7 #include <unordered_map>
9 #include "db/database.h"
11 #include "crypto/simpleOpensslSigner.h"
12 #include "crypto/remoteSigner.h"
13 #include "crypto/sslUtil.h"
14 #include "log/logger.hpp"
17 #include "io/slipBio.h"
19 #include <internal/bio.h>
21 #include <crypto/X509.h>
29 extern std::string keyDir;
30 extern std::string sqlHost, sqlUser, sqlPass, sqlDB;
31 extern std::string serialPath;
32 extern std::unordered_map<std::string, std::shared_ptr<CAConfig>> CAs;
34 void checkCRLs( std::shared_ptr<Signer> sign ) {
36 logger::note( "Signing CRLs" );
38 for( auto& x : CAs ) {
39 if( !x.second->crlNeedsResign() ) {
43 logger::notef( "Resigning CRL: %s ...", x.second->name );
46 std::vector<std::string> serials;
47 std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( x.second, serials );
48 } catch( const std::exception& e ) {
49 logger::error( "Exception: ", e.what() );
54 bool pathExists( const std::string& name ) {
56 return stat( name.c_str(), &buffer ) == 0;
59 void signOCSP( std::shared_ptr<Signer> sign, std::string profileName, std::string req, std::string crtName, std::string failName ) {
60 auto cert = std::make_shared<TBSCertificate>();
61 cert->ocspCA = profileName;
62 cert->wishFrom = "now";
66 logger::note( "INFO: Message Digest: ", cert->md );
68 cert->csr_content = req;
69 cert->csr_type = "CSR";
70 auto nAVA = std::make_shared<AVA>();
72 nAVA->value = "OCSP Responder";
73 cert->AVAs.push_back( nAVA );
75 std::shared_ptr<SignedCertificate> res = sign->sign( cert );
78 writeFile( failName, "failed" );
79 logger::error( "OCSP Cert signing failed." );
83 writeFile( crtName, res->certificate );
84 logger::notef( "Cert log: %s", res->log );
87 void checkOCSP( std::shared_ptr<Signer> sign ) {
88 std::unique_ptr<DIR, std::function<void( DIR * )>> dp( opendir( "ca" ), []( DIR * d ) {
92 // When opendir fails and returns 0 the unique_ptr will be considered unintialized and will not call closedir.
93 // Even if closedir would be called, according to POSIX it MAY handle nullptr properly (for glibc it does).
95 logger::error( "CA directory not found" );
101 while( ( ep = readdir( dp.get() ) ) ) {
102 if( ep->d_name[0] == '.' ) {
106 std::string profileName( ep->d_name );
107 std::string csr = "ca/" + profileName + "/ocsp.csr";
109 if( ! pathExists( csr ) ) {
113 std::string crtName = "ca/" + profileName + "/ocsp.crt";
115 if( pathExists( crtName ) ) {
119 std::string failName = "ca/" + profileName + "/ocsp.fail";
121 if( pathExists( failName ) ) {
125 logger::notef( "Discovered OCSP CSR that needs action: %s", csr );
126 std::string req = readFile( csr );
127 std::shared_ptr<X509Req> parsed = X509Req::parseCSR( req );
129 if( parsed->verify() <= 0 ) {
130 logger::errorf( "Invalid CSR for %s", profileName );
134 signOCSP( sign, profileName, req, crtName, failName );
139 int main( int argc, const char *argv[] ) {
141 bool resetOnly = false;
143 if( argc == 2 && std::string( "--once" ) == argv[1] ) {
147 if( argc == 2 && std::string( "--reset" ) == argv[1] ) {
154 path = "/etc/wpia/cassiopeia/cassiopeia.conf";
159 if( parseConfig( path ) != 0 ) {
160 logger::fatal( "Error: Could not parse the configuration file." );
164 if( serialPath == "" ) {
165 logger::fatal( "Error: no serial device is given!" );
169 std::shared_ptr<JobProvider> jp = std::make_shared<PostgresJobProvider>( sqlHost, sqlUser, sqlPass, sqlDB );
170 std::shared_ptr<BIO> b = openSerial( serialPath );
171 std::shared_ptr<BIO_METHOD> m( toBio<SlipBIO>(), BIO_meth_free );
172 std::shared_ptr<BIO> slip1( BIO_new( m.get() ), BIO_free );
173 static_cast<SlipBIO *>( slip1->ptr )->setTarget( std::make_shared<OpensslBIOWrapper>( b ), false );
174 auto sign = std::make_shared<RemoteSigner>( slip1, generateSSLContext( false ) );
175 // std::shared_ptr<Signer> sign( new SimpleOpensslSigner() );
178 std::cout << "Doing BIO reset" << std::endl;
179 int result = BIO_reset( slip1.get() );
180 std::cout << "Did BIO reset, result " << result << ", exiting." << std::endl;
184 time_t lastCRLCheck = 0;
191 if( lastCRLCheck + 30 * 60 < current ) {
192 // todo set good log TODO FIXME
193 auto ostreamFree = []( std::ostream * o ) {
196 sign->setLog( std::shared_ptr<std::ostream>( &std::cout, ostreamFree ) );
198 lastCRLCheck = current;
203 std::shared_ptr<Job> job;
206 job = jp->fetchJob();
207 } catch( std::exception& e ) {
208 logger::errorf( "Exception while fetchJob: %s", e.what() );
216 std::shared_ptr<std::ofstream> logPtr = openLogfile( std::string( "logs/" ) + job->id + std::string( "_" ) + job->warning + std::string( ".log" ) );
218 logger::logger_set log_set( {logger::log_target( *logPtr, logger::level::debug )}, logger::auto_register::on );
220 logger::note( "TASK ID: ", job->id );
221 logger::note( "TRY: ", job->warning );
222 logger::note( "TARGET: ", job->target );
223 logger::note( "TASK: ", job->task );
225 if( job->task == "sign" ) {
227 std::shared_ptr<TBSCertificate> cert = jp->fetchTBSCert( job );
230 logger::error( "Unable to load CSR" );
235 cert->wishFrom = job->from;
236 cert->wishTo = job->to;
237 logger::note( "INFO: Message Digest: ", cert->md );
238 logger::note( "INFO: Profile ID: ", cert->profile );
240 for( auto& SAN : cert->SANs ) {
241 logger::notef( "INFO: SAN %s: %s", SAN->type, SAN->content );
244 for( auto& AVA : cert->AVAs ) {
245 logger::notef( "INFO: AVA %s: %s", AVA->name, AVA->value );
248 logger::note( "FINE: CSR content:\n", cert->csr_content );
250 std::shared_ptr<SignedCertificate> res = sign->sign( cert );
253 logger::error( "ERROR: The signer failed. No certificate was returned." );
258 logger::note( "FINE: CERTIFICATE LOG:\n", res->log,
259 "FINE: CERTIFICATE:\n", res->certificate );
261 jp->writeBack( job, res ); //! \FIXME: Check return value
262 logger::note( "FINE: signing done." );
265 jp->finishJob( job );
269 } catch( std::exception& c ) {
270 logger::error( "ERROR: ", c.what() );
275 } catch( std::exception& c ) {
276 logger::error( "ERROR: ", c.what() );
278 } else if( job->task == "revoke" ) {
280 logger::note( "revoking" );
281 auto data = jp->getRevocationInfo( job );
282 std::vector<std::string> serials;
283 serials.push_back( data.first );
284 logger::note( "revoking" );
285 std::pair<std::shared_ptr<CRL>, std::string> rev = sign->revoke( CAs.at( data.second ), serials );
286 std::string date = rev.second;
287 const unsigned char *pos = ( const unsigned char * ) date.data();
288 std::shared_ptr<ASN1_TIME> time( d2i_ASN1_TIME( NULL, &pos, date.size() ), ASN1_TIME_free );
290 jp->writeBackRevocation( job, timeToString( time ) );
291 jp->finishJob( job );
292 } catch( const std::exception& c ) {
293 logger::error( "Exception: ", c.what() );
296 logger::errorf( "Unknown job type (\"%s\")", job->task );
300 if( !DAEMON || once ) {
303 } catch( std::exception& e ) {
304 logger::errorf( "std::exception in mainloop: %s", e.what() );