예제 #1
0
파일: ocspsign.go 프로젝트: hildjj/boulder
// ocspSignerMain is the main CLI of OCSP signer functionality.
func ocspSignerMain(args []string, c cli.Config) (err error) {
	// Read the cert to be revoked from file
	certBytes, err := ioutil.ReadFile(c.CertFile)
	if err != nil {
		log.Critical("Unable to read certificate: ", err)
		return
	}
	cert, err := helpers.ParseCertificatePEM(certBytes)
	if err != nil {
		log.Critical("Unable to parse certificate: ", err)
		return
	}

	req := ocsp.SignRequest{
		Certificate: cert,
		Status:      c.Status,
	}

	if c.Status == "revoked" {
		req.Reason = c.Reason

		req.RevokedAt = time.Now()
		if c.RevokedAt != "now" {
			req.RevokedAt, err = time.Parse("2006-01-02", c.RevokedAt)
			if err != nil {
				log.Critical("Malformed revocation time: ", c.RevokedAt)
				return
			}
		}
	}

	s, err := ocsp.NewSignerFromFile(c.CAFile, c.ResponderFile, c.KeyFile, time.Duration(c.Interval))
	if err != nil {
		log.Critical("Unable to create OCSP signer: ", err)
		return
	}

	resp, err := s.Sign(req)
	if err != nil {
		log.Critical("Unable to sign OCSP response: ", err)
		return
	}

	cli.PrintOCSPResponse(resp)
	return
}
예제 #2
0
파일: main.go 프로젝트: diafygi/boulder
func main() {
	// Validate input
	// All flags are required
	flag.Parse()
	missing := false
	flag.VisitAll(func(f *flag.Flag) {
		if len(f.Value.String()) == 0 {
			missing = true
		}
	})
	if missing {
		log.Critical("All flags must be provided.")
		flag.Usage()
		return
	}

	jsonConfig, err := ioutil.ReadFile(*configFile)
	if err != nil {
		log.Criticalf("Unable to read config: %v", err)
		return
	}

	var config Config
	err = json.Unmarshal(jsonConfig, &config)
	if err != nil {
		log.Criticalf("Unable to parse config: %v", err)
		return
	}

	if len(config.Name.C) == 0 || len(config.Name.O) == 0 ||
		len(config.Name.CN) == 0 {
		log.Criticalf("Config must provide country, organizationName, and commonName")
		return
	}

	if config.NotBefore.After(config.NotAfter) {
		log.Criticalf("Invalid validity: notAfter is before notBefore")
		return
	}

	// Set up PKCS#11 key
	priv, err := pkcs11key.New(*module, *token, *pin, *label)
	if err != nil {
		log.Criticalf("Unable to instantiate PKCS#11 private key: %v", err)
		return
	}
	pub := priv.Public()

	// Generate serial number
	serialLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serialNumber, err := rand.Int(rand.Reader, serialLimit)
	if err != nil {
		log.Criticalf("Error generating serial number: %v", err)
		return
	}

	// Generate subject key ID
	pubDER, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		log.Criticalf("Error serializing public key: %v", err)
		return
	}
	h := sha1.New()
	h.Write(pubDER)
	keyID := h.Sum(nil)

	// Sign the certificate
	rootTemplate := &x509.Certificate{
		SignatureAlgorithm: x509.SHA256WithRSA,

		SerialNumber: serialNumber,
		Subject: pkix.Name{
			Country:      []string{config.Name.C},
			Organization: []string{config.Name.O},
			CommonName:   config.Name.CN,
		},
		NotBefore: config.NotBefore,
		NotAfter:  config.NotAfter,

		BasicConstraintsValid: true,
		IsCA: true,

		SubjectKeyId: keyID,
	}

	rootDER, err := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, pub, priv)
	if err != nil {
		log.Criticalf("Error signing certificate: %v", err)
		return
	}

	fmt.Println(string(pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE",
		Bytes: rootDER,
	})))
}
예제 #3
0
파일: sign.go 프로젝트: hildjj/boulder
// Handle receives the incoming request, validates it, and processes it.
func (h *AuthHandler) Handle(w http.ResponseWriter, r *http.Request) error {
	log.Info("signature request received")

	body, err := ioutil.ReadAll(r.Body)
	if err != nil {
		log.Errorf("failed to read response body: %v", err)
		return err
	}
	r.Body.Close()

	var aReq auth.AuthenticatedRequest
	err = json.Unmarshal(body, &aReq)
	if err != nil {
		log.Errorf("failed to unmarshal authenticated request: %v", err)
		return errors.NewBadRequest(err)
	}

	var req jsonSignRequest
	err = json.Unmarshal(aReq.Request, &req)
	if err != nil {
		log.Errorf("failed to unmarshal request from authenticated request: %v", err)
		return errors.NewBadRequestString("Unable to parse authenticated sign request")
	}

	// Sanity checks to ensure that we have a valid policy. This
	// should have been checked in NewAuthHandler.
	policy := h.signer.Policy()
	if policy == nil {
		log.Critical("signer was initialised without a signing policy")
		return errors.NewBadRequestString("invalid policy")
	}
	profile := policy.Default

	if policy.Profiles != nil && req.Profile != "" {
		profile = policy.Profiles[req.Profile]
	}

	if profile == nil {
		log.Critical("signer was initialised without any valid profiles")
		return errors.NewBadRequestString("invalid profile")
	}

	if profile.Provider == nil {
		log.Error("profile has no authentication provider")
		return errors.NewBadRequestString("no authentication provider")
	}

	if !profile.Provider.Verify(&aReq) {
		log.Warning("received authenticated request with invalid token")
		return errors.NewBadRequestString("invalid token")
	}

	signReq := jsonReqToTrue(req)
	if signReq.Hosts == nil {
		return errors.NewBadRequestString("missing parameter 'hostname' or 'hosts'")
	}

	if signReq.Request == "" {
		return errors.NewBadRequestString("missing parameter 'certificate_request'")
	}

	cert, err := h.signer.Sign(signReq)
	if err != nil {
		log.Errorf("signature failed: %v", err)
		return err
	}

	result := map[string]string{"certificate": string(cert)}
	log.Info("wrote response")
	return api.SendResponse(w, result)
}
예제 #4
0
파일: main.go 프로젝트: hildjj/boulder
func main() {
	// Validate input
	// All flags are required
	flag.Parse()
	missing := false
	flag.VisitAll(func(f *flag.Flag) {
		if len(f.Value.String()) == 0 {
			missing = true
		}
	})
	if missing {
		log.Critical("All flags must be provided.")
		flag.Usage()
		return
	}

	// Read the issuer cert
	certPEM, err := ioutil.ReadFile(*certFile)
	if err != nil {
		log.Criticalf("Unable to read certificate: %v", err)
		return
	}

	certBlock, _ := pem.Decode(certPEM)
	cert, err := x509.ParseCertificate(certBlock.Bytes)
	if err != nil {
		log.Criticalf("Unable to parse certificate: %v", err)
		return
	}

	// Read the list of revoked certs
	jsonConfig, err := ioutil.ReadFile(*listFile)
	if err != nil {
		log.Criticalf("Unable to read list of revoked certs: %v", err)
		return
	}

	var config Config
	err = json.Unmarshal(jsonConfig, &config)
	if err != nil {
		log.Criticalf("Unable to parse list of revoked certs: %v", err)
		return
	}

	// Set up PKCS#11 key
	priv, err := pkcs11key.New(*module, *token, *pin, *label)
	if err != nil {
		log.Criticalf("Unable to instantiate PKCS#11 private key: %v", err)
		return
	}

	// Sign the CRL
	crlDER, err := cert.CreateCRL(rand.Reader, priv, config.RevokedCerts, config.ThisUpdate, config.NextUpdate)
	if err != nil {
		log.Criticalf("Error signing certificate: %v", err)
		return
	}

	fmt.Println(string(pem.EncodeToMemory(&pem.Block{
		Type:  "X509 CRL",
		Bytes: crlDER,
	})))
}