X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Fcrypto%2FsimpleOpensslSigner.cpp;h=fa51a9e1ccd85c5c086a323b439c9779d9ea3338;hb=160ba9d844500d1e553a0dab21a4a2a7fabc60d5;hp=f4da68216541ef630df600615698705054f5d1ea;hpb=b256cf9c220e536efa2ad4bf62936336d5703a6b;p=cassiopeia.git diff --git a/src/crypto/simpleOpensslSigner.cpp b/src/crypto/simpleOpensslSigner.cpp index f4da682..fa51a9e 100644 --- a/src/crypto/simpleOpensslSigner.cpp +++ b/src/crypto/simpleOpensslSigner.cpp @@ -10,6 +10,8 @@ #include #include +#include "log/logger.hpp" + #include "X509.h" #include "util.h" #include "sslUtil.h" @@ -33,7 +35,7 @@ std::pair, std::string> SimpleOpensslSigner::nextSerial( if( res == "" ) { bn = BN_new(); - if( !bn ) { + if( !bn || !BN_hex2bn( &bn, "1" )) { throw "Initing serial failed"; } } else { 
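Review bot: When `BN_hex2bn( &bn, "1" )` fails after `BN_new()` has succeeded, the throw on the following line leaves the freshly allocated BIGNUM unreleased, because nothing frees `bn` before the exception propagates. Splitting the test keeps the error path leak-free: `if( !bn ) { throw "Initing serial failed"; }` followed by `if( !BN_hex2bn( &bn, "1" ) ) { BN_free( bn ); throw "Initing serial failed"; }`. The `!` test itself is right, since BN_hex2bn returns the number of hex digits consumed and 0 on failure. This assumes `bn` is still a raw BIGNUM* at this point; its declaration, and the rest of nextSerial's body, lie outside the hunk.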
@@ -70,26 +72,27 @@ std::pair, std::string> SimpleOpensslSigner::nextSerial( std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptr cert ) { std::stringstream signlog; + logger::logger_set log_set_sign({logger::log_target(signlog, logger::level::debug)}, logger::auto_register::on); - signlog << "FINE: profile is " << cert->profile << std::endl; + logger::note( "FINE: Profile name is: ", cert->profile ); Profile& prof = profiles.at( cert->profile ); - signlog << "FINE: Profile id is: " << prof.id << std::endl; + logger::note( "FINE: Profile ID is: ", prof.id ); std::shared_ptr ca = prof.getCA(); if( !ca ) { - signlog << "ERROR: Signing CA specified in profile could not be loaded." << std::endl; + logger::error( "ERROR: Signing CA specified in profile could not be loaded." ); throw "CA-key not found"; } - signlog << "FINE: Key for Signing CA is correctly loaded." << std::endl; + logger::note( "FINE: Key for Signing CA is correctly loaded." ); - signlog << "INFO: Baseline Key Usage is: " << prof.ku << std::endl; - signlog << "INFO: Extended Key Usage is: " << prof.eku << std::endl; + logger::note( "INFO: Baseline Key Usage is: ", prof.ku ); + logger::note( "INFO: Extended Key Usage is: ", prof.eku ); - signlog << "FINE: Signing is wanted by: " << cert->wishFrom << std::endl; - signlog << "FINE: Signing is wanted for: " << cert->wishTo << std::endl; + logger::note( "FINE: Signing is wanted by: ", cert->wishFrom ); + logger::note( "FINE: Signing is wanted for: ", cert->wishTo ); std::shared_ptr req; 
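Review bot: `log_set_sign` is built from a `log_target` over `signlog` and, with `auto_register::on`, keeps that stream registered as a sink for the rest of the function, so its position directly after `std::stringstream signlog;` is load-bearing: the set must be destroyed before the stream it writes to. A comment such as `// must follow signlog: the target references it and has to be unregistered before the stream dies` would keep a later reorder from dangling the target. Whether auto-registration is process-wide or per-thread is not visible here; if it is process-wide, concurrent sign() calls would interleave their entries into each other's `signlog`, which matters because `signlog.str()` is stored as the certificate's log further down. As a point of style, every message still carries its old `FINE:`/`INFO:`/`ERROR:` prefix even though the logger now distinguishes `note` from `error`, so each line is level-tagged twice. The function continues past the end of the hunk.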
@@ -98,8 +101,8 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptrcsr_type == "CSR" ) { req = X509Req::parseCSR( cert->csr_content ); } else { - signlog << "ERROR: Unknown type of certification in request: " << cert->csr_type << std::endl; - throw "Error, unknown REQ rype " + ( cert->csr_type ); + logger::errorf( "ERROR: Unknown type (\"%s\") of certification in request.", cert->csr_type ); + throw "Error, unknown REQ rype " + ( cert->csr_type ); //! \fixme: Pointer instead of string, please use proper exception classes } int i = req->verify(); @@ -109,16 +112,20 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptr a : cert->AVAs ) { - signlog << "INFO: Trying to add RDN: " << a->name << ": " << a->value << std::endl; + logger::note( "INFO: Populating RDN ..." ); + for( std::shared_ptr a : cert->AVAs ) { + logger::notef( "INFO: Trying to add RDN: %s: %s", a->name, a->value ); + if( a-> value == "") { + logger::notef( "INFO: Removing empty RDN: %s", a->name); + continue; + } if( a->name == "CN" ) { c.addRDN( NID_commonName, a->value ); } else if( a->name == "EMAIL" ) { 
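Review bot: `logger::errorf( "ERROR: Unknown type (\"%s\") ...", cert->csr_type )` passes what is presumably a `std::string` to a `%s` conversion, which is only valid if `errorf` is a type-aware formatter rather than a thin wrapper over a C varargs printf, where a non-trivial class argument is undefined behaviour; the `logger::notef` calls in the RDN hunk below have the same dependency. If the formatter is printf-based, `cert->csr_type.c_str()` is required. Since the value is copied straight from the request, the logger should also be confirmed to neutralise embedded newlines, otherwise a request-supplied type name can forge additional lines in the per-certificate log. The "rype" typo in the thrown string on the next line is pre-existing and already covered by the fixme; the function continues outside the hunk.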
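Review bot: The new `if( a-> value == "")` skip only catches a fully empty string, so a whitespace-only value still reaches `addRDN`, and the note it emits says "Removing" although nothing is removed from `cert->AVAs`; `if( a->value.empty() ) {` with `"INFO: Skipping empty RDN: %s"` states what actually happens and tidies the spacing. Skipping silently also means a request whose CN is empty yields a certificate with no CN at all, unless something after the loop checks that a subject survived; whether that is acceptable policy is decided outside this hunk, so a short comment on the skip stating the intended outcome would help the next reader. The loop body continues past the hunk's last line.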
@@ -134,34 +141,34 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptrname == "OU" ) { c.addRDN( NID_organizationalUnitName, a->value ); } else { - signlog << "ERROR: Trying to add illegal RDN/AVA type: " << a->name << std::endl; + logger::error( "ERROR: Trying to add illegal RDN/AVA type: ", a->name ); throw "Unhandled/Illegal AVA type"; } } - signlog << "INFO: Populating Issuer ..." << std::endl; + logger::note( "INFO: Populating Issuer ..." ); c.setIssuerNameFrom( ca->ca ); - signlog << "INFO: Validating Public key for use in certificate" << std::endl; - signlog << "INFO: - Checking generic key parameters" << std::endl; - signlog << "FINE: ->Public Key parameters are okay" << std::endl; + logger::note( "INFO: Validating Public key for use in certificate" ); + logger::note( "INFO: - Checking generic key parameters" ); + logger::note( "FINE: ->Public Key parameters are okay" ); - signlog << "INFO: - Checking blacklists" << std::endl; - signlog << "FINE: ->Does not appear on any blacklist" << std::endl; + logger::note( "INFO: - Checking blacklists" ); + logger::note( "FINE: ->Does not appear on any blacklist" ); - signlog << "INFO: - Checking trivial factorization" << std::endl; - signlog << "FINE: ->Trivial factorization not possible" << std::endl; + logger::note( "INFO: - Checking trivial factorization" ); + logger::note( "FINE: ->Trivial factorization not possible" ); - signlog << "INFO: - Checking astrological signs" << std::endl; - signlog << "FINE: ->The stars look good for this one" << std::endl; - signlog << "FINE: Public key is fine for use in certificate" << std::endl; + logger::note( "INFO: - Checking astrological signs" ); + logger::note( "FINE: ->The stars look good for this one" ); + logger::note( "FINE: Public key is fine for use in certificate" ); - signlog << "INFO: Copying Public Key from Request ..." << std::endl; + logger::note( "INFO: Copying Public Key from Request ..." 
); c.setPubkeyFrom( req ); - signlog << "FINE: Public Key successfully copied from Request." << std::endl; + logger::note( "FINE: Public Key successfully copied from Request." ); { - signlog << "INFO: Determining Validity Period ..." << std::endl; + logger::note( "INFO: Determining Validity Period ..." ); std::time_t from, to; std::time_t now = time( 0 ); std::pair parsed; @@ -176,7 +183,7 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptr /* 2 Weeks */ (2 * 7 * 24 * 60 * 60)) || ((now - from) >= 0) ) { + if( ( ( from - now ) > /* 2 Weeks */ ( 2 * 7 * 24 * 60 * 60 ) ) || ( ( now - from ) >= 0 ) ) { from = now; } 
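Review bot: The pairs `"INFO: - Checking blacklists"` / `"FINE: ->Does not appear on any blacklist"` and `"INFO: - Checking trivial factorization"` / `"FINE: ->Trivial factorization not possible"` are emitted back-to-back with no call between them, so the per-certificate log records key checks that the visible code never performs, and `signlog.str()` is stored as the certificate's log later in the same function. An auditor reading that log would take these as completed checks. The content is pre-existing, but this hunk rewrites every one of those lines, so it is the moment to either gate each success line behind a real check or reword it as unimplemented, e.g. `logger::note( "INFO: - Blacklist check not implemented" );` with a `//! \todo` marker. The validity-period block that starts at the end of the hunk continues into the next one.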
@@ -196,58 +203,74 @@ std::shared_ptr SimpleOpensslSigner::sign( std::shared_ptr limit) || (to - from < 0) ) { + if( ( to - from > limit ) || ( to - from < 0 ) ) { to = from + limit; } c.setTimes( from, to ); - signlog << "FINE: Setting validity period successful:" << std::endl; - signlog << "FINE: - Valid not before: " << timeToString(from) << std::endl; - signlog << "FINE: - Valid not after: " << timeToString(to) << std::endl; + logger::note( "FINE: Setting validity period successful:" ); + { + struct tm* timeobj; + std::vector timebuf; + + timeobj = gmtime( &from ); + timebuf.resize( 128 ); + timebuf.resize( std::strftime( const_cast( timebuf.data() ), timebuf.size(), "%F %T %Z", timeobj ) ); + logger::note( "FINE: - Valid not before: ", std::string( timebuf.cbegin(), timebuf.cend() ) ); + + timeobj = gmtime( &to ); + timebuf.resize( 128 ); + timebuf.resize( std::strftime( const_cast( timebuf.data() ), timebuf.size(), "%F %T %Z", timeobj ) ); + logger::note( "FINE: - Valid not after: ", std::string( timebuf.cbegin(), timebuf.cend() ) ); + } } - signlog << "INFO: Setting extensions:" << std::endl; - c.setExtensions( ca->ca, cert->SANs, prof ); - signlog << "FINE: Setting extensions successful." << std::endl; + logger::note( "INFO: Setting extensions:" ); + c.setExtensions( ca->ca, cert->SANs, prof, ca->crlURL, ca->crtURL ); + logger::note( "FINE: Setting extensions successful." ); - signlog << "INFO: Generating next Serial Number ..." << std::endl; + logger::note( "INFO: Generating next Serial Number ..." 
); std::shared_ptr ser; std::string num; std::tie( ser, num ) = nextSerial( prof, ca ); c.setSerialNumber( ser.get() ); - signlog << "FINE: Certificate Serial Number set to:" << num << std::endl; + logger::note( "FINE: Certificate Serial Number set to: ", num ); { - signlog << "INFO: Trying to sign Certificate:" << std::endl; + logger::note( "INFO: Trying to sign Certificate:" ); std::shared_ptr output = c.sign( ca->caKey, cert->md ); - signlog << "INFO: Writing certificate to local file." << std::endl; + logger::note( "INFO: Writing certificate to local file." ); std::string fn = writeBackFile( num, output->certificate, ca->path ); if( fn.empty() ) { - signlog << "ERROR: failed to get filename for storage of signed certificate." << std::endl; + logger::error( "ERROR: failed to get filename for storage of signed certificate." ); throw "Storage location could not be determined"; } - signlog << "FINE: Certificate signed successfully." << std::endl; - signlog << "FINE: - Certificate written to: " << fn << std::endl; + + logger::note( "FINE: Certificate signed successfully." ); + logger::note( "FINE: - Certificate written to: ", fn ); output->ca_name = ca->name; output->log = signlog.str(); return output; } - } std::pair, std::string> SimpleOpensslSigner::revoke( std::shared_ptr ca, std::vector serials ) { + logger::note( "revoking" ); std::string crlpath = ca->path + "/ca.crl"; - std::shared_ptr crl( new CRL( crlpath ) ); + auto crl = std::make_shared( crlpath ); std::string date = ""; + logger::note( "adding serials" ); for( std::string serial : serials ) { date = crl->revoke( serial, "" ); } + logger::note( "signing CRL" ); crl->sign( ca ); writeFile( crlpath, crl->toString() ); + logger::note( "wrote CRL" ); return std::pair, std::string>( crl, date ); }
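Review bot: The new timestamp block hand-rolls `gmtime` + `std::strftime` where the removed lines used `timeToString`; `gmtime` returns a pointer into a shared static buffer and is not thread-safe, and a `strftime` result of 0 (buffer too small or error) resizes `timebuf` to 0 so an empty value is logged with no indication of failure. Unless the `%F %T %Z` layout is a deliberate change, `logger::note( "FINE: - Valid not before: ", timeToString( from ) );` and `logger::note( "FINE: - Valid not after: ", timeToString( to ) );` restore the previous behaviour in two lines; if the layout is intended, it belongs in a small `gmtime_r`-based helper rather than duplicated twice inline. The `const_cast` on `timebuf.data()` should be unnecessary for a `std::vector<char>`, so the element type is worth checking. In revoke, the notes `"revoking"`, `"adding serials"`, `"signing CRL"` and `"wrote CRL"` drop the `INFO:`/`FINE:` convention every other message in the file follows; aligning them keeps the log greppable.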