X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Fcrypto%2FsimpleOpensslSigner.cpp;h=f7042a29fccee7cbbdc731e5cf16e7d04469b4cd;hb=0141e5a371a97b0cb409d168ea8401bcb4f30923;hp=cd02a969d6553c2441f8889a55f645af089b7606;hpb=9e866a1a2facc8cb1565cd660c6b6d482f18ecb1;p=cassiopeia.git diff --git a/src/crypto/simpleOpensslSigner.cpp b/src/crypto/simpleOpensslSigner.cpp index cd02a96..f7042a2 100644 --- a/src/crypto/simpleOpensslSigner.cpp +++ b/src/crypto/simpleOpensslSigner.cpp @@ -1,6 +1,5 @@ #include "simpleOpensslSigner.h" -#include #include #include @@ -25,9 +24,9 @@ SimpleOpensslSigner::SimpleOpensslSigner() { SimpleOpensslSigner::~SimpleOpensslSigner() { } -std::pair, std::string> SimpleOpensslSigner::nextSerial( Profile& prof ) { +std::pair, std::string> SimpleOpensslSigner::nextSerial( Profile& prof, std::shared_ptr ca ) { uint16_t profile = prof.id; - std::string res = readFile( prof.ca->path + "/serial" ); + std::string res = readFile( ca->path + "/serial" ); BIGNUM* bn = 0; @@ -38,7 +37,7 @@ std::pair, std::string> SimpleOpensslSigner::nextSerial( throw "Initing serial failed"; } } else { - if( !BN_hex2bn( &bn, res.c_str() + 1 ) ) { + if( !BN_hex2bn( &bn, res.c_str() ) ) { throw "Parsing serial failed."; } } @@ -63,7 +62,8 @@ std::pair, std::string> SimpleOpensslSigner::nextSerial( []( char* ref ) { OPENSSL_free( ref ); } ); - writeFile( prof.ca->path + "/serial", serStr.get() ); + + writeFile( ca->path + "/serial", serStr.get() ); return std::pair, std::string>( std::shared_ptr( BN_bin2bn( data.get(), len + 4 + 16 , 0 ), BN_free ), std::string( serStr.get() ) ); } @@ -74,8 +74,9 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptrprofile << std::endl; Profile& prof = profiles.at( cert->profile ); + std::shared_ptr ca = prof.getCA(); - if( !prof.ca ) { + if( !ca ) { throw "CA-key not found"; } @@ -83,6 +84,8 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptrwishFrom << std::endl; + signlog << "FINE: Signing is wanted to: " << cert->wishTo << std::endl; std::shared_ptr req; @@ -106,12 +109,6 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptr retsh = std::shared_ptr( X509_new(), X509_free ); - X509* ret = retsh.get(); - - if( !ret ) { - throw "Creating X509 failed."; - } X509_NAME* subjectP = X509_NAME_new(); @@ -141,85 +138,81 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptrca ); + c.setIssuerNameFrom( ca->ca ); c.setPubkeyFrom( req ); std::shared_ptr ser; std::string num; - std::tie( ser, num ) = nextSerial( prof ); + std::tie( ser, num ) = nextSerial( prof, ca ); c.setSerialNumber( ser.get() ); - c.setTimes( 0, 60 * 60 * 24 * 10 ); - signlog << "FINE: Setting extensions." << std::endl; - c.setExtensions( prof.ca->ca, cert->SANs, prof ); - signlog << "FINE: Signed" << std::endl; - std::shared_ptr output = c.sign( prof.ca->caKey, cert->md ); - signlog << "FINE: all went well" << std::endl; - signlog << "FINE: crt went to: " << writeBackFile( num, output->certificate, prof.ca->path ) << std::endl; - output->log = signlog.str(); - return output; -} + std::time_t from, to; + std::time_t now = time( 0 ); + std::pair parsed; -std::shared_ptr SimpleOpensslSigner::revoke( std::shared_ptr ca, std::string serial ) { - std::string crlpath = ca->path + "/ca.crl"; - - std::shared_ptr bio( BIO_new_file( crlpath.c_str(), "r" ), free ); - std::shared_ptr crl( PEM_read_bio_X509_CRL( bio.get(), 0, NULL, 0 ), X509_CRL_free ); - std::cout << "Starting revocation" << std::endl; - - if( !crl ) { - std::cout << "CRL was not loaded" << std::endl; - crl = std::shared_ptr( X509_CRL_new(), X509_CRL_free ); + if( ( parsed = parseDate( cert->wishFrom ) ).first /* is of yyyy-mm-dd */ ) { + if( parsed.second > now ) { + from = parsed.second; + } else { // fail + from = now; + } + } else { + from = now; } - BIGNUM* serBN = 0; - - if( ! BN_hex2bn( &serBN, serial.c_str() ) ) { - //error + if( from - now > /* 2 Weeks */ 2 * 7 * 24 * 60 * 60 || now - from >= 0 ) { + from = now; } - std::shared_ptr serBNP( serBN, BN_free ); - std::shared_ptr ser( BN_to_ASN1_INTEGER( serBN, NULL ), ASN1_INTEGER_free ); - - if( !ser ) { - // error - } - - std::shared_ptr tmptm( ASN1_TIME_new(), ASN1_TIME_free ); - - if( !tmptm ) { - // error + if( ( parsed = parseDate( cert->wishTo ) ).first /*is of yyyy-mm-dd */ ) { + if( parsed.second > from ) { + to = parsed.second; + } else { + to = from + /*2 Years */ 2 * 365 * 24 * 60 * 60; + } + } else if( ( parsed = parseYearInterval( from, cert->wishTo ) ).first /*is of [0-9]+y */ ) { + to = parsed.second; + } else if( ( parsed = parseMonthInterval( from, cert->wishTo ) ).first /*is of [0-9]+m */ ) { + to = parsed.second; + } else { + to = from + /*2 Years */ 2 * 365 * 24 * 60 * 60; } - X509_gmtime_adj( tmptm.get(), 0 ); - - X509_REVOKED* rev = X509_REVOKED_new(); - X509_REVOKED_set_serialNumber( rev, ser.get() ); - X509_REVOKED_set_revocationDate( rev, tmptm.get() ); + time_t limit = prof.maxValidity; - X509_CRL_add0_revoked( crl.get(), rev ); - - if( !X509_CRL_set_issuer_name( crl.get(), X509_get_subject_name( ca->ca.get() ) ) ) { - // error + if( to - from > limit || to - from < 0 ) { + to = from + limit; } - X509_CRL_set_lastUpdate( crl.get(), tmptm.get() ); - - if( !X509_time_adj_ex( tmptm.get(), 1, 10, NULL ) ) { - // error + c.setTimes( from, to ); + signlog << "FINE: Setting extensions." << std::endl; + c.setExtensions( ca->ca, cert->SANs, prof ); + signlog << "FINE: Signed" << std::endl; + std::shared_ptr output = c.sign( ca->caKey, cert->md ); + signlog << "FINE: all went well" << std::endl; + std::string fn = writeBackFile( num, output->certificate, ca->path ); + if( fn.empty() ) { + signlog << "ERROR: failed to get filename for storage of signed certificate." << std::endl; + throw "Storage location could not be determined"; } - X509_CRL_set_nextUpdate( crl.get(), tmptm.get() ); + signlog << "FINE: crt went to: " << fn << std::endl; + output->ca_name = ca->name; + output->log = signlog.str(); + return output; +} +std::pair, std::string> SimpleOpensslSigner::revoke( std::shared_ptr ca, std::vector serials ) { + std::string crlpath = ca->path + "/ca.crl"; - std::cout << "Signing" << std::endl; - X509_CRL_sort( crl.get() ); - X509_CRL_sign( crl.get(), ca->caKey.get(), EVP_sha256() ); + std::shared_ptr crl( new CRL( crlpath ) ); + std::string date = ""; - std::cout << "writing bio" << std::endl; - std::shared_ptr bioOut( BIO_new_file( crlpath.c_str(), "w" ), BIO_free ); - PEM_write_bio_X509_CRL( bioOut.get(), crl.get() ); - std::cout << "finished crl" << std::endl; + for( std::string serial : serials ) { + date = crl->revoke( serial, "" ); + } - return crl; + crl->sign( ca ); + writeFile( crlpath, crl->toString() ); + return std::pair, std::string>( crl, date ); }