// NewSignerFromFile reads the issuer cert, the responder cert and the responder key
// from PEM files, and takes an interval in seconds
func NewSignerFromFile(issuerFile, responderFile, keyFile string, interval time.Duration) (Signer, error) {
log.Debug("Loading issuer cert: ", issuerFile)
issuerBytes, err := ioutil.ReadFile(issuerFile)
if err != nil {
return nil, err
}
log.Debug("Loading responder cert: ", responderFile)
responderBytes, err := ioutil.ReadFile(responderFile)
if err != nil {
return nil, err
}
log.Debug("Loading responder key: ", keyFile)
keyBytes, err := ioutil.ReadFile(keyFile)
if err != nil {
return nil, cferr.Wrap(cferr.CertificateError, cferr.ReadFailed, err)
}
issuerCert, err := helpers.ParseCertificatePEM(issuerBytes)
if err != nil {
return nil, err
}
responderCert, err := helpers.ParseCertificatePEM(responderBytes)
if err != nil {
return nil, err
}
key, err := helpers.ParsePrivateKeyPEM(keyBytes)
if err != nil {
log.Debug("Malformed private key %v", err)
return nil, err
}
return NewSigner(issuerCert, responderCert, key, interval)
}
func TestCAIssuing(t *testing.T) {
var caCerts = []string{testCaFile, testECDSACaFile}
var caKeys = []string{testCaKeyFile, testECDSACaKeyFile}
var interCSRs = []string{ecdsaInterCSR, rsaInterCSR}
var interKeys = []string{ecdsaInterKey, rsaInterKey}
var CAPolicy = &config.Signing{
Default: &config.SigningProfile{
Usage: []string{"cert sign", "crl sign"},
ExpiryString: "1h",
Expiry: 1 * time.Hour,
CA: true,
},
}
var hostname = "cloudflare-inter.com"
// Each RSA or ECDSA root CA issues two intermediate CAs (one ECDSA and one RSA).
// For each intermediate CA, use it to issue additional RSA and ECDSA intermediate CSRs.
for i, caFile := range caCerts {
caKeyFile := caKeys[i]
s := newCustomSigner(t, caFile, caKeyFile)
s.policy = CAPolicy
for j, csr := range interCSRs {
csrBytes, _ := ioutil.ReadFile(csr)
certBytes, err := s.Sign(signer.SignRequest{Hosts: signer.SplitHosts(hostname), Request: string(csrBytes)})
if err != nil {
t.Fatal(err)
}
interCert, err := helpers.ParseCertificatePEM(certBytes)
if err != nil {
t.Fatal(err)
}
keyBytes, _ := ioutil.ReadFile(interKeys[j])
interKey, _ := helpers.ParsePrivateKeyPEM(keyBytes)
interSigner := &Signer{interCert, interKey, CAPolicy, signer.DefaultSigAlgo(interKey), nil}
for _, anotherCSR := range interCSRs {
anotherCSRBytes, _ := ioutil.ReadFile(anotherCSR)
bytes, err := interSigner.Sign(
signer.SignRequest{
Hosts: signer.SplitHosts(hostname),
Request: string(anotherCSRBytes),
})
if err != nil {
t.Fatal(err)
}
cert, err := helpers.ParseCertificatePEM(bytes)
if err != nil {
t.Fatal(err)
}
if cert.SignatureAlgorithm != interSigner.SigAlgo() {
t.Fatal("Cert Signature Algorithm does not match the issuer.")
}
}
}
}
}
func TestECDSASigner(t *testing.T) {
s := newCustomSigner(t, testECDSACaFile, testECDSACaKeyFile)
hostname := "cloudflare.com"
for _, test := range csrTests {
csr, err := ioutil.ReadFile(test.file)
if err != nil {
t.Fatal("CSR loading error:", err)
}
// Try all ECDSA SignatureAlgorithm
SigAlgos := []x509.SignatureAlgorithm{x509.ECDSAWithSHA1, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512}
for _, sigAlgo := range SigAlgos {
s.sigAlgo = sigAlgo
certBytes, err := s.Sign(signer.SignRequest{Hosts: signer.SplitHosts(hostname), Request: string(csr)})
if test.errorCallback != nil {
test.errorCallback(t, err)
} else {
if err != nil {
t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.keyAlgo, test.keyLen)
}
cert, _ := helpers.ParseCertificatePEM(certBytes)
if cert.SignatureAlgorithm != s.SigAlgo() {
t.Fatal("Cert Signature Algorithm does not match the issuer.")
}
}
}
}
}
func TestRemoteSignBadServerAndOverride(t *testing.T) {
remoteServer := newTestSignServer(t)
defer closeTestServer(t, remoteServer)
// remoteConfig contains port 80 that no test server will listen on
remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
s := newRemoteSigner(t, remoteConfig.Signing)
hosts := []string{"cloudflare.com"}
csr, err := ioutil.ReadFile("../local/testdata/rsa2048.csr")
if err != nil {
t.Fatal("CSR loading error:", err)
}
_, err = s.Sign(signer.SignRequest{Hosts: hosts, Request: string(csr)})
if err == nil {
t.Fatal("Should return error")
}
remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
s.SetPolicy(remoteConfig.Signing)
certBytes, err := s.Sign(signer.SignRequest{
Hosts: hosts,
Request: string(csr),
Serial: big.NewInt(1),
})
if err != nil {
t.Fatalf("Expected no error. Got %s.", err.Error())
}
_, err = helpers.ParseCertificatePEM(certBytes)
if err != nil {
t.Fatal("Fail to parse returned certificate:", err)
}
}
// fetchRemoteCertificate retrieves a single URL pointing to a certificate
// and attempts to first parse it as a DER-encoded certificate; if
// this fails, it attempts to decode it as a PEM-encoded certificate.
func fetchRemoteCertificate(certURL string) (fi *fetchedIntermediate, err error) {
log.Debugf("fetching remote certificate: %s", certURL)
var resp *http.Response
resp, err = http.Get(certURL)
if err != nil {
log.Debugf("failed HTTP get: %v", err)
return
}
defer resp.Body.Close()
var certData []byte
certData, err = ioutil.ReadAll(resp.Body)
if err != nil {
log.Debugf("failed to read response body: %v", err)
return
}
log.Debugf("attempting to parse certificate as DER")
crt, err := x509.ParseCertificate(certData)
if err != nil {
log.Debugf("attempting to parse certificate as PEM")
crt, err = helpers.ParseCertificatePEM(certData)
if err != nil {
log.Debugf("failed to parse certificate: %v", err)
return
}
}
log.Debugf("certificate fetch succeeds")
fi = &fetchedIntermediate{Cert: crt, Name: constructCertFileName(crt)}
return
}
func makeCASigner(certBytes, keyBytes []byte, sigAlgo x509.SignatureAlgorithm, t *testing.T) signer.Signer {
cert, err := helpers.ParseCertificatePEM(certBytes)
if err != nil {
t.Fatal(err)
}
key, err := helpers.ParsePrivateKeyPEM(keyBytes)
if err != nil {
t.Fatal(err)
}
defaultProfile := &config.SigningProfile{
Usage: []string{"cert sign"},
CA: true,
Expiry: time.Hour,
ExpiryString: "1h",
}
policy := &config.Signing{
Profiles: map[string]*config.SigningProfile{},
Default: defaultProfile,
}
s, err := local.NewSigner(key, cert, sigAlgo, policy)
if err != nil {
t.Fatal(err)
}
return s
}
func TestExtractCertificateRequest(t *testing.T) {
certPEM, err := ioutil.ReadFile(testECDSACertificateFile)
if err != nil {
t.Fatal(err)
}
// must parse ok
cert, err := helpers.ParseCertificatePEM(certPEM)
if err != nil {
t.Fatal(err)
}
req := ExtractCertificateRequest(cert)
if req.CN != "" {
t.Fatal("Bad Certificate Request!")
}
if len(req.Names) != 1 {
t.Fatal("Bad Certificate Request!")
}
name := req.Names[0]
if name.C != "US" || name.ST != "California" || name.O != "CloudFlare, Inc." ||
name.OU != "Test Certificate Authority" || name.L != "San Francisco" {
t.Fatal("Bad Certificate Request!")
}
if req.CA == nil || req.CA.PathLength != 2 {
t.Fatal("Bad Certificate Request!")
}
}
// NewSignerFromFile generates a new local signer from a caFile
// and a caKey file, both PEM encoded.
func NewSignerFromFile(caFile, caKeyFile string, policy *config.Signing) (*Signer, error) {
log.Debug("Loading CA: ", caFile)
ca, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
log.Debug("Loading CA key: ", caKeyFile)
cakey, err := ioutil.ReadFile(caKeyFile)
if err != nil {
return nil, cferr.Wrap(cferr.CertificateError, cferr.ReadFailed, err)
}
parsedCa, err := helpers.ParseCertificatePEM(ca)
if err != nil {
return nil, err
}
priv, err := helpers.ParsePrivateKeyPEM(cakey)
if err != nil {
log.Debug("Malformed private key %v", err)
return nil, err
}
return NewSigner(priv, parsedCa, signer.DefaultSigAlgo(priv), policy)
}
func TestSignCSRs(t *testing.T) {
s := newTestSigner(t)
hostname := "cloudflare.com"
for _, test := range csrTests {
csr, err := ioutil.ReadFile(test.file)
if err != nil {
t.Fatal("CSR loading error:", err)
}
// It is possible to use different SHA2 algorithm with RSA CA key.
rsaSigAlgos := []x509.SignatureAlgorithm{x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA}
for _, sigAlgo := range rsaSigAlgos {
s.sigAlgo = sigAlgo
certBytes, err := s.Sign(signer.SignRequest{Hosts: signer.SplitHosts(hostname), Request: string(csr)})
if test.errorCallback != nil {
test.errorCallback(t, err)
} else {
if err != nil {
t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.keyAlgo, test.keyLen)
}
cert, _ := helpers.ParseCertificatePEM(certBytes)
if cert.SignatureAlgorithm != s.SigAlgo() {
t.Fatal("Cert Signature Algorithm does not match the issuer.")
}
}
}
}
}
// ParseCertificatePEM parses an x509 certificate PEM.
func ParseCertificatePEM(certPEM []byte) (*Certificate, error) {
cert, err := helpers.ParseCertificatePEM(certPEM)
if err != nil {
return nil, err
}
return ParseCertificate(cert), nil
}
// LoadRoot parses a config structure into a Root structure
func LoadRoot(cfg map[string]string) (*Root, error) {
var root Root
var err error
spec, ok := cfg["private"]
if !ok {
return nil, ErrMissingPrivateKey
}
certPath, ok := cfg["certificate"]
if !ok {
return nil, ErrMissingCertificatePath
}
configPath, ok := cfg["config"]
if !ok {
return nil, ErrMissingConfigPath
}
root.PrivateKey, err = parsePrivateKeySpec(spec, cfg)
if err != nil {
return nil, err
}
in, err := ioutil.ReadFile(certPath)
if err != nil {
return nil, err
}
root.Certificate, err = helpers.ParseCertificatePEM(in)
if err != nil {
return nil, err
}
conf, err := config.LoadFile(configPath)
if err != nil {
return nil, err
}
root.Config = conf.Signing
nets := cfg["nets"]
if nets != "" {
root.ACL, err = parseACL(nets)
if err != nil {
return nil, err
}
}
dbConfig := cfg["dbconfig"]
if dbConfig != "" {
db, err := certdb.DBFromConfig(dbConfig)
if err != nil {
return nil, err
}
root.DB = db
}
return &root, nil
}
func TestOverrideSubject(t *testing.T) {
csrPEM, err := ioutil.ReadFile(fullSubjectCSR)
if err != nil {
t.Fatalf("%v", err)
}
req := &signer.Subject{
Names: []csr.Name{
{O: "example.net"},
},
}
s := newCustomSigner(t, testECDSACaFile, testECDSACaKeyFile)
request := signer.SignRequest{
Hosts: []string{"127.0.0.1", "localhost", "*****@*****.**"},
Request: string(csrPEM),
Subject: req,
}
certPEM, err := s.Sign(request)
if err != nil {
t.Fatalf("%v", err)
}
cert, err := helpers.ParseCertificatePEM(certPEM)
if err != nil {
t.Fatalf("%v", err)
}
block, _ := pem.Decode(csrPEM)
template, err := x509.ParseCertificateRequest(block.Bytes)
if err != nil {
t.Fatal(err.Error())
}
if cert.Subject.Organization[0] != "example.net" {
t.Fatalf("Failed to override subject: want example.net but have %s", cert.Subject.Organization[0])
}
if cert.Subject.Country[0] != template.Subject.Country[0] {
t.Fatal("Failed to override Country")
}
if cert.Subject.Locality[0] != template.Subject.Locality[0] {
t.Fatal("Failed to override Locality")
}
if cert.Subject.Organization[0] == template.Subject.Organization[0] {
t.Fatal("Shouldn't have overrode Organization")
}
if cert.Subject.OrganizationalUnit[0] != template.Subject.OrganizationalUnit[0] {
t.Fatal("Failed to override OrganizationalUnit")
}
log.Info("Overrode subject info")
}
func TestUniversalRemoteAndLocalSign(t *testing.T) {
// set up remote server
remoteConfig := testsuite.NewConfig(t, []byte(validNoAuthRemoteConfig))
remoteServer := newTestSignServer(t, newTestUniversalSigner(t, remoteConfig.Signing))
defer closeTestServer(t, remoteServer)
universalConfig := testsuite.NewConfig(t, []byte(validNoAuthUniversalConfig))
// override with test server address, ignore url prefix "http://"
for name, profile := range universalConfig.Signing.Profiles {
if profile.RemoteServer != "" {
universalConfig.Signing.Profiles[name].RemoteServer = remoteServer.URL[7:]
}
}
s := newTestUniversalSigner(t, universalConfig.Signing)
checkSign := func(name string, profile *config.SigningProfile) {
hosts := []string{"cloudflare.com"}
for _, test := range testsuite.CSRTests {
csr, err := ioutil.ReadFile(test.File)
if err != nil {
t.Fatalf("CSR loading error (%s): %v", name, err)
}
testSerial := big.NewInt(0x7007F)
certBytes, err := s.Sign(signer.SignRequest{
Hosts: hosts,
Request: string(csr),
Serial: testSerial,
Profile: name,
})
if test.ErrorCallback != nil {
test.ErrorCallback(t, err)
} else {
if err != nil {
t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.KeyAlgo, test.KeyLen)
}
cert, err := helpers.ParseCertificatePEM(certBytes)
if err != nil {
t.Fatal("Fail to parse returned certificate:", err)
}
ku, _, _ := profile.Usages()
if cert.KeyUsage != ku {
t.Fatalf("Key usage was incorrect expected %+v, got %+v", ku, cert.KeyUsage)
}
}
}
}
for name, profile := range universalConfig.Signing.Profiles {
checkSign(name, profile)
}
// add check for default profile
checkSign("", universalConfig.Signing.Default)
}
func TestNoWhitelistSign(t *testing.T) {
csrPEM, err := ioutil.ReadFile(fullSubjectCSR)
if err != nil {
t.Fatalf("%v", err)
}
req := &signer.Subject{
Names: []csr.Name{
{O: "sam certificate authority"},
},
CN: "localhost",
}
s := newCustomSigner(t, testECDSACaFile, testECDSACaKeyFile)
// No policy CSR whitelist: the normal set of CSR fields get passed through to
// certificate.
s.policy = &config.Signing{
Default: &config.SigningProfile{
Usage: []string{"cert sign", "crl sign"},
ExpiryString: "1h",
Expiry: 1 * time.Hour,
CA: true,
},
}
request := signer.SignRequest{
Hosts: []string{"127.0.0.1", "localhost"},
Request: string(csrPEM),
Subject: req,
}
certPEM, err := s.Sign(request)
if err != nil {
t.Fatalf("%v", err)
}
cert, err := helpers.ParseCertificatePEM(certPEM)
if err != nil {
t.Fatalf("%v", err)
}
name := cert.Subject
if name.CommonName != "localhost" {
t.Fatalf("Expected certificate common name to be 'localhost' but have '%v'", name.CommonName)
}
// CSR has: Subject: C=US, O=CloudFlare, OU=WWW, L=Ithaca, ST=New York
// Expect all to be passed through.
expectOneValueOf(t, name.Organization, "sam certificate authority", "O")
expectOneValueOf(t, name.OrganizationalUnit, "WWW", "OU")
expectOneValueOf(t, name.Province, "New York", "ST")
expectOneValueOf(t, name.Locality, "Ithaca", "L")
expectOneValueOf(t, name.Country, "US", "C")
}
func TestSHA2Preferences(t *testing.T) {
// create a CA signer and signs a new intermediate with SHA-1
sha1CASigner := makeCASignerFromFile(sha1CA, sha1CAKey, x509.SHA1WithRSA, t)
// create a CA signer and signs a new intermediate with SHA-2
sha2CASigner := makeCASignerFromFile(sha1CA, sha1CAKey, x509.SHA256WithRSA, t)
// sign two different intermediates
sha1InterBytes := signCSRFile(sha1CASigner, intermediateCSR, t)
sha2InterBytes := signCSRFile(sha2CASigner, intermediateCSR, t)
interKeyBytes, err := ioutil.ReadFile(intermediateKey)
if err != nil {
t.Fatal(err)
}
// create a intermediate signer from SHA-1 intermediate cert/key
sha2InterSigner := makeCASigner(sha1InterBytes, interKeyBytes, x509.SHA256WithRSA, t)
// sign a leaf cert
leafBytes := signCSRFile(sha2InterSigner, leafCSR, t)
// create a bundler with SHA-1 and SHA-2 intermediate certs of same key.
b := newCustomizedBundlerFromFile(t, sha1CA, sha1Intermediate, "")
if err != nil {
t.Fatal(err)
}
sha1Inter, _ := helpers.ParseCertificatePEM(sha1InterBytes)
sha2Inter, _ := helpers.ParseCertificatePEM(sha2InterBytes)
b.IntermediatePool.AddCert(sha1Inter)
b.IntermediatePool.AddCert(sha2Inter)
bundle, err := b.BundleFromPEMorDER(leafBytes, nil, Ubiquitous, "")
if err != nil {
t.Fatal("bundling failed: ", err)
}
if bundle.Chain[1].SignatureAlgorithm != x509.SHA256WithRSA {
t.Fatal("ubiquity selection by SHA-2 homogenity failed.")
}
}
// ocspSignerMain is the main CLI of OCSP signer functionality.
func ocspSignerMain(args []string, c cli.Config) (err error) {
// Read the cert to be revoked from file
certBytes, err := ioutil.ReadFile(c.CertFile)
if err != nil {
log.Critical("Unable to read certificate: ", err)
return
}
cert, err := helpers.ParseCertificatePEM(certBytes)
if err != nil {
log.Critical("Unable to parse certificate: ", err)
return
}
req := ocsp.SignRequest{
Certificate: cert,
Status: c.Status,
}
if c.Status == "revoked" {
var reasonCode int
reasonCode, err = ocsp.ReasonStringToCode(c.Reason)
if err != nil {
log.Critical("Invalid reason code: ", err)
return
}
req.Reason = reasonCode
req.RevokedAt = time.Now()
if c.RevokedAt != "now" {
req.RevokedAt, err = time.Parse("2006-01-02", c.RevokedAt)
if err != nil {
log.Critical("Malformed revocation time: ", c.RevokedAt)
return
}
}
}
s, err := SignerFromConfig(c)
if err != nil {
log.Critical("Unable to create OCSP signer: ", err)
return
}
resp, err := s.Sign(req)
if err != nil {
log.Critical("Unable to sign OCSP response: ", err)
return
}
cli.PrintOCSPResponse(resp)
return
}
// Handle responds to requests for a ocsp signature. It creates and signs
// a ocsp response for the provided certificate and status. If the status
// is revoked then it also adds reason and revoked_at. The response is
// base64 encoded.
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
body, err := ioutil.ReadAll(r.Body)
if err != nil {
return err
}
r.Body.Close()
// Default the status to good so it matches the cli
req := &jsonSignRequest{
Status: "good",
}
err = json.Unmarshal(body, req)
if err != nil {
return errors.NewBadRequestString("Unable to parse sign request")
}
cert, err := helpers.ParseCertificatePEM([]byte(req.Certificate))
if err != nil {
log.Error("Error from ParseCertificatePEM", err)
return errors.NewBadRequestString("Malformed certificate")
}
signReq := ocsp.SignRequest{
Certificate: cert,
Status: req.Status,
}
// We need to convert the time from being a string to a time.Time
if req.Status == "revoked" {
signReq.Reason = req.Reason
// "now" is accepted and the default on the cli so default that here
if req.RevokedAt == "" || req.RevokedAt == "now" {
signReq.RevokedAt = time.Now()
} else {
signReq.RevokedAt, err = time.Parse("2006-01-02", req.RevokedAt)
if err != nil {
return errors.NewBadRequestString("Malformed revocation time")
}
}
}
resp, err := h.signer.Sign(signReq)
if err != nil {
return err
}
b64Resp := base64.StdEncoding.EncodeToString(resp)
result := map[string]string{"ocspResponse": b64Resp}
return api.SendResponse(w, result)
}
// NewCRLFromFile takes in a list of serial numbers, one per line, as well as the issuing certificate
// of the CRL, and the private key. This function is then used to parse the list and generate a CRL
func NewCRLFromFile(serialList, issuerFile, keyFile []byte, expiryTime string) ([]byte, error) {
var revokedCerts []pkix.RevokedCertificate
var oneWeek = time.Duration(604800) * time.Second
expiryInt, err := strconv.ParseInt(expiryTime, 0, 32)
if err != nil {
return nil, err
}
newDurationFromInt := time.Duration(expiryInt) * time.Second
newExpiryTime := time.Now().Add(newDurationFromInt)
if expiryInt == 0 {
newExpiryTime = time.Now().Add(oneWeek)
}
// Parse the PEM encoded certificate
issuerCert, err := helpers.ParseCertificatePEM(issuerFile)
if err != nil {
return nil, err
}
// Split input file by new lines
individualCerts := strings.Split(string(serialList), "\n")
// For every new line, create a new revokedCertificate and add it to slice
for _, value := range individualCerts {
if len(strings.TrimSpace(value)) == 0 {
continue
}
tempBigInt := new(big.Int)
tempBigInt.SetString(value, 10)
tempCert := pkix.RevokedCertificate{
SerialNumber: tempBigInt,
RevocationTime: time.Now(),
}
revokedCerts = append(revokedCerts, tempCert)
}
// Parse the key given
key, err := helpers.ParsePrivateKeyPEM(keyFile)
if err != nil {
log.Debug("Malformed private key %v", err)
return nil, err
}
return CreateGenericCRL(revokedCerts, key, issuerCert, newExpiryTime)
}
func setup(t *testing.T) (SignRequest, time.Duration) {
dur, _ := time.ParseDuration("1ms")
certPEM, err := ioutil.ReadFile(otherCertFile)
if err != nil {
t.Fatal(err)
}
leafCert, err := helpers.ParseCertificatePEM(certPEM)
if err != nil {
t.Fatal(err)
}
req := SignRequest{
Certificate: leafCert,
Status: "good",
}
return req, dur
}
func fetchRemote(url string) (*x509.Certificate, error) {
resp, err := http.Get(url)
if err != nil {
return nil, err
}
in, err := ioutil.ReadAll(resp.Body)
if err != nil {
return nil, err
}
resp.Body.Close()
p, _ := pem.Decode(in)
if p != nil {
return helpers.ParseCertificatePEM(in)
}
return x509.ParseCertificate(in)
}
func getInfoFromRemote(c cli.Config) (resp *info.Resp, err error) {
req := new(info.Req)
req.Label = c.Label
req.Profile = c.Profile
serv := client.NewServer(c.Remote)
reqJSON, _ := json.Marshal(req)
resp, err = serv.Info(reqJSON)
if err != nil {
return
}
_, err = helpers.ParseCertificatePEM([]byte(resp.Certificate))
if err != nil {
return
}
return
}
func TestRemoteSign(t *testing.T) {
remoteServer := newTestSignServer(t)
defer closeTestServer(t, remoteServer)
remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
// override with test server address, ignore url prefix "http://"
remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
s := newRemoteSigner(t, remoteConfig.Signing)
hosts := []string{"cloudflare.com"}
for _, test := range testsuite.CSRTests {
csr, err := ioutil.ReadFile(test.File)
if err != nil {
t.Fatal("CSR loading error:", err)
}
testSerial := big.NewInt(0x7007F)
certBytes, err := s.Sign(signer.SignRequest{
Hosts: hosts,
Request: string(csr),
Serial: testSerial,
})
if test.ErrorCallback != nil {
test.ErrorCallback(t, err)
} else {
if err != nil {
t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.KeyAlgo, test.KeyLen)
}
cert, err := helpers.ParseCertificatePEM(certBytes)
if err != nil {
t.Fatal("Fail to parse returned certificate:", err)
}
sn := fmt.Sprintf("%X", cert.SerialNumber)
if sn != "7007F" {
t.Fatal("Serial Number was incorrect:", sn)
}
}
}
}
// NewPKCS11Signer returns a new PKCS #11 signer.
func NewPKCS11Signer(cfg ocspConfig.Config) (ocsp.Signer, error) {
log.Debugf("Loading PKCS #11 module %s", cfg.PKCS11.Module)
certData, err := ioutil.ReadFile(cfg.CACertFile)
if err != nil {
return nil, errors.New(errors.CertificateError, errors.ReadFailed)
}
cert, err := helpers.ParseCertificatePEM(certData)
if err != nil {
return nil, err
}
PKCS11 := cfg.PKCS11
priv, err := pkcs11key.New(
PKCS11.Module,
PKCS11.TokenLabel,
PKCS11.PIN,
PKCS11.PrivateKeyLabel)
if err != nil {
return nil, errors.New(errors.PrivateKeyError, errors.ReadFailed)
}
return ocsp.NewSigner(cert, cert, priv, cfg.Interval)
}
// RenewFromPEM re-creates a root certificate from the CA cert and key
// files. The resulting root certificate will have the input CA certificate
// as the template and have the same expiry length. E.g. the exsiting CA
// is valid for a year from Jan 01 2015 to Jan 01 2016, the renewed certificate
// will be valid from now and expire in one year as well.
func RenewFromPEM(caFile, keyFile string) ([]byte, error) {
caBytes, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
ca, err := helpers.ParseCertificatePEM(caBytes)
if err != nil {
return nil, err
}
keyBytes, err := ioutil.ReadFile(keyFile)
if err != nil {
return nil, err
}
key, err := helpers.ParsePrivateKeyPEM(keyBytes)
if err != nil {
return nil, err
}
return RenewFromSigner(ca, key)
}
// New returns a new PKCS #11 signer.
func New(caCertFile string, policy *config.Signing, cfg *Config) (signer.Signer, error) {
if cfg == nil {
return nil, errors.New(errors.PrivateKeyError, errors.ReadFailed)
}
log.Debugf("Loading PKCS #11 module %s", cfg.Module)
certData, err := ioutil.ReadFile(caCertFile)
if err != nil {
return nil, errors.New(errors.PrivateKeyError, errors.ReadFailed)
}
cert, err := helpers.ParseCertificatePEM(certData)
if err != nil {
return nil, err
}
priv, err := pkcs11key.New(cfg.Module, cfg.Token, cfg.PIN, cfg.Label)
if err != nil {
return nil, errors.New(errors.PrivateKeyError, errors.ReadFailed)
}
sigAlgo := signer.DefaultSigAlgo(priv)
return local.NewSigner(priv, cert, sigAlgo, policy)
}
func TestRenewECDSA(t *testing.T) {
certPEM, err := RenewFromPEM(testECDSACAFile, testECDSACAKeyFile)
if err != nil {
t.Fatal(err)
}
// must parse ok
cert, err := helpers.ParseCertificatePEM(certPEM)
if err != nil {
t.Fatal(err)
}
if !cert.IsCA {
t.Fatal("renewed CA certificate is not CA")
}
// cert expiry must be 5 minutes
expiry := cert.NotAfter.Sub(cert.NotBefore).Seconds()
if expiry >= 301 || expiry <= 299 {
t.Fatal("expiry is not correct")
}
// check subject
if cert.Subject.CommonName != "" {
t.Fatal("Bad CommonName")
}
if len(cert.Subject.Country) != 1 || cert.Subject.Country[0] != "US" {
t.Fatal("Bad Subject")
}
if len(cert.Subject.Organization) != 1 || cert.Subject.Organization[0] != "CloudFlare, Inc." {
t.Fatal("Bad Subject")
}
}
// Handle responds to requests for crl generation. It creates this crl
// based off of the given certificate, serial numbers, and private key
func crlHandler(w http.ResponseWriter, r *http.Request) error {
var revokedCerts []pkix.RevokedCertificate
var oneWeek = time.Duration(604800) * time.Second
var newExpiryTime = time.Now()
body, err := ioutil.ReadAll(r.Body)
if err != nil {
return err
}
r.Body.Close()
req := &jsonCRLRequest{}
err = json.Unmarshal(body, req)
if err != nil {
log.Error(err)
}
if req.ExpiryTime != "" {
expiryTime := strings.TrimSpace(req.ExpiryTime)
expiryInt, err := strconv.ParseInt(expiryTime, 0, 32)
if err != nil {
return err
}
newExpiryTime = time.Now().Add((time.Duration(expiryInt) * time.Second))
}
if req.ExpiryTime == "" {
newExpiryTime = time.Now().Add(oneWeek)
}
if err != nil {
return err
}
cert, err := helpers.ParseCertificatePEM([]byte(req.Certificate))
if err != nil {
log.Error("Error from ParseCertificatePEM", err)
return errors.NewBadRequestString("Malformed certificate")
}
for _, value := range req.SerialNumber {
tempBigInt := new(big.Int)
tempBigInt.SetString(value, 10)
tempCert := pkix.RevokedCertificate{
SerialNumber: tempBigInt,
RevocationTime: time.Now(),
}
revokedCerts = append(revokedCerts, tempCert)
}
key, err := helpers.ParsePrivateKeyPEM([]byte(req.PrivateKey))
if err != nil {
log.Debug("Malformed private key %v", err)
return errors.NewBadRequestString("Malformed Private Key")
}
result, err := cert.CreateCRL(rand.Reader, key, revokedCerts, time.Now(), newExpiryTime)
return api.SendResponse(w, result)
}
// readCert read a PEM file and returns a cert.
func readCert(filename string) *x509.Certificate {
bytes, _ := ioutil.ReadFile(filename)
cert, _ := helpers.ParseCertificatePEM(bytes)
return cert
}
// Regression test: ubiquity bundle test with SHA2-homogeneous preference should not override root ubiquity.
func TestSHA2HomogeneityAgainstUbiquity(t *testing.T) {
// create a CA signer and signs a new intermediate with SHA-1
caSigner := makeCASignerFromFile(testCAFile, testCAKeyFile, x509.SHA1WithRSA, t)
interL1Bytes := signCSRFile(caSigner, interL1CSR, t)
// create a inter L1 signer
interL1KeyBytes, err := ioutil.ReadFile(interL1Key)
if err != nil {
t.Fatal(err)
}
interL1Signer := makeCASigner(interL1Bytes, interL1KeyBytes, x509.SHA256WithRSA, t)
// sign a level 2 intermediate
interL2Bytes := signCSRFile(interL1Signer, interL2CSR, t)
// create a inter L2 signer
interL2KeyBytes, err := ioutil.ReadFile(interL2Key)
if err != nil {
t.Fatal(err)
}
interL2Signer := makeCASigner(interL2Bytes, interL2KeyBytes, x509.ECDSAWithSHA256, t)
// interL2 sign a leaf cert
leafBytes := signCSRFile(interL2Signer, leafCSR, t)
// create two platforms
// platform A trusts the CA cert and L1 intermediate
// platform B trusts the CA cert
caBytes, err := ioutil.ReadFile(testCAFile)
if err != nil {
t.Fatal(err)
}
ca, _ := helpers.ParseCertificatePEM(caBytes)
interL1, _ := helpers.ParseCertificatePEM(interL1Bytes)
platformA := ubiquity.Platform{
Name: "A",
Weight: 100,
KeyStore: make(ubiquity.CertSet),
HashUbiquity: ubiquity.SHA2Ubiquity,
KeyAlgoUbiquity: ubiquity.ECDSA521Ubiquity,
}
platformB := ubiquity.Platform{
Name: "B",
Weight: 100,
KeyStore: make(ubiquity.CertSet),
HashUbiquity: ubiquity.SHA2Ubiquity,
KeyAlgoUbiquity: ubiquity.ECDSA521Ubiquity,
}
platformA.KeyStore.Add(ca)
platformA.KeyStore.Add(interL1)
platformB.KeyStore.Add(ca)
ubiquity.Platforms = []ubiquity.Platform{platformA, platformB}
caBundle := string(caBytes) + string(interL1Bytes)
interBundle := string(interL2Bytes) + string(interL1Bytes)
fullChain := string(leafBytes) + string(interL2Bytes) + string(interL1Bytes)
// create bundler
b, err := NewBundlerFromPEM([]byte(caBundle), []byte(interBundle))
if err != nil {
t.Fatal(err)
}
// The input PEM bundle is 3-cert chain.
bundle, err := b.BundleFromPEMorDER([]byte(fullChain), nil, Force, "")
if err != nil {
t.Fatal("Force bundle failed:", err)
}
if len(bundle.Chain) != 3 {
t.Fatal("Force bundle failed:")
}
if len(bundle.Status.Untrusted) != 0 {
t.Fatal("Force bundle failed:")
}
// With ubiquity flavor, we should not sacrifice trust store ubiquity and rebundle with a shorter chain
// with SHA2 homogenity.
bundle, err = b.BundleFromPEMorDER([]byte(fullChain), nil, Ubiquitous, "")
if err != nil {
t.Fatal("Ubiquitous bundle failed:", err)
}
if len(bundle.Chain) != 3 {
t.Fatal("Ubiquitous bundle failed:")
}
if len(bundle.Status.Untrusted) != 0 {
t.Fatal("Ubiquitous bundle failed:")
}
// With optimal flavor, we should have a shorter chain.
bundle, err = b.BundleFromPEMorDER([]byte(fullChain), nil, Optimal, "")
if err != nil {
t.Fatal("Optimal bundle failed:", err)
}
if len(bundle.Chain) != 2 {
t.Fatal("Optimal bundle failed:")
}
if len(bundle.Status.Untrusted) == 0 {
t.Fatal("Optimal bundle failed:")
}
}
// ocsprefreshMain is the main CLI of OCSP refresh functionality.
func ocsprefreshMain(args []string, c cli.Config) (err error) {
if c.DBConfigFile == "" {
log.Error("need DB config file (provide with -db-config)")
return
}
if c.ResponderFile == "" {
log.Error("need responder certificate (provide with -responder)")
return
}
if c.ResponderKeyFile == "" {
log.Error("need responder key (provide with -responder-key)")
return
}
if c.CAFile == "" {
log.Error("need CA certificate (provide with -ca)")
return
}
s, err := SignerFromConfig(c)
if err != nil {
log.Critical("Unable to create OCSP signer: ", err)
return err
}
var db *sql.DB
db, err = certdb.DBFromConfig(c.DBConfigFile)
if err != nil {
return err
}
var certs []*certdb.CertificateRecord
certs, err = certdb.GetUnexpiredCertificates(db)
if err != nil {
return err
}
// Set an expiry timestamp for all certificates refreshed in this batch
ocspExpiry := time.Now().Add(c.Interval)
for _, certRecord := range certs {
cert, err := helpers.ParseCertificatePEM([]byte(certRecord.PEM))
if err != nil {
log.Critical("Unable to parse certificate: ", err)
return err
}
req := ocsp.SignRequest{
Certificate: cert,
Status: certRecord.Status,
}
if certRecord.Status == "revoked" {
req.Reason = int(certRecord.Reason)
req.RevokedAt = certRecord.RevokedAt
}
resp, err := s.Sign(req)
if err != nil {
log.Critical("Unable to sign OCSP response: ", err)
return err
}
err = certdb.UpsertOCSP(db, cert.SerialNumber.String(), string(resp), ocspExpiry)
if err != nil {
log.Critical("Unable to save OCSP response: ", err)
return err
}
}
return nil
}