jan
/
cacert-gosigner
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Configure golangci-lint and fix warnings

This commit is contained in:
Jan Dittberner 2021-01-09 11:24:40 +01:00
parent ecd1846975
commit 2e467b3d2e
20 changed files with 915 additions and 559 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
.golangci.yml Normal file
View File

@ -0,0 +1,39 @@
---
output:
sort-results: true
linter-settings:
goimports:
local-prefixes: git.cacert.org/cacert-gosigner
misspell:
locale: US
ignore-words:
- CAcert
linters:
disable-all: false
enable:
- errorlint
- gocognit
- goconst
- gocritic
- gofmt
- goheader
- goimports
- golint
- gomnd
- gosec
- interfacer
- lll
- makezero
- misspell
- nakedret
- nestif
- nlreturn
- nolintlint
- predeclared
- rowserrcheck
- scopelint
- sqlclosecheck
- wrapcheck
- wsl

46
client/config.go
View File

@ -2,10 +2,17 @@ package main
import (
"fmt"
"github.com/sirupsen/logrus"
"io/ioutil"
log "github.com/sirupsen/logrus"
"go.bug.st/serial"
"gopkg.in/yaml.v2"
"io/ioutil"
)
const (
dataBits = 8
defaultBaudRate = 115200
defaultBufferSize = 2048
)
type ClientConfig struct {
@ -21,8 +28,8 @@ type ClientConfig struct {
var defaultConfig = ClientConfig{
SerialAddress: "/dev/ttyUSB0",
BaudRate: 115200,
BufferSize: 2048,
BaudRate: defaultBaudRate,
BufferSize: defaultBufferSize,
Paranoid: false,
Debug: false,
OpenSSLBinary: "/usr/bin/openssl",
@ -30,31 +37,36 @@ var defaultConfig = ClientConfig{
MySQLDSN: "<username>:<password>@/database?parseTime=true",
}
func generateExampleConfig(configFile string) (config *ClientConfig, err error) {
config = &defaultConfig
func generateExampleConfig(configFile string) (*ClientConfig, error) {
config := &defaultConfig
configBytes, err := yaml.Marshal(config)
if err != nil {
logrus.Errorf("could not generate configuration data")
return
return nil, fmt.Errorf("could not generate configuration data: %w", err)
}
logrus.Infof("example data for %s:\n\n---\n%s\n", configFile, configBytes)
return
log.Infof("example data for %s:\n\n---\n%s\n", configFile, configBytes)
return config, nil
}
func readConfig(configFile string) (config *ClientConfig, err error) {
source, err := ioutil.ReadFile(configFile)
if err != nil {
logrus.Errorf("opening configuration file failed: %v", err)
if exampleConfig, err := generateExampleConfig(configFile); err != nil {
log.Errorf("opening configuration file failed: %v", err)
exampleConfig, err := generateExampleConfig(configFile)
if err != nil {
return nil, err
} else {
logrus.Info("starting with default config")
}
log.Info("starting with default config")
return exampleConfig, nil
}
}
if err := yaml.Unmarshal(source, &config); err != nil {
return nil, fmt.Errorf("loading configuration file failed: %v", err)
return nil, fmt.Errorf("loading configuration file failed: %w", err)
}
return config, nil
@ -63,7 +75,7 @@ func readConfig(configFile string) (config *ClientConfig, err error) {
func fillSerialMode(clientConfig *ClientConfig) *serial.Mode {
return &serial.Mode{
BaudRate: clientConfig.BaudRate,
DataBits: 8,
DataBits: dataBits,
StopBits: serial.OneStopBit,
Parity: serial.NoParity,
}

5
client/config_test.go
View File

@ -2,14 +2,15 @@ package main
import (
"bytes"
"github.com/sirupsen/logrus"
"strings"
"testing"
log "github.com/sirupsen/logrus"
)
func TestGenerateExampleConfig(t *testing.T) {
testOutput := bytes.Buffer{}
logrus.SetOutput(&testOutput)
log.SetOutput(&testOutput)
config, err := generateExampleConfig("test.yaml")

44
client/main.go
View File

@ -16,29 +16,37 @@ import (
"git.cacert.org/cacert-gosigner/datastructures"
)
const mainLoopSleep = 2700
func main() {
var configFile string
flag.StringVar(&configFile, "c", "client.yaml", "client configuration file in YAML format")
flag.Parse()
var clientConfig *ClientConfig
var serialConfig *serial.Mode
var err error
var (
clientConfig *ClientConfig
serialConfig *serial.Mode
err error
)
if clientConfig, err = readConfig(configFile); err != nil {
log.Panic(err)
}
serialConfig = fillSerialMode(clientConfig)
if clientConfig.Debug {
log.SetLevel(log.TraceLevel)
}
log.Infof("connecting to %s using %+v", clientConfig.SerialAddress, serialConfig)
port, err := serial.Open(clientConfig.SerialAddress, serialConfig)
if err != nil {
log.Fatal(err)
}
log.Debug("serial port connected")
requestChannel := protocol.NewSignerProtocolRequestChannel()
@ -48,6 +56,7 @@ func main() {
if clientConfig.BufferSize != 0 {
clientProtocolConfig.BufferSize = int(clientConfig.BufferSize)
}
protocolHandler := protocol.NewProtocolHandler(
requestChannel, &responseChannel, port, clientProtocolConfig,
)
@ -55,14 +64,17 @@ func main() {
cancelChannel := make(chan os.Signal, 1)
signal.Notify(cancelChannel, syscall.SIGTERM, syscall.SIGINT)
const goRoutines = 2
wg := sync.WaitGroup{}
wg.Add(2)
wg.Add(goRoutines)
go func() {
if err := protocolHandler.HandleSignerProtocol(); err != nil {
log.Errorf("terminating because of %v", err)
close(cancelChannel)
}
wg.Done()
}()
@ -75,20 +87,26 @@ func main() {
if sig != nil {
log.Infof("caught %+v", sig)
}
if err := protocolHandler.Close(); err != nil {
log.Error(err)
} else {
log.Infof("protocol handler closed")
}
if err := port.Close(); err != nil {
log.Error(err)
} else {
log.Infof("serial port closed")
}
wg.Wait()
}
func runMainLoop(requestChannel *protocol.SignerProtocolRequestChannel, responseChannel *chan *datastructures.SignerResponse) {
func runMainLoop(
requestChannel *protocol.SignerProtocolRequestChannel,
responseChannel *chan *datastructures.SignerResponse,
) {
crlCheck := 0
log.Debug("starting main loop")
@ -99,30 +117,28 @@ func runMainLoop(requestChannel *protocol.SignerProtocolRequestChannel, response
log.Error(err)
}
}
log.Trace("processing goroutine terminated")
}()
for {
log.Debug("handling GPG database ...")
// HandleGPG(&requestChannel)
log.Debug("issuing certificates ...")
// HandleCertificates(&requestChannel)
log.Debug("revoking certificates ...")
// RevokeCertificates(&requestChannel)
log.Debug("handling GPG database ...") // HandleGPG(&requestChannel)
log.Debug("issuing certificates ...") // HandleCertificates(&requestChannel)
log.Debug("revoking certificates ...") // RevokeCertificates(&requestChannel)
crlCheck++
if crlCheck%100 == 0 {
log.Debug("refresh CRLs ...")
// RefreshCRLs(&requestChannel)
log.Debug("refresh CRLs ...") // RefreshCRLs(&requestChannel)
}
if requestChannel.IsClosed() {
return
}
log.Debug("send NUL request to keep connection open")
requestChannel.C <- datastructures.NewNulRequest()
log.Debug("sleep for 2.7 seconds")
time.Sleep(2700 * time.Millisecond)
time.Sleep(mainLoopSleep * time.Millisecond)
}
}

1
client/processing/process.go
View File

@ -16,6 +16,7 @@ func Process(response *datastructures.SignerResponse) (err error) {
switch response.Action {
case shared.ActionNul:
logrus.Trace("received response for NUL request")
return
default:
return fmt.Errorf("unsupported action in response 0x%x", response.Action)

205
client/protocol/protocol.go
View File

@ -2,6 +2,7 @@ package protocol
import (
"bytes"
"errors"
"fmt"
"io"
"sync"
@ -13,17 +14,24 @@ import (
"git.cacert.org/cacert-gosigner/shared"
)
const (
waitForHeader = 20
waitForData = 5
waitForHandShake = 120
bufferSize = 2048
)
type SignerProtocolHandler interface {
io.Closer
HandleSignerProtocol() error
}
type signerProtocolConfig struct {
type SignerProtocolConfig struct {
BufferSize int
}
func NewSignerProtocolConfig() *signerProtocolConfig {
return &signerProtocolConfig{BufferSize: 2048}
func NewSignerProtocolConfig() *SignerProtocolConfig {
return &SignerProtocolConfig{BufferSize: bufferSize}
}
type SignerProtocolRequestChannel struct {
@ -39,6 +47,7 @@ func NewSignerProtocolRequestChannel() *SignerProtocolRequestChannel {
func (rc *SignerProtocolRequestChannel) SafeClose() {
rc.mutex.Lock()
defer rc.mutex.Unlock()
if !rc.closed {
close(rc.C)
rc.closed = true
@ -48,6 +57,7 @@ func (rc *SignerProtocolRequestChannel) SafeClose() {
func (rc *SignerProtocolRequestChannel) IsClosed() bool {
rc.mutex.Lock()
defer rc.mutex.Unlock()
return rc.closed
}
@ -55,7 +65,7 @@ type protocolHandler struct {
requestChannel *SignerProtocolRequestChannel
responseChannel *chan *datastructures.SignerResponse
serialConnection io.ReadWriteCloser
config *signerProtocolConfig
config *SignerProtocolConfig
}
type UnExpectedAcknowledgeByte struct {
@ -75,6 +85,7 @@ func (e UnExpectedAcknowledgeByte) Error() string {
func (ph *protocolHandler) Close() error {
close(*ph.responseChannel)
ph.requestChannel.SafeClose()
return nil
}
@ -82,7 +93,7 @@ func NewProtocolHandler(
requests *SignerProtocolRequestChannel,
response *chan *datastructures.SignerResponse,
serialConnection io.ReadWriteCloser,
config *signerProtocolConfig,
config *SignerProtocolConfig,
) SignerProtocolHandler {
return &protocolHandler{
requestChannel: requests,
@ -93,85 +104,115 @@ func NewProtocolHandler(
}
func (ph *protocolHandler) HandleSignerProtocol() error {
for {
select {
case request := <-ph.requestChannel.C:
for request := range ph.requestChannel.C {
log.Tracef("handle request %+v", request)
var err error
var lengthBytes, responseBytes *[]byte
var checksum byte
var (
err error
lengthBytes, responseBytes *[]byte
checksum byte
)
if err = ph.sendHandshake(); err != nil {
switch err.(type) {
case UnExpectedAcknowledgeByte:
log.Errorf("unexpected handshake byte: 0x%x", err.(UnExpectedAcknowledgeByte).ResponseByte)
// TODO drain input
var e *UnExpectedHandshakeByte
if errors.As(err, &e) {
log.Errorf("unexpected handshake byte: 0x%x", e.ResponseByte)
}
return err
}
requestBytes := request.Serialize()
if err = ph.sendRequest(&requestBytes); err != nil {
return err
}
if err = ph.waitForResponseHandshake(); err != nil {
return err
}
if lengthBytes, responseBytes, checksum, err = ph.readResponse(); err != nil {
return err
}
response, err := datastructures.SignerResponseFromData(*lengthBytes, *responseBytes, checksum)
if err != nil {
return err
}
*ph.responseChannel <- response
}
}
return fmt.Errorf("could not create response: %w", err)
}
*ph.responseChannel <- response
}
return nil
}
func (ph *protocolHandler) sendHandshake() error {
var (
bytesWritten, bytesRead int
err error
)
data := make([]byte, 0)
bytesWritten, err = ph.serialConnection.Write([]byte{shared.HandshakeByte})
if err != nil {
return fmt.Errorf("could not send handshake byte: %w", err)
}
func (ph *protocolHandler) sendHandshake() (err error) {
var bytesWritten, bytesRead int
if bytesWritten, err = ph.serialConnection.Write([]byte{shared.HandshakeByte}); err != nil {
return
} else {
log.Tracef("wrote %d bytes of handshake info", bytesWritten)
bytesRead, err = ph.serialConnection.Read(data)
if err != nil {
return fmt.Errorf("could not receieve ACK byte: %w", err)
}
data := make([]byte, 1)
if bytesRead, err = ph.serialConnection.Read(data); err != nil {
return
}
log.Tracef("%d bytes read", bytesRead)
if bytesRead != 1 || data[0] != shared.AckByte {
log.Warnf("received invalid handshake byte 0x%x", data[0])
return UnExpectedAcknowledgeByte{data[0]}
}
return
return nil
}
func (ph *protocolHandler) sendRequest(requestBytes *[]byte) error {
var (
n int
err error
)
for {
if length, err := ph.serialConnection.Write(*requestBytes); err != nil {
return err
} else {
log.Tracef("wrote %d request bytes", length)
}
if length, err := ph.serialConnection.Write([]byte{
datastructures.CalculateXorCheckSum([][]byte{*requestBytes}),
}); err != nil {
return err
} else {
log.Tracef("wrote %d checksum bytes", length)
}
if length, err := ph.serialConnection.Write([]byte(shared.MagicTrailer)); err != nil {
return err
} else {
log.Tracef("wrote %d trailer bytes", length)
}
header, err := shared.ReceiveBytes(ph.serialConnection, 1, 20*time.Second)
n, err = ph.serialConnection.Write(*requestBytes)
if err != nil {
return err
return fmt.Errorf("could not send request bytes: %w", err)
}
log.Tracef("wrote %d request bytes", n)
n, err = ph.serialConnection.Write([]byte{
datastructures.CalculateXorCheckSum([][]byte{*requestBytes}),
})
if err != nil {
return fmt.Errorf("could not send checksum byte: %w", err)
}
log.Tracef("wrote %d checksum bytes", n)
n, err = ph.serialConnection.Write([]byte(shared.MagicTrailer))
if err != nil {
return fmt.Errorf("could not send trailer bytes: %w", err)
}
log.Tracef("wrote %d trailer bytes", n)
header, err := shared.ReceiveBytes(ph.serialConnection, 1, waitForHeader*time.Second)
if err != nil {
return fmt.Errorf("could not read header bytes: %w", err)
}
switch header[0] {
case shared.AckByte:
return nil
@ -182,62 +223,78 @@ func (ph *protocolHandler) sendRequest(requestBytes *[]byte) error {
}
}
func (ph *protocolHandler) waitForResponseHandshake() (err error) {
data, err := shared.ReceiveBytes(ph.serialConnection, 1, 120*time.Second)
func (ph *protocolHandler) waitForResponseHandshake() error {
data, err := shared.ReceiveBytes(ph.serialConnection, 1, waitForHandShake*time.Second)
if err != nil {
return err
}
if len(data) != 1 || data[0] != shared.HandshakeByte {
log.Warnf("received invalid handshake byte 0x%x", data[0])
return UnExpectedHandshakeByte{data[0]}
}
if err = shared.SendBytes(ph.serialConnection, []byte{shared.AckByte}); err != nil {
return
return fmt.Errorf("could not receive handshake byte: %w", err)
}
return
if len(data) != 1 || data[0] != shared.HandshakeByte {
log.Warnf("received invalid handshake byte 0x%x", data[0])
return UnExpectedHandshakeByte{data[0]}
}
if err = shared.SendBytes(ph.serialConnection, []byte{shared.AckByte}); err != nil {
return fmt.Errorf("could not send ACK: %w", err)
}
return nil
}
func (ph *protocolHandler) readResponse() (*[]byte, *[]byte, byte, error) {
dataLength := -1
var lengthBuffer = bytes.NewBuffer(make([]byte, 0))
var byteBuffer = bytes.NewBuffer(make([]byte, 0))
var (
lengthBuffer = bytes.NewBuffer(make([]byte, 0))
byteBuffer = bytes.NewBuffer(make([]byte, 0))
)
for {
readBuffer, err := shared.ReceiveBytes(ph.serialConnection, ph.config.BufferSize, 5*time.Second)
readBuffer, err := shared.ReceiveBytes(ph.serialConnection, ph.config.BufferSize, waitForData*time.Second)
if err != nil {
return nil, nil, 0, err
return nil, nil, 0, fmt.Errorf("could not receive response: %w", err)
}
bytesRead := len(readBuffer)
if bytesRead > 0 {
byteBuffer.Write(readBuffer[0:bytesRead])
for _, b := range readBuffer {
if lengthBuffer.Len() < 3 {
if lengthBuffer.Len() < shared.LengthFieldSize {
lengthBuffer.WriteByte(b)
} else {
break
}
}
}
if dataLength < 0 && lengthBuffer.Len() == 3 {
if dataLength < 0 && lengthBuffer.Len() == shared.LengthFieldSize {
dataLength = datastructures.Decode24BitLength(lengthBuffer.Bytes())
log.Tracef("expect to read %d data bytes", dataLength)
}
if dataLength == byteBuffer.Len()-4-len(shared.MagicTrailer) {
trailerOffset := shared.LengthFieldSize + shared.CheckSumFieldSize
if dataLength == byteBuffer.Len()-trailerOffset-len(shared.MagicTrailer) {
allBytes := byteBuffer.Bytes()
trailer := string(allBytes[4+dataLength:])
trailer := string(allBytes[trailerOffset+dataLength:])
if trailer != shared.MagicTrailer {
return nil, nil, 0, fmt.Errorf("invalid trailer bytes: %v", trailer)
}
lengthBytes := allBytes[0:3]
dataBytes := allBytes[3 : 3+dataLength]
checkSum := allBytes[3+dataLength]
lengthBytes := allBytes[0:shared.LengthFieldSize]
dataBytes := allBytes[shared.LengthFieldSize : shared.LengthFieldSize+dataLength]
checkSum := allBytes[shared.LengthFieldSize+dataLength]
calculatedChecksum := datastructures.CalculateXorCheckSum([][]byte{lengthBytes, dataBytes})
if calculatedChecksum != checkSum {
return nil, nil, 0, fmt.Errorf("calculated checksum mismatch 0x%x vs 0x%x", calculatedChecksum, checkSum)
}
if err := shared.SendBytes(ph.serialConnection, []byte{shared.AckByte}); err != nil {
return nil, nil, 0, err
return nil, nil, 0, fmt.Errorf("could not send ACK byte: %w", err)
}
return &lengthBytes, &dataBytes, checkSum, nil

9
cmd/signer/main.go
View File

@ -14,11 +14,12 @@ import (
func main() {
var (
address string
baudRate int
baudRate, dataBits int
)
flag.StringVar(&address, "a", "/dev/ttyUSB0", "address")
flag.IntVar(&baudRate, "b", 115200, "baud rate")
flag.IntVar(&dataBits, "d", 8, "data bits")
flag.Parse()
log.SetFormatter(&log.TextFormatter{
@ -29,15 +30,18 @@ func main() {
serialMode := &serial.Mode{
BaudRate: baudRate,
DataBits: 8,
DataBits: dataBits,
StopBits: serial.OneStopBit,
Parity: serial.NoParity,
}
log.Infof("connecting to %s using %+v", address, serialMode)
port, err := serial.Open(address, serialMode)
if err != nil {
log.Fatalf("could not open serial port: %v", err)
}
log.Info("connected")
defer func() {
@ -45,6 +49,7 @@ func main() {
if err != nil {
log.Fatalf("could not close port: %v", err)
}
log.Info("serial port closed")
}()

3
datastructures/common.go
View File

@ -7,6 +7,7 @@ const signerTimeFormat = "010203042006.05"
func Encode24BitLength(data []byte) []byte {
lengthBytes := make([]byte, 4)
binary.BigEndian.PutUint32(lengthBytes, uint32(len(data)))
return lengthBytes[1:]
}
@ -17,10 +18,12 @@ func Decode24BitLength(bytes []byte) int {
func CalculateXorCheckSum(byteBlocks [][]byte) byte {
var result byte = 0x0
for _, byteBlock := range byteBlocks {
for _, b := range byteBlock {
result ^= b
}
}
return result
}

65
datastructures/signerrequest.go
View File

@ -9,13 +9,21 @@ import (
"git.cacert.org/cacert-gosigner/shared"
)
const (
headerPosSystem = 2
headerPosRoot = 3
headerPosProfile = 4
headerPosSignatureAlgorithm = 5
headerPosDay = 6
)
type SignerRequest struct {
Version uint8
Action shared.Action
System shared.CryptoSystemId
Root shared.CryptoSystemRootId
Profile shared.CertificateProfileId
MdAlgorithm shared.MessageDigestAlgorithmId
System shared.CryptoSystemID
Root shared.CryptoSystemRootID
Profile shared.CertificateProfileID
MdAlgorithm shared.SignatureAlgorithmID
Days uint16
Spkac uint8
Content1 []byte
@ -24,33 +32,33 @@ type SignerRequest struct {
}
func SignerRequestFromData(blockData []byte) (*SignerRequest, error) {
headerLength := Decode24BitLength(blockData[0:3])
headerBytes := blockData[3 : 3+headerLength]
headerLength := Decode24BitLength(blockData[0:shared.LengthFieldSize])
headerBytes := blockData[shared.LengthFieldSize : shared.LengthFieldSize+headerLength]
contentBytes := blockData[3+headerLength:]
content1Length := Decode24BitLength(contentBytes[0:3])
content1 := contentBytes[3 : 3+content1Length]
contentBytes := blockData[shared.LengthFieldSize+headerLength:]
contentLen := Decode24BitLength(contentBytes[0:shared.LengthFieldSize])
content := contentBytes[shared.LengthFieldSize : shared.LengthFieldSize+contentLen]
content2Offset := 3 + content1Length
content2Length := Decode24BitLength(contentBytes[content2Offset : content2Offset+3])
content2 := contentBytes[3+content2Offset : 3+content2Offset+content2Length]
argument1Offset := shared.LengthFieldSize + contentLen
argument1Len := Decode24BitLength(contentBytes[argument1Offset : argument1Offset+shared.LengthFieldSize])
argument1 := contentBytes[shared.LengthFieldSize+argument1Offset : shared.LengthFieldSize+argument1Offset+argument1Len]
content3Offset := 3 + content2Offset + content2Length
content3Length := Decode24BitLength(contentBytes[content3Offset : content3Offset+3])
content3 := contentBytes[3+content3Offset : 3+content3Offset+content3Length]
argument2Offset := shared.LengthFieldSize + argument1Offset + argument1Len
argument2Len := Decode24BitLength(contentBytes[argument2Offset : argument2Offset+shared.LengthFieldSize])
argument2 := contentBytes[shared.LengthFieldSize+argument2Offset : shared.LengthFieldSize+argument2Offset+argument2Len]
return &SignerRequest{
Version: headerBytes[0],
Action: shared.Action(headerBytes[1]),
System: shared.CryptoSystemId(headerBytes[2]),
Root: shared.CryptoSystemRootId(headerBytes[3]),
Profile: shared.CertificateProfileId(headerBytes[4]),
MdAlgorithm: shared.MessageDigestAlgorithmId(headerBytes[5]),
Days: binary.BigEndian.Uint16([]byte{headerBytes[6], headerBytes[7]}),
Version: headerBytes[headerPosVersion],
Action: shared.Action(headerBytes[headerPosAction]),
System: shared.CryptoSystemID(headerBytes[headerPosSystem]),
Root: shared.CryptoSystemRootID(headerBytes[headerPosRoot]),
Profile: shared.CertificateProfileID(headerBytes[headerPosProfile]),
MdAlgorithm: shared.SignatureAlgorithmID(headerBytes[headerPosSignatureAlgorithm]),
Days: binary.BigEndian.Uint16(headerBytes[headerPosDay : headerPosDay+1]),
Spkac: headerBytes[8],
Content1: content1,
Content2: content2,
Content3: content3,
Content1: content,
Content2: argument1,
Content3: argument2,
}, nil
}
@ -76,6 +84,7 @@ func (r *SignerRequest) Serialize() []byte {
Encode24BitLength(content2Bytes), content2Bytes,
Encode24BitLength(content3Bytes), content3Bytes,
}, []byte{})
return bytes.Join([][]byte{Encode24BitLength(blockBytes), blockBytes}, []byte{})
}
@ -97,9 +106,11 @@ func (r *SignerRequest) String() string {
}
func shorten(original []byte) []byte {
if len(original) > 20 {
return original[:20]
const maxLength = 20
if len(original) > maxLength {
return original[:maxLength]
}
return original
}

39
datastructures/signerresponse.go
View File

@ -8,6 +8,16 @@ import (
"git.cacert.org/cacert-gosigner/shared"
)
const (
headerPosVersion = 0
headerPosAction = 1
headerPosReserved1 = 2
headerPosReserved2 = 3
blockPosContent = 0
blockPosArgument1 = 1
blockPosArgument2 = 2
)
type SignerResponse struct {
Version uint8
Action shared.Action
@ -19,23 +29,25 @@ type SignerResponse struct {
}
func SignerResponseFromData(lengthBytes []byte, blockData []byte, checkSum byte) (*SignerResponse, error) {
if len(blockData) < 3 {
if len(blockData) < shared.LengthFieldSize {
return nil, errors.New("begin of structure corrupt")
}
offset := 0
headerLength := Decode24BitLength(blockData[offset : offset+3])
offset += 3
headerLength := Decode24BitLength(blockData[offset : offset+shared.LengthFieldSize])
offset += shared.LengthFieldSize
headerBytes := blockData[offset : offset+headerLength]
offset += headerLength
content := make([][]byte, 3)
content := make([][]byte, 0)
for offset < len(blockData) {
dataLength := Decode24BitLength(blockData[offset : offset+3])
if len(blockData)-3 < dataLength {
if len(blockData)-shared.LengthFieldSize < dataLength {
return nil, errors.New("structure cut off")
}
offset += 3
offset += shared.LengthFieldSize
content = append(content, blockData[offset:offset+dataLength])
offset += dataLength
}
@ -46,13 +58,13 @@ func SignerResponseFromData(lengthBytes []byte, blockData []byte, checkSum byte)
}
return &SignerResponse{
Version: headerBytes[0],
Action: shared.Action(headerBytes[1]),
Reserved1: headerBytes[2],
Reserved2: headerBytes[3],
Content: content[0],
Argument1: content[1],
Argument2: content[2],
Version: headerBytes[headerPosVersion],
Action: shared.Action(headerBytes[headerPosAction]),
Reserved1: headerBytes[headerPosReserved1],
Reserved2: headerBytes[headerPosReserved2],
Content: content[blockPosContent],
Argument1: content[blockPosArgument1],
Argument2: content[blockPosArgument2],
}, nil
}
@ -64,6 +76,7 @@ func (r SignerResponse) Serialize() []byte {
Encode24BitLength(r.Argument1), r.Argument1,
Encode24BitLength(r.Argument2), r.Argument2,
}, []byte{})
return bytes.Join([][]byte{Encode24BitLength(blockBytes), blockBytes}, []byte{})
}

17
shared/io.go
View File

@ -13,12 +13,15 @@ import (
func ReceiveBytes(port io.Reader, count int, timeout time.Duration) ([]byte, error) {
readCh := make(chan []byte, 1)
errCh := make(chan error, 1)
go func() {
buffer := bytes.NewBuffer([]byte{})
for remainder := count; remainder > 0; {
data := make([]byte, remainder)
if readBytes, err := port.Read(data); err != nil {
errCh <- err
return
} else if readBytes > 0 {
buffer.Write(data[0:readBytes])
@ -26,6 +29,7 @@ func ReceiveBytes(port io.Reader, count int, timeout time.Duration) ([]byte, err
log.Tracef("%d bytes read, remaining %d", readBytes, remainder)
}
}
readCh <- buffer.Bytes()
close(readCh)
}()
@ -38,19 +42,24 @@ func ReceiveBytes(port io.Reader, count int, timeout time.Duration) ([]byte, err
return nil, err
case data := <-readCh:
log.Tracef("received %d bytes from channel", len(data))
if data == nil {
break
}
buffer.Write(data)
}
return buffer.Bytes(), nil
}
func SendBytes(port io.Writer, data []byte) error {
if bytesWritten, err := port.Write(data); err != nil {
return err
} else {
log.Tracef("wrote %d bytes", bytesWritten)
n, err := port.Write(data)
if err != nil {
return fmt.Errorf("could not send bytes: %w", err)
}
log.Tracef("wrote %d bytes", n)
return nil
}

10
shared/shared.go
View File

@ -19,7 +19,7 @@ type Action byte
const (
ActionNul = Action(0)
ActionSign = Action(1)
ActionRevoke = Action(2)
ActionRevoke = Action(2) // nolint:gomnd
)
func (a Action) String() string {
@ -35,10 +35,10 @@ func (a Action) String() string {
}
}
type CryptoSystemRootId byte
type CryptoSystemRootID byte
type CertificateProfileId byte
type CertificateProfileID byte
type MessageDigestAlgorithmId byte
type SignatureAlgorithmID byte
type CryptoSystemId byte
type CryptoSystemID byte

199
signer/command_processor.go
View File

@ -19,8 +19,8 @@ import (
"git.cacert.org/cacert-gosigner/datastructures"
"git.cacert.org/cacert-gosigner/shared"
"git.cacert.org/cacert-gosigner/signer/openpgp_ops"
"git.cacert.org/cacert-gosigner/signer/x509_ops"
"git.cacert.org/cacert-gosigner/signer/openpgpops"
"git.cacert.org/cacert-gosigner/signer/x509ops"
)
type CommandProcessorSettings struct {
@ -34,7 +34,7 @@ type CommandProcessorSettings struct {
// functionality.
type CommandProcessor struct {
Settings *CommandProcessorSettings
CryptoSystems map[shared.CryptoSystemId]*CryptoSystem
CryptoSystems map[shared.CryptoSystemID]*CryptoSystem
}
// Process the signer request
@ -56,11 +56,11 @@ func (p *CommandProcessor) Process(command *datastructures.SignerRequest) (
case shared.ActionRevoke:
return p.handleRevokeAction(command)
default:
return nil, errors.New(fmt.Sprintf(
return nil, fmt.Errorf(
"unsupported Action 0x%02x %s",
int(command.Action),
command.Action,
))
)
}
}
@ -69,10 +69,12 @@ func (*CommandProcessor) handleNulAction(command *datastructures.SignerRequest)
error,
) {
var timeSpec unix.Timespec
err := unix.ClockGettime(unix.CLOCK_REALTIME, &timeSpec)
if err != nil {
log.Errorf("could not get system time: %v", err)
}
log.Debugf("current system time is %v", timeSpec)
// TODO: calculate the actual system time from the payload
_, _, e1 := unix.Syscall(
@ -101,6 +103,7 @@ func (p *CommandProcessor) handleSignAction(
if err != nil {
return nil, err
}
log.Debugf("identified id system: %s", idSystem)
switch command.System {
@ -109,19 +112,21 @@ func (p *CommandProcessor) handleSignAction(
san := command.Content2
subject := command.Content3
if content, err := p.signX509Certificate(idSystem, command.Days, command.Spkac, request, san, subject); err != nil {
return nil, err
} else {
return datastructures.NewSignResponse(command.Version, content), nil
content, err := p.signX509Certificate(idSystem, command.Days, command.Spkac, request, san, subject)
if err != nil {
return nil, fmt.Errorf("could not sign X.509 certificate: %w", err)
}
return datastructures.NewSignResponse(command.Version, content), nil
case CsOpenPGP:
pubKey := command.Content1
if content, err := p.signOpenpgpKey(idSystem, command.Days, pubKey); err != nil {
return nil, err
} else {
return datastructures.NewSignResponse(command.Version, content), nil
content, err := p.signOpenpgpKey(idSystem, command.Days, pubKey)
if err != nil {
return nil, fmt.Errorf("could not sign OpenPGP key: %w", err)
}
return datastructures.NewSignResponse(command.Version, content), nil
default:
return nil, fmt.Errorf("sign not implemented for crypto system %s", idSystem.System)
}
@ -144,71 +149,78 @@ func (p *CommandProcessor) handleRevokeAction(
if err != nil {
return nil, err
}
log.Debugf("identified id system: %+v", idSystem)
switch command.System {
case CsX509:
request := command.Content1
clientHash := command.Content3
if content, err := p.revokeX509(idSystem, request, clientHash); err != nil {
return nil, err
} else {
return datastructures.NewRevokeResponse(command.Version, content), nil
content, err := p.revokeX509(idSystem, request, clientHash)
if err != nil {
return nil, fmt.Errorf("could not revoke X.509 certificate: %w", err)
}
return datastructures.NewRevokeResponse(command.Version, content), nil
default:
return nil, fmt.Errorf("revoke not implemented for crypto system %s", idSystem.System)
}
}
type IdSystemParameters struct {
type IDSystemParams struct {
System *CryptoSystem
Root interface{}
Profile interface{}
MessageDigestAlgorithm interface{}
}
func (s *IdSystemParameters) String() string {
func (s *IDSystemParams) String() string {
return fmt.Sprintf("%s r:%s p:%s m:%s", s.System, s.Root, s.Profile, s.MessageDigestAlgorithm)
}
func (p *CommandProcessor) checkIdentitySystem(
systemId shared.CryptoSystemId,
rootId shared.CryptoSystemRootId,
profileId shared.CertificateProfileId,
algorithmId shared.MessageDigestAlgorithmId,
) (*IdSystemParameters, error) {
cryptoSystem, ok := p.CryptoSystems[systemId]
systemID shared.CryptoSystemID,
rootID shared.CryptoSystemRootID,
profileID shared.CertificateProfileID,
algorithmID shared.SignatureAlgorithmID,
) (*IDSystemParams, error) {
cryptoSystem, ok := p.CryptoSystems[systemID]
if !ok {
return nil, fmt.Errorf(
"unsupported crypto system %d",
systemId,
systemID,
)
}
root, ok := p.CryptoSystems[systemId].Roots[rootId]
root, ok := p.CryptoSystems[systemID].Roots[rootID]
if !ok {
return nil, fmt.Errorf(
"unsupported root %d for crypto system %s",
rootId,
rootID,
cryptoSystem,
)
}
profile, ok := p.CryptoSystems[systemId].Profiles[profileId]
profile, ok := p.CryptoSystems[systemID].Profiles[profileID]
if !ok {
return nil, fmt.Errorf(
"invalid profile %d for crypto system %s",
profileId,
profileID,
cryptoSystem,
)
}
mdAlgorithm, ok := p.CryptoSystems[systemId].DigestAlgorithms[algorithmId]
mdAlgorithm, ok := p.CryptoSystems[systemID].DigestAlgorithms[algorithmID]
if !ok {
return nil, fmt.Errorf(
"unsupported digest algorithm %d for crypto system %s",
algorithmId,
algorithmID,
cryptoSystem,
)
}
return &IdSystemParameters{
return &IDSystemParams{
System: cryptoSystem,
Root: root,
Profile: profile,
@ -216,8 +228,8 @@ func (p *CommandProcessor) checkIdentitySystem(
}, nil
}
func (p *CommandProcessor) revokeX509(system *IdSystemParameters, request []byte, clientHash []byte) ([]byte, error) {
x509Root := system.Root.(*x509_ops.Root)
func (p *CommandProcessor) revokeX509(system *IDSystemParams, request []byte, clientHash []byte) ([]byte, error) {
x509Root := system.Root.(*x509ops.Root)
signatureAlgorithm := system.MessageDigestAlgorithm.(x509.SignatureAlgorithm)
log.Debugf("revoke X.509 for root %s", x509Root)
@ -232,17 +244,19 @@ func (p *CommandProcessor) revokeX509(system *IdSystemParameters, request []byte
if len(request) > 0 {
_, err = x509Root.RevokeCertificate(request)
if err != nil {
return nil, fmt.Errorf("could not revoke certificate / create CRL: %v", err)
return nil, fmt.Errorf("could not revoke certificate / create CRL: %w", err)
}
}
crlBytes, newHash, err = x509Root.GenerateCrl(signatureAlgorithm)
if err != nil {
return nil, fmt.Errorf("could not generate a new CRL for root %s: %v", x509Root, err)
return nil, fmt.Errorf("could not generate a new CRL for root %s: %w", x509Root, err)
}
log.Debugf("crlBytes: %d", len(crlBytes))
var content []byte
oldCrlFile := x509Root.GetCrlFileName(string(clientHash))
newCrlFile := x509Root.GetCrlFileName(hex.EncodeToString(newHash[:]))
@ -254,8 +268,10 @@ func (p *CommandProcessor) revokeX509(system *IdSystemParameters, request []byte
if err != nil {
log.Warnf("could not generate xdelta: %v", err)
}
log.Tracef("xdelta produced %d bytes", len(content))
}
if content == nil {
content = pem.EncodeToMemory(&pem.Block{
Type: "X509 CRL",
@ -270,50 +286,56 @@ func (p *CommandProcessor) revokeX509(system *IdSystemParameters, request []byte
func (p *CommandProcessor) buildXDelta(oldFile string, newFile string) ([]byte, error) {
patchFile, err := ioutil.TempFile(os.TempDir(), "*.patch")
if err != nil {
return nil, fmt.Errorf("could not create temporary file for patch: %v", err)
}
defer func() {
if err := os.Remove(patchFile.Name()); err != nil {
log.Warnf("could not remove temporary file %s: %v", patchFile.Name(), err)
}
}()
if err = patchFile.Close(); err != nil {
return nil, fmt.Errorf("could not close temporary file: %v", err)
}
buf := bytes.NewBuffer([]byte{})
cmd := exec.Command(p.Settings.XDeltaPath, "delta", oldFile, newFile, patchFile.Name())
cmd.Stdout = buf
cmd.Stderr = buf
err = cmd.Run()
if err != nil {
switch err.(type) {
case *exec.ExitError:
if err.(*exec.ExitError).ExitCode() == 1 {
// xdelta delta exits with status code 1 if a delta has been found
break
}
return nil, fmt.Errorf(
"xdelta command '%s' did not work correctly: %v\noutput was:\n%s",
strings.Join(cmd.Args, " "),
err,
buf.String(),
)
default:
return nil, fmt.Errorf(
"xdelta command '%s' did not work correctly: %v\noutput was:\n%s",
strings.Join(cmd.Args, " "),
err,
buf.String(),
)
}
}
return ioutil.ReadFile(patchFile.Name())
return nil, fmt.Errorf("could not create temporary file for patch: %w", err)
}
func (p *CommandProcessor) signX509Certificate(system *IdSystemParameters, days uint16, spkac uint8, request []byte, san []byte, subject []byte) ([]byte, error) {
x509Root := system.Root.(*x509_ops.Root)
patchName := patchFile.Name()
defer func() {
if err := os.Remove(patchName); err != nil {
log.Warnf("could not remove temporary file %s: %v", patchName, err)
}
}()
if err = patchFile.Close(); err != nil {
return nil, fmt.Errorf("could not close temporary file: %w", err)
}
buf := bytes.NewBuffer([]byte{})
// #nosec G204 no parameters are based on user input
cmd := exec.Command(p.Settings.XDeltaPath, "delta", oldFile, newFile, patchName)
cmd.Stdout = buf
cmd.Stderr = buf
err = cmd.Run()
if err != nil {
var e *exec.ExitError
if !errors.As(err, &e) || e.ExitCode() != 1 {
// xdelta delta exits with status code 1 if a delta has been found
return nil, fmt.Errorf(
"xdelta command '%s' did not work correctly: %w\noutput was:\n%s",
strings.Join(cmd.Args, " "),
err,
buf.String(),
)
}
}
return ioutil.ReadFile(patchName)
}
func (p *CommandProcessor) signX509Certificate(
system *IDSystemParams,
days uint16,
spkac uint8,
request []byte,
san []byte,
subject []byte,
) ([]byte, error) {
x509Root := system.Root.(*x509ops.Root)
signatureAlgorithm := system.MessageDigestAlgorithm.(x509.SignatureAlgorithm)
profile := system.Profile.(*x509_ops.Profile)
profile := system.Profile.(*x509ops.Profile)
log.Debugf(
"sign X.509 certificate for root %s using profile %s and signature algorithm %s",
@ -330,7 +352,7 @@ func (p *CommandProcessor) signX509Certificate(system *IdSystemParameters, days
content, err := x509Root.SignCertificate(
profile,
signatureAlgorithm,
&x509_ops.SigningRequestParameters{
&x509ops.SigningRequestParameters{
Request: request,
Subject: subject,
SubjectAlternativeNames: san,
@ -339,21 +361,21 @@ func (p *CommandProcessor) signX509Certificate(system *IdSystemParameters, days
},
)
if err != nil {
return nil, fmt.Errorf("could not sign X.509 CSR with root %s and profile %s: %v", x509Root, profile, err)
return nil, fmt.Errorf("could not sign X.509 CSR with root %s and profile %s: %w", x509Root, profile, err)
}
return content, nil
}
func (p *CommandProcessor) signOpenpgpKey(system *IdSystemParameters, days uint16, pubKey []byte) ([]byte, error) {
openPgpRoot := system.Root.(*openpgp_ops.OpenPGPRoot)
func (p *CommandProcessor) signOpenpgpKey(system *IDSystemParams, days uint16, pubKey []byte) ([]byte, error) {
openPgpRoot := system.Root.(*openpgpops.OpenPGPRoot)
signatureAlgorithm := system.MessageDigestAlgorithm.(crypto.Hash)
log.Debugf("sign openpgp for root %s", openPgpRoot)
log.Debugf("sign openpgpops for root %s", openPgpRoot)
content, err := openPgpRoot.SignPublicKey(pubKey, signatureAlgorithm, days)
if err != nil {
return nil, fmt.Errorf("could not sign openpgp public key with root %s: %v", openPgpRoot, err)
return nil, fmt.Errorf("could not sign openpgpops public key with root %s: %w", openPgpRoot, err)
}
return content, nil
@ -364,18 +386,21 @@ func NewCommandProcessorSettings() *CommandProcessorSettings {
if !ok {
caBasedir = "."
}
gpgKeyringDir, ok := os.LookupEnv("SIGNER_GPG_KEYRING_DIR")
if !ok {
gpgKeyringDir = "."
}
gpgUidEmail, ok := os.LookupEnv("SIGNER_GPG_ID")
gpgUIDEmail, ok := os.LookupEnv("SIGNER_GPG_ID")
if !ok {
gpgUidEmail = "gpg@cacert.org"
gpgUIDEmail = "gpg@cacert.org"
}
return &CommandProcessorSettings{
CABaseDir: caBasedir,
OpenPGPKeyRingDir: gpgKeyringDir,
OpenPGPUidEmail: gpgUidEmail,
OpenPGPUidEmail: gpgUIDEmail,
XDeltaPath: "/usr/bin/xdelta",
}
}

17
signer/common/helpers.go
View File

@ -1,17 +0,0 @@
package common
import (
"fmt"
"math/big"
"strconv"
"strings"
)
func StringAsBigInt(data []byte) (*big.Int, error) {
dataString := strings.TrimSpace(string(data))
parseInt, err := strconv.ParseInt(dataString, 16, 64)
if err != nil {
return nil, fmt.Errorf("could not parse %s as big int: %v", dataString, err)
}
return big.NewInt(parseInt), nil
}

6
signer/crypto_system.go
View File

@ -6,9 +6,9 @@ import (
type CryptoSystem struct {
Name string
Roots map[shared.CryptoSystemRootId]interface{}
Profiles map[shared.CertificateProfileId]interface{}
DigestAlgorithms map[shared.MessageDigestAlgorithmId]interface{}
Roots map[shared.CryptoSystemRootID]interface{}
Profiles map[shared.CertificateProfileID]interface{}
DigestAlgorithms map[shared.SignatureAlgorithmID]interface{}
}
func (system CryptoSystem) String() string {

36
signer/openpgp_ops/operations.go → signer/openpgpops/openpgpops.go
View File

@ -1,8 +1,9 @@
package openpgp_ops
package openpgpops
import (
"bytes"
"crypto"
"errors"
"fmt"
"os"
"time"
@ -13,6 +14,8 @@ import (
"golang.org/x/crypto/openpgp/packet"
)
const hoursInADay = 24
type OpenPGPRoot struct {
Name string
SecretKeyRing string
@ -22,24 +25,27 @@ type OpenPGPRoot struct {
func (r *OpenPGPRoot) SignPublicKey(pubKey []byte, algorithm crypto.Hash, days uint16) ([]byte, error) {
signingKey, err := r.findSigningKey(r.Identifier)
if err != nil {
return nil, fmt.Errorf("could not find a signing key matching %s: %v", r.Identifier, err)
return nil, fmt.Errorf("could not find a signing key matching %s: %w", r.Identifier, err)
}
pubKeyRing, err := openpgp.ReadKeyRing(bytes.NewReader(pubKey))
if err != nil {
return nil, fmt.Errorf("could not read openpgp keyring: %v", err)
return nil, fmt.Errorf("could not read openpgpops keyring: %w", err)
}
output := bytes.NewBuffer([]byte{})
armorOutput, err := armor.Encode(output, "PGP PUBLIC KEY BLOCK", map[string]string{})
if err != nil {
return nil, fmt.Errorf("could not create ASCII armor wrapper for openpgp output: %v", err)
return nil, fmt.Errorf("could not create ASCII armor wrapper for openpgpops output: %w", err)
}
for _, pe := range pubKeyRing {
log.Tracef("found %+v", pe.PrimaryKey.KeyIdString())
for _, i := range pe.Identities {
expiry := calculateExpiry(i, days)
if !i.SelfSignature.KeyExpired(time.Now()) {
sig := &packet.Signature{
SigType: packet.SigTypeGenericCert,
@ -52,14 +58,16 @@ func (r *OpenPGPRoot) SignPublicKey(pubKey []byte, algorithm crypto.Hash, days u
if err := sig.SignUserId(i.Name, pe.PrimaryKey, signingKey.PrivateKey, &packet.Config{
DefaultHash: algorithm,
}); err != nil {
return nil, fmt.Errorf("could not sign identity %s: %v", i.Name, err)
return nil, fmt.Errorf("could not sign identity %s: %w", i.Name, err)
}
i.Signatures = append(i.Signatures, sig)
}
}
if err = pe.Serialize(armorOutput); err != nil {
return nil, fmt.Errorf(
"could not write signed public key %s to output: %v",
"could not write signed public key %s to output: %w",
pe.PrimaryKey.KeyIdString(),
err,
)
@ -67,7 +75,7 @@ func (r *OpenPGPRoot) SignPublicKey(pubKey []byte, algorithm crypto.Hash, days u
}
if err = armorOutput.Close(); err != nil {
return nil, fmt.Errorf("could not close output stream: %v", err)
return nil, fmt.Errorf("could not close output stream: %w", err)
}
log.Tracef("signed public key\n%s", output.String())
@ -77,35 +85,41 @@ func (r *OpenPGPRoot) SignPublicKey(pubKey []byte, algorithm crypto.Hash, days u
func calculateExpiry(i *openpgp.Identity, days uint16) *uint32 {
maxExpiry := time.Second * time.Duration(*i.SelfSignature.KeyLifetimeSecs)
calcExpiry := time.Hour * 24 * time.Duration(days)
calcExpiry := time.Hour * hoursInADay * time.Duration(days)
if calcExpiry > maxExpiry {
calcExpiry = maxExpiry
}
expirySeconds := uint32(calcExpiry.Seconds())
return &expirySeconds
}
func (r *OpenPGPRoot) findSigningKey(identifier string) (*openpgp.Entity, error) {
keyring, err := os.Open(r.SecretKeyRing)
if err != nil {
return nil, fmt.Errorf("could not open secret keyring: %v", err)
return nil, fmt.Errorf("could not open secret keyring: %w", err)
}
defer func() { _ = keyring.Close() }()
el, err := openpgp.ReadKeyRing(keyring)
if err != nil {
return nil, fmt.Errorf("could not read keyring: %v", err)
return nil, fmt.Errorf("could not read keyring: %w", err)
}
for _, e := range el {
log.Tracef("found %s", e.PrimaryKey.KeyIdString())
for _, i := range e.Identities {
if i.UserId.Email == identifier && len(e.Revocations) == 0 && !i.SelfSignature.KeyExpired(time.Now()) {
return e, nil
}
}
}
return nil, fmt.Errorf("no matching key found")
return nil, errors.New("no matching key found")
}
type OpenPGPProfile struct {

120
signer/port_handler.go
View File

@ -33,6 +33,7 @@ type PortHandler struct {
func (p *PortHandler) MainLoop() {
count := 0
for {
go p.Receive()
@ -40,9 +41,12 @@ func (p *PortHandler) MainLoop() {
case command := <-p.commandChan:
if command == nil {
log.Infof("command channel has been closed. stopping execution.")
return
}
log.Debugf("received command %v", command)
response, err := p.processor.Process(command)
if err != nil {
log.Errorf("error processing command: %v", err)
@ -61,68 +65,62 @@ func (p *PortHandler) MainLoop() {
// Receive a request and generate a request data structure
func (p *PortHandler) Receive() {
header, err := shared.ReceiveBytes(p.port, 1, waitForInitialByte)
if err != nil {
if err := p.receiveHandshake(); err != nil {
p.errors <- err
return
}
if header[0] != shared.HandshakeByte {
p.errors <- fmt.Errorf(
"unexpected byte 0x%x expected 0x%x",
header[0],
shared.HandshakeByte,
)
return
}
tries := maxTriesPerBlock
return
}
var command *datastructures.SignerRequest
for {
if tries <= 0 {
p.errors <- errors.New("tried reading block too often")
break
}
tries--
for tries := maxTriesPerBlock; tries > 0; tries-- {
if err := shared.SendBytes(p.port, []byte{shared.AckByte}); err != nil {
p.errors <- fmt.Errorf("could not write ACK byte: %v", err)
break
p.errors <- fmt.Errorf("could not write ACK byte: %w", err)
return
}
lengthBytes, err := shared.ReceiveBytes(p.port, shared.LengthFieldSize, waitForLengthBytes)
if err != nil {
p.errors <- fmt.Errorf("could not read lenght bytes: %v", err)
break
p.errors <- fmt.Errorf("could not read length bytes: %w", err)
return
}
blockLength := datastructures.Decode24BitLength(lengthBytes)
blockData, err := shared.ReceiveBytes(p.port, blockLength, waitForBlock)
if err != nil {
p.errors <- fmt.Errorf("could not read data block: %v", err)
p.errors <- fmt.Errorf("could not read data block: %w", err)
if !p.requestResend() {
break
return
}
continue
}
checkSum, err := shared.ReceiveBytes(p.port, shared.CheckSumFieldSize, waitForChecksumByte)
if err != nil {
p.errors <- fmt.Errorf("could not read checksum byte: %v", err)
break
p.errors <- fmt.Errorf("could not read checksum byte: %w", err)
return
}
calculated := datastructures.CalculateXorCheckSum([][]byte{lengthBytes, blockData})
if checkSum[0] != calculated {
p.errors <- fmt.Errorf("CRC error. expected 0x%02x, got 0x%02x", calculated, checkSum[0])
if !p.requestResend() {
break
return
}
continue
}
trailer, err := shared.ReceiveBytes(p.port, shared.TrailerFieldSize, waitForTrailerBytes)
if err != nil {
p.errors <- fmt.Errorf("could not read trailer bytes: %v", err)
break
p.errors <- fmt.Errorf("could not read trailer bytes: %w", err)
return
}
if string(trailer) != shared.MagicTrailer {
@ -131,70 +129,99 @@ func (p *PortHandler) Receive() {
shared.MagicTrailer,
trailer,
)
if !p.requestResend() {
break
}
continue
}
command, err = datastructures.SignerRequestFromData(blockData)
if err != nil {
p.errors <- fmt.Errorf("failed to parse block as signer request: %v", err)
break
p.errors <- fmt.Errorf("failed to parse block as signer request: %w", err)
return
}
if err := shared.SendBytes(p.port, []byte{shared.AckByte}); err != nil {
p.errors <- fmt.Errorf("failed to send ACK byte: %v", err)
break
p.errors <- fmt.Errorf("failed to send ACK byte: %w", err)
return
}
p.commandChan <- command
break
return
}
p.errors <- errors.New("tried reading block too often")
}
func (p *PortHandler) receiveHandshake() error {
header, err := shared.ReceiveBytes(p.port, 1, waitForInitialByte)
if err != nil {
return fmt.Errorf("could not receive initial byte: %w", err)
}
if header[0] != shared.HandshakeByte {
return fmt.Errorf(
"unexpected byte 0x%x expected 0x%x",
header[0],
shared.HandshakeByte,
)
}
return nil
}
func (p *PortHandler) requestResend() bool {
if err := shared.SendBytes(p.port, []byte{shared.ResendByte}); err != nil {
p.errors <- err
return false
}
return true
}
// Send a response to the client
func (p *PortHandler) SendResponse(response *datastructures.SignerResponse) error {
if err := shared.SendBytes(p.port, []byte{shared.HandshakeByte}); err != nil {
return err
return fmt.Errorf("could not send handshake: %w", err)
}
if ack, err := shared.ReceiveBytes(p.port, 1, waitForHandShake); err != nil {
return err
return fmt.Errorf("could not receive ACK: %w", err)
} else if ack[0] != shared.AckByte {
return errors.New(fmt.Sprintf("invalid ack byte 0x%02x", ack[0]))
return fmt.Errorf("invalid ack byte 0x%02x", ack[0])
}
tryAgain := true
for tryAgain {
data := response.Serialize()
if err := shared.SendBytes(p.port, data); err != nil {
return err
return fmt.Errorf("could not send data block: %w", err)
}
checksum := datastructures.CalculateXorCheckSum([][]byte{data})
if err := shared.SendBytes(p.port, []byte{checksum}); err != nil {
return err
return fmt.Errorf("could not send checksum: %w", err)
}
if err := shared.SendBytes(p.port, []byte(shared.MagicTrailer)); err != nil {
return err
return fmt.Errorf("could not send trailer: %w", err)
}
if ack, err := shared.ReceiveBytes(p.port, 1, waitForHandShake); err != nil {
return err
} else if ack[0] == shared.AckByte {
ack, err := shared.ReceiveBytes(p.port, 1, waitForHandShake)
if err != nil {
return fmt.Errorf("could not receive ACK: %w", err)
}
if ack[0] == shared.AckByte {
tryAgain = false
} else if ack[0] != 0x11 {
return errors.New(fmt.Sprintf("invalid ack byte 0x%02x", ack[0]))
} else {
return fmt.Errorf("invalid ack byte 0x%02x", ack[0])
}
}
@ -203,6 +230,7 @@ func (p *PortHandler) SendResponse(response *datastructures.SignerResponse) erro
func NewSignerProcess(port io.ReadWriteCloser) *PortHandler {
errorChan := make(chan error)
return &PortHandler{
port: port,
errors: errorChan,

226
signer/protocol_elements.go
View File

@ -7,65 +7,65 @@ import (
"path"
"git.cacert.org/cacert-gosigner/shared"
"git.cacert.org/cacert-gosigner/signer/openpgp_ops"
"git.cacert.org/cacert-gosigner/signer/x509_ops"
"git.cacert.org/cacert-gosigner/signer/openpgpops"
"git.cacert.org/cacert-gosigner/signer/x509ops"
)
const (
CsX509 shared.CryptoSystemId = 1
CsOpenPGP shared.CryptoSystemId = 2
CsX509 shared.CryptoSystemID = 1
CsOpenPGP shared.CryptoSystemID = 2
)
const (
X509RootDefault shared.CryptoSystemRootId = 0
X509RootClass3 shared.CryptoSystemRootId = 1
X509RootDefault shared.CryptoSystemRootID = 0
X509RootClass3 shared.CryptoSystemRootID = 1
// The following roots existed in the old server.pl but had
// no profile configurations and were thus unusable
//
// X509RootClass3s shared.CryptoSystemRootId = 2
// X509Root3 shared.CryptoSystemRootId = 3
// X509Root4 shared.CryptoSystemRootId = 4
// X509Root5 shared.CryptoSystemRootId = 5
// X509RootClass3s shared.CryptoSystemRootID = 2
// X509Root3 shared.CryptoSystemRootID = 3
// X509Root4 shared.CryptoSystemRootID = 4
// X509Root5 shared.CryptoSystemRootID = 5
)
const (
X509ProfileClient shared.CertificateProfileId = 0
X509ProfileClientOrg shared.CertificateProfileId = 1
X509ProfileClientCodesign shared.CertificateProfileId = 2
X509ProfileServer shared.CertificateProfileId = 5
X509ProfileServerOrg shared.CertificateProfileId = 6
X509ProfileOCSP shared.CertificateProfileId = 8
X509ProfileTimestamp shared.CertificateProfileId = 9
X509ProfileClient shared.CertificateProfileID = 0
X509ProfileClientOrg shared.CertificateProfileID = 1
X509ProfileClientCodesign shared.CertificateProfileID = 2
X509ProfileServer shared.CertificateProfileID = 5
X509ProfileServerOrg shared.CertificateProfileID = 6
X509ProfileOCSP shared.CertificateProfileID = 8
X509ProfileTimestamp shared.CertificateProfileID = 9
// the following profiles where valid options in the original signer code but had no configurations
//
// X509ProfileClientMachine shared.CertificateProfileId = 3 // no configuration on original signer
// X509ProfileClientAds shared.CertificateProfileId = 4 // no configuration on original signer
// X509ProfileServerJabber shared.CertificateProfileId = 7 // no configuration on original signer
// X509ProfileProxy shared.CertificateProfileId = 10 // no configuration on original signer
// X509ProfileSubCA shared.CertificateProfileId = 11 // no configuration on original signer
// X509ProfileClientMachine shared.CertificateProfileID = 3 // no configuration on original signer
// X509ProfileClientAds shared.CertificateProfileID = 4 // no configuration on original signer
// X509ProfileServerJabber shared.CertificateProfileID = 7 // no configuration on original signer
// X509ProfileProxy shared.CertificateProfileID = 10 // no configuration on original signer
// X509ProfileSubCA shared.CertificateProfileID = 11 // no configuration on original signer
)
const (
X509MDDefault shared.MessageDigestAlgorithmId = 0
X509MDMd5 shared.MessageDigestAlgorithmId = 1
X509MDSha1 shared.MessageDigestAlgorithmId = 2
// X509MDRipeMD160 shared.MessageDigestAlgorithmId = 3 x509 package does not support RIPEMD160
X509MDSha256 shared.MessageDigestAlgorithmId = 8
X509MDSha384 shared.MessageDigestAlgorithmId = 9
X509MDSha512 shared.MessageDigestAlgorithmId = 10
X509MDDefault shared.SignatureAlgorithmID = 0
X509MDMd5 shared.SignatureAlgorithmID = 1
X509MDSha1 shared.SignatureAlgorithmID = 2
// X509MDRipeMD160 shared.SignatureAlgorithmID = 3 x509ops package does not support RIPEMD160
X509MDSha256 shared.SignatureAlgorithmID = 8
X509MDSha384 shared.SignatureAlgorithmID = 9
X509MDSha512 shared.SignatureAlgorithmID = 10
)
const (
OpenPGPRoot0 shared.CryptoSystemRootId = 0
OpenPGPRoot0 shared.CryptoSystemRootID = 0
)
const (
OpenPGPDefaultProfile shared.CertificateProfileId = 0
OpenPGPDefaultProfile shared.CertificateProfileID = 0
)
const (
OpenPGPDefaultMD shared.MessageDigestAlgorithmId = 0
OpenPGPDefaultMD shared.SignatureAlgorithmID = 0
)
func NewCommandProcessor() *CommandProcessor {
@ -76,9 +76,9 @@ func NewCommandProcessor() *CommandProcessor {
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageEmailProtection,
x509.ExtKeyUsageClientAuth,
// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto
// x509.ExtKeyUsageNetscapeServerGatedCrypto,
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
codeSignPrototype := &x509.Certificate{
@ -88,10 +88,10 @@ func NewCommandProcessor() *CommandProcessor {
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageCodeSigning,
// 1.3.6.1.4.1.311.2.1.21 msCodeInd not supported by golang.org/crypto
// x509.ExtKeyUsageMicrosoftCommercialCodeSigning,
// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509ops.ExtKeyUsageMicrosoftCommercialCodeSigning,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto
// x509.ExtKeyUsageNetscapeServerGatedCrypto,
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
serverPrototype := &x509.Certificate{
@ -99,8 +99,8 @@ func NewCommandProcessor() *CommandProcessor {
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageServerAuth,
// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509.ExtKeyUsageNetscapeServerGatedCrypto,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
ocspPrototype := &x509.Certificate{
@ -108,8 +108,8 @@ func NewCommandProcessor() *CommandProcessor {
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
x509.ExtKeyUsageOCSPSigning,
// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509.ExtKeyUsageNetscapeServerGatedCrypto,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
timestampPrototype := &x509.Certificate{
@ -117,15 +117,15 @@ func NewCommandProcessor() *CommandProcessor {
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
x509.ExtKeyUsageOCSPSigning,
// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509.ExtKeyUsageNetscapeServerGatedCrypto,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
cryptoSystems := map[shared.CryptoSystemId]*CryptoSystem{
cryptoSystems := map[shared.CryptoSystemID]*CryptoSystem{
CsX509: {
Name: "X.509",
Roots: map[shared.CryptoSystemRootId]interface{}{
X509RootDefault: x509_ops.NewRoot(
Roots: map[shared.CryptoSystemRootID]interface{}{
X509RootDefault: x509ops.NewRoot(
settings.CABaseDir,
"openssl",
"CA",
@ -135,7 +135,7 @@ func NewCommandProcessor() *CommandProcessor {
// TODO: parse OCSP endpoints from configuration
[]string{"http://ocsp.cacert.localhost"},
),
X509RootClass3: x509_ops.NewRoot(
X509RootClass3: x509ops.NewRoot(
settings.CABaseDir,
"class3",
"class3",
@ -148,99 +148,99 @@ func NewCommandProcessor() *CommandProcessor {
// The following roots existed in the old server.pl but had
// no profile configurations and were thus unusable
//
// X509RootClass3s: &x509_ops.Root{Name: "class3s"}, // no profile configs
// X509Root3: &x509_ops.Root{Name: "root3"},
// X509Root4: &x509_ops.Root{Name: "root4"},
// X509Root5: &x509_ops.Root{Name: "root5"},
// X509RootClass3s: &x509ops.Root{Name: "class3s"}, // no profile configs
// X509Root3: &x509ops.Root{Name: "root3"},
// X509Root4: &x509ops.Root{Name: "root4"},
// X509Root5: &x509ops.Root{Name: "root5"},
},
Profiles: map[shared.CertificateProfileId]interface{}{
X509ProfileClient: x509_ops.NewProfile(
Profiles: map[shared.CertificateProfileID]interface{}{
X509ProfileClient: x509ops.NewProfile(
"client",
clientPrototype,
[]x509_ops.SubjectDnField{
x509_ops.SubjectDnFieldCommonName,
x509_ops.SubjectDnFieldEmailAddress,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCommonName,
x509ops.SubjectDnFieldEmailAddress,
},
nil,
true,
),
X509ProfileClientOrg: x509_ops.NewProfile("client-org", clientPrototype,
[]x509_ops.SubjectDnField{
x509_ops.SubjectDnFieldCountryName,
x509_ops.SubjectDnFieldStateOrProvinceName,
x509_ops.SubjectDnFieldLocalityName,
x509_ops.SubjectDnFieldOrganizationName,
x509_ops.SubjectDnFieldOrganizationalUnitName,
x509_ops.SubjectDnFieldCommonName,
x509_ops.SubjectDnFieldEmailAddress,
X509ProfileClientOrg: x509ops.NewProfile("client-org", clientPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldOrganizationName,
x509ops.SubjectDnFieldOrganizationalUnitName,
x509ops.SubjectDnFieldCommonName,
x509ops.SubjectDnFieldEmailAddress,
},
nil,
true,
),
X509ProfileClientCodesign: x509_ops.NewProfile("client-codesign", codeSignPrototype,
[]x509_ops.SubjectDnField{
x509_ops.SubjectDnFieldCountryName,
x509_ops.SubjectDnFieldStateOrProvinceName,
x509_ops.SubjectDnFieldLocalityName,
x509_ops.SubjectDnFieldCommonName,
x509_ops.SubjectDnFieldEmailAddress,
X509ProfileClientCodesign: x509ops.NewProfile("client-codesign", codeSignPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldCommonName,
x509ops.SubjectDnFieldEmailAddress,
},
nil,
true,
),
// X509ProfileClientMachine: &x509_ops.Profile{Name: "client-machine"},
// X509ProfileClientAds: &x509_ops.Profile{Name: "client-ads"},
X509ProfileServer: x509_ops.NewProfile("server", serverPrototype,
[]x509_ops.SubjectDnField{
x509_ops.SubjectDnFieldCommonName,
// X509ProfileClientMachine: &x509ops.Profile{Name: "client-machine"},
// X509ProfileClientAds: &x509ops.Profile{Name: "client-ads"},
X509ProfileServer: x509ops.NewProfile("server", serverPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCommonName,
},
[]x509_ops.AltNameType{x509_ops.NameTypeDNS, x509_ops.NameTypeXmppJid},
[]x509ops.AltNameType{x509ops.NameTypeDNS, x509ops.NameTypeXMPPJid},
false,
),
X509ProfileServerOrg: x509_ops.NewProfile("server-org", serverPrototype,
[]x509_ops.SubjectDnField{
x509_ops.SubjectDnFieldCountryName,
x509_ops.SubjectDnFieldStateOrProvinceName,
x509_ops.SubjectDnFieldLocalityName,
x509_ops.SubjectDnFieldOrganizationName,
x509_ops.SubjectDnFieldOrganizationalUnitName,
x509_ops.SubjectDnFieldCommonName,
X509ProfileServerOrg: x509ops.NewProfile("server-org", serverPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldOrganizationName,
x509ops.SubjectDnFieldOrganizationalUnitName,
x509ops.SubjectDnFieldCommonName,
},
[]x509_ops.AltNameType{x509_ops.NameTypeDNS, x509_ops.NameTypeXmppJid},
[]x509ops.AltNameType{x509ops.NameTypeDNS, x509ops.NameTypeXMPPJid},
false,
),
// X509ProfileServerJabber: &x509_ops.Profile{Name: "server-jabber"},
X509ProfileOCSP: x509_ops.NewProfile("ocsp", ocspPrototype,
[]x509_ops.SubjectDnField{
x509_ops.SubjectDnFieldCountryName,
x509_ops.SubjectDnFieldStateOrProvinceName,
x509_ops.SubjectDnFieldLocalityName,
x509_ops.SubjectDnFieldOrganizationName,
x509_ops.SubjectDnFieldOrganizationalUnitName,
x509_ops.SubjectDnFieldCommonName,
x509_ops.SubjectDnFieldEmailAddress,
// X509ProfileServerJabber: &x509ops.Profile{Name: "server-jabber"},
X509ProfileOCSP: x509ops.NewProfile("ocsp", ocspPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldOrganizationName,
x509ops.SubjectDnFieldOrganizationalUnitName,
x509ops.SubjectDnFieldCommonName,
x509ops.SubjectDnFieldEmailAddress,
},
nil,
false,
),
X509ProfileTimestamp: x509_ops.NewProfile("timestamp", timestampPrototype,
[]x509_ops.SubjectDnField{
x509_ops.SubjectDnFieldCountryName,
x509_ops.SubjectDnFieldStateOrProvinceName,
x509_ops.SubjectDnFieldLocalityName,
x509_ops.SubjectDnFieldOrganizationName,
x509_ops.SubjectDnFieldOrganizationalUnitName,
x509_ops.SubjectDnFieldCommonName,
X509ProfileTimestamp: x509ops.NewProfile("timestamp", timestampPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldOrganizationName,
x509ops.SubjectDnFieldOrganizationalUnitName,
x509ops.SubjectDnFieldCommonName,
},
nil,
true,
),
// X509ProfileProxy: &x509_ops.Profile{Name: "proxy"},
// X509ProfileSubCA: &x509_ops.Profile{Name: "subca"},
// X509ProfileProxy: &x509ops.Profile{Name: "proxy"},
// X509ProfileSubCA: &x509ops.Profile{Name: "subca"},
},
// constants for openssl invocations. Should be replaced with
// something more useful
DigestAlgorithms: map[shared.MessageDigestAlgorithmId]interface{}{
DigestAlgorithms: map[shared.SignatureAlgorithmID]interface{}{
X509MDDefault: x509.SHA256WithRSA,
X509MDMd5: x509.MD5WithRSA,
X509MDSha1: x509.SHA1WithRSA,
@ -251,8 +251,8 @@ func NewCommandProcessor() *CommandProcessor {
},
CsOpenPGP: {
Name: "OpenPGP",
Roots: map[shared.CryptoSystemRootId]interface{}{
OpenPGPRoot0: &openpgp_ops.OpenPGPRoot{
Roots: map[shared.CryptoSystemRootID]interface{}{
OpenPGPRoot0: &openpgpops.OpenPGPRoot{
Name: "OpenPGP Root",
SecretKeyRing: path.Join(
settings.OpenPGPKeyRingDir,
@ -262,12 +262,12 @@ func NewCommandProcessor() *CommandProcessor {
Identifier: settings.OpenPGPUidEmail,
},
},
Profiles: map[shared.CertificateProfileId]interface{}{
OpenPGPDefaultProfile: &openpgp_ops.OpenPGPProfile{Name: "default"},
Profiles: map[shared.CertificateProfileID]interface{}{
OpenPGPDefaultProfile: &openpgpops.OpenPGPProfile{Name: "default"},
},
// constants for gnupg cert-digest-algo parameter. Should be replaced with
// something more useful
DigestAlgorithms: map[shared.MessageDigestAlgorithmId]interface{}{
DigestAlgorithms: map[shared.SignatureAlgorithmID]interface{}{
OpenPGPDefaultMD: crypto.SHA256,
},
},

338
signer/x509_ops/operations.go → signer/x509ops/x509ops.go
View File

@ -1,4 +1,4 @@
package x509_ops
package x509ops
import (
"bufio"
@ -6,7 +6,7 @@ import (
"crypto"
"crypto/rand"
"crypto/rsa"
"crypto/sha1"
"crypto/sha1" // #nosec G505 needed for protocol version 1
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
@ -27,11 +27,16 @@ import (
log "github.com/sirupsen/logrus"
"git.cacert.org/cacert-gosigner/shared"
"git.cacert.org/cacert-gosigner/signer/common"
)
const crlLifetime = time.Hour * 24 * 7
const (
pemTypeCertificate = "CERTIFICATE"
pemTypeCertificateRequest = "CERTIFICATE REQUEST"
pemTypePrivateKey = "PRIVATE KEY"
)
var (
oidPkcs9EmailAddress = []int{1, 2, 840, 113549, 1, 9, 1}
)
@ -57,27 +62,30 @@ func loadCertificate(certificateFile string) (*x509.Certificate, error) {
pemBytes, err := ioutil.ReadFile(certificateFile)
if err != nil {
return nil, fmt.Errorf(
"could not load certificate %s: %v",
"could not load certificate %s: %w",
certificateFile,
err,
)
}
pemBlock, _ := pem.Decode(pemBytes)
if pemBlock.Type != "CERTIFICATE" {
if pemBlock.Type != pemTypeCertificate {
log.Warnf(
"PEM in %s is probably not a certificate. PEM block has type %s",
certificateFile,
pemBlock.Type,
)
}
certificate, err := x509.ParseCertificate(pemBlock.Bytes)
if err != nil {
return nil, fmt.Errorf(
"could no parse certificate from %s: %v",
"could no parse certificate from %s: %w",
certificateFile,
err,
)
}
return certificate, nil
}
@ -85,30 +93,34 @@ func loadPrivateKey(filename string) (crypto.Signer, error) {
pemBytes, err := ioutil.ReadFile(filename)
if err != nil {
return nil, fmt.Errorf(
"could not load private key %s: %v",
"could not load private key %s: %w",
filename,
err,
)
}
pemBlock, _ := pem.Decode(pemBytes)
if pemBlock == nil {
return nil, fmt.Errorf("no PEM data found in %s", filename)
}
if pemBlock.Type != "PRIVATE KEY" {
if pemBlock.Type != pemTypePrivateKey {
log.Warnf(
"PEM in %s is probably not a private key. PEM block has type %s",
filename,
pemBlock.Type,
)
}
privateKey, err := x509.ParsePKCS8PrivateKey(pemBlock.Bytes)
if err != nil {
return nil, fmt.Errorf(
"could no parse private key from %s: %v",
"could no parse private key from %s: %w",
filename,
err,
)
}
return privateKey.(*rsa.PrivateKey), nil
}
@ -116,19 +128,24 @@ func (x *Root) getNextSerialNumber() (*big.Int, error) {
// TODO: decide whether we should use 64 bit random serial numbers as
// recommended by CAB forum baseline requirements
serialNumberFile := x.serialNumberFile
_, err := os.Stat(serialNumberFile)
if err != nil {
log.Warnf("serial number file %s does not exist: %v", x.serialNumberFile, err)
return big.NewInt(1), nil
}
data, err := ioutil.ReadFile(x.serialNumberFile)
if err != nil {
return nil, fmt.Errorf("could not read serial number file %s: %v", x.serialNumberFile, err)
return nil, fmt.Errorf("could not read serial number file %s: %w", x.serialNumberFile, err)
}
result, err := common.StringAsBigInt(data)
result, err := stringAsBigInt(data)
if err != nil {
return nil, fmt.Errorf("could not parse content of %s as serial number: %v", x.serialNumberFile, err)
return nil, fmt.Errorf("could not parse content of %s as serial number: %w", x.serialNumberFile, err)
}
return result, err
}
@ -136,26 +153,32 @@ func (x *Root) getNextCRLNumber() (*big.Int, error) {
_, err := os.Stat(x.crlNumberFile)
if err != nil {
log.Warnf("CRL number file %s does not exist: %v", x.crlNumberFile, err)
return big.NewInt(1), nil
}
data, err := ioutil.ReadFile(x.crlNumberFile)
if err != nil {
return nil, fmt.Errorf("could not read CRL number file %s: %v", x.crlNumberFile, err)
return nil, fmt.Errorf("could not read CRL number file %s: %w", x.crlNumberFile, err)
}
result, err := common.StringAsBigInt(data)
result, err := stringAsBigInt(data)
if err != nil {
return nil, fmt.Errorf("could not parse content of %s as CRL number: %v", x.crlNumberFile, err)
return nil, fmt.Errorf("could not parse content of %s as CRL number: %w", x.crlNumberFile, err)
}
return result, nil
}
func (x *Root) bumpCRLNumber(current *big.Int) error {
serial := current.Int64() + 1
crlNumberFile := x.crlNumberFile
outFile, err := ioutil.TempFile(path.Dir(crlNumberFile), "*.txt")
if err != nil {
return fmt.Errorf("could not create temporary crl number file: %v", err)
return fmt.Errorf("could not create temporary crl number file: %w", err)
}
defer func() { _ = outFile.Close() }()
_, err = outFile.WriteString(fmt.Sprintf(
@ -163,27 +186,32 @@ func (x *Root) bumpCRLNumber(current *big.Int) error {
strings.ToUpper(strconv.FormatInt(serial, 16)),
))
if err != nil {
return fmt.Errorf("could not write new CRL number %d to %s: %v", serial, outFile.Name(), err)
return fmt.Errorf("could not write new CRL number %d to %s: %w", serial, outFile.Name(), err)
}
if err = outFile.Close(); err != nil {
return fmt.Errorf("could not close temporary file %s: %v", outFile.Name(), err)
return fmt.Errorf("could not close temporary file %s: %w", outFile.Name(), err)
}
if err = os.Rename(crlNumberFile, fmt.Sprintf("%s.old", crlNumberFile)); err != nil {
return fmt.Errorf("could not rename %s to %s.old: %v", crlNumberFile, crlNumberFile, err)
return fmt.Errorf("could not rename %s to %s.old: %w", crlNumberFile, crlNumberFile, err)
}
if err = os.Rename(outFile.Name(), crlNumberFile); err != nil {
return fmt.Errorf("could not rename %s to %s: %v", outFile.Name(), crlNumberFile, err)
return fmt.Errorf("could not rename %s to %s: %w", outFile.Name(), crlNumberFile, err)
}
return nil
}
func (x *Root) bumpSerialNumber(current *big.Int) error {
serial := current.Int64() + 1
outFile, err := ioutil.TempFile(path.Dir(x.serialNumberFile), "*.txt")
if err != nil {
return fmt.Errorf("could not open temporary serial number file: %v", err)
return fmt.Errorf("could not open temporary serial number file: %w", err)
}
defer func() { _ = outFile.Close() }()
_, err = outFile.WriteString(fmt.Sprintf(
@ -191,49 +219,59 @@ func (x *Root) bumpSerialNumber(current *big.Int) error {
strings.ToUpper(strconv.FormatInt(serial, 16)),
))
if err != nil {
return fmt.Errorf("could not write new serial number %d to %s: %v", serial, outFile.Name(), err)
return fmt.Errorf("could not write new serial number %d to %s: %w", serial, outFile.Name(), err)
}
if err = outFile.Close(); err != nil {
return fmt.Errorf("could not close temporary file %s: %v", outFile.Name(), err)
return fmt.Errorf("could not close temporary file %s: %w", outFile.Name(), err)
}
if _, err = os.Stat(x.serialNumberFile); err == nil {
if err = os.Rename(x.serialNumberFile, fmt.Sprintf("%s.old", x.serialNumberFile)); err != nil {
return fmt.Errorf("could not rename %s to %s.old: %v", x.serialNumberFile, x.serialNumberFile, err)
return fmt.Errorf("could not rename %s to %s.old: %w", x.serialNumberFile, x.serialNumberFile, err)
}
}
if err = os.Rename(outFile.Name(), x.serialNumberFile); err != nil {
return fmt.Errorf("could not rename %s to %s: %v", outFile.Name(), x.serialNumberFile, err)
return fmt.Errorf("could not rename %s to %s: %w", outFile.Name(), x.serialNumberFile, err)
}
return nil
}
func (x *Root) loadRevokedCertificatesFromDatabase() ([]pkix.RevokedCertificate, error) {
databaseFile := x.databaseFile
_, err := os.Stat(databaseFile)
if err != nil {
log.Warnf("openssl certificate database file %s does not exist: %v", databaseFile, err)
return []pkix.RevokedCertificate{}, nil
}
file, err := os.Open(databaseFile)
if err != nil {
return nil, fmt.Errorf("could not open openssl certificate database file %s: %v", databaseFile, err)
return nil, fmt.Errorf("could not open openssl certificate database file %s: %w", databaseFile, err)
}
defer func() { _ = file.Close() }()
result := make([]pkix.RevokedCertificate, 0)
scanner := bufio.NewScanner(file)
for scanner.Scan() {
line := strings.Split(scanner.Text(), "\t")
if line[0] == "R" {
serialNumber, err := common.StringAsBigInt([]byte(line[3]))
serialNumber, err := stringAsBigInt([]byte(line[3]))
if err != nil {
return nil, fmt.Errorf("could not parse serial number %s as big int: %v", line[3], err)
return nil, fmt.Errorf("could not parse serial number %s as big int: %w", line[3], err)
}
revokeTs, err := strconv.ParseInt(line[2][:len(line[2])-1], 10, 64)
if err != nil {
return nil, fmt.Errorf("could not parse serial number: %v", err)
return nil, fmt.Errorf("could not parse serial number: %w", err)
}
result = append(result, pkix.RevokedCertificate{
SerialNumber: serialNumber,
RevocationTime: time.Unix(revokeTs, 0),
@ -241,24 +279,29 @@ func (x *Root) loadRevokedCertificatesFromDatabase() ([]pkix.RevokedCertificate,
})
}
}
return result, nil
}
func (x *Root) recordRevocation(certificate *x509.Certificate) (*pkix.RevokedCertificate, error) {
_, err := os.Stat(x.databaseFile)
if err != nil {
return nil, fmt.Errorf("openssl certificate database file %s does not exist: %v", x.databaseFile, err)
return nil, fmt.Errorf("openssl certificate database file %s does not exist: %w", x.databaseFile, err)
}
inFile, err := os.Open(x.databaseFile)
if err != nil {
return nil, fmt.Errorf("could not open openssl certificate database file %s: %v", x.databaseFile, err)
return nil, fmt.Errorf("could not open openssl certificate database file %s: %w", x.databaseFile, err)
}
defer func() { _ = inFile.Close() }()
outFile, err := ioutil.TempFile(path.Dir(x.databaseFile), "*.txt")
defer func() { _ = outFile.Close() }()
if err != nil {
return nil, fmt.Errorf("could not open temporary database file: %v", err)
return nil, fmt.Errorf("could not open temporary database file: %w", err)
}
scanner := bufio.NewScanner(inFile)
@ -270,10 +313,12 @@ func (x *Root) recordRevocation(certificate *x509.Certificate) (*pkix.RevokedCer
for scanner.Scan() {
line := scanner.Text()
parts := strings.Split(line, "\t")
serialNumber, err := common.StringAsBigInt([]byte(parts[3]))
serialNumber, err := stringAsBigInt([]byte(parts[3]))
if err != nil {
return nil, fmt.Errorf("could not parse serial number %s as big int: %v", parts[3], err)
return nil, fmt.Errorf("could not parse serial number %s as big int: %w", parts[3], err)
}
if serialNumber == certificate.SerialNumber {
line = strings.Join(
[]string{"R", parts[1], strconv.FormatInt(revocationTime.Unix(), 10) + "Z", parts[3], parts[4]},
@ -281,24 +326,26 @@ func (x *Root) recordRevocation(certificate *x509.Certificate) (*pkix.RevokedCer
)
found = true
}
if _, err = writer.WriteString(fmt.Sprintf("%s\n", line)); err != nil {
return nil, fmt.Errorf("could not write '%s' to %s: %v", line, outFile.Name(), err)
return nil, fmt.Errorf("could not write '%s' to %s: %w", line, outFile.Name(), err)
}
}
if err = outFile.Close(); err != nil {
return nil, fmt.Errorf("could not close temporary file %s: %v", outFile.Name(), err)
return nil, fmt.Errorf("could not close temporary file %s: %w", outFile.Name(), err)
}
if err = inFile.Close(); err != nil {
return nil, fmt.Errorf("could not close %s: %v", x.databaseFile, err)
return nil, fmt.Errorf("could not close %s: %w", x.databaseFile, err)
}
if err = os.Rename(x.databaseFile, fmt.Sprintf("%s.old", x.databaseFile)); err != nil {
return nil, fmt.Errorf("could not rename %s to %s.old: %v", x.databaseFile, x.databaseFile, err)
return nil, fmt.Errorf("could not rename %s to %s.old: %w", x.databaseFile, x.databaseFile, err)
}
if err = os.Rename(outFile.Name(), x.databaseFile); err != nil {
return nil, fmt.Errorf("could not rename temporary file %s to %s: %v", outFile.Name(), x.databaseFile, err)
return nil, fmt.Errorf("could not rename temporary file %s to %s: %w", outFile.Name(), x.databaseFile, err)
}
if !found {
@ -313,22 +360,22 @@ func (x *Root) recordRevocation(certificate *x509.Certificate) (*pkix.RevokedCer
func (x *Root) RevokeCertificate(request []byte) (*pkix.RevokedCertificate, error) {
pemBlock, _ := pem.Decode(request)
if pemBlock.Type != "CERTIFICATE" {
if pemBlock.Type != "CERTIFICATE" {
if pemBlock.Type != pemTypeCertificate {
log.Warnf(
"PEM structure is probably not a certificate. PEM block has type %s",
pemBlock.Type,
)
log.Trace(request)
}
}
certificate, err := x509.ParseCertificate(pemBlock.Bytes)
if err != nil {
return nil, fmt.Errorf(
"could no parse certificate: %v",
"could no parse certificate: %w",
err,
)
}
return x.recordRevocation(certificate)
}
@ -337,10 +384,12 @@ func (x *Root) GenerateCrl(algorithm x509.SignatureAlgorithm) ([]byte, *[20]byte
if err != nil {
return nil, nil, err
}
nextCrlNumber, err := x.getNextCRLNumber()
if err != nil {
return nil, nil, err
}
crlTemplate := &x509.RevocationList{
SignatureAlgorithm: algorithm,
RevokedCertificates: certificatesToRevoke,
@ -363,20 +412,23 @@ func (x *Root) GenerateCrl(algorithm x509.SignatureAlgorithm) ([]byte, *[20]byte
x.privateKey,
)
if err != nil {
return nil, nil, fmt.Errorf("could not create new CRL: %v", err)
return nil, nil, fmt.Errorf("could not create new CRL: %w", err)
}
if err = ioutil.WriteFile(x.crlFileName, crlBytes, 0644); err != nil {
return nil, nil, fmt.Errorf("could not write new CRL to %s: %v", x.crlFileName, err)
if err = ioutil.WriteFile(x.crlFileName, crlBytes, 0600); err != nil {
return nil, nil, fmt.Errorf("could not write new CRL to %s: %w", x.crlFileName, err)
}
// sha1 is implied by protocol version 1
// #nosec G401
newCrlHash := sha1.Sum(crlBytes)
hashedCrlFileName := path.Join(
x.crlHashDir,
fmt.Sprintf("%s.crl", hex.EncodeToString(newCrlHash[:])),
)
if err = ioutil.WriteFile(hashedCrlFileName, crlBytes, 0644); err != nil {
return nil, nil, fmt.Errorf("could not write new CRL to %s: %v", hashedCrlFileName, err)
if err = ioutil.WriteFile(hashedCrlFileName, crlBytes, 0600); err != nil {
return nil, nil, fmt.Errorf("could not write new CRL to %s: %w", hashedCrlFileName, err)
}
return crlBytes, &newCrlHash, nil
@ -388,6 +440,7 @@ func (x *Root) DeleteOldCRLs(keepHashes ...string) error {
found, err := filepath.Glob(path.Join(x.crlHashDir, "*.crl"))
if err != nil {
log.Warnf("could not match files: %v", err)
return nil
}
@ -399,7 +452,7 @@ nextFound:
}
}
if err := os.Remove(filename); err != nil {
return fmt.Errorf("could not delete %s: %v", filename, err)
return fmt.Errorf("could not delete %s: %w", filename, err)
}
}
@ -421,6 +474,7 @@ func (x *Root) checkPreconditions() {
for _, success := range results {
if !success {
log.Warnf("preconditions for %s failed, operations may fail too", x)
break
}
}
@ -428,26 +482,34 @@ func (x *Root) checkPreconditions() {
func (x *Root) checkFile(path, prefix string) bool {
ok := true
if s, e := os.Stat(path); e != nil {
log.Warnf("%s file %s of %s has issues: %v", prefix, path, x, e)
ok = false
} else if s.IsDir() {
log.Warnf("%s file %s of %s is a directory", prefix, path, x)
ok = false
}
return ok
}
func (x *Root) checkDir(path, prefix string) bool {
ok := true
if s, e := os.Stat(path); e != nil {
log.Warnf("%s %s of %s has issues: %v", prefix, path, x, e)
if err := os.MkdirAll(path, 0755); err != nil {
log.Warnf("could not create %s %s of %s: %v", prefix, path, x, err)
}
ok = false
} else if !s.IsDir() {
log.Warnf("%s %s of %s is not a directory", prefix, path, x)
ok = false
}
@ -468,35 +530,45 @@ func (x *Root) SignCertificate(
params *SigningRequestParameters,
) ([]byte, error) {
var publicKey interface{}
// nolint:nestif
if params.IsSpkac {
var err error
const spkacPrefix = "SPKAC="
if !bytes.Equal([]byte(spkacPrefix), params.Request[:len(spkacPrefix)]) {
return nil, fmt.Errorf("request does not contain a valid SPKAC string")
}
derBytes, err := base64.StdEncoding.DecodeString(string(params.Request[len(spkacPrefix):]))
if err != nil {
return nil, fmt.Errorf("could not decode SPKAC bytes: %v", err)
return nil, fmt.Errorf("could not decode SPKAC bytes: %w", err)
}
publicKey, err = pkac.ParseSPKAC(derBytes)
if err != nil {
return nil, fmt.Errorf("could not parse SPKAC: %v", err)
return nil, fmt.Errorf("could not parse SPKAC: %w", err)
}
} else {
csrBlock, _ := pem.Decode(params.Request)
if csrBlock.Type != "CERTIFICATE REQUEST" {
return nil, fmt.Errorf("unexpected PEM block '%s' instead of 'CERTIFICATE REQUEST'", csrBlock.Type)
if csrBlock.Type != pemTypeCertificateRequest {
return nil, fmt.Errorf(
"unexpected PEM block '%s' instead of '%s'",
csrBlock.Type,
pemTypeCertificateRequest,
)
}
csr, err := x509.ParseCertificateRequest(csrBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("could not parse CSR: %v", err)
return nil, fmt.Errorf("could not parse CSR: %w", err)
}
publicKey = csr.PublicKey
}
nextSerialNumber, err := x.getNextSerialNumber()
if err != nil {
return nil, fmt.Errorf("could not get next serial number: %v", err)
return nil, fmt.Errorf("could not get next serial number: %w", err)
}
// copy profile
@ -516,14 +588,15 @@ func (x *Root) SignCertificate(
// check subject
subject, err := profile.parseSubject(params.Subject)
if err != nil {
return nil, fmt.Errorf("could not parse subject: %v", err)
return nil, fmt.Errorf("could not parse subject: %w", err)
}
certificate.Subject = *subject
// check altNames
err = profile.parseAltNames(certificate, params.SubjectAlternativeNames)
if err != nil {
return nil, fmt.Errorf("could not parse subject alternative names: %v", err)
return nil, fmt.Errorf("could not parse subject alternative names: %w", err)
}
moveEmailsFromSubjectToAlternativeNames(certificate)
@ -532,24 +605,24 @@ func (x *Root) SignCertificate(
certBytes, err := x509.CreateCertificate(rand.Reader, certificate, x.certificate, publicKey, x.privateKey)
if err != nil {
return nil, fmt.Errorf("could not sign certificate: %v", err)
return nil, fmt.Errorf("could not sign certificate: %w", err)
}
parsedCertificate, err := x509.ParseCertificate(certBytes)
if err != nil {
return nil, fmt.Errorf("could not parse signed certificate: %v", err)
return nil, fmt.Errorf("could not parse signed certificate: %w", err)
}
if err = x.bumpSerialNumber(nextSerialNumber); err != nil {
log.Errorf("could not bump serial number: %v", err)
return nil, fmt.Errorf("could not bump serial number: %w", err)
}
err = x.recordIssuedCertificate(parsedCertificate)
if err != nil {
return nil, fmt.Errorf("could not record signed certificate in database: %v", err)
return nil, fmt.Errorf("could not record signed certificate in database: %w", err)
}
pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes})
pemBytes := pem.EncodeToMemory(&pem.Block{Type: pemTypeCertificate, Bytes: certBytes})
log.Tracef("signed new certificate\n%s", pemBytes)
return pemBytes, nil
@ -559,36 +632,46 @@ func (x *Root) SignCertificate(
// otherwise which is not compliant to RFC-5280
func moveEmailsFromSubjectToAlternativeNames(certificate *x509.Certificate) {
extraNames := make([]pkix.AttributeTypeAndValue, 0)
for _, p := range certificate.Subject.ExtraNames {
if p.Type.Equal(oidPkcs9EmailAddress) {
email := p.Value.(string)
if certificate.EmailAddresses == nil {
certificate.EmailAddresses = []string{email}
continue
}
for _, e := range certificate.EmailAddresses {
if e == p.Value {
continue
}
}
certificate.EmailAddresses = append(certificate.EmailAddresses, email)
} else {
extraNames = append(extraNames, p)
}
}
certificate.Subject.ExtraNames = extraNames
}
func (x *Root) recordIssuedCertificate(certificate *x509.Certificate) error {
log.Tracef("recording %+v", certificate)
tempFile, err := ioutil.TempFile(path.Dir(x.databaseFile), "*.txt")
if err != nil {
return fmt.Errorf("could not create temporary file: %v", err)
return fmt.Errorf("could not create temporary file: %w", err)
}
defer func() { _ = tempFile.Close() }()
tempName := tempFile.Name()
dbExists := false
_, err = os.Stat(x.databaseFile)
if err != nil {
log.Warnf("openssl certificate database file %s does not exist: %v", x.databaseFile, err)
@ -597,76 +680,105 @@ func (x *Root) recordIssuedCertificate(certificate *x509.Certificate) error {
inFile, err := os.Open(x.databaseFile)
defer func() { _ = inFile.Close() }()
if err != nil {
return fmt.Errorf("could not open openssl certificate database file %s: %v", x.databaseFile, err)
return fmt.Errorf("could not open openssl certificate database file %s: %w", x.databaseFile, err)
}
_, err = io.Copy(tempFile, inFile)
if err != nil {
return fmt.Errorf("could not copy %s to temporary file %s: %v", x.databaseFile, tempName, err)
return fmt.Errorf("could not copy %s to temporary file %s: %w", x.databaseFile, tempName, err)
}
if err = inFile.Close(); err != nil {
return fmt.Errorf("could not close %s: %v", x.databaseFile, err)
return fmt.Errorf("could not close %s: %w", x.databaseFile, err)
}
}
if err = tempFile.Close(); err != nil {
return fmt.Errorf("could not close temporary file %s: %v", tempName, err)
return fmt.Errorf("could not close temporary file %s: %w", tempName, err)
}
outFile, err := os.OpenFile(tempName, os.O_APPEND|os.O_WRONLY, 0644)
if err != nil {
return fmt.Errorf("could not open temporary file for writing %s: %v", tempName, err)
return fmt.Errorf("could not open temporary file for writing %s: %w", tempName, err)
}
defer func() { _ = outFile.Close() }()
line := strings.Join([]string{"V", strconv.FormatInt(certificate.NotBefore.Unix(), 10) + "Z", "", strings.ToUpper(certificate.SerialNumber.Text(16)), "unknown", opensslFormatDN(certificate.Subject)}, "\t")
line := strings.Join(
// nolint:gomnd
[]string{
"V",
strconv.FormatInt(certificate.NotBefore.Unix(), 10) + "Z",
"",
strings.ToUpper(certificate.SerialNumber.Text(16)),
"unknown",
opensslFormatDN(certificate.Subject),
},
"\t",
)
_, err = fmt.Fprintln(outFile, line)
if err != nil {
return fmt.Errorf("could not write '%s' to %s: %v", line, tempName, err)
return fmt.Errorf("could not write '%s' to %s: %w", line, tempName, err)
}
if err = outFile.Close(); err != nil {
return fmt.Errorf("could not close temporary file %s: %v", tempName, err)
return fmt.Errorf("could not close temporary file %s: %w", tempName, err)
}
if dbExists {
if err = os.Rename(x.databaseFile, fmt.Sprintf("%s.old", x.databaseFile)); err != nil {
return fmt.Errorf("could not rename %s to %s.old: %v", x.databaseFile, x.databaseFile, err)
return fmt.Errorf("could not rename %s to %s.old: %w", x.databaseFile, x.databaseFile, err)
}
}
if err = os.Rename(tempName, x.databaseFile); err != nil {
return fmt.Errorf("could not rename temporary file %s to %s: %v", tempName, x.databaseFile, err)
return fmt.Errorf("could not rename temporary file %s to %s: %w", tempName, x.databaseFile, err)
}
return nil
}
func opensslFormatDN(subject pkix.Name) string {
const (
oidSuffixCommonName = 3
oidSuffixCountryName = 6
oidSuffixLocalityName = 7
oidSuffixProvinceName = 8
oidSuffixOrganization = 10
oidSuffixOrganizationalUnit = 11
)
var buf strings.Builder
for _, rdn := range subject.ToRDNSequence() {
if len(rdn) == 0 {
continue
}
for _, atv := range rdn {
value, ok := atv.Value.(string)
if !ok {
continue
}
t := atv.Type
if len(t) == 4 && t[:3].Equal([]int{2, 5, 4}) {
switch t[3] {
case 3:
case oidSuffixCommonName:
buf.WriteString("/CN=")
buf.WriteString(value)
case 6:
case oidSuffixCountryName:
buf.WriteString("/C=")
buf.WriteString(value)
case 7:
case oidSuffixLocalityName:
buf.WriteString("/L=")
buf.WriteString(value)
case 8:
case oidSuffixProvinceName:
buf.WriteString("/ST=")
buf.WriteString(value)
case 10:
case oidSuffixOrganization:
buf.WriteString("/O=")
buf.WriteString(value)
case 11:
case oidSuffixOrganizationalUnit:
buf.WriteString("/OU=")
buf.WriteString(value)
}
@ -676,22 +788,25 @@ func opensslFormatDN(subject pkix.Name) string {
}
}
}
return buf.String()
}
func NewRoot(
basedir, name, subdir string,
id shared.CryptoSystemRootId,
id shared.CryptoSystemRootID,
crlDistributionPoints, ocspServers []string,
) *Root {
key, err := loadPrivateKey(path.Join(basedir, subdir, "private", "ca.key.pem"))
if err != nil {
log.Fatalf("could not load private key: %v", err)
}
cert, err := loadCertificate(path.Join(basedir, subdir, "ca.crt.pem"))
if err != nil {
log.Fatalf("could not load CA certificate: %v", err)
}
root := &Root{
Name: name,
privateKey: key,
@ -709,6 +824,7 @@ func NewRoot(
ocspServers: ocspServers,
}
root.checkPreconditions()
return root
}
@ -716,7 +832,7 @@ type AltNameType string
const (
NameTypeDNS AltNameType = "DNS"
NameTypeXmppJid AltNameType = "otherName:1.3.6.1.5.5.7.8.5;UTF8" // from RFC 3920, 6120
NameTypeXMPPJid AltNameType = "otherName:1.3.6.1.5.5.7.8.5;UTF8" // from RFC 3920, 6120
)
type SubjectDnField string
@ -744,73 +860,55 @@ func (p *Profile) String() string {
}
func (p *Profile) parseSubject(subject []byte) (*pkix.Name, error) {
parts := strings.Split(string(subject), "/")
subjectDN := &pkix.Name{}
for _, part := range parts {
if len(strings.TrimSpace(part)) == 0 {
continue
}
handled := false
item := strings.SplitN(part, "=", 2)
for _, f := range p.subjectDNFields {
if !strings.EqualFold(item[0], string(f)) {
continue
}
value := item[1]
handled = true
switch f {
case SubjectDnFieldCountryName:
if subjectDN.Country == nil {
subjectDN.Country = []string{value}
} else {
subjectDN.Country = append(subjectDN.Country, value)
}
case SubjectDnFieldStateOrProvinceName:
if subjectDN.Province == nil {
subjectDN.Province = []string{value}
} else {
subjectDN.Province = append(subjectDN.Province, value)
}
case SubjectDnFieldLocalityName:
if subjectDN.Locality == nil {
subjectDN.Locality = []string{value}
} else {
subjectDN.Locality = append(subjectDN.Locality, value)
}
case SubjectDnFieldOrganizationName:
if subjectDN.Organization == nil {
subjectDN.Organization = []string{value}
} else {
subjectDN.Organization = append(subjectDN.Organization, value)
}
case SubjectDnFieldOrganizationalUnitName:
if subjectDN.OrganizationalUnit == nil {
subjectDN.OrganizationalUnit = []string{value}
} else {
subjectDN.OrganizationalUnit = append(subjectDN.OrganizationalUnit, value)
}
case SubjectDnFieldCommonName:
subjectDN.CommonName = value
case SubjectDnFieldEmailAddress:
emailIA5 := pkix.AttributeTypeAndValue{
subjectDN.ExtraNames = append(subjectDN.ExtraNames, pkix.AttributeTypeAndValue{
Type: oidPkcs9EmailAddress,
Value: value,
}
if subjectDN.ExtraNames == nil {
subjectDN.ExtraNames = []pkix.AttributeTypeAndValue{emailIA5}
} else {
subjectDN.ExtraNames = append(subjectDN.ExtraNames, emailIA5)
}
})
default:
log.Warnf("unhandled subject DN type %s", f)
}
}
if !handled {
return nil, fmt.Errorf("skipped part %s because it is not supported by profile %s", part, p)
}
}
log.Debugf("created subject DN %s", subjectDN)
return subjectDN, nil
}
@ -820,19 +918,24 @@ func (p *Profile) parseAltNames(template *x509.Certificate, altNames []byte) err
if len(strings.TrimSpace(part)) == 0 {
continue
}
handled := false
item := strings.SplitN(part, ":", 3)
if item[0] == "otherName" {
item = []string{strings.Join(item[:2], ":"), item[2]}
} else {
item = []string{item[0], strings.Join(item[1:], ":")}
}
for _, f := range p.altNameTypes {
if item[0] != string(f) {
continue
}
value := item[1]
handled = true
switch f {
case NameTypeDNS:
if template.DNSNames == nil {
@ -840,17 +943,19 @@ func (p *Profile) parseAltNames(template *x509.Certificate, altNames []byte) err
} else {
template.DNSNames = append(template.DNSNames, value)
}
case NameTypeXmppJid:
// x509.Certificate has no support for otherName alternative names
case NameTypeXMPPJid:
// x509ops.Certificate has no support for otherName alternative names
log.Warnf("skipping %s because it cannot be supported", part)
default:
log.Warnf("unhandled alternative name type %s", f)
}
}
if !handled {
return fmt.Errorf("skipped alternative name %s because it is not supported by profile %s", part, p)
}
}
return nil
}
@ -869,3 +974,14 @@ func NewProfile(
copyEmail: copyEmail,
}
}
func stringAsBigInt(data []byte) (*big.Int, error) {
dataString := strings.TrimSpace(string(data))
parseInt, err := strconv.ParseInt(dataString, 16, 64)
if err != nil {
return nil, fmt.Errorf("could not parse %s as big int: %w", dataString, err)
}
return big.NewInt(parseInt), nil
}

35
signer/x509_ops/operations_test.go → signer/x509ops/x509ops_test.go
View File

@ -1,4 +1,4 @@
package x509_ops
package x509ops
import (
"crypto"
@ -33,6 +33,7 @@ func TestRoot_SignClientCertificateWithCSR(t *testing.T) {
subjectDNFields: []SubjectDnField{SubjectDnFieldCommonName, SubjectDnFieldEmailAddress},
copyEmail: true,
}
certificate, err := root.SignCertificate(clientProfile, x509.SHA256WithRSA, &SigningRequestParameters{
Request: decodeToBytes(t, testRequest),
Subject: []byte(testClientSubject),
@ -42,17 +43,21 @@ func TestRoot_SignClientCertificateWithCSR(t *testing.T) {
})
if err != nil {
t.Errorf("error signing certificate: %v", err)
return
}
certificateDer, _ := pem.Decode(certificate)
if certificateDer.Type != "CERTIFICATE" {
t.Errorf("invalid PEM type '%s' instead of 'CERTIFICATE'", certificateDer.Type)
if certificateDer.Type != pemTypeCertificate {
t.Errorf("invalid PEM type '%s' instead of '%s'", certificateDer.Type, pemTypeCertificate)
return
}
_, err = x509.ParseCertificate(certificateDer.Bytes)
if err != nil {
t.Errorf("could not parse generated certificate: %v", err)
return
}
}
@ -90,17 +95,21 @@ func TestRoot_SignClientCertificateWithSPKAC(t *testing.T) {
if err != nil {
t.Errorf("error signing certificate: %v", err)
return
}
certificateDer, _ := pem.Decode(certificate)
if certificateDer.Type != "CERTIFICATE" {
t.Errorf("invalid PEM type '%s' instead of 'CERTIFICATE'", certificateDer.Type)
if certificateDer.Type != pemTypeCertificate {
t.Errorf("invalid PEM type '%s' instead of '%s'", certificateDer.Type, pemTypeCertificate)
return
}
_, err = x509.ParseCertificate(certificateDer.Bytes)
if err != nil {
t.Errorf("could not parse generated certificate: %v", err)
return
}
}
@ -134,9 +143,10 @@ func TestRoot_SignServerCertificateWithCSR(t *testing.T) {
SubjectDnFieldOrganizationalUnitName,
SubjectDnFieldCommonName,
},
altNameTypes: []AltNameType{NameTypeDNS, NameTypeXmppJid},
altNameTypes: []AltNameType{NameTypeDNS, NameTypeXMPPJid},
copyEmail: false,
}
certificate, err := root.SignCertificate(clientProfile, x509.SHA256WithRSA, &SigningRequestParameters{
Request: decodeToBytes(t, testRequest),
Subject: []byte(testServerSubject),
@ -146,36 +156,44 @@ func TestRoot_SignServerCertificateWithCSR(t *testing.T) {
})
if err != nil {
t.Errorf("error signing certificate: %v", err)
return
}
certificateDer, _ := pem.Decode(certificate)
if certificateDer.Type != "CERTIFICATE" {
t.Errorf("invalid PEM type '%s' instead of 'CERTIFICATE'", certificateDer.Type)
return
}
_, err = x509.ParseCertificate(certificateDer.Bytes)
if err != nil {
t.Errorf("could not parse generated certificate: %v", err)
return
}
}
func loadTestKey(t *testing.T) crypto.Signer {
testKeyBytes := decodeToBytes(t, testCAKey)
key, err := x509.ParsePKCS1PrivateKey(testKeyBytes)
if err != nil {
t.Fatal(err)
}
return key
}
func loadTestCACertificate(t *testing.T) *x509.Certificate {
testCertBytes := decodeToBytes(t, testCACertificate)
cert, err := x509.ParseCertificate(testCertBytes)
if err != nil {
t.Fatal(err)
}
return cert
}
@ -184,11 +202,14 @@ func decodeToBytes(t *testing.T, request string) []byte {
if err != nil {
t.Fatal(err)
}
return decodeString
}
// nolint:lll
const testRequest = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0VWR1Z6ZERDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQU9wQ1JmMVZWQjVwK3RscVFjM25qekYyZVAydG40bGZ2NVlJU3RFMktMSmxJRDRECi9YZTRVUGdodlNuMUN3R1VzeCtQcFBDaTdZVFdQNXRKSWYwbmNLMm02YVZIWUtqcDN2K3NvMnRENkJ4V0lMSFAKS0tQSm5qbnBjU0l1Q3hKUytRU2xyMHh0aEJYYzZ2UzVWRE5Ib285VXJWRUYzSVlTd3VDTklqTWpMR25kYmpCagprNm5TUk5JZWVmeVBaVGI4MHFsVTJFZ3hJMFdFYTA1dm5sQTY5L2tQZGhmTjVRRHBHQ1NxU25GdXo1cGFmRXVIClZMOE1aQXVtVDJySkVkYnorcHRPRjBqMWZSWEQ4b1RKZ0ppQmszbGR6YlBqeFpndW5LSTl3NVcrSWdEWmxsNm8KRzM2TUN6WHNYREdkb25NbCt0K1JIbEdocjN0VDQrKzBobXVYL2pzQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRRFBlYnhmR3pRaWRud1pxUGdQYUliRmxNM0xsWXpROEJFbFUrYXV5bC90VjhJRC85a0dkekNxClN4N0QyRWVNVC83QmZ6L29XUjRMczVUeFpzdjR0N3RiSEUrSStFdEcwS3FnUDhNTTJPWStGckJBMXVnY3JJa2YKNmVpbXFEVkFtUFBNMHhCNUg3aFdNY1BMVUhzbW1GNlV4ajNsVXphOVQ5OXpxTWppMXlyYlpIc1pkMEM0RFd6RQo1YWtZU1hTTGNuK1F3R25LY1pvV1QwczNWZU5pMHNUK3BTNEVkdk1SbzV6Q3JUMW1SbFlYQkNqU0tpQzZEVjNpCnhyaDI2WWJqMjRKSys5dlNUR3N4RFlpMXUzOG04a1AxRVR2L0lCVnRDSVpKVmJ2eXhWbUpuemV2QnJONHpxdncKV1QvQi9jOGdrK0FQR1BKM3ZaZDUxNVhvM2QzVld4NkwKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg=="
// nolint:lll
const testSpkac = "U1BLQUM9TUlJQ1FEQ0NBU2d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRHFRa1g5VlZRZWFmclpha0hONTQ4eGRuajlyWitKWDcrV0NFclJOaWl5WlNBK0EvMTN1RkQ0SWIwcDlRc0JsTE1majZUd291MkUxaitiU1NIOUozQ3RwdW1sUjJDbzZkNy9yS05yUStnY1ZpQ3h6eWlqeVo0NTZYRWlMZ3NTVXZrRXBhOU1iWVFWM09yMHVWUXpSNktQVksxUkJkeUdFc0xnalNJekl5eHAzVzR3WTVPcDBrVFNIbm44ajJVMi9OS3BWTmhJTVNORmhHdE9iNTVRT3ZmNUQzWVh6ZVVBNlJna3FrcHhicythV254TGgxUy9ER1FMcGs5cXlSSFc4L3FiVGhkSTlYMFZ3L0tFeVlDWWdaTjVYYzJ6NDhXWUxweWlQY09WdmlJQTJaWmVxQnQrakFzMTdGd3huYUp6SmZyZmtSNVJvYTk3VStQdnRJWnJsLzQ3QWdNQkFBRVdBREFOQmdrcWhraUc5dzBCQVFRRkFBT0NBUUVBaDdqWmxaYXpPOXdHRkl3Mll1SVN5WjVYb2JjU0pSS2dMbG52UDh5cUkyVkxTdVBmdkNXOGJxKzNMWnNWcFZ6U0dhbDgwUTk5empOVy9lRm0xTElMRXZNZ0FCeEFtdk9UNlNKZURyajc4WkQyL0haazdmdHVLWU1VbkZTOWhzUWlkWmoveUttbDd4Nm9hQnlpalg5UVU0eTZYcCs3NzlhREFSenZOWTR5RGlRZmNuaFBVN1dablJyTUJZOHBSTVJVVjNKc2MvZXBQclZjOVhoaVE0KzBRNHFVQW1VNlVHNWNQeXFROVJJK2ZIL3VMbm8vZkNHUGZFVjM1NDV3WG5NeXNubC9HYlNLa0FHdVFmcm5ZT2dReFV4dUx1aHBoazVIaGtlMzNUUy9FYVlGc2JTZEhzRktoaCt4Uks3NW9wWExJTkpzNTFpYVdySUFTVmZvRTI0a3FRPT0K"
const testClientSubject = "/CN=Test/emailAddress=test@example.org"
@ -199,6 +220,8 @@ const testServerSubject = "/CN=www.example.org"
const testServerSan = "DNS:www.example.org,otherName:1.3.6.1.5.5.7.8.5;UTF8:www.example.org"
// nolint:lll
const testCAKey = "MIIG5AIBAAKCAYEAqMWP2Ec/DxJ5n5bCv0e6oTBoGvsplq1qHVtwPDEL/bwlhUbTigGPQGoUK+Y3eS2T5FY/qpdfqjUBi/FnPiKNwEnmkYuSakSSS6GyrgsP876z1xXth50CIkUnAPR1YJ0bYmhUpEitRJgoWa5my3bS+LuNt1gVHD+zyCOlbfNJZTILnQHFLtzi/wPivlTWpUDJzHWvvo+Ki4e29qWRMaAatiXLUq/wW06fsRSa9plkhNv7jlg9hq8Y2SEie0mRvuyFgIKvkBmcT3X5yPhCWZPomsqQnEJXKnxno0SkrM+XoWWBeusYPsZkfXknGwy/wvoMbVT5MfqyMYY1CTw8/zaSDoC/sj8XmAL44t+EsZ+JEUYgSVW6Y3L2KieuqCibg4B+G8qI4AQm2cjXanjX1kWTUCCtGO6ylxRKNq0zCWhflE2i2s/+4v+RuHQ1laYnfl3vIQZHz0/gtQIlR2AqXc2ODRoTO8d80dXZjwImnrjHQ/yHx4LErHMprNjQb0BprtCDAgMBAAECggGAEF7hfhQjHL4pB/7isxUtGDeO0ZctSI1XrrNQ5rXHOPyIEy50lH1kPNZNUJjLJrjyEIMBN/Xo9KShmsZ2wkMtxsokUFfegupV2no7z8AI8xa7cRCScsYbD+HvT5tmy1FR97CxDSJzlCTCPTi6hd/nxPLEY1Vq7suLD83NXSXtJ6C8GaWzT8FjT2M8GkQ2cd8f8/IycuSPhstKRxB2Tf7+uE5gM4wXX3P374BVK7hjVLPV6c/LYAYZ/e3F33maZo+glyRP0DIWUtVQHhn7ZxlhatLYPrzwoM9MBFVjX4KHjRBWpZ/eSRKmDske0KnQ8nKPo2MsXxm6aKRNr4XJRC0FXqvz1CEa22ANOtCyfNmHHH6PC7R9rCCt8TZFAPDyyVq31KJe89cwdPngPBOIZdnW9U5pmG0aQrwU9ubafX5Yf+uDP0N9rEPEw5sU0QZHMai5751jQFIpej/6IA3mv0rscxP5Bjc8gGJynhj4BvpHWHZzdRQZquQG1CPKDm5yItuBAoHBANhF+ukAUkIvWMuD9WXSGcUuDsfPOSvx5Fx2riQYhbDFhb2W5zZ75Pi4E2OnQ8RDxCbUJ/iubLwm69LixW5e2+hvR8+AFV3bBgXQUl4uJHKCChz94JZHNgaUae1jjqWNxINLWNAIGUzR9ABslWRiE15InjOjMLf0is0IqryPUX1JtHLM9HnDtR5RbuZUhEUxp3a/msJJeM1sVbOMELolmC0O6ChhMM2mj7mSkexSE7XZwJLn+pIP5GZBhdi0Jz++wQKBwQDHxd55McC7gEIOPjy4SUHhE/JnJd0MRr6R2kHiZs7yMy8WBjDp+Ez2JiHHj00HY9hTRswO45ZtfaMFzfAjLJ7Dja7Pvbh48QkZJV+bul1pLdsLnzHtxqDaZSZluGBBUMoh+PE7WauGgflxtWrH0QX1kv+E0Z70F1fgsJkJ7L9j+M9TkKJxOtqS0BVo13Ko2LHN+6hFOeE5J7ItvdapWPXBGUySw9ELmLd38br0wTdzpWD6OupcM8M8Qb+vncEc5EMCgcEA1Vby07VFb5RU+y0IfZBra16rpd58fyT2J1/LGEA4YM/3xbV+DvjYPaEXP05YQtq2O7c8Vst454FdT4HzT5SzSO284KtwaE0N+94r4kuSGIK+hyrIyHUmjgcJFusGY7kdCIbi7ROQIX9aOrDiDUvR30ezBy0Leer4oJjUE30s3XI/Vp9m6lZr66RYyUzFzZvVngYUG2NujvU29Q5N0dIT8x6pVGvLQJH1ZRF4cK3mU5Shqki7nCmhHF22MrZDoVYBAoHBALCmIC5sty9Vn5N2pzyR0sZTXBKnoYo8eEECjSXEoRP7/JPuD4ykenFikJYk+gkh2eTxgnlb9+WDpgb47nI7/3uOKlkaOyf+g3wP1zYeGoFqAfqJ352Q+SWFMenamorHBKX7ulwv04OSJN/OesiL5UgcnwN0VKkkhxlxLzJefXLKTZJoH6weTa5qf7QAZyw0yS0KbeYg4y4mEuFtr4Z52n3QgCx7KLunY/yU7SuGOyFwyIscU6YKQ4Zh4T1KMrv4fwKBwExZH2XIvvu7setxg6IkNMnNJdeJ6mefk3kxdZX+ZprO3cyh60bv0lSjqrKADQuy2MknQKjx0NvI4vbzmhUUb18Koy66oh4r7M5iSKofWs3rybfeGjF4StETSW7fS1nLGlicYqIbX6TT4Hhg91RwT33vrEvvlBQFowV8cR5OmGq6aW6H6bh3UkzcxV2HI/QvwW2mvRvDQycnjfGjuYbVwi6tn2O2wet0Dka7y/AZfp9OBLJRBZJNoIViTn4Lx9FHlQ=="
// nolint:lll
const testCACertificate = "MIIFmDCCBACgAwIBAgIUOlITUGXFrKZesL4LlawzVxLTXFYwDQYJKoZIhvcNAQELBQAwNzELMAkGA1UEBhMCQVUxFDASBgNVBAoMC0NBY2VydCBJbmMuMRIwEAYDVQQDDAlUZXN0IFJvb3QwHhcNMjEwMTA4MTMwNDM5WhcNMjYwMTA3MTMwNDM5WjA9MQswCQYDVQQGEwJBVTEUMBIGA1UECgwLQ0FjZXJ0IEluYy4xGDAWBgNVBAMMD0NsYXNzIDMgVGVzdCBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKjFj9hHPw8SeZ+Wwr9HuqEwaBr7KZatah1bcDwxC/28JYVG04oBj0BqFCvmN3ktk+RWP6qXX6o1AYvxZz4ijcBJ5pGLkmpEkkuhsq4LD/O+s9cV7YedAiJFJwD0dWCdG2JoVKRIrUSYKFmuZst20vi7jbdYFRw/s8gjpW3zSWUyC50BxS7c4v8D4r5U1qVAycx1r76PiouHtvalkTGgGrYly1Kv8FtOn7EUmvaZZITb+45YPYavGNkhIntJkb7shYCCr5AZnE91+cj4QlmT6JrKkJxCVyp8Z6NEpKzPl6FlgXrrGD7GZH15JxsMv8L6DG1U+TH6sjGGNQk8PP82kg6Av7I/F5gC+OLfhLGfiRFGIElVumNy9ionrqgom4OAfhvKiOAEJtnI12p419ZFk1AgrRjuspcUSjatMwloX5RNotrP/uL/kbh0NZWmJ35d7yEGR89P4LUCJUdgKl3Njg0aEzvHfNHV2Y8CJp64x0P8h8eCxKxzKazY0G9Aaa7QgwIDAQABo4IBlDCCAZAwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRI3ALoQ7dcRqu0gHtxaLVAv2DcOzAfBgNVHSMEGDAWgBTrwahlUMEoV1OavhMbkLcSar8PIzB3BggrBgEFBQcBAQRrMGkwNwYIKwYBBQUHMAKGK2h0dHA6Ly90ZXN0LmNhY2VydC5sb2NhbGhvc3QvY2Evcm9vdC9jYS5jcnQwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLnRlc3QuY2FjZXJ0LmxvY2FsaG9zdC8wPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC50ZXN0LmNhY2VydC5sb2NhbGhvc3QvY2xhc3MzLmNybDBUBgNVHSAETTBLMEkGCCsGAQUFBwIBMD0wOwYIKwYBBQUHAgEWL2h0dHA6Ly90ZXN0LmNhY2VydC5sb2NhbGhvc3QvY2EvY2xhc3MzL2Nwcy5odG1sMA0GCSqGSIb3DQEBCwUAA4IBgQAcqK68GOxTfM9zSRbHWHchsbiyKcbxPo42se9dm/nLHT/N2XEW9Ycj5dZD8+XgoW8dVPS3uVZGj57Pr8ix3OXhMKGqcdO2QRAQaoyjw7t9dCkaJ8b7h39sY/5pFSSIdYAyyb9uPgJ1FPLueOqm3bZHVFcbiiA8/miiwGWPVEfK7zdEmFKMAkY2wYtWBeovKNVnCbuQ1Pd8CxvkCs5R9KnMfbU7bgJK8zkhlHwdtalmg2IS4yMuvYeL9S3QwL7fYcCjjTLCKwkj3frsnkRC5pGPHQ6/iVVbdsqAI70A1Uqcl15Jcpzg0Nc2EABjhbWO7gLpHpzMI5Alt+Tr+oWhe2M7wnBhuojgwASA10CnXT27GYXziIzr8d3P+T0PVLD2WcvQeEUJoQySw6W8CIkaZEZG6YBWjrAkGcO6JB+YJ5UiJOCHA6W4pmwNkGR2oh6JMQCUikaFVywb1HMIGOINOBHymj4KkuywC2w6SXMD4OqJcsCmHSNcqjFvcT/22kYCtDE="