package signer import ( "crypto" "crypto/x509" "fmt" "path" "git.cacert.org/cacert-gosigner/shared" "git.cacert.org/cacert-gosigner/signer/openpgp_ops" "git.cacert.org/cacert-gosigner/signer/x509_ops" ) const ( CsX509 shared.CryptoSystemId = 1 CsOpenPGP shared.CryptoSystemId = 2 ) const ( X509RootDefault shared.CryptoSystemRootId = 0 X509RootClass3 shared.CryptoSystemRootId = 1 // The following roots existed in the old server.pl but had // no profile configurations and were thus unusable // // X509RootClass3s shared.CryptoSystemRootId = 2 // X509Root3 shared.CryptoSystemRootId = 3 // X509Root4 shared.CryptoSystemRootId = 4 // X509Root5 shared.CryptoSystemRootId = 5 ) const ( X509ProfileClient shared.CertificateProfileId = 0 X509ProfileClientOrg shared.CertificateProfileId = 1 X509ProfileClientCodesign shared.CertificateProfileId = 2 X509ProfileServer shared.CertificateProfileId = 5 X509ProfileServerOrg shared.CertificateProfileId = 6 X509ProfileOCSP shared.CertificateProfileId = 8 X509ProfileTimestamp shared.CertificateProfileId = 9 // the following profiles where valid options in the original signer code but had no configurations // // X509ProfileClientMachine shared.CertificateProfileId = 3 // no configuration on original signer // X509ProfileClientAds shared.CertificateProfileId = 4 // no configuration on original signer // X509ProfileServerJabber shared.CertificateProfileId = 7 // no configuration on original signer // X509ProfileProxy shared.CertificateProfileId = 10 // no configuration on original signer // X509ProfileSubCA shared.CertificateProfileId = 11 // no configuration on original signer ) const ( X509MDDefault shared.MessageDigestAlgorithmId = 0 X509MDMd5 shared.MessageDigestAlgorithmId = 1 X509MDSha1 shared.MessageDigestAlgorithmId = 2 // X509MDRipeMD160 shared.MessageDigestAlgorithmId = 3 x509 package does not support RIPEMD160 X509MDSha256 shared.MessageDigestAlgorithmId = 8 X509MDSha384 shared.MessageDigestAlgorithmId = 9 X509MDSha512 shared.MessageDigestAlgorithmId = 10 ) const ( OpenPGPRoot0 shared.CryptoSystemRootId = 0 ) const ( OpenPGPDefaultProfile shared.CertificateProfileId = 0 ) const ( OpenPGPDefaultMD shared.MessageDigestAlgorithmId = 0 ) func NewCommandProcessor() *CommandProcessor { settings := NewCommandProcessorSettings() clientPrototype := &x509.Certificate{ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement, ExtKeyUsage: []x509.ExtKeyUsage{ x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth, // x509.ExtKeyUsageMicrosoftServerGatedCrypto, // 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto // x509.ExtKeyUsageNetscapeServerGatedCrypto, }, } codeSignPrototype := &x509.Certificate{ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement, ExtKeyUsage: []x509.ExtKeyUsage{ x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageCodeSigning, // 1.3.6.1.4.1.311.2.1.21 msCodeInd not supported by golang.org/crypto // x509.ExtKeyUsageMicrosoftCommercialCodeSigning, // x509.ExtKeyUsageMicrosoftServerGatedCrypto, // 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto // x509.ExtKeyUsageNetscapeServerGatedCrypto, }, } serverPrototype := &x509.Certificate{ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement, ExtKeyUsage: []x509.ExtKeyUsage{ x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, // x509.ExtKeyUsageMicrosoftServerGatedCrypto, // x509.ExtKeyUsageNetscapeServerGatedCrypto, }, } ocspPrototype := &x509.Certificate{ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement, ExtKeyUsage: []x509.ExtKeyUsage{ x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning, // x509.ExtKeyUsageMicrosoftServerGatedCrypto, // x509.ExtKeyUsageNetscapeServerGatedCrypto, }, } timestampPrototype := &x509.Certificate{ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement, ExtKeyUsage: []x509.ExtKeyUsage{ x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning, // x509.ExtKeyUsageMicrosoftServerGatedCrypto, // x509.ExtKeyUsageNetscapeServerGatedCrypto, }, } cryptoSystems := map[shared.CryptoSystemId]*CryptoSystem{ CsX509: { Name: "X.509", Roots: map[shared.CryptoSystemRootId]interface{}{ X509RootDefault: x509_ops.NewRoot( settings.CABaseDir, "openssl", "CA", X509RootDefault, // TODO: parse crl distribution points from configuration []string{"http://crl.cacert.localhost/revoke.crl"}, // TODO: parse OCSP endpoints from configuration []string{"http://ocsp.cacert.localhost"}, ), X509RootClass3: x509_ops.NewRoot( settings.CABaseDir, "class3", "class3", X509RootClass3, // TODO: parse crl distribution points from configuration []string{"http://crl.cacert.localhost/class3-revoke.crl"}, // TODO: parse OCSP endpoints from configuration []string{"http://ocsp.cacert.localhost"}, ), // The following roots existed in the old server.pl but had // no profile configurations and were thus unusable // // X509RootClass3s: &x509_ops.Root{Name: "class3s"}, // no profile configs // X509Root3: &x509_ops.Root{Name: "root3"}, // X509Root4: &x509_ops.Root{Name: "root4"}, // X509Root5: &x509_ops.Root{Name: "root5"}, }, Profiles: map[shared.CertificateProfileId]interface{}{ X509ProfileClient: x509_ops.NewProfile( "client", clientPrototype, []x509_ops.SubjectDnField{ x509_ops.SubjectDnFieldCommonName, x509_ops.SubjectDnFieldEmailAddress, }, nil, true, ), X509ProfileClientOrg: x509_ops.NewProfile("client-org", clientPrototype, []x509_ops.SubjectDnField{ x509_ops.SubjectDnFieldCountryName, x509_ops.SubjectDnFieldStateOrProvinceName, x509_ops.SubjectDnFieldLocalityName, x509_ops.SubjectDnFieldOrganizationName, x509_ops.SubjectDnFieldOrganizationalUnitName, x509_ops.SubjectDnFieldCommonName, x509_ops.SubjectDnFieldEmailAddress, }, nil, true, ), X509ProfileClientCodesign: x509_ops.NewProfile("client-codesign", codeSignPrototype, []x509_ops.SubjectDnField{ x509_ops.SubjectDnFieldCountryName, x509_ops.SubjectDnFieldStateOrProvinceName, x509_ops.SubjectDnFieldLocalityName, x509_ops.SubjectDnFieldCommonName, x509_ops.SubjectDnFieldEmailAddress, }, nil, true, ), // X509ProfileClientMachine: &x509_ops.Profile{Name: "client-machine"}, // X509ProfileClientAds: &x509_ops.Profile{Name: "client-ads"}, X509ProfileServer: x509_ops.NewProfile("server", serverPrototype, []x509_ops.SubjectDnField{ x509_ops.SubjectDnFieldCommonName, }, []x509_ops.AltNameType{x509_ops.NameTypeDNS, x509_ops.NameTypeXmppJid}, false, ), X509ProfileServerOrg: x509_ops.NewProfile("server-org", serverPrototype, []x509_ops.SubjectDnField{ x509_ops.SubjectDnFieldCountryName, x509_ops.SubjectDnFieldStateOrProvinceName, x509_ops.SubjectDnFieldLocalityName, x509_ops.SubjectDnFieldOrganizationName, x509_ops.SubjectDnFieldOrganizationalUnitName, x509_ops.SubjectDnFieldCommonName, }, []x509_ops.AltNameType{x509_ops.NameTypeDNS, x509_ops.NameTypeXmppJid}, false, ), // X509ProfileServerJabber: &x509_ops.Profile{Name: "server-jabber"}, X509ProfileOCSP: x509_ops.NewProfile("ocsp", ocspPrototype, []x509_ops.SubjectDnField{ x509_ops.SubjectDnFieldCountryName, x509_ops.SubjectDnFieldStateOrProvinceName, x509_ops.SubjectDnFieldLocalityName, x509_ops.SubjectDnFieldOrganizationName, x509_ops.SubjectDnFieldOrganizationalUnitName, x509_ops.SubjectDnFieldCommonName, x509_ops.SubjectDnFieldEmailAddress, }, nil, false, ), X509ProfileTimestamp: x509_ops.NewProfile("timestamp", timestampPrototype, []x509_ops.SubjectDnField{ x509_ops.SubjectDnFieldCountryName, x509_ops.SubjectDnFieldStateOrProvinceName, x509_ops.SubjectDnFieldLocalityName, x509_ops.SubjectDnFieldOrganizationName, x509_ops.SubjectDnFieldOrganizationalUnitName, x509_ops.SubjectDnFieldCommonName, }, nil, true, ), // X509ProfileProxy: &x509_ops.Profile{Name: "proxy"}, // X509ProfileSubCA: &x509_ops.Profile{Name: "subca"}, }, // constants for openssl invocations. Should be replaced with // something more useful DigestAlgorithms: map[shared.MessageDigestAlgorithmId]interface{}{ X509MDDefault: x509.SHA256WithRSA, X509MDMd5: x509.MD5WithRSA, X509MDSha1: x509.SHA1WithRSA, X509MDSha256: x509.SHA256WithRSA, X509MDSha384: x509.SHA384WithRSA, X509MDSha512: x509.SHA512WithRSA, }, }, CsOpenPGP: { Name: "OpenPGP", Roots: map[shared.CryptoSystemRootId]interface{}{ OpenPGPRoot0: &openpgp_ops.OpenPGPRoot{ Name: "OpenPGP Root", SecretKeyRing: path.Join( settings.OpenPGPKeyRingDir, fmt.Sprintf("gpg_root_%d", OpenPGPRoot0), "secring.gpg", ), Identifier: settings.OpenPGPUidEmail, }, }, Profiles: map[shared.CertificateProfileId]interface{}{ OpenPGPDefaultProfile: &openpgp_ops.OpenPGPProfile{Name: "default"}, }, // constants for gnupg cert-digest-algo parameter. Should be replaced with // something more useful DigestAlgorithms: map[shared.MessageDigestAlgorithmId]interface{}{ OpenPGPDefaultMD: crypto.SHA256, }, }, } return &CommandProcessor{CryptoSystems: cryptoSystems, Settings: settings} }