std::unordered_map<std::string, std::shared_ptr<CAConfig>> CAs;
std::string sqlHost, sqlUser, sqlPass, sqlDB;
std::string serialPath;
+std::string crlPrefix;
+std::string crtPrefix;
std::shared_ptr<std::unordered_map<std::string, std::string>> parseConf( std::string path ) {
auto map = std::make_shared<std::unordered_map<std::string, std::string>>();
sqlPass = masterConf->at( "sql.password" );
sqlDB = masterConf->at( "sql.database" );
serialPath = masterConf->at( "serialPath" );
+ crlPrefix = masterConf->at( "crlPrefix" );
+ crtPrefix = masterConf->at( "crtPrefix" );
if( keyDir == "" ) {
logger::error( "Missing config property key.directory" );
throw "memerr";
}
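Review bot: The two new config reads at `crlPrefix = masterConf->at( "crlPrefix" );` and `crtPrefix = masterConf->at( "crtPrefix" );` get none of the validation the file applies to `key.directory` just below; `at()` only throws if the key is absent, so an empty value is accepted and every certificate signed afterwards carries a CRL distribution point and caIssuers URI of the form `/g2/...` with no scheme or host, i.e. an unusable revocation pointer. Because these values end up verbatim in X.509 extensions, the check belongs here, in the same style as the existing `keyDir` guard. parseConf's body continues outside the hunk.
```cpp
    crlPrefix = masterConf->at( "crlPrefix" );
    crtPrefix = masterConf->at( "crtPrefix" );
    // The prefixes are embedded verbatim in the CRL DP / AIA extensions of
    // every issued certificate; an empty one yields an unusable URI.
    if( crlPrefix == "" || crtPrefix == "" ) {
        logger::error( "Missing config property crlPrefix/crtPrefix" );
        throw "memerr";
    }
    // … unchanged: key.directory check …
```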
-void X509Cert::setExtensions( std::shared_ptr<X509> caCert, std::vector<std::shared_ptr<SAN>>& sans, Profile& prof ) {
+void X509Cert::setExtensions( std::shared_ptr<X509> caCert, std::vector<std::shared_ptr<SAN>>& sans, Profile& prof, std::string crlURL, std::string crtURL ) {
add_ext( caCert, target, NID_basic_constraints, "critical,CA:FALSE" );
add_ext( caCert, target, NID_subject_key_identifier, "hash" );
add_ext( caCert, target, NID_authority_key_identifier, "keyid,issuer:always" );
std::string ku = std::string( "critical," ) + prof.ku;
add_ext( caCert, target, NID_key_usage, ku.c_str() );
add_ext( caCert, target, NID_ext_key_usage, prof.eku.c_str() );
- add_ext( caCert, target, NID_info_access, "OCSP;URI:http://ocsp.cacert.org" );
- add_ext( caCert, target, NID_crl_distribution_points, "URI:http://crl.cacert.org/class3-revoke.crl" );
+ add_ext( caCert, target, NID_info_access, ("OCSP;URI:http://ocsp.cacert.org,caIssuers;URI:" + crtURL).c_str() );
+ add_ext( caCert, target, NID_crl_distribution_points, ("URI:" + crlURL).c_str() );
if( sans.empty() ) {
return;
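Review bot: The OCSP responder URI in the rewritten `add_ext( caCert, target, NID_info_access, ... )` line stays hard-coded to `http://ocsp.cacert.org` while the CRL and caIssuers URIs next to it are now per-CA values derived from the `/g2/` layout, so certificates from the new hierarchy will advertise a fixed responder that may not serve them; either pass an OCSP URL through the same route as `crlURL`/`crtURL` or add a comment stating that this responder is intentionally shared, e.g. `// OCSP responder is deliberately global; CRL DP and caIssuers are per-CA`. Both values are spliced by string concatenation into the OpenSSL extension config grammar, where `,` separates fields, so a `crtURL` or `crlURL` containing a comma would change the extension structure rather than be embedded literally unless `add_ext` (not visible here) escapes it; rejecting such characters where the URLs are built is the cheap guard. Taking `std::string crlURL, std::string crtURL` by value also copies both strings on every call where `const std::string&` would do. setExtensions's body continues outside the hunk.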
void setIssuerNameFrom( std::shared_ptr<X509> ca );
void setPubkeyFrom( std::shared_ptr<X509Req> r );
void setSerialNumber( BIGNUM* num );
- void setExtensions( std::shared_ptr<X509> caCert, std::vector<std::shared_ptr<SAN>>& sans, Profile& prof );
+ void setExtensions( std::shared_ptr<X509> caCert, std::vector<std::shared_ptr<SAN>>& sans, Profile& prof, std::string crlURL, std::string crtURL );
void setTimes( uint32_t before, uint32_t after );
std::shared_ptr<SignedCertificate> sign( std::shared_ptr<EVP_PKEY> caKey, std::string signAlg );
};
}
logger::note( "INFO: Setting extensions:" );
- c.setExtensions( ca->ca, cert->SANs, prof );
+ c.setExtensions( ca->ca, cert->SANs, prof, ca->crlURL, ca->crtURL );
logger::note( "FINE: Setting extensions successful." );
logger::note( "INFO: Generating next Serial Number ..." );
} );
}
+extern std::string crlPrefix;
+extern std::string crtPrefix;
+
CAConfig::CAConfig( const std::string& name ) : path( "ca/" + name ), name( name ) {
ca = loadX509FromFile( path + "/ca.crt" );
caKey = loadPkeyFromFile( path + "/ca.key" );
ASN1_TIME* tm = X509_get_notBefore( ca );
notBefore = std::shared_ptr<ASN1_TIME>( tm, ASN1_TIME_free );
+ std::size_t pos = name.find("_");
+ if (pos == std::string::npos) {
+ throw new std::invalid_argument("ca name: " + name + " is malformed.");
+ }
+ std::size_t pos2 = name.find("_", pos + 1);
+ if (pos2 == std::string::npos) {
+ throw new std::invalid_argument("ca name: " + name + " is malformed.");
+ }
+ crlURL = crlPrefix + "/g2/" + name.substr(pos+1, pos2-pos - 1) + "/" + name.substr(0,pos) + "-" + name.substr(pos2+1) + ".crl";
+ crtURL = crtPrefix + "/g2/" + name.substr(pos+1, pos2-pos - 1) + "/" + name.substr(0,pos) + "-" + name.substr(pos2+1) + ".crt";
}
std::string timeToString( std::shared_ptr<ASN1_TIME> time ) {
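Review bot: Both `throw new std::invalid_argument( "ca name: " + name + " is malformed." );` statements throw a heap pointer, not an exception object, so a `catch( const std::exception& )` or `catch( const std::invalid_argument& )` anywhere up the stack will not catch them and the allocation is leaked; they should read `throw std::invalid_argument( "ca name: " + name + " is malformed." );`. The two `name.find("_")` checks also run after `loadX509FromFile`/`loadPkeyFromFile`, so the CA private key is read before the name is known to be well-formed; moving the checks ahead of the loads fails earlier and cheaper. The name segments are then pasted verbatim into `crlURL`/`crtURL`, which later feed the X.509 extension config string, so a directory name with characters meaningful in that grammar or in a URL (`,`, spaces) would be accepted here without complaint, which is worth a comment or an explicit character-set check. timeToString's body starts outside the hunk.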
struct CAConfig {
std::string path;
std::string name;
+ std::string crlURL;
+ std::string crtURL;
std::shared_ptr<X509> ca;
std::shared_ptr<EVP_PKEY> caKey;