cacert-gosigner/signer/protocol_elements.go

278 lines
9.7 KiB
Go

package signer
import (
"crypto"
"crypto/x509"
"fmt"
"path"
"git.cacert.org/cacert-gosigner/shared"
"git.cacert.org/cacert-gosigner/signer/openpgpops"
"git.cacert.org/cacert-gosigner/signer/x509ops"
)
const (
CsX509 shared.CryptoSystemID = 1
CsOpenPGP shared.CryptoSystemID = 2
)
const (
X509RootDefault shared.CryptoSystemRootID = 0
X509RootClass3 shared.CryptoSystemRootID = 1
// The following roots existed in the old server.pl but had
// no profile configurations and were thus unusable
//
// X509RootClass3s shared.CryptoSystemRootID = 2
// X509Root3 shared.CryptoSystemRootID = 3
// X509Root4 shared.CryptoSystemRootID = 4
// X509Root5 shared.CryptoSystemRootID = 5
)
const (
X509ProfileClient shared.CertificateProfileID = 0
X509ProfileClientOrg shared.CertificateProfileID = 1
X509ProfileClientCodesign shared.CertificateProfileID = 2
X509ProfileServer shared.CertificateProfileID = 5
X509ProfileServerOrg shared.CertificateProfileID = 6
X509ProfileOCSP shared.CertificateProfileID = 8
X509ProfileTimestamp shared.CertificateProfileID = 9
// the following profiles where valid options in the original signer code but had no configurations
//
// X509ProfileClientMachine shared.CertificateProfileID = 3 // no configuration on original signer
// X509ProfileClientAds shared.CertificateProfileID = 4 // no configuration on original signer
// X509ProfileServerJabber shared.CertificateProfileID = 7 // no configuration on original signer
// X509ProfileProxy shared.CertificateProfileID = 10 // no configuration on original signer
// X509ProfileSubCA shared.CertificateProfileID = 11 // no configuration on original signer
)
const (
X509MDDefault shared.SignatureAlgorithmID = 0
X509MDMd5 shared.SignatureAlgorithmID = 1
X509MDSha1 shared.SignatureAlgorithmID = 2
// X509MDRipeMD160 shared.SignatureAlgorithmID = 3 x509ops package does not support RIPEMD160
X509MDSha256 shared.SignatureAlgorithmID = 8
X509MDSha384 shared.SignatureAlgorithmID = 9
X509MDSha512 shared.SignatureAlgorithmID = 10
)
const (
OpenPGPRoot0 shared.CryptoSystemRootID = 0
)
const (
OpenPGPDefaultProfile shared.CertificateProfileID = 0
)
const (
OpenPGPDefaultMD shared.SignatureAlgorithmID = 0
)
func NewCommandProcessor() *CommandProcessor {
settings := NewCommandProcessorSettings()
clientPrototype := &x509.Certificate{
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageEmailProtection,
x509.ExtKeyUsageClientAuth,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
codeSignPrototype := &x509.Certificate{
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageEmailProtection,
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageCodeSigning,
// 1.3.6.1.4.1.311.2.1.21 msCodeInd not supported by golang.org/crypto
// x509ops.ExtKeyUsageMicrosoftCommercialCodeSigning,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
serverPrototype := &x509.Certificate{
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageServerAuth,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
ocspPrototype := &x509.Certificate{
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
x509.ExtKeyUsageOCSPSigning,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
timestampPrototype := &x509.Certificate{
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
x509.ExtKeyUsageOCSPSigning,
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
},
}
cryptoSystems := map[shared.CryptoSystemID]*CryptoSystem{
CsX509: {
Name: "X.509",
Roots: map[shared.CryptoSystemRootID]interface{}{
X509RootDefault: x509ops.NewRoot(
settings.CABaseDir,
"openssl",
"CA",
X509RootDefault,
// TODO: parse crl distribution points from configuration
[]string{"http://crl.cacert.localhost/revoke.crl"},
// TODO: parse OCSP endpoints from configuration
[]string{"http://ocsp.cacert.localhost"},
),
X509RootClass3: x509ops.NewRoot(
settings.CABaseDir,
"class3",
"class3",
X509RootClass3,
// TODO: parse crl distribution points from configuration
[]string{"http://crl.cacert.localhost/class3-revoke.crl"},
// TODO: parse OCSP endpoints from configuration
[]string{"http://ocsp.cacert.localhost"},
),
// The following roots existed in the old server.pl but had
// no profile configurations and were thus unusable
//
// X509RootClass3s: &x509ops.Root{Name: "class3s"}, // no profile configs
// X509Root3: &x509ops.Root{Name: "root3"},
// X509Root4: &x509ops.Root{Name: "root4"},
// X509Root5: &x509ops.Root{Name: "root5"},
},
Profiles: map[shared.CertificateProfileID]interface{}{
X509ProfileClient: x509ops.NewProfile(
"client",
clientPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCommonName,
x509ops.SubjectDnFieldEmailAddress,
},
nil,
true,
),
X509ProfileClientOrg: x509ops.NewProfile("client-org", clientPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldOrganizationName,
x509ops.SubjectDnFieldOrganizationalUnitName,
x509ops.SubjectDnFieldCommonName,
x509ops.SubjectDnFieldEmailAddress,
},
nil,
true,
),
X509ProfileClientCodesign: x509ops.NewProfile("client-codesign", codeSignPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldCommonName,
x509ops.SubjectDnFieldEmailAddress,
},
nil,
true,
),
// X509ProfileClientMachine: &x509ops.Profile{Name: "client-machine"},
// X509ProfileClientAds: &x509ops.Profile{Name: "client-ads"},
X509ProfileServer: x509ops.NewProfile("server", serverPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCommonName,
},
[]x509ops.AltNameType{x509ops.NameTypeDNS, x509ops.NameTypeXMPPJid},
false,
),
X509ProfileServerOrg: x509ops.NewProfile("server-org", serverPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldOrganizationName,
x509ops.SubjectDnFieldOrganizationalUnitName,
x509ops.SubjectDnFieldCommonName,
},
[]x509ops.AltNameType{x509ops.NameTypeDNS, x509ops.NameTypeXMPPJid},
false,
),
// X509ProfileServerJabber: &x509ops.Profile{Name: "server-jabber"},
X509ProfileOCSP: x509ops.NewProfile("ocsp", ocspPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldOrganizationName,
x509ops.SubjectDnFieldOrganizationalUnitName,
x509ops.SubjectDnFieldCommonName,
x509ops.SubjectDnFieldEmailAddress,
},
nil,
false,
),
X509ProfileTimestamp: x509ops.NewProfile("timestamp", timestampPrototype,
[]x509ops.SubjectDnField{
x509ops.SubjectDnFieldCountryName,
x509ops.SubjectDnFieldStateOrProvinceName,
x509ops.SubjectDnFieldLocalityName,
x509ops.SubjectDnFieldOrganizationName,
x509ops.SubjectDnFieldOrganizationalUnitName,
x509ops.SubjectDnFieldCommonName,
},
nil,
true,
),
// X509ProfileProxy: &x509ops.Profile{Name: "proxy"},
// X509ProfileSubCA: &x509ops.Profile{Name: "subca"},
},
// constants for openssl invocations. Should be replaced with
// something more useful
DigestAlgorithms: map[shared.SignatureAlgorithmID]interface{}{
X509MDDefault: x509.SHA256WithRSA,
X509MDMd5: x509.MD5WithRSA,
X509MDSha1: x509.SHA1WithRSA,
X509MDSha256: x509.SHA256WithRSA,
X509MDSha384: x509.SHA384WithRSA,
X509MDSha512: x509.SHA512WithRSA,
},
},
CsOpenPGP: {
Name: "OpenPGP",
Roots: map[shared.CryptoSystemRootID]interface{}{
OpenPGPRoot0: &openpgpops.OpenPGPRoot{
Name: "OpenPGP Root",
SecretKeyRing: path.Join(
settings.OpenPGPKeyRingDir,
fmt.Sprintf("gpg_root_%d", OpenPGPRoot0),
"secring.gpg",
),
Identifier: settings.OpenPGPUidEmail,
},
},
Profiles: map[shared.CertificateProfileID]interface{}{
OpenPGPDefaultProfile: &openpgpops.OpenPGPProfile{Name: "default"},
},
// constants for gnupg cert-digest-algo parameter. Should be replaced with
// something more useful
DigestAlgorithms: map[shared.SignatureAlgorithmID]interface{}{
OpenPGPDefaultMD: crypto.SHA256,
},
},
}
return &CommandProcessor{CryptoSystems: cryptoSystems, Settings: settings}
}