func ConfirmName(n *pkix.Name) *pkix.Name { return &pkix.Name{ Country: options.ConfirmN("Country", n.Country), Province: options.ConfirmN("State or Province Name", n.Province), Locality: options.ConfirmN("City or Locality Name", n.Locality), Organization: options.ConfirmN("Organization Name (e.g. company)", n.Organization), OrganizationalUnit: options.ConfirmN("Organization UnitName (e.g. section)", n.OrganizationalUnit), CommonName: options.Confirm("Common Name", n.CommonName), } }
func doResponse(conn *tao.Conn) bool { // conn.Trace = tao.NewTrace(6, 1) T := profiling.NewTrace(10, 1) T.Start() defer conn.Close() var req taoca.Request if err := conn.ReadMessage(&req); err != nil { doError(conn, err, taoca.ResponseStatus_TAOCA_BAD_REQUEST, "failed to read request") return false } T.Sample("got msg") // 1 peer := "anonymous" if conn.Peer() != nil { peer = conn.Peer().String() } T.Sample("got peer") // 2 var errmsg string // Check whether the CSR is well-formed name := req.CSR.Name sanitize(name.Country, "Country", &errmsg) sanitize(name.State, "State/Province", &errmsg) sanitize(name.City, "City/Locality", &errmsg) sanitize(name.Organization, "Organization", &errmsg) ou := sanitize(name.OrganizationalUnit, "OrganizationalUnit", &errmsg) cn := sanitize(name.CommonName, "CommonName", &errmsg) years := *req.CSR.Years if years <= 0 { errmsg = "invalid validity period" } if errmsg != "" { doError(conn, nil, taoca.ResponseStatus_TAOCA_BAD_REQUEST, errmsg) return false } T.Sample("sanitized") // 3 var ck tao.CryptoKey if err := proto.Unmarshal(req.CSR.PublicKey, &ck); err != nil { doError(conn, err, taoca.ResponseStatus_TAOCA_BAD_REQUEST, "can't unmarshal key") return false } subjectKey, err := tao.UnmarshalVerifierProto(&ck) if err != nil { doError(conn, err, taoca.ResponseStatus_TAOCA_BAD_REQUEST, "can't unmarshal key") return false } T.Sample("got subject") // 4 // TODO(kwalsh) more robust generation of serial numbers? var serial int64 if err := binary.Read(rand.Reader, binary.LittleEndian, &serial); err != nil { doError(conn, err, taoca.ResponseStatus_TAOCA_ERROR, "could not generate random serial number") } if serial < 0 { serial = ^serial } T.Sample("made serial") // 5 if verbose.Enabled { printRequest(&req, subjectKey, serial, peer) } var cps, unotice string if manualMode { lock.Lock() var ok string for { ok = options.Confirm("Approve this request?", "no") if ok == "yes" || ok == "no" { break } fmt.Printf("I don't understand %q. Please type yes or no.\n", ok) } lock.Unlock() if ok != "yes" { doError(conn, nil, taoca.ResponseStatus_TAOCA_REQUEST_DENIED, "request is denied") return false } fmt.Printf("Issuing certificate.\n") cps = cpsTemplate + cpsManual } else { // Consult guard to enforce policy. if conn.Peer() == nil { doError(conn, nil, taoca.ResponseStatus_TAOCA_REQUEST_DENIED, "anonymous request is denied") return false } if learnMode { prin := *conn.Peer() if len(prin.Ext) > 0 { last := prin.Ext[len(prin.Ext)-1] tail := auth.PrinTail{ Ext: auth.SubPrin([]auth.PrinExt{last}), } prinHash := fmt.Sprintf("Known(%v)", tail) if !knownHashes[prinHash] { fmt.Printf("Learned: %s\n", prinHash) knownHashes[prinHash] = true if err := guard.AddRule(prinHash); err != nil { fmt.Println("Error adding rule: %s\n", err) } } } } if !guard.IsAuthorized(*conn.Peer(), "ClaimCertificate", []string{*name.OrganizationalUnit, *name.CommonName}) && !guard.IsAuthorized(*conn.Peer(), "ClaimCertificate", nil) { fmt.Printf("Policy (as follows) does not allow this request\n") fmt.Printf("%s\n", guard.String()) doError(conn, nil, taoca.ResponseStatus_TAOCA_REQUEST_DENIED, "request is denied") return false } if _, ok := guard.(*tao.ACLGuard); ok { cps = cpsTemplate + cpsACL } else { cps = cpsTemplate + cpsDatalog } cps += "\n" + guard.String() } T.Sample("authenticated") // 6 if conn.Peer() != nil { unotice = fmt.Sprintf(unoticeTemplate+ "* The certificate was requested by the following Tao principal:\n\n %v\n", *conn.Peer()) } else { unotice = fmt.Sprintf(unoticeTemplate + "* The certificate was requested anonymously.\n") } cpsUrl, err := publish([]byte(cps)) unoticeUrl, err := publish([]byte(unotice)) // ext, err := taoca.NewUserNotice("Hello user, how are you?") ext, err := taoca.NewCertficationPolicy(cpsUrl, unoticeUrl) if err != nil { doError(conn, err, taoca.ResponseStatus_TAOCA_ERROR, "failed to generate certificate policy extension") return false } T.Sample("made cps") // 7 netlog.Log("https_ca: issuing certificate for ou=%q cn=%q to %s", ou, cn, peer) template := caKeys.SigningKey.X509Template(NewX509Name(name), ext) template.IsCA = *req.CSR.IsCa template.SerialNumber.SetInt64(serial) cert, err := caKeys.CreateSignedX509(subjectKey, template, "default") if err != nil { doError(conn, err, taoca.ResponseStatus_TAOCA_ERROR, "failed to generate certificate") return false } T.Sample("signed cert") // 8 status := taoca.ResponseStatus_TAOCA_OK resp := &taoca.Response{ Status: &status, Cert: []*taoca.Cert{&taoca.Cert{X509Cert: cert.Raw}}, } for _, parent := range caKeys.CertChain("default") { resp.Cert = append(resp.Cert, &taoca.Cert{X509Cert: parent.Raw}) } T.Sample("built response") // 9 sendResponse(conn, resp) T.Sample("sent response") // 10 //fmt.Println(T) return true }