277 lines
9.7 KiB
Go
277 lines
9.7 KiB
Go
package signer
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"path"
|
|
|
|
"git.cacert.org/cacert-gosigner/shared"
|
|
"git.cacert.org/cacert-gosigner/signer/openpgpops"
|
|
"git.cacert.org/cacert-gosigner/signer/x509ops"
|
|
)
|
|
|
|
const (
|
|
CsX509 shared.CryptoSystemID = 1
|
|
CsOpenPGP shared.CryptoSystemID = 2
|
|
)
|
|
|
|
const (
|
|
X509RootDefault shared.CryptoSystemRootID = 0
|
|
X509RootClass3 shared.CryptoSystemRootID = 1
|
|
// The following roots existed in the old server.pl but had
|
|
// no profile configurations and were thus unusable
|
|
//
|
|
// X509RootClass3s shared.CryptoSystemRootID = 2
|
|
// X509Root3 shared.CryptoSystemRootID = 3
|
|
// X509Root4 shared.CryptoSystemRootID = 4
|
|
// X509Root5 shared.CryptoSystemRootID = 5
|
|
)
|
|
|
|
const (
|
|
X509ProfileClient shared.CertificateProfileID = 0
|
|
X509ProfileClientOrg shared.CertificateProfileID = 1
|
|
X509ProfileClientCodesign shared.CertificateProfileID = 2
|
|
X509ProfileServer shared.CertificateProfileID = 5
|
|
X509ProfileServerOrg shared.CertificateProfileID = 6
|
|
X509ProfileOCSP shared.CertificateProfileID = 8
|
|
X509ProfileTimestamp shared.CertificateProfileID = 9
|
|
|
|
// the following profiles where valid options in the original signer code but had no configurations
|
|
//
|
|
// X509ProfileClientMachine shared.CertificateProfileID = 3 // no configuration on original signer
|
|
// X509ProfileClientAds shared.CertificateProfileID = 4 // no configuration on original signer
|
|
// X509ProfileServerJabber shared.CertificateProfileID = 7 // no configuration on original signer
|
|
// X509ProfileProxy shared.CertificateProfileID = 10 // no configuration on original signer
|
|
// X509ProfileSubCA shared.CertificateProfileID = 11 // no configuration on original signer
|
|
)
|
|
|
|
const (
|
|
X509MDDefault shared.SignatureAlgorithmID = 0
|
|
X509MDMd5 shared.SignatureAlgorithmID = 1
|
|
X509MDSha1 shared.SignatureAlgorithmID = 2
|
|
// X509MDRipeMD160 shared.SignatureAlgorithmID = 3 x509ops package does not support RIPEMD160
|
|
X509MDSha256 shared.SignatureAlgorithmID = 8
|
|
X509MDSha384 shared.SignatureAlgorithmID = 9
|
|
X509MDSha512 shared.SignatureAlgorithmID = 10
|
|
)
|
|
|
|
const (
|
|
OpenPGPRoot0 shared.CryptoSystemRootID = 0
|
|
)
|
|
|
|
const (
|
|
OpenPGPDefaultProfile shared.CertificateProfileID = 0
|
|
)
|
|
|
|
const (
|
|
OpenPGPDefaultMD shared.SignatureAlgorithmID = 0
|
|
)
|
|
|
|
func NewCommandProcessor() *CommandProcessor {
|
|
settings := NewCommandProcessorSettings()
|
|
|
|
clientPrototype := &x509.Certificate{
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{
|
|
x509.ExtKeyUsageEmailProtection,
|
|
x509.ExtKeyUsageClientAuth,
|
|
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
|
|
// 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto
|
|
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
|
|
},
|
|
}
|
|
codeSignPrototype := &x509.Certificate{
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{
|
|
x509.ExtKeyUsageEmailProtection,
|
|
x509.ExtKeyUsageClientAuth,
|
|
x509.ExtKeyUsageCodeSigning,
|
|
// 1.3.6.1.4.1.311.2.1.21 msCodeInd not supported by golang.org/crypto
|
|
// x509ops.ExtKeyUsageMicrosoftCommercialCodeSigning,
|
|
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
|
|
// 1.3.6.1.4.1.311.10.3.4 msEFS not supported by golang.org/crypto
|
|
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
|
|
},
|
|
}
|
|
serverPrototype := &x509.Certificate{
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{
|
|
x509.ExtKeyUsageClientAuth,
|
|
x509.ExtKeyUsageServerAuth,
|
|
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
|
|
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
|
|
},
|
|
}
|
|
ocspPrototype := &x509.Certificate{
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{
|
|
x509.ExtKeyUsageServerAuth,
|
|
x509.ExtKeyUsageOCSPSigning,
|
|
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
|
|
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
|
|
},
|
|
}
|
|
timestampPrototype := &x509.Certificate{
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{
|
|
x509.ExtKeyUsageServerAuth,
|
|
x509.ExtKeyUsageOCSPSigning,
|
|
// x509ops.ExtKeyUsageMicrosoftServerGatedCrypto,
|
|
// x509ops.ExtKeyUsageNetscapeServerGatedCrypto,
|
|
},
|
|
}
|
|
cryptoSystems := map[shared.CryptoSystemID]*CryptoSystem{
|
|
CsX509: {
|
|
Name: "X.509",
|
|
Roots: map[shared.CryptoSystemRootID]interface{}{
|
|
X509RootDefault: x509ops.NewRoot(
|
|
settings.CABaseDir,
|
|
"openssl",
|
|
"CA",
|
|
X509RootDefault,
|
|
// TODO: parse crl distribution points from configuration
|
|
[]string{"http://crl.cacert.localhost/revoke.crl"},
|
|
// TODO: parse OCSP endpoints from configuration
|
|
[]string{"http://ocsp.cacert.localhost"},
|
|
),
|
|
X509RootClass3: x509ops.NewRoot(
|
|
settings.CABaseDir,
|
|
"class3",
|
|
"class3",
|
|
X509RootClass3,
|
|
// TODO: parse crl distribution points from configuration
|
|
[]string{"http://crl.cacert.localhost/class3-revoke.crl"},
|
|
// TODO: parse OCSP endpoints from configuration
|
|
[]string{"http://ocsp.cacert.localhost"},
|
|
),
|
|
// The following roots existed in the old server.pl but had
|
|
// no profile configurations and were thus unusable
|
|
//
|
|
// X509RootClass3s: &x509ops.Root{Name: "class3s"}, // no profile configs
|
|
// X509Root3: &x509ops.Root{Name: "root3"},
|
|
// X509Root4: &x509ops.Root{Name: "root4"},
|
|
// X509Root5: &x509ops.Root{Name: "root5"},
|
|
},
|
|
Profiles: map[shared.CertificateProfileID]interface{}{
|
|
X509ProfileClient: x509ops.NewProfile(
|
|
"client",
|
|
clientPrototype,
|
|
[]x509ops.SubjectDnField{
|
|
x509ops.SubjectDnFieldCommonName,
|
|
x509ops.SubjectDnFieldEmailAddress,
|
|
},
|
|
nil,
|
|
true,
|
|
),
|
|
X509ProfileClientOrg: x509ops.NewProfile("client-org", clientPrototype,
|
|
[]x509ops.SubjectDnField{
|
|
x509ops.SubjectDnFieldCountryName,
|
|
x509ops.SubjectDnFieldStateOrProvinceName,
|
|
x509ops.SubjectDnFieldLocalityName,
|
|
x509ops.SubjectDnFieldOrganizationName,
|
|
x509ops.SubjectDnFieldOrganizationalUnitName,
|
|
x509ops.SubjectDnFieldCommonName,
|
|
x509ops.SubjectDnFieldEmailAddress,
|
|
},
|
|
nil,
|
|
true,
|
|
),
|
|
X509ProfileClientCodesign: x509ops.NewProfile("client-codesign", codeSignPrototype,
|
|
[]x509ops.SubjectDnField{
|
|
x509ops.SubjectDnFieldCountryName,
|
|
x509ops.SubjectDnFieldStateOrProvinceName,
|
|
x509ops.SubjectDnFieldLocalityName,
|
|
x509ops.SubjectDnFieldCommonName,
|
|
x509ops.SubjectDnFieldEmailAddress,
|
|
},
|
|
nil,
|
|
true,
|
|
),
|
|
// X509ProfileClientMachine: &x509ops.Profile{Name: "client-machine"},
|
|
// X509ProfileClientAds: &x509ops.Profile{Name: "client-ads"},
|
|
X509ProfileServer: x509ops.NewProfile("server", serverPrototype,
|
|
[]x509ops.SubjectDnField{
|
|
x509ops.SubjectDnFieldCommonName,
|
|
},
|
|
[]x509ops.AltNameType{x509ops.NameTypeDNS, x509ops.NameTypeXMPPJid},
|
|
false,
|
|
),
|
|
X509ProfileServerOrg: x509ops.NewProfile("server-org", serverPrototype,
|
|
[]x509ops.SubjectDnField{
|
|
x509ops.SubjectDnFieldCountryName,
|
|
x509ops.SubjectDnFieldStateOrProvinceName,
|
|
x509ops.SubjectDnFieldLocalityName,
|
|
x509ops.SubjectDnFieldOrganizationName,
|
|
x509ops.SubjectDnFieldOrganizationalUnitName,
|
|
x509ops.SubjectDnFieldCommonName,
|
|
},
|
|
[]x509ops.AltNameType{x509ops.NameTypeDNS, x509ops.NameTypeXMPPJid},
|
|
false,
|
|
),
|
|
// X509ProfileServerJabber: &x509ops.Profile{Name: "server-jabber"},
|
|
X509ProfileOCSP: x509ops.NewProfile("ocsp", ocspPrototype,
|
|
[]x509ops.SubjectDnField{
|
|
x509ops.SubjectDnFieldCountryName,
|
|
x509ops.SubjectDnFieldStateOrProvinceName,
|
|
x509ops.SubjectDnFieldLocalityName,
|
|
x509ops.SubjectDnFieldOrganizationName,
|
|
x509ops.SubjectDnFieldOrganizationalUnitName,
|
|
x509ops.SubjectDnFieldCommonName,
|
|
x509ops.SubjectDnFieldEmailAddress,
|
|
},
|
|
nil,
|
|
false,
|
|
),
|
|
X509ProfileTimestamp: x509ops.NewProfile("timestamp", timestampPrototype,
|
|
[]x509ops.SubjectDnField{
|
|
x509ops.SubjectDnFieldCountryName,
|
|
x509ops.SubjectDnFieldStateOrProvinceName,
|
|
x509ops.SubjectDnFieldLocalityName,
|
|
x509ops.SubjectDnFieldOrganizationName,
|
|
x509ops.SubjectDnFieldOrganizationalUnitName,
|
|
x509ops.SubjectDnFieldCommonName,
|
|
},
|
|
nil,
|
|
true,
|
|
),
|
|
// X509ProfileProxy: &x509ops.Profile{Name: "proxy"},
|
|
// X509ProfileSubCA: &x509ops.Profile{Name: "subca"},
|
|
},
|
|
// constants for openssl invocations. Should be replaced with
|
|
// something more useful
|
|
DigestAlgorithms: map[shared.SignatureAlgorithmID]interface{}{
|
|
X509MDDefault: x509.SHA256WithRSA,
|
|
X509MDMd5: x509.MD5WithRSA,
|
|
X509MDSha1: x509.SHA1WithRSA,
|
|
X509MDSha256: x509.SHA256WithRSA,
|
|
X509MDSha384: x509.SHA384WithRSA,
|
|
X509MDSha512: x509.SHA512WithRSA,
|
|
},
|
|
},
|
|
CsOpenPGP: {
|
|
Name: "OpenPGP",
|
|
Roots: map[shared.CryptoSystemRootID]interface{}{
|
|
OpenPGPRoot0: &openpgpops.OpenPGPRoot{
|
|
Name: "OpenPGP Root",
|
|
SecretKeyRing: path.Join(
|
|
settings.OpenPGPKeyRingDir,
|
|
fmt.Sprintf("gpg_root_%d", OpenPGPRoot0),
|
|
"secring.gpg",
|
|
),
|
|
Identifier: settings.OpenPGPUidEmail,
|
|
},
|
|
},
|
|
Profiles: map[shared.CertificateProfileID]interface{}{
|
|
OpenPGPDefaultProfile: &openpgpops.OpenPGPProfile{Name: "default"},
|
|
},
|
|
// constants for gnupg cert-digest-algo parameter. Should be replaced with
|
|
// something more useful
|
|
DigestAlgorithms: map[shared.SignatureAlgorithmID]interface{}{
|
|
OpenPGPDefaultMD: crypto.SHA256,
|
|
},
|
|
},
|
|
}
|
|
|
|
return &CommandProcessor{CryptoSystems: cryptoSystems, Settings: settings}
|
|
}
|