Implement X.509 signing

signer/protocol_elements.go

@@ -19,25 +19,31 @@ const (
 const (
 	X509RootDefault shared.CryptoSystemRootId = 0
 	X509RootClass3  shared.CryptoSystemRootId = 1
-	X509RootClass3s shared.CryptoSystemRootId = 2
-	X509Root3       shared.CryptoSystemRootId = 3
-	X509Root4       shared.CryptoSystemRootId = 4
-	X509Root5       shared.CryptoSystemRootId = 5
+	// The following roots existed in the old server.pl but had
+	// no profile configurations and were thus unusable
+	//
+	// X509RootClass3s shared.CryptoSystemRootId = 2
+	// X509Root3       shared.CryptoSystemRootId = 3
+	// X509Root4       shared.CryptoSystemRootId = 4
+	// X509Root5       shared.CryptoSystemRootId = 5
 )
 
 const (
 	X509ProfileClient         shared.CertificateProfileId = 0
 	X509ProfileClientOrg      shared.CertificateProfileId = 1
 	X509ProfileClientCodesign shared.CertificateProfileId = 2
-	X509ProfileClientMachine  shared.CertificateProfileId = 3
-	X509ProfileClientAds      shared.CertificateProfileId = 4
 	X509ProfileServer         shared.CertificateProfileId = 5
 	X509ProfileServerOrg      shared.CertificateProfileId = 6
-	X509ProfileServerJabber   shared.CertificateProfileId = 7
 	X509ProfileOCSP           shared.CertificateProfileId = 8
 	X509ProfileTimestamp      shared.CertificateProfileId = 9
-	X509ProfileProxy          shared.CertificateProfileId = 10
-	X509ProfileSubCA          shared.CertificateProfileId = 11
+
+	// the following profiles where valid options in the original signer code but had no configurations
+	//
+	// X509ProfileClientMachine  shared.CertificateProfileId = 3  // no configuration on original signer
+	// X509ProfileClientAds      shared.CertificateProfileId = 4  // no configuration on original signer
+	// X509ProfileServerJabber   shared.CertificateProfileId = 7  // no configuration on original signer
+	// X509ProfileProxy          shared.CertificateProfileId = 10  // no configuration on original signer
+	// X509ProfileSubCA          shared.CertificateProfileId = 11  // no configuration on original signer
 )
 
 const (
@@ -65,30 +71,172 @@ const (
 func NewCommandProcessor() *CommandProcessor {
 	settings := NewCommandProcessorSettings()
 
+	clientPrototype := &x509.Certificate{
+		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageEmailProtection,
+			x509.ExtKeyUsageClientAuth,
+			// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
+			// 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto
+			// x509.ExtKeyUsageNetscapeServerGatedCrypto,
+		},
+	}
+	codeSignPrototype := &x509.Certificate{
+		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageEmailProtection,
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageCodeSigning,
+			// 1.3.6.1.4.1.311.2.1.21 msCodeInd not supported by golang.org/crypto
+			// x509.ExtKeyUsageMicrosoftCommercialCodeSigning,
+			// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
+			// 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto
+			// x509.ExtKeyUsageNetscapeServerGatedCrypto,
+		},
+	}
+	serverPrototype := &x509.Certificate{
+		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageServerAuth,
+			// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
+			// x509.ExtKeyUsageNetscapeServerGatedCrypto,
+		},
+	}
+	ocspPrototype := &x509.Certificate{
+		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+			x509.ExtKeyUsageOCSPSigning,
+			// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
+			// x509.ExtKeyUsageNetscapeServerGatedCrypto,
+		},
+	}
+	timestampPrototype := &x509.Certificate{
+		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+			x509.ExtKeyUsageOCSPSigning,
+			// x509.ExtKeyUsageMicrosoftServerGatedCrypto,
+			// x509.ExtKeyUsageNetscapeServerGatedCrypto,
+		},
+	}
 	cryptoSystems := map[shared.CryptoSystemId]*CryptoSystem{
 		CsX509: {
 			Name: "X.509",
 			Roots: map[shared.CryptoSystemRootId]interface{}{
-				X509RootDefault: x509_ops.NewRoot(settings.CABaseDir, "openssl", "CA", X509RootDefault),
-				X509RootClass3:  x509_ops.NewRoot(settings.CABaseDir, "class3", "class3", X509RootClass3),
-				X509RootClass3s: &x509_ops.Root{Name: "class3s"},
-				X509Root3:       &x509_ops.Root{Name: "root3"},
-				X509Root4:       &x509_ops.Root{Name: "root4"},
-				X509Root5:       &x509_ops.Root{Name: "root5"},
+				X509RootDefault: x509_ops.NewRoot(
+					settings.CABaseDir,
+					"openssl",
+					"CA",
+					X509RootDefault,
+					// TODO: parse crl distribution points from configuration
+					[]string{"http://crl.cacert.localhost/revoke.crl"},
+					// TODO: parse OCSP endpoints from configuration
+					[]string{"http://ocsp.cacert.localhost"},
+				),
+				X509RootClass3: x509_ops.NewRoot(
+					settings.CABaseDir,
+					"class3",
+					"class3",
+					X509RootClass3,
+					// TODO: parse crl distribution points from configuration
+					[]string{"http://crl.cacert.localhost/class3-revoke.crl"},
+					// TODO: parse OCSP endpoints from configuration
+					[]string{"http://ocsp.cacert.localhost"},
+				),
+				// The following roots existed in the old server.pl but had
+				// no profile configurations and were thus unusable
+				//
+				// X509RootClass3s: &x509_ops.Root{Name: "class3s"},  // no profile configs
+				// X509Root3:       &x509_ops.Root{Name: "root3"},
+				// X509Root4:       &x509_ops.Root{Name: "root4"},
+				// X509Root5:       &x509_ops.Root{Name: "root5"},
 			},
 			Profiles: map[shared.CertificateProfileId]interface{}{
-				X509ProfileClient:         &x509_ops.Profile{Name: "client"},
-				X509ProfileClientOrg:      &x509_ops.Profile{Name: "client-org"},
-				X509ProfileClientCodesign: &x509_ops.Profile{Name: "client-codesign"},
-				X509ProfileClientMachine:  &x509_ops.Profile{Name: "client-machine"},
-				X509ProfileClientAds:      &x509_ops.Profile{Name: "client-ads"},
-				X509ProfileServer:         &x509_ops.Profile{Name: "server"},
-				X509ProfileServerOrg:      &x509_ops.Profile{Name: "server-org"},
-				X509ProfileServerJabber:   &x509_ops.Profile{Name: "server-jabber"},
-				X509ProfileOCSP:           &x509_ops.Profile{Name: "ocsp"},
-				X509ProfileTimestamp:      &x509_ops.Profile{Name: "timestamp"},
-				X509ProfileProxy:          &x509_ops.Profile{Name: "proxy"},
-				X509ProfileSubCA:          &x509_ops.Profile{Name: "subca"},
+				X509ProfileClient: x509_ops.NewProfile(
+					"client",
+					clientPrototype,
+					[]x509_ops.SubjectDnField{
+						x509_ops.SubjectDnFieldCommonName,
+						x509_ops.SubjectDnFieldEmailAddress,
+					},
+					nil,
+					true,
+				),
+				X509ProfileClientOrg: x509_ops.NewProfile("client-org", clientPrototype,
+					[]x509_ops.SubjectDnField{
+						x509_ops.SubjectDnFieldCountryName,
+						x509_ops.SubjectDnFieldStateOrProvinceName,
+						x509_ops.SubjectDnFieldLocalityName,
+						x509_ops.SubjectDnFieldOrganizationName,
+						x509_ops.SubjectDnFieldOrganizationalUnitName,
+						x509_ops.SubjectDnFieldCommonName,
+						x509_ops.SubjectDnFieldEmailAddress,
+					},
+					nil,
+					true,
+				),
+				X509ProfileClientCodesign: x509_ops.NewProfile("client-codesign", codeSignPrototype,
+					[]x509_ops.SubjectDnField{
+						x509_ops.SubjectDnFieldCountryName,
+						x509_ops.SubjectDnFieldStateOrProvinceName,
+						x509_ops.SubjectDnFieldLocalityName,
+						x509_ops.SubjectDnFieldCommonName,
+						x509_ops.SubjectDnFieldEmailAddress,
+					},
+					nil,
+					true,
+				),
+				// X509ProfileClientMachine:  &x509_ops.Profile{Name: "client-machine"},
+				// X509ProfileClientAds:      &x509_ops.Profile{Name: "client-ads"},
+				X509ProfileServer: x509_ops.NewProfile("server", serverPrototype,
+					[]x509_ops.SubjectDnField{
+						x509_ops.SubjectDnFieldCommonName,
+					},
+					[]x509_ops.AltNameType{x509_ops.NameTypeDNS, x509_ops.NameTypeXmppJid},
+					false,
+				),
+				X509ProfileServerOrg: x509_ops.NewProfile("server-org", serverPrototype,
+					[]x509_ops.SubjectDnField{
+						x509_ops.SubjectDnFieldCountryName,
+						x509_ops.SubjectDnFieldStateOrProvinceName,
+						x509_ops.SubjectDnFieldLocalityName,
+						x509_ops.SubjectDnFieldOrganizationName,
+						x509_ops.SubjectDnFieldOrganizationalUnitName,
+						x509_ops.SubjectDnFieldCommonName,
+					},
+					[]x509_ops.AltNameType{x509_ops.NameTypeDNS, x509_ops.NameTypeXmppJid},
+					false,
+				),
+				// X509ProfileServerJabber: &x509_ops.Profile{Name: "server-jabber"},
+				X509ProfileOCSP: x509_ops.NewProfile("ocsp", ocspPrototype,
+					[]x509_ops.SubjectDnField{
+						x509_ops.SubjectDnFieldCountryName,
+						x509_ops.SubjectDnFieldStateOrProvinceName,
+						x509_ops.SubjectDnFieldLocalityName,
+						x509_ops.SubjectDnFieldOrganizationName,
+						x509_ops.SubjectDnFieldOrganizationalUnitName,
+						x509_ops.SubjectDnFieldCommonName,
+						x509_ops.SubjectDnFieldEmailAddress,
+					},
+					nil,
+					false,
+				),
+				X509ProfileTimestamp: x509_ops.NewProfile("timestamp", timestampPrototype,
+					[]x509_ops.SubjectDnField{
+						x509_ops.SubjectDnFieldCountryName,
+						x509_ops.SubjectDnFieldStateOrProvinceName,
+						x509_ops.SubjectDnFieldLocalityName,
+						x509_ops.SubjectDnFieldOrganizationName,
+						x509_ops.SubjectDnFieldOrganizationalUnitName,
+						x509_ops.SubjectDnFieldCommonName,
+					},
+					nil,
+					true,
+				),
+				// X509ProfileProxy:          &x509_ops.Profile{Name: "proxy"},
+				// X509ProfileSubCA:          &x509_ops.Profile{Name: "subca"},
 			},
 			// constants for openssl invocations. Should be replaced with
 			// something more useful