LD=libtool --mode=link g++
ifneq (,$(filter debug,$(DEB_BUILD_OPTIONS)))
-CFLAGS+=-DNO_DAEMON -g
+CFLAGS+=-DNO_DAEMON -g -Og
endif
ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
CFLAGS += -O0
install: build
${INSTALL_PROGRAM} bin/cassiopeia ${DESTDIR}/usr/bin/cassiopeia
${INSTALL_PROGRAM} bin/cassiopeia-signer ${DESTDIR}/usr/bin/cassiopeia-signer
- ${INSTALL_DIR} ${DESTDIR}/etc/cacert/cassiopeia
+ ${INSTALL_DIR} ${DESTDIR}/etc/wpia/cassiopeia
.PHONY: libs
libs: ${LIBS}
Cassiopeia
=================
-Signing Module for CAcert
+Signing Module for WPIA
/files
-/cacert-cassiopeia
-/cacert-cassiopeia-doc
-/cacert-cassiopeia-signer
+/wpia-cassiopeia
+/wpia-cassiopeia-doc
+/wpia-cassiopeia-signer
/*.substvars
/*.debhelper
Comments regarding the Package
- -- CAcert Software Team <cacert-devel@cacert.org> Tue, 04 Feb 2014 23:42:00 +0100
+ -- WPIA Software Team <software@wpia.club> Tue, 04 Feb 2014 23:42:00 +0100
+++ /dev/null
-/usr/bin/cassiopeia
-/etc/cacert/cassiopeia
.\" Hey, EMACS: -*- nroff -*-
-.\" (C) Copyright 2014 CAcert Software Team <software@cacert.org>,
+.\" (C) Copyright 2014-2017 WPIA Software Team <software@wpia.club>,
.\"
.TH cassiopeia 1 "November 2, 2014"
.SH NAME
-cassiopeia \- the CAcert.org signing software
+cassiopeia \- the WPIA signing software
.SH SYNOPSIS
.B cassiopeia
.RI [options]
.SH DESCRIPTION
.B cassiopeia
-is the signing software that will be used to operate the CAcert.org system.
+is the signing software that will be used to operate the WPIA system.
.SH OPTIONS
.TP
.B --once
-cacert-cassiopeia (0.1) unstable; urgency=low
+wpia-cassiopeia (0.1) unstable; urgency=low
* Initial Release.
- -- CAcert Software Team <cacert-devel@cacert.org> Tue, 04 Feb 2014 23:42:00 +0100
+ -- WPIA Software Team <software@wpia.club> Tue, 04 Feb 2014 23:42:00 +0100
-Source: cacert-cassiopeia
+Source: wpia-cassiopeia
Section: utils
Priority: extra
-Maintainer: CAcert Software Team <cacert-devel@cacert.org>
+Maintainer: WPIA Software Team <software@wpia.club>
Build-Depends: debhelper (>= 8.0.0), libtool, libpqxx-dev, libboost-test-dev
Standards-Version: 3.9.4
-Homepage: https://cacert.org/
+Homepage: https://wpia.club
#Vcs-Git: git://git.debian.org/collab-maint/cassiopeia.git
#Vcs-Browser: http://git.debian.org/?p=collab-maint/cassiopeia.git;a=summary
-Package: cacert-cassiopeia
+Package: wpia-cassiopeia
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: CAcert Certificate Signing Software
+Description: WPIA Certificate Signing Software
This package provides the necessary tools to run a
- certificate signing instance on https://cacert.org
+ certificate signing instance
-Package: cacert-cassiopeia-signer
+Package: wpia-cassiopeia-signer
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: CAcert Certificate Signing Software
+Description: WPIA Certificate Signing Software
This package provides the signer-side part of the
- CAcert signing software.
+ WPIA signing software.
-Package: cacert-cassiopeia-doc
+Package: wpia-cassiopeia-doc
Architecture: all
-Description: Documentation for the CAcert Certificate Signing Software
+Description: Documentation for the WPIA Certificate Signing Software
This package provides the necessary tools to run a
- certificate signing instance on https://cacert.org
+ certificate signing instance
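Review bot: The renamed `Package: wpia-cassiopeia` and `Package: wpia-cassiopeia-signer` stanzas declare no relationship to the `cacert-cassiopeia` / `cacert-cassiopeia-signer` packages they supersede, yet they ship the same files (`/usr/bin/cassiopeia`, `/usr/bin/cassiopeia-signer`), so dpkg will refuse the install on a host that still has the old package and there is no automatic upgrade path. Add to each stanza `Replaces: cacert-cassiopeia` and `Breaks: cacert-cassiopeia` (with the `-signer` names in the signer stanza), which lets the new package take over the files and removes the old one on upgrade. A `Provides:` line is only needed if something else depends on the old names, which is not visible here.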
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: cassiopeia
-Source: <https://github.com/CAcertOrg/cacert-cassiopeia>
+Source: <https://code.wpia.club/?p=cassiopeia.git;a=summary>
Files: *
-Copyright: 2014 CAcert Software Team <cacert-devel@cacert.org>
+Copyright: 2014-2017 WPIA Software Team <software@wpia.club>
License: GPL-2.0+
Files: debian/*
-Copyright: 2014 CAcert Software Team <cacert-devel@cacert.org>
+Copyright: 2014-2017 WPIA Software Team <software@wpia.club>
License: GPL-2.0+
License: GPL-2.0+
/usr/bin/cassiopeia-signer
-/etc/cacert/cassiopeia
+/etc/wpia/cassiopeia
# <...>
### END INIT INFO
-# Author: CAcert Software Team <cacert-devel@cacert.org>
+# Author: WPIA Software Team <software@wpia.club>
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
-DESC="cacert's signer software"
-NAME=cacert-cassiopeia
+DESC="wpia's signer software"
+NAME=wpia-cassiopeia
DAEMON=/usr/bin/cassiopeia
DAEMON_ARGS=
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
-DIR=/var/lib/cacert-gigi
+DIR=/var/lib/wpia-gigi
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
#
do_start()
{
- if [ ! -f /etc/cacert/cassiopeia/cassiopeia.conf ]; then
+ if [ ! -f /etc/wpia/cassiopeia/cassiopeia.conf ]; then
echo Missing cassiopeia-configfile
exit 2
fi
start-stop-daemon -b --start --quiet --pidfile $PIDFILE -d $DIR --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon -b --start --quiet --pidfile $PIDFILE --make-pidfile -d $DIR -c nobody --exec $DAEMON --no-close -- \
- >> /var/log/cacert-cassiopeia.log 2>&1 \
+ >> /var/log/wpia-cassiopeia.log 2>&1 \
|| return 2
# The above code will not work for interpreted scripts, use the next
# six lines below instead (Ref: #643337, start-stop-daemon(8) )
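Review bot: do_start now hard-fails with `exit 2` when `/etc/wpia/cassiopeia/cassiopeia.conf` is absent, but nothing in this change moves an existing `/etc/cacert/cassiopeia` directory to the new location, so an upgraded host keeps its signer configuration where the new script no longer looks and the service stays down until someone relocates it by hand. Either migrate the directory in the package's postinst or, at minimum, make the message name the expected path: `echo "Missing config file: /etc/wpia/cassiopeia/cassiopeia.conf (previously /etc/cacert/cassiopeia)"`. The pidfile and log path are derived from `NAME`, so a daemon started under the old name is presumably not found by the new script's stop action during the upgrade — worth confirming. do_start's body continues beyond the end of this hunk.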
--- /dev/null
+/usr/bin/cassiopeia
+/etc/wpia/cassiopeia
--- /dev/null
+Requirements for building of cassiopeia
+=================
+
+Operation System Debian 9.0 (Stretch)
+
+Install the following packages:
+
+ apt-get install wget curl debhelper fakeroot build-essential libboost-test-dev libtool-bin libpqxx-dev libasan3
+
+Clone the repository:
+
+ git clone https://code.wpia.club/cassiopeia.git
+
+Generate the changelog file for the Debian packages:
+
+ cassiopeia/scripts/genchangelog.sh
+
+Compile the source code and build the Debian packages:
+
+ cd cassiopeia && dpkg-buildpackage -b -us -uc
# echo $^
openssl/libcrypto.a: ${LIB_SSL_FILES}
- cd ${LIB_SSL} && ( [ -f Makefile ] || ./config -DPURIFY )
+ cd ${LIB_SSL} && ( [ -f Makefile ] || ./config -DPURIFY no-md2 no-md4 no-rc4 no-ssl3 no-weak-ssl-ciphers no-unit-test )
${MAKE} -C ${LIB_SSL} depend
${MAKE} -C ${LIB_SSL}
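Review bot: The new `no-md2 no-md4 no-rc4 no-ssl3 no-weak-ssl-ciphers` options only take effect on a tree that has never been configured, because `[ -f Makefile ] || ./config …` skips `./config` whenever a Makefile from an earlier configure exists; an incremental build after pulling this change silently keeps the old, unhardened libcrypto. Make the configuration an explicit stamp target whose prerequisite is the Makefile that holds the option list, so editing the options re-runs `./config` (a `${MAKE} -C ${LIB_SSL} clean` before re-configuring is prudent if the tree was already built). Whether `${LIB_SSL}` resolves to the `openssl/` directory named in the target is not visible here, so the stamp path below assumes it does.
```make
LIB_SSL_CONFIG_OPTS := -DPURIFY no-md2 no-md4 no-rc4 no-ssl3 no-weak-ssl-ciphers no-unit-test

openssl/libcrypto.a: ${LIB_SSL_FILES} ${LIB_SSL}/.configured
	${MAKE} -C ${LIB_SSL} depend
	${MAKE} -C ${LIB_SSL}

# Re-run ./config whenever the option list (i.e. this Makefile) changes.
${LIB_SSL}/.configured: $(lastword $(MAKEFILE_LIST))
	cd ${LIB_SSL} && ./config ${LIB_SSL_CONFIG_OPTS}
	touch $@
```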
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
cd "$(dirname $0)"
cat > ../debian/changelog <<EOF
-cacert-cassiopeia (0.1.b${BUILD_NUMBER}-$(git rev-parse HEAD)) unstable; urgency=low
+wpia-cassiopeia (0.1.b${BUILD_NUMBER}-$(git rev-parse HEAD)) unstable; urgency=low
* Initial Release.
- -- CAcert Software Team <cacert-devel@cacert.org> $(LANG=C date "+%a, %d %b %Y %H:%M:%S %z")
+ -- WPIA Software Team <software@wpia.club> $(LANG=C date "+%a, %d %b %Y %H:%M:%S %z")
EOF
std::string path;
#ifdef NDEBUG
- path = "/etc/cacert/cassiopeia/cassiopeia.conf";
+ path = "/etc/wpia/cassiopeia/cassiopeia.conf";
#else
path = "config.txt";
#endif
std::string path;
#ifdef NDEBUG
- path = "/etc/cacert/cassiopeia/cassiopeia.conf";
+ path = "/etc/wpia/cassiopeia/cassiopeia.conf";
#else
path = "config.txt";
#endif
}
void CRL::sign( std::shared_ptr<CAConfig> ca ) {
+ if(!ca->caKey){
+ throw new std::invalid_argument("Cannot sign CRL with CA " + ca->name + " because it has no private key.");
+ }
+
// Updating necessary CRL props
std::shared_ptr<ASN1_TIME> tmptm( ASN1_TIME_new(), ASN1_TIME_free );
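Review bot: The new guard in CRL::sign throws `new std::invalid_argument(...)`, i.e. a raw pointer: a handler written as `catch (const std::exception&)` will not see it, so unless some caller specifically catches a pointer type the refusal ends in std::terminate rather than a logged error, and the object is never freed. Throw by value as the equivalent check in the certificate signing path does, `throw std::invalid_argument("Cannot sign CRL with CA " + ca->name + " because it has no private key.");`. The same `throw new` appears in the added `!ca` check of the CAConfig constructor, where it matches the pre-existing `throw new` of the malformed-name checks, so that constructor is best converted as a whole. CRL::sign's body continues beyond this hunk.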
} else if( signAlg == "sha256" ) {
md = EVP_sha256();
} else if( signAlg == "sha1" ) {
- md = EVP_sha1();
+ throw std::runtime_error("Refusing to sign with weak signature algorithm (SHA-1).");
+ } else if( signAlg == "md5" ) {
+ throw std::runtime_error("Refusing to sign with weak signature algorithm (MD5).");
} else {
- throw std::runtime_error("Unknown md-type");
+ throw std::runtime_error("Unknown signature algorithm");
}
if( !X509_sign( target.get(), caKey.get(), md ) ) {
logger::error( "ERROR: Signing CA specified in profile could not be loaded." );
throw std::runtime_error("CA-key not found");
}
+ if(!ca->caKey){
+ throw std::runtime_error("Cannot sign certificate with CA " + ca->name + " because it has no private key.");
+ }
logger::note( "FINE: Key for Signing CA is correctly loaded." );
CAConfig::CAConfig( const std::string& name ) : path( "ca/" + name ), name( name ) {
ca = loadX509FromFile( path + "/ca.crt" );
+ if (!ca) {
+ throw new std::invalid_argument("ca name: " + name + " contains unreadable certificate.");
+ }
+
caKey = loadPkeyFromFile( path + "/ca.key" );
- ASN1_TIME* tm = X509_get_notBefore( ca.get() );
- auto ca0 = ca;
- notBefore = std::shared_ptr<ASN1_TIME>( tm, [ca0](auto p){(void)p;} );
+
+ ASN1_TIME* tm = X509_get_notBefore( ca.get() ); // tm MUST NOT be free'd; duplicate for owning copy.
+ notBefore = std::shared_ptr<ASN1_TIME>( ASN1_STRING_dup(tm), ASN1_TIME_free );
+
std::size_t pos = name.find("_");
if (pos == std::string::npos) {
throw new std::invalid_argument("ca name: " + name + " is malformed.");
if (pos2 == std::string::npos) {
throw new std::invalid_argument("ca name: " + name + " is malformed.");
}
+
crlURL = crlPrefix + "/g2/" + name.substr(pos+1, pos2-pos - 1) + "/" + name.substr(0,pos) + "-" + name.substr(pos2+1) + ".crl";
crtURL = crtPrefix + "/g2/" + name.substr(pos+1, pos2-pos - 1) + "/" + name.substr(0,pos) + "-" + name.substr(pos2+1) + ".crt";
}
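Review bot: `caKey = loadPkeyFromFile( path + "/ca.key" )` is still unchecked right after the new `!ca` check, while the two added signing-time guards reject a CA whose `caKey` is null; if a missing key file is intentional (a CA whose private key is not present on this host), say so where the load happens: `// caKey may legitimately be null (key not present on this host); CRL::sign and certificate signing check ca->caKey before use.` Otherwise the constructor should reject it here, consistent with the certificate check it performs two lines earlier. The owning copy via `ASN1_STRING_dup(tm)` is the right fix for the old aliasing deleter, but it returns NULL on allocation failure, so `if (!notBefore) throw std::runtime_error("Failed to copy notBefore of CA " + name);` would keep a null shared_ptr from reaching later users. Parts of the constructor between the hunks are not shown here.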
LD=libtool --mode=link g++
ifneq (,$(filter debug,$(DEB_BUILD_OPTIONS)))
-CFLAGS+=-DNO_DAEMON -g
+CFLAGS+=-DNO_DAEMON -g -Og
endif
CFLAGS+=${ADDFLAGS} -Wall -Werror -Wextra -pedantic -std=c++11 -I../src -I../lib/openssl/include