X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Fcrypto%2FremoteSigner.cpp;h=f4680d650933248c0bb9584f63cc8b892583b549;hb=2fc4b5f8d5400f6ebd284a0e6fbaad23a345b585;hp=335c2ff3d52561c11cff13f401c70c05c3e07c1f;hpb=82849da8a9e36be282c13537fb7e14ad1f021d40;p=cassiopeia.git

diff --git a/src/crypto/remoteSigner.cpp b/src/crypto/remoteSigner.cpp
index 335c2ff..f4680d6 100644
--- a/src/crypto/remoteSigner.cpp
+++ b/src/crypto/remoteSigner.cpp
@@ -1,4 +1,6 @@
 #include "remoteSigner.h"
+
+#include "log/logger.hpp"
 #include "util.h"
 
 #include <iostream>
@@ -6,20 +8,17 @@
 #include <openssl/ssl.h>
 #include <openssl/bn.h>
 
-RemoteSigner::RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx ) {
-    this->target = target;
-    this->ctx = ctx;
+RemoteSigner::RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx ) : target( target ), ctx( ctx ) {
 }
 
 RemoteSigner::~RemoteSigner() {
 }
 
 void RemoteSigner::send( std::shared_ptr<OpensslBIOWrapper> bio, RecordHeader& head, RecordHeader::SignerCommand cmd, std::string data ) {
-    head.command = ( uint16_t ) cmd;
+    head.command = static_cast<uint16_t>( cmd );
     head.command_count++;
     head.totalLength = data.size();
-    sendCommand( head, data, bio, log );
-
+    sendCommand( head, data, bio );
 }
 
 std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertificate> cert ) {
@@ -30,7 +29,7 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
     SSL_set_connect_state( ssl.get() );
     SSL_set_bio( ssl.get(), target.get(), target.get() );
     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
-    std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
+    auto conn = std::make_shared<OpensslBIOWrapper>( bio );
     RecordHeader head;
     head.flags = 0;
     head.sessid = 13;
@@ -40,26 +39,28 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
     } else if( cert->csr_type == "SPKAC" ) {
         send( conn, head, RecordHeader::SignerCommand::SET_SPKAC, cert->csr_content );
     } else {
-        std::cout << "Unknown csr_type: " << cert->csr_type;
-        return std::shared_ptr<SignedCertificate>();
+        logger::error( "Unknown csr_type: ", cert->csr_type );
+        return nullptr;
     }
 
     send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, cert->md );
     send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
+    send( conn, head, RecordHeader::SignerCommand::SET_WISH_FROM, cert->wishFrom );
+    send( conn, head, RecordHeader::SignerCommand::SET_WISH_TO, cert->wishTo );
 
-    for( auto ava : cert->AVAs ) {
+    for( auto &ava : cert->AVAs ) {
         if( ava->name.find( "," ) != std::string::npos ) {
             // invalid ava
-            return std::shared_ptr<SignedCertificate>();
+            return nullptr;
         }
 
         send( conn, head, RecordHeader::SignerCommand::ADD_AVA, ava->name + "," + ava->value );
     }
 
-    for( auto san : cert->SANs ) {
+    for( auto &san : cert->SANs ) {
         if( san->type.find( "," ) != std::string::npos ) {
             // invalid ava
-            return std::shared_ptr<SignedCertificate>();
+            return nullptr;
         }
 
         send( conn, head, RecordHeader::SignerCommand::ADD_SAN, san->type + "," + san->content );
@@ -67,23 +68,14 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
 
     send( conn, head, RecordHeader::SignerCommand::SIGN, "" );
     send( conn, head, RecordHeader::SignerCommand::LOG_SAVED, "" );
-    std::shared_ptr<SignedCertificate> result = std::shared_ptr<SignedCertificate>( new SignedCertificate() );
-    std::vector<char> buffer( 2048 * 4 );
+    auto result = std::make_shared<SignedCertificate>();
 
-    for( int i = 0; i < 2; i++ ) {
+    for( int i = 0; i < 3; i++ ) {
         try {
-            int length = conn->read( buffer.data(), buffer.size() );
-
-            if( length <= 0 ) {
-                std::cout << "Error, no response data" << std::endl;
-                result = std::shared_ptr<SignedCertificate>();
-                break;
-            }
-
             RecordHeader head;
-            std::string payload = parseCommand( head, std::string( buffer.data(), length ), log );
+            std::string payload = parseCommand( head, conn->readLine() );
 
-            switch( ( RecordHeader::SignerResult ) head.command ) {
+            switch( static_cast<RecordHeader::SignerResult>( head.command )) {
             case RecordHeader::SignerResult::CERTIFICATE:
                 result->certificate = payload;
                 break;
@@ -92,12 +84,16 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
                 result->log = payload;
                 break;
 
+            case RecordHeader::SignerResult::SIGNING_CA:
+                result->ca_name = payload;
+                break;
+
             default:
-                std::cout << "Invalid Message" << std::endl;
+                logger::error( "Invalid Message" );
                 break;
             }
         } catch( const char* msg ) {
-            std::cout << msg << std::endl;
+            logger::error( msg );
             return std::shared_ptr<SignedCertificate>();
         }
     }
@@ -130,17 +126,22 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
             []( char* p ) {
                 OPENSSL_free( p );
             } ); // OPENSSL_free is a macro...
+
+        extractTimes( pem, result );
+
         result->serial = std::string( serStr.get() );
     }
 
+    logger::note( "Closing SSL connection" );
     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
-        std::cout << "SSL shutdown failed" << std::endl;
+        logger::warn( "SSL shutdown failed" );
     }
+    logger::note( "SSL connection closed" );
 
     return result;
 }
 
-std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
+std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serials ) {
     ( void )BIO_reset( target.get() );
 
     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
@@ -148,59 +149,75 @@ std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_p
     SSL_set_connect_state( ssl.get() );
     SSL_set_bio( ssl.get(), target.get(), target.get() );
     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
-    std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
+    auto conn = std::make_shared<OpensslBIOWrapper>( bio );
 
     RecordHeader head;
     head.flags = 0;
     head.sessid = 13;
 
-    std::string payload = ca->name + std::string( "\0", 1 ) + serial;
+    for( auto &serial : serials ) {
+        send( conn, head, RecordHeader::SignerCommand::ADD_SERIAL, serial );
+    }
+
+    std::string payload = ca->name;
     send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
 
-    std::vector<char> buffer( 2048 * 4 );
-    int length = conn->read( buffer.data(), buffer.size() );
+    payload = parseCommand( head, conn->readLine() );
+
+    auto crl = std::make_shared<CRL>( ca->path + std::string( "/ca.crl" ) );
+    std::string date;
 
-    if( length <= 0 ) {
-        std::cout << "Error, no response data" << std::endl;
-        return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );
+    if( static_cast<RecordHeader::SignerResult>( head.command ) != RecordHeader::SignerResult::REVOKED ) {
+        throw "Protocol violation";
     }
 
-    payload = parseCommand( head, std::string( buffer.data(), length ), log );
+    const unsigned char* buffer2 = reinterpret_cast<const unsigned char*>( payload.data() );
+    const unsigned char* pos = buffer2;
+    ASN1_TIME* time = d2i_ASN1_TIME( NULL, &pos, payload.size() );
+    ASN1_TIME_free( time );
+    date = payload.substr( 0, pos - buffer2 );
+    std::string rest = payload.substr( pos - buffer2 );
 
-    std::shared_ptr<CRL> crl( new CRL( ca->path + std::string( "/ca.crl" ) ) );
+    for( std::string &serial : serials ) {
+        crl->revoke( serial, date );
+    }
 
-    switch( ( RecordHeader::SignerResult ) head.command ) {
-    case RecordHeader::SignerResult::REVOKED: {
-        const unsigned char* buffer = ( const unsigned char* ) payload.data();
-        const unsigned char* pos = buffer;
-        ASN1_UTCTIME* time = d2i_ASN1_UTCTIME( NULL, &pos, payload.size() );
-        ASN1_UTCTIME_free( time );
-        std::string rest = payload.substr( pos - buffer );
-        crl->revoke( serial, payload.substr( 0, pos - buffer ) );
-        crl->setSignature( rest );
-        bool ok = crl->verify( ca );
+    crl->setSignature( rest );
+    bool ok = crl->verify( ca );
 
-        if( ok ) {
-            ( *log ) << "CRL verificated successfully" << std::endl;
-            writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
-        } else {
-            ( *log ) << "CRL is broken" << std::endl;
+    if( ok ) {
+        logger::note( "CRL verificated successfully" );
+        writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
+    } else {
+        logger::warn( "CRL is broken, trying to recover" );
+        send( conn, head, RecordHeader::SignerCommand::GET_FULL_CRL, ca->name );
+
+        payload = parseCommand( head, conn->readLine() );
+
+        if( static_cast<RecordHeader::SignerResult>( head.command ) != RecordHeader::SignerResult::FULL_CRL ) {
+            throw "Protocol violation";
         }
 
-        ( *log ) << "CRL: " << std::endl << crl->toString() << std::endl;
-        break;
-    }
+        writeFile( ca->path + std::string( "/ca.crl.bak" ), payload );
+        crl = std::make_shared<CRL>( ca->path + std::string( "/ca.crl.bak" ) );
 
-    default:
-        throw "Invalid response command.";
+        if( crl->verify( ca ) ) {
+            writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
+            logger::note( "CRL is now valid again" );
+        } else {
+            logger::warn( "CRL is still broken... Please, help me" );
+        }
     }
 
+    logger::debug( "CRL:\n", crl->toString() );
 
+    logger::note( "Closing SSL connection" );
     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
-        std::cout << "SSL shutdown failed" << std::endl;
+        logger::warn( "SSL shutdown failed" );
     }
+    logger::note( "SSL connection closed" );
 
-    return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );
+    return { crl, date };
 }
 
 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {