
             RecordHeader head;
             std::string payload = parseCommandChunked( head, conn );
 
-            switch( static_cast<RecordHeader::SignerResult>( head.command )) {
+            switch( static_cast<RecordHeader::SignerResult>( head.command ) ) {
             case RecordHeader::SignerResult::CERTIFICATE:
                 result->certificate = payload;
                 break;
@@ -92,40 +98,39 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
                 logger::error( "Invalid Message" );
                 break;
             }
-        } catch( const char* msg ) {
-            logger::error( msg );
+        } catch( const std::exception& msg ) {
+            logger::error( msg.what() );
             return std::shared_ptr<SignedCertificate>();
         }
     }
 
     if( result ) {
         std::shared_ptr<BIO> bios( BIO_new( BIO_s_mem() ), BIO_free );
-        const char* buf = result->certificate.data();
+        const char *buf = result->certificate.data();
         unsigned int len = result->certificate.size();
 
         while( len > 0 ) {
             int dlen = BIO_write( bios.get(), buf, len );
 
             if( dlen <= 0 ) {
-                throw "Memory error.";
+                throw std::runtime_error( "Memory error." );
             }
 
             len -= dlen;
             buf += dlen;
         }
 
-        std::shared_ptr<X509> pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ) );
+        std::shared_ptr<X509> pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ), X509_free );
 
         if( !pem ) {
-            throw "Pem was not readable";
+            throw std::runtime_error( "Pem was not readable" );
         }
 
-        std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( pem->cert_info->serialNumber, NULL ), BN_free );
-        std::shared_ptr<char> serStr(
-            BN_bn2hex( ser.get() ),
-            []( char* p ) {
-                OPENSSL_free( p );
-            } ); // OPENSSL_free is a macro...
+        std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( X509_get_serialNumber( pem.get() ), NULL ), BN_free );
+        auto freeMem = []( char *p ) {
+            OPENSSL_free( p );
+        }; // OPENSSL_free is a macro...
+        std::shared_ptr<char> serStr( BN_bn2hex( ser.get() ), freeMem );
 
         extractTimes( pem, result );
 
@@ -133,9 +138,11 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
     }
 
     logger::note( "Closing SSL connection" );
+
     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
         logger::warn( "SSL shutdown failed" );
     }
+
     logger::note( "SSL connection closed" );
 
     return result;
@@ -155,7 +162,7 @@ std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_p
     head.flags = 0;
     head.sessid = 13;
 
-    for( auto &serial : serials ) {
+    for( auto& serial : serials ) {
         send( conn, head, RecordHeader::SignerCommand::ADD_SERIAL, serial );
     }
 
@@ -169,17 +176,17 @@ std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_p
     std::string date;
 
     if( static_cast<RecordHeader::SignerResult>( head.command ) != RecordHeader::SignerResult::REVOKED ) {
-        throw "Protocol violation";
+        throw std::runtime_error( "Protocol violation" );
     }
 
-    const unsigned char* buffer2 = reinterpret_cast<const unsigned char*>( payload.data() );
-    const unsigned char* pos = buffer2;
-    ASN1_TIME* time = d2i_ASN1_TIME( NULL, &pos, payload.size() );
+    const unsigned char *buffer2 = reinterpret_cast<const unsigned char *>( payload.data() );
+    const unsigned char *pos = buffer2;
+    ASN1_TIME *time = d2i_ASN1_TIME( NULL, &pos, payload.size() );
     ASN1_TIME_free( time );
     date = payload.substr( 0, pos - buffer2 );
     std::string rest = payload.substr( pos - buffer2 );
 
-    for( std::string &serial : serials ) {
+    for( std::string& serial : serials ) {
         crl->revoke( serial, date );
     }
 
@@ -196,7 +203,7 @@ std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_p
         payload = parseCommandChunked( head, conn );
 
         if( static_cast<RecordHeader::SignerResult>( head.command ) != RecordHeader::SignerResult::FULL_CRL ) {
-            throw "Protocol violation";
+            throw std::runtime_error( "Protocol violation" );
         }
 
         std::string name_bak = ca->path + std::string( "/ca.crl.bak" );
@@ -204,9 +211,10 @@ std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_p
         crl = std::make_shared<CRL>( name_bak );
 
         if( crl->verify( ca ) ) {
-            if( rename( name_bak.c_str(), tgtName.c_str() ) != 0 ){
+            if( rename( name_bak.c_str(), tgtName.c_str() ) != 0 ) {
                 logger::warn( "Moving new CRL over old CRL failed" );
             }
+
             logger::note( "CRL is now valid again" );
         } else {
             logger::warn( "CRL is still broken... Please, help me" );
@@ -214,9 +222,11 @@ std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_p
     }
 
     logger::note( "Closing SSL connection" );
+
     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
         logger::warn( "SSL shutdown failed" );
     }
+
     logger::note( "SSL connection closed" );
 
     return { crl, date };