Implement CSR validation

This commit adds CSR validation and generation of a baseline requirements
compatible request token instead of a UUID.

Logging has been configured to use timestamps.
This commit is contained in:
Jan Dittberner 2020-12-14 06:59:30 +01:00
parent 2093bf2429
commit 743b8e6853
4 changed files with 78 additions and 31 deletions

View file

@ -2,6 +2,7 @@ package handlers
import ( import (
"bytes" "bytes"
"crypto/sha256"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"errors" "errors"
@ -11,7 +12,6 @@ import (
"os/exec" "os/exec"
"time" "time"
"github.com/google/uuid"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
) )
@ -29,20 +29,58 @@ func NewSigningRequestRegistry(caCertificates []*x509.Certificate) *SigningReque
} }
} }
type SigningRequestAttributes struct {
CommonName string
CSRBytes []byte
RequestToken string
}
func (registry *SigningRequestRegistry) AddSigningRequest(request *requestData) (string, error) { func (registry *SigningRequestRegistry) AddSigningRequest(request *requestData) (string, error) {
requestUuid, err := uuid.NewRandom() requestToken, csrBytes, err := validateCsr(request.Csr)
if err != nil { if err != nil {
return "", err return "", err
} }
requestAttributes := &SigningRequestAttributes{
CommonName: request.CommonName,
CSRBytes: csrBytes,
RequestToken: requestToken,
}
go func() { go func() {
responseChannel := make(chan *responseData, 1) responseChannel := make(chan *responseData, 1)
registry.requests[requestUuid.String()] = responseChannel registry.requests[requestToken] = responseChannel
registry.signCertificate(responseChannel, request) registry.signCertificate(responseChannel, requestAttributes)
}() }()
return requestUuid.String(), nil return requestToken, nil
} }
func (registry *SigningRequestRegistry) signCertificate(channel chan *responseData, request *requestData) { func validateCsr(csr string) (string, []byte, error) {
csrBlock, _ := pem.Decode([]byte(csr))
if csrBlock == nil {
return "", nil, errors.New("request data did not contain valid PEM data")
}
if csrBlock.Type != "CERTIFICATE REQUEST" {
return "", nil, fmt.Errorf("request is not valid, type in PEM data is %s", csrBlock.Type)
}
var err error
var csrContent *x509.CertificateRequest
csrContent, err = x509.ParseCertificateRequest(csrBlock.Bytes)
if err != nil {
return "", nil, err
}
if err = csrContent.CheckSignature(); err != nil {
log.Errorf("invalid CSR signature %v", err)
return "", nil, err
}
// generate request token as defined in CAB Baseline Requirements 1.7.3 Request Token definition
requestToken := fmt.Sprintf(
"%s%x", time.Now().UTC().Format("200601021504"), sha256.Sum256(csrContent.Raw),
)
log.Debugf("generated request token %s", requestToken)
return requestToken, csrContent.Raw, nil
}
func (registry *SigningRequestRegistry) signCertificate(channel chan *responseData, request *SigningRequestAttributes) {
responseData, err := registry.sign(request) responseData, err := registry.sign(request)
if err != nil { if err != nil {
log.Error(err) log.Error(err)
@ -52,21 +90,26 @@ func (registry *SigningRequestRegistry) signCertificate(channel chan *responseDa
channel <- responseData channel <- responseData
} }
func (registry *SigningRequestRegistry) sign(request *requestData) (response *responseData, err error) { func (registry *SigningRequestRegistry) sign(request *SigningRequestAttributes) (*responseData, error) {
log.Debugf("received CSR for %s:\n\n%s", request.CommonName, request.Csr) log.Infof("handling signing request %s", request.RequestToken)
subjectDN := fmt.Sprintf("/CN=%s", request.CommonName) subjectDN := fmt.Sprintf("/CN=%s", request.CommonName)
var err error
var csrFile *os.File var csrFile *os.File
if csrFile, err = ioutil.TempFile("", "*.csr.pem"); err != nil { if csrFile, err = ioutil.TempFile("", "*.csr.pem"); err != nil {
log.Errorf("could not open temporary file: %s", err) log.Errorf("could not open temporary file: %s", err)
return return nil, err
} }
if _, err = csrFile.Write([]byte(request.Csr)); err != nil { if err = pem.Encode(csrFile, &pem.Block{
Type: "CERTIFICATE REQUEST",
Bytes: request.CSRBytes,
}); err != nil {
log.Errorf("could not write CSR to file: %s", err) log.Errorf("could not write CSR to file: %s", err)
return return nil, err
} }
if err = csrFile.Close(); err != nil { if err = csrFile.Close(); err != nil {
log.Errorf("could not close CSR file: %s", err) log.Errorf("could not close CSR file: %s", err)
return return nil, err
} }
defer func(file *os.File) { defer func(file *os.File) {
err = os.Remove(file.Name()) err = os.Remove(file.Name())
@ -81,7 +124,7 @@ func (registry *SigningRequestRegistry) sign(request *requestData) (response *re
opensslCommand := exec.Command( opensslCommand := exec.Command(
"openssl", "ca", "-config", "ca.cnf", "openssl", "ca", "-config", "ca.cnf",
"-policy", "policy_match", "-extensions", "client_ext", "-policy", "policy_match", "-extensions", "client_ext",
"-batch", "-subj", subjectDN, "-utf8", "-rand_serial", "-in", "in.pem") "-batch", "-subj", subjectDN, "-utf8", "-rand_serial", "-in", csrFile.Name())
var out, cmdErr bytes.Buffer var out, cmdErr bytes.Buffer
opensslCommand.Stdout = &out opensslCommand.Stdout = &out
opensslCommand.Stderr = &cmdErr opensslCommand.Stderr = &cmdErr
@ -89,32 +132,32 @@ func (registry *SigningRequestRegistry) sign(request *requestData) (response *re
if err != nil { if err != nil {
log.Error(err) log.Error(err)
log.Error(cmdErr.String()) log.Error(cmdErr.String())
return return nil, err
} }
var block *pem.Block var block *pem.Block
if block, _ = pem.Decode(out.Bytes()); block == nil { if block, _ = pem.Decode(out.Bytes()); block == nil {
err = fmt.Errorf("could not decode pem") err = fmt.Errorf("could not decode pem")
return return nil, err
} }
var certificate *x509.Certificate var certificate *x509.Certificate
if certificate, err = x509.ParseCertificate(block.Bytes); err != nil { if certificate, err = x509.ParseCertificate(block.Bytes); err != nil {
return return nil, err
} }
var caChain []string var caChain []string
if caChain, err = registry.getCAChain(certificate); err != nil { if caChain, err = registry.getCAChain(certificate); err != nil {
return return nil, err
} }
response = &responseData{ response := &responseData{
Certificate: string(pem.EncodeToMemory(&pem.Block{ Certificate: string(pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE", Type: "CERTIFICATE",
Bytes: certificate.Raw, Bytes: certificate.Raw,
})), })),
CAChain: caChain, CAChain: caChain,
} }
return return response, nil
} }
func (registry *SigningRequestRegistry) GetResponseChannel(requestUuid string) (chan *responseData, error) { func (registry *SigningRequestRegistry) GetResponseChannel(requestUuid string) (chan *responseData, error) {

View file

@ -53,7 +53,7 @@ func (h *CertificateSigningHandler) ServeHTTP(w http.ResponseWriter, r *http.Req
type requestData struct { type requestData struct {
Csr string `json:"csr"` Csr string `json:"csr"`
CommonName string `json:"commonName"` CommonName string `json:"common_name"`
} }
type responseData struct { type responseData struct {

24
main.go
View file

@ -25,16 +25,9 @@ import (
) )
func main() { func main() {
tlsConfig := &tls.Config{ log.SetFormatter(&log.TextFormatter{
CipherSuites: []uint16{ FullTimestamp: true,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, })
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
},
NextProtos: []string{"h2"},
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12,
}
bundle := loadI18nBundle() bundle := loadI18nBundle()
mux := http.NewServeMux() mux := http.NewServeMux()
@ -49,6 +42,17 @@ func main() {
mux.Handle("/js/", fileServer) mux.Handle("/js/", fileServer)
mux.Handle("/locales/", handlers.NewJSLocalesHandler(bundle)) mux.Handle("/locales/", handlers.NewJSLocalesHandler(bundle))
mux.Handle("/ws/", handlers.NewWebSocketHandler(signingRequestRegistry)) mux.Handle("/ws/", handlers.NewWebSocketHandler(signingRequestRegistry))
tlsConfig := &tls.Config{
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
},
NextProtos: []string{"h2"},
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12,
}
server := http.Server{ server := http.Server{
Addr: ":8000", Addr: ":8000",
Handler: csrf.Protect(csrfKey, csrf.FieldName("csrfToken"), csrf.RequestHeader("X-CSRF-Token"))(mux), Handler: csrf.Protect(csrfKey, csrf.FieldName("csrfToken"), csrf.RequestHeader("X-CSRF-Token"))(mux),

View file

@ -150,7 +150,7 @@
progressBar.setAttribute("aria-valuenow", "3"); progressBar.setAttribute("aria-valuenow", "3");
progressBar.classList.add('progress-bar-striped', 'progress-bar-animated'); progressBar.classList.add('progress-bar-striped', 'progress-bar-animated');
progressBar.innerHTML = i18n.t('keygen.generated', {seconds: seconds}) + ', ' + i18n.t('certificate.waiting'); progressBar.innerHTML = i18n.t('keygen.generated', {seconds: seconds}) + ', ' + i18n.t('certificate.waiting');
postData("/sign/", {"csr": csrPem, "commonName": subject}, csrfToken) postData("/sign/", {"csr": csrPem, "common_name": subject}, csrfToken)
.then(data => { .then(data => {
const request_id = data["request_id"] const request_id = data["request_id"]
const webSocket = new WebSocket( const webSocket = new WebSocket(