#include <iostream>
#include <fstream>
#include <streambuf>
+#include <unordered_map>
#include "database.h"
#include "mysql.h"
#endif
extern std::string keyDir;
-extern std::vector<Profile> profiles;
extern std::string sqlHost, sqlUser, sqlPass, sqlDB;
extern std::string serialPath;
+extern std::unordered_map<std::string, std::shared_ptr<CAConfig>> CAs;
int main( int argc, const char* argv[] ) {
( void ) argc;
} catch( std::string c ) {
log << "ERROR: " << c << std::endl;
}
+ } else if( job->task == "revoke" ) {
+ std::cout << "Revoking!" << std::endl;
+
+ for( auto& x : CAs ) {
+ std::cout << " [" << x.first << ']' << std::endl;
+ }
+
+ sign->revoke( CAs.at( "unassured" ), "12345" );
+ jp->finishJob( job );
} else {
log << "Unknown job type" << job->task << std::endl;
+ jp->failJob( job );
}
if( !DAEMON || once ) {
std::string keyDir;
std::unordered_map<std::string, Profile> profiles;
+std::unordered_map<std::string, std::shared_ptr<CAConfig>> CAs;
std::string sqlHost, sqlUser, sqlPass, sqlDB;
std::string serialPath;
sqlDB = masterConf->at( "sql.database" );
serialPath = masterConf->at( "serialPath" );
- std::shared_ptr<std::unordered_map<std::string, std::shared_ptr<CAConfig>>> CAs( new std::unordered_map<std::string, std::shared_ptr<CAConfig>>() );
+ CAs = std::unordered_map<std::string, std::shared_ptr<CAConfig>>();
DIR* dp;
struct dirent* ep;
prof.eku = map->at( "eku" );
prof.ku = map->at( "ku" );
- if( CAs->find( map->at( "ca" ) ) == CAs->end() ) {
- std::shared_ptr<CAConfig> ca( new CAConfig( "ca/" + map->at( "ca" ) ) );
- CAs->emplace( map->at( "ca" ), ca );
+ if( CAs.find( map->at( "ca" ) ) == CAs.end() ) {
+ std::shared_ptr<CAConfig> ca( new CAConfig( map->at( "ca" ) ) );
+ CAs.emplace( map->at( "ca" ), ca );
}
- prof.ca = CAs->at( map->at( "ca" ) );
+ prof.ca = CAs.at( map->at( "ca" ) );
profiles.emplace( profileName, prof );
std::cout << "Profile: " << profileName << " up and running." << std::endl;
ADD_PROOF_LINE = 0x40,
SIGN = 0x80,
LOG_SAVED = 0x81,
+ REVOKE = 0x100,
GET_TIMESTAMP = 0xC0,
GET_STATUS_REPORT = 0xD0
};
enum class SignerResult : uint16_t {
+ REVOKED = 0x100,
SAVE_LOG = 0x80,
CERTIFICATE = 0x81
};
#include <iostream>
#include <fstream>
#include <ctime>
+#include <unordered_map>
#include <openssl/ssl.h>
#include "slipBio.h"
extern std::vector<Profile> profiles;
+extern std::unordered_map<std::string, std::shared_ptr<CAConfig>> CAs;
class RecordHandlerSession {
public:
size_t pos = data.find( "," );
if( pos == std::string::npos ) {
+ // error
} else {
std::shared_ptr<SAN> san( new SAN() );
san->type = data.substr( 0, pos );
break;
+ case RecordHeader::SignerCommand::REVOKE: {
+ ( *log ) << "got revoking command: " << data.size() << std::endl;
+ std::string nullstr( "\0", 1 );
+ size_t t = data.find( nullstr );
+
+ if( t == std::string::npos ) {
+ // error
+ ( *log ) << "error while parsing revoking command." << data << std::endl;
+ break;
+ }
+
+ std::string ca = data.substr( 0, t );
+ std::string serial = data.substr( t + 1 );
+ ( *log ) << "revoking " << ca << "<->" << serial << std::endl;
+
+ ( *log ) << "[";
+
+ for( auto x : CAs ) {
+ ( *log ) << x.first << ", ";
+ }
+
+ ( *log ) << "]" << std::endl;
+
+ auto reqCA = CAs.at( ca );
+ ( *log ) << "CA found" << std::endl;
+ std::shared_ptr<X509_CRL> crl = signer->revoke( reqCA, serial );
+
+ std::shared_ptr<BIO> mem( BIO_new( BIO_s_mem() ), BIO_free );
+
+ PEM_write_bio_X509_CRL( mem.get(), crl.get() );
+ BUF_MEM* bptr;
+ BIO_get_mem_ptr( mem.get(), &bptr );
+
+ std::string newCRL( bptr->data, bptr->length );
+ respondCommand( RecordHeader::SignerResult::REVOKED, newCRL );
+
+ if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) {
+ ( *log ) << "ERROR: SSL close failed" << std::endl;
+ }
+
+ break;
+ }
+
default:
throw "Unimplemented";
}
case RecordHeader::SignerResult::SAVE_LOG:
result->log = payload;
break;
+
+ default:
+ std::cout << "Invalid Message" << std::endl;
+ break;
}
} catch( const char* msg ) {
std::cout << msg << std::endl;
return result;
}
+std::shared_ptr<X509_CRL> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
+ ( void )BIO_reset( target.get() );
+
+ std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
+ std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
+ SSL_set_connect_state( ssl.get() );
+ SSL_set_bio( ssl.get(), target.get(), target.get() );
+ BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
+ std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
+
+ RecordHeader head;
+ head.flags = 0;
+ head.sessid = 13;
+
+ std::string payload = ca->name + std::string( "\0", 1 ) + serial;
+ send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
+
+ std::vector<char> buffer( 2048 * 4 );
+ int length = conn->read( buffer.data(), buffer.size() );
+
+ if( length <= 0 ) {
+ std::cout << "Error, no response data" << std::endl;
+ return std::shared_ptr<X509_CRL>();
+ }
+
+ payload = parseCommand( head, std::string( buffer.data(), length ), log );
+
+ switch( ( RecordHeader::SignerResult ) head.command ) {
+ case RecordHeader::SignerResult::REVOKED:
+ std::cout << "CRL: " << std::endl << payload << std::endl;
+ break;
+
+ default:
+ throw "Invalid response command.";
+ }
+
+ if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
+ std::cout << "SSL shutdown failed" << std::endl;
+ }
+
+ return std::shared_ptr<X509_CRL>();
+}
+
void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {
this->log = target;
}
RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx );
~RemoteSigner();
std::shared_ptr<SignedCertificate> sign( std::shared_ptr<TBSCertificate> cert );
+ std::shared_ptr<X509_CRL> revoke( std::shared_ptr<CAConfig> ca, std::string serial );
+
void setLog( std::shared_ptr<std::ostream> target );
};
#include <memory>
#include "database.h"
+#include "sslUtil.h"
class Signer {
public:
virtual std::shared_ptr<SignedCertificate> sign( std::shared_ptr<TBSCertificate> cert ) = 0;
+ virtual std::shared_ptr<X509_CRL> revoke( std::shared_ptr<CAConfig> ca, std::string serial ) = 0;
};
output->log = signlog.str();
return output;
}
+
+
+std::shared_ptr<X509_CRL> SimpleOpensslSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
+ std::string crlpath = ca->path + "/ca.crl";
+
+ std::shared_ptr<BIO> bio( BIO_new_file( crlpath.c_str(), "r" ), free );
+ std::shared_ptr<X509_CRL> crl( PEM_read_bio_X509_CRL( bio.get(), 0, NULL, 0 ), X509_CRL_free );
+ std::cout << "Starting revocation" << std::endl;
+
+ if( !crl ) {
+ std::cout << "CRL was not loaded" << std::endl;
+ crl = std::shared_ptr<X509_CRL>( X509_CRL_new(), X509_CRL_free );
+ }
+
+ BIGNUM* serBN = 0;
+
+ if( ! BN_hex2bn( &serBN, serial.c_str() ) ) {
+ //error
+ }
+
+ std::shared_ptr<BIGNUM> serBNP( serBN, BN_free );
+ std::shared_ptr<ASN1_INTEGER> ser( BN_to_ASN1_INTEGER( serBN, NULL ), ASN1_INTEGER_free );
+
+ if( !ser ) {
+ // error
+ }
+
+ std::shared_ptr<ASN1_TIME> tmptm( ASN1_TIME_new(), ASN1_TIME_free );
+
+ if( !tmptm ) {
+ // error
+ }
+
+ X509_gmtime_adj( tmptm.get(), 0 );
+
+ X509_REVOKED* rev = X509_REVOKED_new();
+ X509_REVOKED_set_serialNumber( rev, ser.get() );
+ X509_REVOKED_set_revocationDate( rev, tmptm.get() );
+
+ X509_CRL_add0_revoked( crl.get(), rev );
+
+ if( !X509_CRL_set_issuer_name( crl.get(), X509_get_subject_name( ca->ca.get() ) ) ) {
+ // error
+ }
+
+ X509_CRL_set_lastUpdate( crl.get(), tmptm.get() );
+
+ if( !X509_time_adj_ex( tmptm.get(), 1, 10, NULL ) ) {
+ // error
+ }
+
+ X509_CRL_set_nextUpdate( crl.get(), tmptm.get() );
+
+
+ std::cout << "Signing" << std::endl;
+ X509_CRL_sort( crl.get() );
+ X509_CRL_sign( crl.get(), ca->caKey.get(), EVP_sha256() );
+
+ std::cout << "writing bio" << std::endl;
+ std::shared_ptr<BIO> bioOut( BIO_new_file( crlpath.c_str(), "w" ), BIO_free );
+ PEM_write_bio_X509_CRL( bioOut.get(), crl.get() );
+ std::cout << "finished crl" << std::endl;
+
+ return crl;
+}
SimpleOpensslSigner();
~SimpleOpensslSigner();
std::shared_ptr<SignedCertificate> sign( std::shared_ptr<TBSCertificate> cert );
+ std::shared_ptr<X509_CRL> revoke( std::shared_ptr<CAConfig> ca, std::string serial );
};
return b;
}
-CAConfig::CAConfig( std::string path ) {
- this->path = path;
+CAConfig::CAConfig( std::string name ) {
+ this->name = name;
+ this->path = "ca/" + name;
ca = loadX509FromFile( path + "/ca.crt" );
caKey = loadPkeyFromFile( path + "/ca.key" );
}
class CAConfig {
public:
std::string path;
+ std::string name;
std::shared_ptr<X509> ca;
std::shared_ptr<EVP_PKEY> caKey;
- CAConfig( std::string path );
+ CAConfig( std::string name );
};