Start implementation of revoke action

2021-01-04 20:39:35 +01:00 · 2021-01-04 20:39:35 +01:00 · 2de9771472
commit 2de9771472
parent 38566f35ef
9 changed files with 739 additions and 57 deletions
--- a/signer/command_processor.go
+++ b/signer/command_processor.go
@ -1,8 +1,19 @@
 package signer

 import (
+	"bytes"
+	"crypto/rand"
+	"crypto/sha1"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/hex"
+	"encoding/pem"
 	"errors"
 	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"time"
 	"unsafe"

 	log "github.com/sirupsen/logrus"
@ -12,28 +23,45 @@ import (
 	"git.cacert.org/cacert-gosigner/shared"
 )

+const crlLifetime = time.Hour * 24 * 7
+
+var emptyDataSha1 [20]byte
+
+func init() {
+	emptyDataSha1 = sha1.Sum([]byte{})
+}
+
+type CommandProcessorSettings struct {
+	CABaseDir       string
+	XDeltaPath      string
+	OpenPGPUidEmail string
+}
+
 // The CommandProcessor takes parsed protocol data and executes the actual
 // functionality.
 type CommandProcessor struct {
+	Settings      *CommandProcessorSettings
+	CryptoSystems map[shared.CryptoSystemId]*CryptoSystem
 }

 // Process the signer request
-func (p *CommandProcessor) Process(command datastructures.SignerRequest) (
-	response *datastructures.SignerResponse,
-	err error,
+func (p *CommandProcessor) Process(command *datastructures.SignerRequest) (
+	*datastructures.SignerResponse,
+	error,
 ) {
-	log.Infof("analyze %+v", command)
+	log.Infof("process %s", command)
+
+	if command.Version != shared.ProtocolVersion {
+		return nil, fmt.Errorf("unsupported protocol version %d", command.Version)
+	}

 	switch command.Action {
 	case shared.ActionNul:
-		response, err = p.handleNulAction(command)
-		return
+		return p.handleNulAction(command)
 	case shared.ActionSign:
-		response, err = p.handleSignAction(command)
-		return
+		return p.handleSignAction(command)
 	case shared.ActionRevoke:
-		response, err = p.handleRevokeAction(command)
-		return
+		return p.handleRevokeAction(command)
 	default:
 		return nil, errors.New(fmt.Sprintf(
 			"unsupported Action 0x%02x %s",
@ -43,7 +71,7 @@ func (p *CommandProcessor) Process(command datastructures.SignerRequest) (
 	}
 }

-func (*CommandProcessor) handleNulAction(command datastructures.SignerRequest) (
+func (*CommandProcessor) handleNulAction(command *datastructures.SignerRequest) (
 	*datastructures.SignerResponse,
 	error,
 ) {
@ -64,13 +92,11 @@ func (*CommandProcessor) handleNulAction(command datastructures.SignerRequest) (
 		log.Errorf("could not set system time: %v", e1)
 	}

-	return &datastructures.SignerResponse{
-		Version: command.Version, Action: command.Action,
-		Content1: "", Content2: "", Content3: ""}, nil
+	return datastructures.NewNulResponse(command.Version), nil
 }

 func (p *CommandProcessor) handleSignAction(
-	command datastructures.SignerRequest,
+	command *datastructures.SignerRequest,
 ) (
 	*datastructures.SignerResponse,
 	error,
@ -80,11 +106,239 @@ func (p *CommandProcessor) handleSignAction(
 }

 func (p *CommandProcessor) handleRevokeAction(
-	command datastructures.SignerRequest,
+	command *datastructures.SignerRequest,
 ) (
 	*datastructures.SignerResponse,
 	error,
 ) {
 	log.Debugf("handle revoke call: %v", command)
+
+	idSystem, err := p.checkIdentitySystem(
+		command.System,
+		command.Root,
+		command.Profile,
+		command.MdAlgorithm,
+	)
+	if err != nil {
+		return nil, err
+	}
+	log.Debugf("identified id system: %+v", idSystem)
+
+	switch command.System {
+	case CsX509:
+		request := command.Content1
+		clientHash := command.Content3
+		return p.revokeX509(idSystem, request, clientHash)
+	default:
+		return nil, fmt.Errorf("revoke not implemented for crypto system %s", idSystem.System)
+	}
+}
+
+type IdSystemParameters struct {
+	System                 *CryptoSystem
+	Root                   *RootCredentials
+	RootId                 shared.CryptoSystemRootId
+	Profile                string
+	MessageDigestAlgorithm x509.SignatureAlgorithm
+}
+
+func (p *CommandProcessor) checkIdentitySystem(
+	systemId shared.CryptoSystemId,
+	rootId shared.CryptoSystemRootId,
+	profileId shared.CertificateProfileId,
+	algorithmId shared.MessageDigestAlgorithmId,
+) (*IdSystemParameters, error) {
+	cryptoSystem, ok := p.CryptoSystems[systemId]
+	if !ok {
+		return nil, fmt.Errorf(
+			"unsupported crypto system %d",
+			systemId,
+		)
+	}
+	root, ok := p.CryptoSystems[systemId].Roots[rootId]
+	if !ok {
+		return nil, fmt.Errorf(
+			"unsupported root certificate %d for crypto system %s",
+			rootId,
+			cryptoSystem,
+		)
+	}
+	profile, ok := p.CryptoSystems[systemId].Profiles[profileId]
+	if !ok {
+		return nil, fmt.Errorf(
+			"invalid CA profile %d for crypto system %s",
+			profileId,
+			cryptoSystem,
+		)
+	}
+	mdAlgorithm, ok := p.CryptoSystems[systemId].DigestAlgorithms[algorithmId]
+	if !ok {
+		return nil, fmt.Errorf(
+			"unsupported digest algorithm %d for crypto system %s",
+			algorithmId,
+			cryptoSystem,
+		)
+	}
+	return &IdSystemParameters{
+		System:                 cryptoSystem,
+		Root:                   root,
+		RootId:                 rootId,
+		Profile:                profile,
+		MessageDigestAlgorithm: mdAlgorithm,
+	}, nil
+}
+
+func (p *CommandProcessor) revokeX509(
+	system *IdSystemParameters,
+	request string,
+	clientHash string,
+) (*datastructures.SignerResponse, error) {
+	clientHashBytes, err := hex.DecodeString(clientHash)
+	if err != nil {
+		return nil, fmt.Errorf("could not parse '%s' as hex bytes", clientHash)
+	}
+
+	log.Debugf("revoke X.509 for root %s (%d)", system.Root, system.RootId)
+	log.Debugf("hash bytes from client %x", clientHashBytes)
+
+	crlFileName := fmt.Sprintf("revoke-root%d.crl", system.RootId)
+	stat, err := os.Stat(crlFileName)
+	if err != nil {
+		log.Debugf("CRL file %s does not exist", crlFileName)
+	} else if stat.IsDir() {
+		return nil, fmt.Errorf("CRL filename %s points to a directory", crlFileName)
+	}
+
+	currentHash := emptyDataSha1
+	if stat != nil {
+		crlData, err := ioutil.ReadFile(crlFileName)
+		if err != nil {
+			log.Warnf("could not read current CRL, assuming empty CRL")
+		}
+		currentHash = sha1.Sum(crlData)
+	}
+	log.Debugf("hash bytes on signer %x", currentHash)
+
+	crlIsCurrent := false
+	if bytes.Equal(clientHashBytes, currentHash[:]) {
+		log.Debug("client CRL hash and current CRL hash on signer match")
+		err := p.deleteOldCrl(system.RootId, clientHash)
+		if err != nil {
+			log.Warnf("could not delete old CRLs: %v", err)
+		}
+		if !bytes.Equal(clientHashBytes, emptyDataSha1[:]) {
+			crlIsCurrent = true
+		} else {
+			log.Debugf("client has an empty CRL, the signer too")
+		}
+	}
+
+	if len(request) > 0 {
+		_, err = revokeCertificate(request, system.System, system.RootId)
+		if err != nil {
+			return nil, fmt.Errorf("could not revoke certificate / create CRL: %v", err)
+		}
+	}
+
+	var crlBytes []byte
+	crlBytes, err = generateCrl(system.MessageDigestAlgorithm, system.System, system.RootId)
+	if err != nil {
+		return nil, fmt.Errorf("could not generate a new CRL for root %d: %v", system.RootId, err)
+	}
+	log.Debugf("crlIsCurrent: %v, crlBytes: %d", crlIsCurrent, len(crlBytes))
+
+	log.Tracef("New CRL\n%s", pem.EncodeToMemory(&pem.Block{
+		Type:  "X509 CRL",
+		Bytes: crlBytes,
+	}))
+
+	err = ioutil.WriteFile(crlFileName, crlBytes, 0644)
+	if err != nil {
+		return nil, fmt.Errorf("could not write new CRL to %s: %v", crlFileName, err)
+	}
+
 	return nil, errors.New("not implemented yet")
 }
+
+func (p *CommandProcessor) deleteOldCrl(id shared.CryptoSystemRootId, hash string) error {
+	path.Join(p.Settings.CABaseDir, "currentcrls", fmt.Sprintf("%d", id))
+	// TODO: implement
+	return errors.New("not implemented yet")
+}
+
+func generateCrl(
+	algorithm x509.SignatureAlgorithm,
+	system *CryptoSystem,
+	rootId shared.CryptoSystemRootId,
+) ([]byte, error) {
+	caCertificate, err := system.loadCertificate(rootId)
+	if err != nil {
+		return nil, err
+	}
+	caPrivateKey, err := system.getPrivateKey(rootId)
+	if err != nil {
+		return nil, err
+	}
+	certificatesToRevoke, err := system.loadRevokedCertificatesFromDatabase(rootId)
+	if err != nil {
+		return nil, err
+	}
+	nextCrlNumber, err := system.getNextCRLNumber(rootId)
+	if err != nil {
+		return nil, err
+	}
+	crlTemplate := &x509.RevocationList{
+		SignatureAlgorithm:  algorithm,
+		RevokedCertificates: certificatesToRevoke,
+		Number:              nextCrlNumber,
+		ThisUpdate:          time.Now(),
+		NextUpdate:          time.Now().Add(crlLifetime),
+		ExtraExtensions:     nil,
+	}
+
+	defer func() {
+		if err = system.bumpCRLNumber(rootId, nextCrlNumber); err != nil {
+			log.Errorf("could not bump CRL number: %v", err)
+		}
+	}()
+
+	return x509.CreateRevocationList(
+		rand.Reader,
+		crlTemplate,
+		caCertificate,
+		caPrivateKey,
+	)
+}
+
+func revokeCertificate(request string, system *CryptoSystem, rootId shared.CryptoSystemRootId) (*pkix.RevokedCertificate, error) {
+	pemBlock, _ := pem.Decode([]byte(request))
+	if pemBlock.Type != "CERTIFICATE" {
+		if pemBlock.Type != "CERTIFICATE" {
+			log.Warnf(
+				"PEM structure is probably not a certificate. PEM block has type %s",
+				pemBlock.Type,
+			)
+			log.Trace(request)
+		}
+	}
+	certificate, err := x509.ParseCertificate(pemBlock.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"could no parse certificate: %v",
+			err,
+		)
+	}
+	return system.recordRevocation(rootId, certificate)
+}
+
+func NewCommandProcessorSettings() *CommandProcessorSettings {
+	caBasedir, ok := os.LookupEnv("SIGNER_BASEDIR")
+	if !ok {
+		caBasedir = "."
+	}
+	gpgUidEmail, ok := os.LookupEnv("SIGNER_GPG_KEYRING_DIR")
+	if !ok {
+		gpgUidEmail = "gpg@cacert.org"
+	}
+	return &CommandProcessorSettings{CABaseDir: caBasedir, OpenPGPUidEmail: gpgUidEmail, XDeltaPath: "/usr/bin/xdelta"}
+}