src/crypto/remoteSigner.cpp

   1 #include "remoteSigner.h"
   2
   3 #include "log/logger.hpp"
   4 #include "util.h"
   5
   6 #include <iostream>
   7
   8 #include <openssl/ssl.h>
   9 #include <openssl/bn.h>
  10
  11 RemoteSigner::RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx ) : target( target ), ctx( ctx ) {
  12 }
  13
  14 RemoteSigner::~RemoteSigner() {
  15 }
  16
  17 void RemoteSigner::send( std::shared_ptr<OpensslBIOWrapper> bio, RecordHeader& head, RecordHeader::SignerCommand cmd, std::string data ) {
  18     head.command = static_cast<uint16_t>( cmd );
  19     head.command_count++;
  20     head.totalLength = data.size();
  21     sendCommand( head, data, bio );
  22 }
  23
  24 std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertificate> cert ) {
  25     ( void )BIO_reset( target.get() );
  26
  27     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
  28     std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
  29     SSL_set_connect_state( ssl.get() );
  30     SSL_set_bio( ssl.get(), target.get(), target.get() );
  31     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
  32     auto conn = std::make_shared<OpensslBIOWrapper>( bio );
  33     RecordHeader head;
  34     head.flags = 0;
  35     head.sessid = 13;
  36
  37     if( cert->csr_type == "CSR" ) {
  38         send( conn, head, RecordHeader::SignerCommand::SET_CSR, cert->csr_content );
  39     } else if( cert->csr_type == "SPKAC" ) {
  40         send( conn, head, RecordHeader::SignerCommand::SET_SPKAC, cert->csr_content );
  41     } else {
  42         logger::error( "Unknown csr_type: ", cert->csr_type );
  43         return nullptr;
  44     }
  45
  46     send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, cert->md );
  47     send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
  48     send( conn, head, RecordHeader::SignerCommand::SET_WISH_FROM, cert->wishFrom );
  49     send( conn, head, RecordHeader::SignerCommand::SET_WISH_TO, cert->wishTo );
  50
  51     for( auto &ava : cert->AVAs ) {
  52         if( ava->name.find( "," ) != std::string::npos ) {
  53             // invalid ava
  54             return nullptr;
  55         }
  56
  57         send( conn, head, RecordHeader::SignerCommand::ADD_AVA, ava->name + "," + ava->value );
  58     }
  59
  60     for( auto &san : cert->SANs ) {
  61         if( san->type.find( "," ) != std::string::npos ) {
  62             // invalid ava
  63             return nullptr;
  64         }
  65
  66         send( conn, head, RecordHeader::SignerCommand::ADD_SAN, san->type + "," + san->content );
  67     }
  68
  69     send( conn, head, RecordHeader::SignerCommand::SIGN, "" );
  70     send( conn, head, RecordHeader::SignerCommand::LOG_SAVED, "" );
  71     auto result = std::make_shared<SignedCertificate>();
  72     std::vector<char> buffer( 2048 * 4 );
  73
  74     for( int i = 0; i < 3; i++ ) {
  75         try {
  76             int length = conn->read( buffer.data(), buffer.size() );
  77
  78             if( length <= 0 ) {
  79                 logger::error( "Error, no response data" );
  80                 result = nullptr;
  81                 break;
  82             }
  83
  84             RecordHeader head;
  85             std::string payload = parseCommand( head, std::string( buffer.data(), length ) );
  86
  87             switch( static_cast<RecordHeader::SignerResult>( head.command )) {
  88             case RecordHeader::SignerResult::CERTIFICATE:
  89                 result->certificate = payload;
  90                 break;
  91
  92             case RecordHeader::SignerResult::SAVE_LOG:
  93                 result->log = payload;
  94                 break;
  95
  96             case RecordHeader::SignerResult::SIGNING_CA:
  97                 result->ca_name = payload;
  98                 break;
  99
 100             default:
 101                 logger::error( "Invalid Message" );
 102                 break;
 103             }
 104         } catch( const char* msg ) {
 105             logger::error( msg );
 106             return std::shared_ptr<SignedCertificate>();
 107         }
 108     }
 109
 110     if( result ) {
 111         std::shared_ptr<BIO> bios( BIO_new( BIO_s_mem() ), BIO_free );
 112         const char* buf = result->certificate.data();
 113         unsigned int len = result->certificate.size();
 114
 115         while( len > 0 ) {
 116             int dlen = BIO_write( bios.get(), buf, len );
 117
 118             if( dlen <= 0 ) {
 119                 throw "Memory error.";
 120             }
 121
 122             len -= dlen;
 123             buf += dlen;
 124         }
 125
 126         std::shared_ptr<X509> pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ) );
 127
 128         if( !pem ) {
 129             throw "Pem was not readable";
 130         }
 131
 132         std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( pem->cert_info->serialNumber, NULL ), BN_free );
 133         std::shared_ptr<char> serStr(
 134             BN_bn2hex( ser.get() ),
 135             []( char* p ) {
 136                 OPENSSL_free( p );
 137             } ); // OPENSSL_free is a macro...
 138
 139         extractTimes( pem, result );
 140
 141         result->serial = std::string( serStr.get() );
 142     }
 143
 144     logger::note( "Closing SSL connection" );
 145     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
 146         logger::warn( "SSL shutdown failed" );
 147     }
 148     logger::note( "SSL connection closed" );
 149
 150     return result;
 151 }
 152
 153 std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::vector<std::string> serials ) {
 154     ( void )BIO_reset( target.get() );
 155
 156     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
 157     std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
 158     SSL_set_connect_state( ssl.get() );
 159     SSL_set_bio( ssl.get(), target.get(), target.get() );
 160     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
 161     auto conn = std::make_shared<OpensslBIOWrapper>( bio );
 162
 163     RecordHeader head;
 164     head.flags = 0;
 165     head.sessid = 13;
 166
 167     for( auto &serial : serials ) {
 168         send( conn, head, RecordHeader::SignerCommand::ADD_SERIAL, serial );
 169     }
 170
 171     std::string payload = ca->name;
 172     send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
 173
 174     std::vector<char> buffer( 2048 * 4 );
 175     int length = conn->read( buffer.data(), buffer.size() );
 176
 177     if( length <= 0 ) {
 178         throw "Error, no response data";
 179     }
 180
 181     payload = parseCommand( head, std::string( buffer.data(), length ) );
 182
 183     auto crl = std::make_shared<CRL>( ca->path + std::string( "/ca.crl" ) );
 184     std::string date;
 185
 186     if( static_cast<RecordHeader::SignerResult>( head.command ) != RecordHeader::SignerResult::REVOKED ) {
 187         throw "Protocol violation";
 188     }
 189
 190     const unsigned char* buffer2 = reinterpret_cast<const unsigned char*>( payload.data() );
 191     const unsigned char* pos = buffer2;
 192     ASN1_TIME* time = d2i_ASN1_TIME( NULL, &pos, payload.size() );
 193     ASN1_TIME_free( time );
 194     date = payload.substr( 0, pos - buffer2 );
 195     std::string rest = payload.substr( pos - buffer2 );
 196
 197     for( std::string &serial : serials ) {
 198         crl->revoke( serial, date );
 199     }
 200
 201     crl->setSignature( rest );
 202     bool ok = crl->verify( ca );
 203
 204     if( ok ) {
 205         logger::note( "CRL verificated successfully" );
 206         writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
 207     } else {
 208         logger::warn( "CRL is broken, trying to recover" );
 209         send( conn, head, RecordHeader::SignerCommand::GET_FULL_CRL, ca->name );
 210         length = conn->read( buffer.data(), buffer.size() );
 211
 212         if( length <= 0 ) {
 213             throw "Error, no response data";
 214         }
 215
 216         payload = parseCommand( head, std::string( buffer.data(), length ) );
 217
 218         if( static_cast<RecordHeader::SignerResult>( head.command ) != RecordHeader::SignerResult::FULL_CRL ) {
 219             throw "Protocol violation";
 220         }
 221
 222         writeFile( ca->path + std::string( "/ca.crl.bak" ), payload );
 223         crl = std::make_shared<CRL>( ca->path + std::string( "/ca.crl.bak" ) );
 224
 225         if( crl->verify( ca ) ) {
 226             writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
 227             logger::note( "CRL is now valid again" );
 228         } else {
 229             logger::warn( "CRL is still broken... Please, help me" );
 230         }
 231     }
 232
 233     logger::debug( "CRL:\n", crl->toString() );
 234
 235     logger::note( "Closing SSL connection" );
 236     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
 237         logger::warn( "SSL shutdown failed" );
 238     }
 239     logger::note( "SSL connection closed" );
 240
 241     return { crl, date };
 242 }
 243
 244 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {
 245     this->log = target;
 246 }