// ocspSignerMain is the main CLI of OCSP signer functionality. func ocspSignerMain(args []string, c cli.Config) (err error) { // Read the cert to be revoked from file certBytes, err := ioutil.ReadFile(c.CertFile) if err != nil { log.Critical("Unable to read certificate: ", err) return } cert, err := helpers.ParseCertificatePEM(certBytes) if err != nil { log.Critical("Unable to parse certificate: ", err) return } req := ocsp.SignRequest{ Certificate: cert, Status: c.Status, } if c.Status == "revoked" { req.Reason = c.Reason req.RevokedAt = time.Now() if c.RevokedAt != "now" { req.RevokedAt, err = time.Parse("2006-01-02", c.RevokedAt) if err != nil { log.Critical("Malformed revocation time: ", c.RevokedAt) return } } } s, err := ocsp.NewSignerFromFile(c.CAFile, c.ResponderFile, c.KeyFile, time.Duration(c.Interval)) if err != nil { log.Critical("Unable to create OCSP signer: ", err) return } resp, err := s.Sign(req) if err != nil { log.Critical("Unable to sign OCSP response: ", err) return } cli.PrintOCSPResponse(resp) return }
func main() { // Validate input // All flags are required flag.Parse() missing := false flag.VisitAll(func(f *flag.Flag) { if len(f.Value.String()) == 0 { missing = true } }) if missing { log.Critical("All flags must be provided.") flag.Usage() return } jsonConfig, err := ioutil.ReadFile(*configFile) if err != nil { log.Criticalf("Unable to read config: %v", err) return } var config Config err = json.Unmarshal(jsonConfig, &config) if err != nil { log.Criticalf("Unable to parse config: %v", err) return } if len(config.Name.C) == 0 || len(config.Name.O) == 0 || len(config.Name.CN) == 0 { log.Criticalf("Config must provide country, organizationName, and commonName") return } if config.NotBefore.After(config.NotAfter) { log.Criticalf("Invalid validity: notAfter is before notBefore") return } // Set up PKCS#11 key priv, err := pkcs11key.New(*module, *token, *pin, *label) if err != nil { log.Criticalf("Unable to instantiate PKCS#11 private key: %v", err) return } pub := priv.Public() // Generate serial number serialLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialLimit) if err != nil { log.Criticalf("Error generating serial number: %v", err) return } // Generate subject key ID pubDER, err := x509.MarshalPKIXPublicKey(pub) if err != nil { log.Criticalf("Error serializing public key: %v", err) return } h := sha1.New() h.Write(pubDER) keyID := h.Sum(nil) // Sign the certificate rootTemplate := &x509.Certificate{ SignatureAlgorithm: x509.SHA256WithRSA, SerialNumber: serialNumber, Subject: pkix.Name{ Country: []string{config.Name.C}, Organization: []string{config.Name.O}, CommonName: config.Name.CN, }, NotBefore: config.NotBefore, NotAfter: config.NotAfter, BasicConstraintsValid: true, IsCA: true, SubjectKeyId: keyID, } rootDER, err := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, pub, priv) if err != nil { log.Criticalf("Error signing certificate: %v", err) return } fmt.Println(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE", Bytes: rootDER, }))) }
// Handle receives the incoming request, validates it, and processes it. func (h *AuthHandler) Handle(w http.ResponseWriter, r *http.Request) error { log.Info("signature request received") body, err := ioutil.ReadAll(r.Body) if err != nil { log.Errorf("failed to read response body: %v", err) return err } r.Body.Close() var aReq auth.AuthenticatedRequest err = json.Unmarshal(body, &aReq) if err != nil { log.Errorf("failed to unmarshal authenticated request: %v", err) return errors.NewBadRequest(err) } var req jsonSignRequest err = json.Unmarshal(aReq.Request, &req) if err != nil { log.Errorf("failed to unmarshal request from authenticated request: %v", err) return errors.NewBadRequestString("Unable to parse authenticated sign request") } // Sanity checks to ensure that we have a valid policy. This // should have been checked in NewAuthHandler. policy := h.signer.Policy() if policy == nil { log.Critical("signer was initialised without a signing policy") return errors.NewBadRequestString("invalid policy") } profile := policy.Default if policy.Profiles != nil && req.Profile != "" { profile = policy.Profiles[req.Profile] } if profile == nil { log.Critical("signer was initialised without any valid profiles") return errors.NewBadRequestString("invalid profile") } if profile.Provider == nil { log.Error("profile has no authentication provider") return errors.NewBadRequestString("no authentication provider") } if !profile.Provider.Verify(&aReq) { log.Warning("received authenticated request with invalid token") return errors.NewBadRequestString("invalid token") } signReq := jsonReqToTrue(req) if signReq.Hosts == nil { return errors.NewBadRequestString("missing parameter 'hostname' or 'hosts'") } if signReq.Request == "" { return errors.NewBadRequestString("missing parameter 'certificate_request'") } cert, err := h.signer.Sign(signReq) if err != nil { log.Errorf("signature failed: %v", err) return err } result := map[string]string{"certificate": string(cert)} log.Info("wrote response") return api.SendResponse(w, result) }
func main() { // Validate input // All flags are required flag.Parse() missing := false flag.VisitAll(func(f *flag.Flag) { if len(f.Value.String()) == 0 { missing = true } }) if missing { log.Critical("All flags must be provided.") flag.Usage() return } // Read the issuer cert certPEM, err := ioutil.ReadFile(*certFile) if err != nil { log.Criticalf("Unable to read certificate: %v", err) return } certBlock, _ := pem.Decode(certPEM) cert, err := x509.ParseCertificate(certBlock.Bytes) if err != nil { log.Criticalf("Unable to parse certificate: %v", err) return } // Read the list of revoked certs jsonConfig, err := ioutil.ReadFile(*listFile) if err != nil { log.Criticalf("Unable to read list of revoked certs: %v", err) return } var config Config err = json.Unmarshal(jsonConfig, &config) if err != nil { log.Criticalf("Unable to parse list of revoked certs: %v", err) return } // Set up PKCS#11 key priv, err := pkcs11key.New(*module, *token, *pin, *label) if err != nil { log.Criticalf("Unable to instantiate PKCS#11 private key: %v", err) return } // Sign the CRL crlDER, err := cert.CreateCRL(rand.Reader, priv, config.RevokedCerts, config.ThisUpdate, config.NextUpdate) if err != nil { log.Criticalf("Error signing certificate: %v", err) return } fmt.Println(string(pem.EncodeToMemory(&pem.Block{ Type: "X509 CRL", Bytes: crlDER, }))) }