src/crypto/remoteSigner.cpp

   1 #include "remoteSigner.h"
   2
   3 #include <iostream>
   4
   5 #include <openssl/ssl.h>
   6 #include <openssl/bn.h>
   7
   8 RemoteSigner::RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx ) {
   9     this->target = target;
  10     this->ctx = ctx;
  11 }
  12
  13 RemoteSigner::~RemoteSigner() {
  14 }
  15
  16 void RemoteSigner::send( std::shared_ptr<OpensslBIOWrapper> bio, RecordHeader& head, RecordHeader::SignerCommand cmd, std::string data ) {
  17     head.command = ( uint16_t ) cmd;
  18     head.command_count++;
  19     head.totalLength = data.size();
  20     sendCommand( head, data, bio, log );
  21
  22 }
  23
  24 std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertificate> cert ) {
  25     ( void )BIO_reset( target.get() );
  26
  27     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
  28     std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
  29     SSL_set_connect_state( ssl.get() );
  30     SSL_set_bio( ssl.get(), target.get(), target.get() );
  31     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
  32     std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
  33     RecordHeader head;
  34     head.flags = 0;
  35     head.sessid = 13;
  36
  37     if( cert->csr_type == "CSR" ) {
  38         send( conn, head, RecordHeader::SignerCommand::SET_CSR, cert->csr_content );
  39     } else if( cert->csr_type == "SPKAC" ) {
  40         send( conn, head, RecordHeader::SignerCommand::SET_SPKAC, cert->csr_content );
  41     } else {
  42         std::cout << "Unknown csr_type: " << cert->csr_type;
  43         return std::shared_ptr<SignedCertificate>();
  44     }
  45
  46     send( conn, head, RecordHeader::SignerCommand::SET_SIGNATURE_TYPE, cert->md );
  47     send( conn, head, RecordHeader::SignerCommand::SET_PROFILE, cert->profile );
  48
  49     for( auto ava : cert->AVAs ) {
  50         if( ava->name.find( "," ) != std::string::npos ) {
  51             // invalid ava
  52             return std::shared_ptr<SignedCertificate>();
  53         }
  54
  55         send( conn, head, RecordHeader::SignerCommand::ADD_AVA, ava->name + "," + ava->value );
  56     }
  57
  58     for( auto san : cert->SANs ) {
  59         if( san->type.find( "," ) != std::string::npos ) {
  60             // invalid ava
  61             return std::shared_ptr<SignedCertificate>();
  62         }
  63
  64         send( conn, head, RecordHeader::SignerCommand::ADD_SAN, san->type + "," + san->content );
  65     }
  66
  67     send( conn, head, RecordHeader::SignerCommand::SIGN, "" );
  68     send( conn, head, RecordHeader::SignerCommand::LOG_SAVED, "" );
  69     std::shared_ptr<SignedCertificate> result = std::shared_ptr<SignedCertificate>( new SignedCertificate() );
  70     std::vector<char> buffer( 2048 * 4 );
  71
  72     for( int i = 0; i < 2; i++ ) {
  73         try {
  74             int length = conn->read( buffer.data(), buffer.size() );
  75
  76             if( length <= 0 ) {
  77                 std::cout << "Error, no response data" << std::endl;
  78                 result = std::shared_ptr<SignedCertificate>();
  79                 break;
  80             }
  81
  82             RecordHeader head;
  83             std::string payload = parseCommand( head, std::string( buffer.data(), length ), log );
  84
  85             switch( ( RecordHeader::SignerResult ) head.command ) {
  86             case RecordHeader::SignerResult::CERTIFICATE:
  87                 result->certificate = payload;
  88                 break;
  89
  90             case RecordHeader::SignerResult::SAVE_LOG:
  91                 result->log = payload;
  92                 break;
  93
  94             default:
  95                 std::cout << "Invalid Message" << std::endl;
  96                 break;
  97             }
  98         } catch( const char* msg ) {
  99             std::cout << msg << std::endl;
 100             return std::shared_ptr<SignedCertificate>();
 101         }
 102     }
 103
 104     if( result ) {
 105         std::shared_ptr<BIO> bios( BIO_new( BIO_s_mem() ), BIO_free );
 106         const char* buf = result->certificate.data();
 107         unsigned int len = result->certificate.size();
 108
 109         while( len > 0 ) {
 110             int dlen = BIO_write( bios.get(), buf, len );
 111
 112             if( dlen <= 0 ) {
 113                 throw "Memory error.";
 114             }
 115
 116             len -= dlen;
 117             buf += dlen;
 118         }
 119
 120         std::shared_ptr<X509> pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ) );
 121
 122         if( !pem ) {
 123             throw "Pem was not readable";
 124         }
 125
 126         std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( pem->cert_info->serialNumber, NULL ), BN_free );
 127         std::shared_ptr<char> serStr(
 128             BN_bn2hex( ser.get() ),
 129             []( char* p ) {
 130                 OPENSSL_free( p );
 131             } ); // OPENSSL_free is a macro...
 132         result->serial = std::string( serStr.get() );
 133     }
 134
 135     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
 136         std::cout << "SSL shutdown failed" << std::endl;
 137     }
 138
 139     return result;
 140 }
 141
 142 std::shared_ptr<X509_CRL> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
 143     ( void )BIO_reset( target.get() );
 144
 145     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
 146     std::shared_ptr<BIO> bio( BIO_new( BIO_f_ssl() ), BIO_free );
 147     SSL_set_connect_state( ssl.get() );
 148     SSL_set_bio( ssl.get(), target.get(), target.get() );
 149     BIO_set_ssl( bio.get(), ssl.get(), BIO_NOCLOSE );
 150     std::shared_ptr<OpensslBIOWrapper> conn( new OpensslBIOWrapper( bio ) );
 151
 152     RecordHeader head;
 153     head.flags = 0;
 154     head.sessid = 13;
 155
 156     std::string payload = ca->name + std::string( "\0", 1 ) + serial;
 157     send( conn, head, RecordHeader::SignerCommand::REVOKE, payload );
 158
 159     std::vector<char> buffer( 2048 * 4 );
 160     int length = conn->read( buffer.data(), buffer.size() );
 161
 162     if( length <= 0 ) {
 163         std::cout << "Error, no response data" << std::endl;
 164         return std::shared_ptr<X509_CRL>();
 165     }
 166
 167     payload = parseCommand( head, std::string( buffer.data(), length ), log );
 168
 169     switch( ( RecordHeader::SignerResult ) head.command ) {
 170     case RecordHeader::SignerResult::REVOKED:
 171         std::cout << "CRL: " << std::endl << payload << std::endl;
 172         break;
 173
 174     default:
 175         throw "Invalid response command.";
 176     }
 177
 178     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
 179         std::cout << "SSL shutdown failed" << std::endl;
 180     }
 181
 182     return std::shared_ptr<X509_CRL>();
 183 }
 184
 185 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {
 186     this->log = target;
 187 }