// NewSignerFromFile reads the issuer cert, the responder cert and the responder key // from PEM files, and takes an interval in seconds func NewSignerFromFile(issuerFile, responderFile, keyFile string, interval time.Duration) (Signer, error) { log.Debug("Loading issuer cert: ", issuerFile) issuerBytes, err := ioutil.ReadFile(issuerFile) if err != nil { return nil, err } log.Debug("Loading responder cert: ", responderFile) responderBytes, err := ioutil.ReadFile(responderFile) if err != nil { return nil, err } log.Debug("Loading responder key: ", keyFile) keyBytes, err := ioutil.ReadFile(keyFile) if err != nil { return nil, cferr.Wrap(cferr.CertificateError, cferr.ReadFailed, err) } issuerCert, err := helpers.ParseCertificatePEM(issuerBytes) if err != nil { return nil, err } responderCert, err := helpers.ParseCertificatePEM(responderBytes) if err != nil { return nil, err } key, err := helpers.ParsePrivateKeyPEM(keyBytes) if err != nil { log.Debug("Malformed private key %v", err) return nil, err } return NewSigner(issuerCert, responderCert, key, interval) }
func TestCAIssuing(t *testing.T) { var caCerts = []string{testCaFile, testECDSACaFile} var caKeys = []string{testCaKeyFile, testECDSACaKeyFile} var interCSRs = []string{ecdsaInterCSR, rsaInterCSR} var interKeys = []string{ecdsaInterKey, rsaInterKey} var CAPolicy = &config.Signing{ Default: &config.SigningProfile{ Usage: []string{"cert sign", "crl sign"}, ExpiryString: "1h", Expiry: 1 * time.Hour, CA: true, }, } var hostname = "cloudflare-inter.com" // Each RSA or ECDSA root CA issues two intermediate CAs (one ECDSA and one RSA). // For each intermediate CA, use it to issue additional RSA and ECDSA intermediate CSRs. for i, caFile := range caCerts { caKeyFile := caKeys[i] s := newCustomSigner(t, caFile, caKeyFile) s.policy = CAPolicy for j, csr := range interCSRs { csrBytes, _ := ioutil.ReadFile(csr) certBytes, err := s.Sign(signer.SignRequest{Hosts: signer.SplitHosts(hostname), Request: string(csrBytes)}) if err != nil { t.Fatal(err) } interCert, err := helpers.ParseCertificatePEM(certBytes) if err != nil { t.Fatal(err) } keyBytes, _ := ioutil.ReadFile(interKeys[j]) interKey, _ := helpers.ParsePrivateKeyPEM(keyBytes) interSigner := &Signer{interCert, interKey, CAPolicy, signer.DefaultSigAlgo(interKey), nil} for _, anotherCSR := range interCSRs { anotherCSRBytes, _ := ioutil.ReadFile(anotherCSR) bytes, err := interSigner.Sign( signer.SignRequest{ Hosts: signer.SplitHosts(hostname), Request: string(anotherCSRBytes), }) if err != nil { t.Fatal(err) } cert, err := helpers.ParseCertificatePEM(bytes) if err != nil { t.Fatal(err) } if cert.SignatureAlgorithm != interSigner.SigAlgo() { t.Fatal("Cert Signature Algorithm does not match the issuer.") } } } } }
func TestECDSASigner(t *testing.T) { s := newCustomSigner(t, testECDSACaFile, testECDSACaKeyFile) hostname := "cloudflare.com" for _, test := range csrTests { csr, err := ioutil.ReadFile(test.file) if err != nil { t.Fatal("CSR loading error:", err) } // Try all ECDSA SignatureAlgorithm SigAlgos := []x509.SignatureAlgorithm{x509.ECDSAWithSHA1, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512} for _, sigAlgo := range SigAlgos { s.sigAlgo = sigAlgo certBytes, err := s.Sign(signer.SignRequest{Hosts: signer.SplitHosts(hostname), Request: string(csr)}) if test.errorCallback != nil { test.errorCallback(t, err) } else { if err != nil { t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.keyAlgo, test.keyLen) } cert, _ := helpers.ParseCertificatePEM(certBytes) if cert.SignatureAlgorithm != s.SigAlgo() { t.Fatal("Cert Signature Algorithm does not match the issuer.") } } } } }
func TestRemoteSignBadServerAndOverride(t *testing.T) { remoteServer := newTestSignServer(t) defer closeTestServer(t, remoteServer) // remoteConfig contains port 80 that no test server will listen on remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig)) s := newRemoteSigner(t, remoteConfig.Signing) hosts := []string{"cloudflare.com"} csr, err := ioutil.ReadFile("../local/testdata/rsa2048.csr") if err != nil { t.Fatal("CSR loading error:", err) } _, err = s.Sign(signer.SignRequest{Hosts: hosts, Request: string(csr)}) if err == nil { t.Fatal("Should return error") } remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:]) s.SetPolicy(remoteConfig.Signing) certBytes, err := s.Sign(signer.SignRequest{ Hosts: hosts, Request: string(csr), Serial: big.NewInt(1), }) if err != nil { t.Fatalf("Expected no error. Got %s.", err.Error()) } _, err = helpers.ParseCertificatePEM(certBytes) if err != nil { t.Fatal("Fail to parse returned certificate:", err) } }
// fetchRemoteCertificate retrieves a single URL pointing to a certificate // and attempts to first parse it as a DER-encoded certificate; if // this fails, it attempts to decode it as a PEM-encoded certificate. func fetchRemoteCertificate(certURL string) (fi *fetchedIntermediate, err error) { log.Debugf("fetching remote certificate: %s", certURL) var resp *http.Response resp, err = http.Get(certURL) if err != nil { log.Debugf("failed HTTP get: %v", err) return } defer resp.Body.Close() var certData []byte certData, err = ioutil.ReadAll(resp.Body) if err != nil { log.Debugf("failed to read response body: %v", err) return } log.Debugf("attempting to parse certificate as DER") crt, err := x509.ParseCertificate(certData) if err != nil { log.Debugf("attempting to parse certificate as PEM") crt, err = helpers.ParseCertificatePEM(certData) if err != nil { log.Debugf("failed to parse certificate: %v", err) return } } log.Debugf("certificate fetch succeeds") fi = &fetchedIntermediate{Cert: crt, Name: constructCertFileName(crt)} return }
func makeCASigner(certBytes, keyBytes []byte, sigAlgo x509.SignatureAlgorithm, t *testing.T) signer.Signer { cert, err := helpers.ParseCertificatePEM(certBytes) if err != nil { t.Fatal(err) } key, err := helpers.ParsePrivateKeyPEM(keyBytes) if err != nil { t.Fatal(err) } defaultProfile := &config.SigningProfile{ Usage: []string{"cert sign"}, CA: true, Expiry: time.Hour, ExpiryString: "1h", } policy := &config.Signing{ Profiles: map[string]*config.SigningProfile{}, Default: defaultProfile, } s, err := local.NewSigner(key, cert, sigAlgo, policy) if err != nil { t.Fatal(err) } return s }
func TestExtractCertificateRequest(t *testing.T) { certPEM, err := ioutil.ReadFile(testECDSACertificateFile) if err != nil { t.Fatal(err) } // must parse ok cert, err := helpers.ParseCertificatePEM(certPEM) if err != nil { t.Fatal(err) } req := ExtractCertificateRequest(cert) if req.CN != "" { t.Fatal("Bad Certificate Request!") } if len(req.Names) != 1 { t.Fatal("Bad Certificate Request!") } name := req.Names[0] if name.C != "US" || name.ST != "California" || name.O != "CloudFlare, Inc." || name.OU != "Test Certificate Authority" || name.L != "San Francisco" { t.Fatal("Bad Certificate Request!") } if req.CA == nil || req.CA.PathLength != 2 { t.Fatal("Bad Certificate Request!") } }
// NewSignerFromFile generates a new local signer from a caFile // and a caKey file, both PEM encoded. func NewSignerFromFile(caFile, caKeyFile string, policy *config.Signing) (*Signer, error) { log.Debug("Loading CA: ", caFile) ca, err := ioutil.ReadFile(caFile) if err != nil { return nil, err } log.Debug("Loading CA key: ", caKeyFile) cakey, err := ioutil.ReadFile(caKeyFile) if err != nil { return nil, cferr.Wrap(cferr.CertificateError, cferr.ReadFailed, err) } parsedCa, err := helpers.ParseCertificatePEM(ca) if err != nil { return nil, err } priv, err := helpers.ParsePrivateKeyPEM(cakey) if err != nil { log.Debug("Malformed private key %v", err) return nil, err } return NewSigner(priv, parsedCa, signer.DefaultSigAlgo(priv), policy) }
func TestSignCSRs(t *testing.T) { s := newTestSigner(t) hostname := "cloudflare.com" for _, test := range csrTests { csr, err := ioutil.ReadFile(test.file) if err != nil { t.Fatal("CSR loading error:", err) } // It is possible to use different SHA2 algorithm with RSA CA key. rsaSigAlgos := []x509.SignatureAlgorithm{x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA} for _, sigAlgo := range rsaSigAlgos { s.sigAlgo = sigAlgo certBytes, err := s.Sign(signer.SignRequest{Hosts: signer.SplitHosts(hostname), Request: string(csr)}) if test.errorCallback != nil { test.errorCallback(t, err) } else { if err != nil { t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.keyAlgo, test.keyLen) } cert, _ := helpers.ParseCertificatePEM(certBytes) if cert.SignatureAlgorithm != s.SigAlgo() { t.Fatal("Cert Signature Algorithm does not match the issuer.") } } } } }
// ParseCertificatePEM parses an x509 certificate PEM. func ParseCertificatePEM(certPEM []byte) (*Certificate, error) { cert, err := helpers.ParseCertificatePEM(certPEM) if err != nil { return nil, err } return ParseCertificate(cert), nil }
// LoadRoot parses a config structure into a Root structure func LoadRoot(cfg map[string]string) (*Root, error) { var root Root var err error spec, ok := cfg["private"] if !ok { return nil, ErrMissingPrivateKey } certPath, ok := cfg["certificate"] if !ok { return nil, ErrMissingCertificatePath } configPath, ok := cfg["config"] if !ok { return nil, ErrMissingConfigPath } root.PrivateKey, err = parsePrivateKeySpec(spec, cfg) if err != nil { return nil, err } in, err := ioutil.ReadFile(certPath) if err != nil { return nil, err } root.Certificate, err = helpers.ParseCertificatePEM(in) if err != nil { return nil, err } conf, err := config.LoadFile(configPath) if err != nil { return nil, err } root.Config = conf.Signing nets := cfg["nets"] if nets != "" { root.ACL, err = parseACL(nets) if err != nil { return nil, err } } dbConfig := cfg["dbconfig"] if dbConfig != "" { db, err := certdb.DBFromConfig(dbConfig) if err != nil { return nil, err } root.DB = db } return &root, nil }
func TestOverrideSubject(t *testing.T) { csrPEM, err := ioutil.ReadFile(fullSubjectCSR) if err != nil { t.Fatalf("%v", err) } req := &signer.Subject{ Names: []csr.Name{ {O: "example.net"}, }, } s := newCustomSigner(t, testECDSACaFile, testECDSACaKeyFile) request := signer.SignRequest{ Hosts: []string{"127.0.0.1", "localhost", "*****@*****.**"}, Request: string(csrPEM), Subject: req, } certPEM, err := s.Sign(request) if err != nil { t.Fatalf("%v", err) } cert, err := helpers.ParseCertificatePEM(certPEM) if err != nil { t.Fatalf("%v", err) } block, _ := pem.Decode(csrPEM) template, err := x509.ParseCertificateRequest(block.Bytes) if err != nil { t.Fatal(err.Error()) } if cert.Subject.Organization[0] != "example.net" { t.Fatalf("Failed to override subject: want example.net but have %s", cert.Subject.Organization[0]) } if cert.Subject.Country[0] != template.Subject.Country[0] { t.Fatal("Failed to override Country") } if cert.Subject.Locality[0] != template.Subject.Locality[0] { t.Fatal("Failed to override Locality") } if cert.Subject.Organization[0] == template.Subject.Organization[0] { t.Fatal("Shouldn't have overrode Organization") } if cert.Subject.OrganizationalUnit[0] != template.Subject.OrganizationalUnit[0] { t.Fatal("Failed to override OrganizationalUnit") } log.Info("Overrode subject info") }
func TestUniversalRemoteAndLocalSign(t *testing.T) { // set up remote server remoteConfig := testsuite.NewConfig(t, []byte(validNoAuthRemoteConfig)) remoteServer := newTestSignServer(t, newTestUniversalSigner(t, remoteConfig.Signing)) defer closeTestServer(t, remoteServer) universalConfig := testsuite.NewConfig(t, []byte(validNoAuthUniversalConfig)) // override with test server address, ignore url prefix "http://" for name, profile := range universalConfig.Signing.Profiles { if profile.RemoteServer != "" { universalConfig.Signing.Profiles[name].RemoteServer = remoteServer.URL[7:] } } s := newTestUniversalSigner(t, universalConfig.Signing) checkSign := func(name string, profile *config.SigningProfile) { hosts := []string{"cloudflare.com"} for _, test := range testsuite.CSRTests { csr, err := ioutil.ReadFile(test.File) if err != nil { t.Fatalf("CSR loading error (%s): %v", name, err) } testSerial := big.NewInt(0x7007F) certBytes, err := s.Sign(signer.SignRequest{ Hosts: hosts, Request: string(csr), Serial: testSerial, Profile: name, }) if test.ErrorCallback != nil { test.ErrorCallback(t, err) } else { if err != nil { t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.KeyAlgo, test.KeyLen) } cert, err := helpers.ParseCertificatePEM(certBytes) if err != nil { t.Fatal("Fail to parse returned certificate:", err) } ku, _, _ := profile.Usages() if cert.KeyUsage != ku { t.Fatalf("Key usage was incorrect expected %+v, got %+v", ku, cert.KeyUsage) } } } } for name, profile := range universalConfig.Signing.Profiles { checkSign(name, profile) } // add check for default profile checkSign("", universalConfig.Signing.Default) }
func TestNoWhitelistSign(t *testing.T) { csrPEM, err := ioutil.ReadFile(fullSubjectCSR) if err != nil { t.Fatalf("%v", err) } req := &signer.Subject{ Names: []csr.Name{ {O: "sam certificate authority"}, }, CN: "localhost", } s := newCustomSigner(t, testECDSACaFile, testECDSACaKeyFile) // No policy CSR whitelist: the normal set of CSR fields get passed through to // certificate. s.policy = &config.Signing{ Default: &config.SigningProfile{ Usage: []string{"cert sign", "crl sign"}, ExpiryString: "1h", Expiry: 1 * time.Hour, CA: true, }, } request := signer.SignRequest{ Hosts: []string{"127.0.0.1", "localhost"}, Request: string(csrPEM), Subject: req, } certPEM, err := s.Sign(request) if err != nil { t.Fatalf("%v", err) } cert, err := helpers.ParseCertificatePEM(certPEM) if err != nil { t.Fatalf("%v", err) } name := cert.Subject if name.CommonName != "localhost" { t.Fatalf("Expected certificate common name to be 'localhost' but have '%v'", name.CommonName) } // CSR has: Subject: C=US, O=CloudFlare, OU=WWW, L=Ithaca, ST=New York // Expect all to be passed through. expectOneValueOf(t, name.Organization, "sam certificate authority", "O") expectOneValueOf(t, name.OrganizationalUnit, "WWW", "OU") expectOneValueOf(t, name.Province, "New York", "ST") expectOneValueOf(t, name.Locality, "Ithaca", "L") expectOneValueOf(t, name.Country, "US", "C") }
func TestSHA2Preferences(t *testing.T) { // create a CA signer and signs a new intermediate with SHA-1 sha1CASigner := makeCASignerFromFile(sha1CA, sha1CAKey, x509.SHA1WithRSA, t) // create a CA signer and signs a new intermediate with SHA-2 sha2CASigner := makeCASignerFromFile(sha1CA, sha1CAKey, x509.SHA256WithRSA, t) // sign two different intermediates sha1InterBytes := signCSRFile(sha1CASigner, intermediateCSR, t) sha2InterBytes := signCSRFile(sha2CASigner, intermediateCSR, t) interKeyBytes, err := ioutil.ReadFile(intermediateKey) if err != nil { t.Fatal(err) } // create a intermediate signer from SHA-1 intermediate cert/key sha2InterSigner := makeCASigner(sha1InterBytes, interKeyBytes, x509.SHA256WithRSA, t) // sign a leaf cert leafBytes := signCSRFile(sha2InterSigner, leafCSR, t) // create a bundler with SHA-1 and SHA-2 intermediate certs of same key. b := newCustomizedBundlerFromFile(t, sha1CA, sha1Intermediate, "") if err != nil { t.Fatal(err) } sha1Inter, _ := helpers.ParseCertificatePEM(sha1InterBytes) sha2Inter, _ := helpers.ParseCertificatePEM(sha2InterBytes) b.IntermediatePool.AddCert(sha1Inter) b.IntermediatePool.AddCert(sha2Inter) bundle, err := b.BundleFromPEMorDER(leafBytes, nil, Ubiquitous, "") if err != nil { t.Fatal("bundling failed: ", err) } if bundle.Chain[1].SignatureAlgorithm != x509.SHA256WithRSA { t.Fatal("ubiquity selection by SHA-2 homogenity failed.") } }
// ocspSignerMain is the main CLI of OCSP signer functionality. func ocspSignerMain(args []string, c cli.Config) (err error) { // Read the cert to be revoked from file certBytes, err := ioutil.ReadFile(c.CertFile) if err != nil { log.Critical("Unable to read certificate: ", err) return } cert, err := helpers.ParseCertificatePEM(certBytes) if err != nil { log.Critical("Unable to parse certificate: ", err) return } req := ocsp.SignRequest{ Certificate: cert, Status: c.Status, } if c.Status == "revoked" { var reasonCode int reasonCode, err = ocsp.ReasonStringToCode(c.Reason) if err != nil { log.Critical("Invalid reason code: ", err) return } req.Reason = reasonCode req.RevokedAt = time.Now() if c.RevokedAt != "now" { req.RevokedAt, err = time.Parse("2006-01-02", c.RevokedAt) if err != nil { log.Critical("Malformed revocation time: ", c.RevokedAt) return } } } s, err := SignerFromConfig(c) if err != nil { log.Critical("Unable to create OCSP signer: ", err) return } resp, err := s.Sign(req) if err != nil { log.Critical("Unable to sign OCSP response: ", err) return } cli.PrintOCSPResponse(resp) return }
// Handle responds to requests for a ocsp signature. It creates and signs // a ocsp response for the provided certificate and status. If the status // is revoked then it also adds reason and revoked_at. The response is // base64 encoded. func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error { body, err := ioutil.ReadAll(r.Body) if err != nil { return err } r.Body.Close() // Default the status to good so it matches the cli req := &jsonSignRequest{ Status: "good", } err = json.Unmarshal(body, req) if err != nil { return errors.NewBadRequestString("Unable to parse sign request") } cert, err := helpers.ParseCertificatePEM([]byte(req.Certificate)) if err != nil { log.Error("Error from ParseCertificatePEM", err) return errors.NewBadRequestString("Malformed certificate") } signReq := ocsp.SignRequest{ Certificate: cert, Status: req.Status, } // We need to convert the time from being a string to a time.Time if req.Status == "revoked" { signReq.Reason = req.Reason // "now" is accepted and the default on the cli so default that here if req.RevokedAt == "" || req.RevokedAt == "now" { signReq.RevokedAt = time.Now() } else { signReq.RevokedAt, err = time.Parse("2006-01-02", req.RevokedAt) if err != nil { return errors.NewBadRequestString("Malformed revocation time") } } } resp, err := h.signer.Sign(signReq) if err != nil { return err } b64Resp := base64.StdEncoding.EncodeToString(resp) result := map[string]string{"ocspResponse": b64Resp} return api.SendResponse(w, result) }
// NewCRLFromFile takes in a list of serial numbers, one per line, as well as the issuing certificate // of the CRL, and the private key. This function is then used to parse the list and generate a CRL func NewCRLFromFile(serialList, issuerFile, keyFile []byte, expiryTime string) ([]byte, error) { var revokedCerts []pkix.RevokedCertificate var oneWeek = time.Duration(604800) * time.Second expiryInt, err := strconv.ParseInt(expiryTime, 0, 32) if err != nil { return nil, err } newDurationFromInt := time.Duration(expiryInt) * time.Second newExpiryTime := time.Now().Add(newDurationFromInt) if expiryInt == 0 { newExpiryTime = time.Now().Add(oneWeek) } // Parse the PEM encoded certificate issuerCert, err := helpers.ParseCertificatePEM(issuerFile) if err != nil { return nil, err } // Split input file by new lines individualCerts := strings.Split(string(serialList), "\n") // For every new line, create a new revokedCertificate and add it to slice for _, value := range individualCerts { if len(strings.TrimSpace(value)) == 0 { continue } tempBigInt := new(big.Int) tempBigInt.SetString(value, 10) tempCert := pkix.RevokedCertificate{ SerialNumber: tempBigInt, RevocationTime: time.Now(), } revokedCerts = append(revokedCerts, tempCert) } // Parse the key given key, err := helpers.ParsePrivateKeyPEM(keyFile) if err != nil { log.Debug("Malformed private key %v", err) return nil, err } return CreateGenericCRL(revokedCerts, key, issuerCert, newExpiryTime) }
func setup(t *testing.T) (SignRequest, time.Duration) { dur, _ := time.ParseDuration("1ms") certPEM, err := ioutil.ReadFile(otherCertFile) if err != nil { t.Fatal(err) } leafCert, err := helpers.ParseCertificatePEM(certPEM) if err != nil { t.Fatal(err) } req := SignRequest{ Certificate: leafCert, Status: "good", } return req, dur }
func fetchRemote(url string) (*x509.Certificate, error) { resp, err := http.Get(url) if err != nil { return nil, err } in, err := ioutil.ReadAll(resp.Body) if err != nil { return nil, err } resp.Body.Close() p, _ := pem.Decode(in) if p != nil { return helpers.ParseCertificatePEM(in) } return x509.ParseCertificate(in) }
func getInfoFromRemote(c cli.Config) (resp *info.Resp, err error) { req := new(info.Req) req.Label = c.Label req.Profile = c.Profile serv := client.NewServer(c.Remote) reqJSON, _ := json.Marshal(req) resp, err = serv.Info(reqJSON) if err != nil { return } _, err = helpers.ParseCertificatePEM([]byte(resp.Certificate)) if err != nil { return } return }
func TestRemoteSign(t *testing.T) { remoteServer := newTestSignServer(t) defer closeTestServer(t, remoteServer) remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig)) // override with test server address, ignore url prefix "http://" remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:]) s := newRemoteSigner(t, remoteConfig.Signing) hosts := []string{"cloudflare.com"} for _, test := range testsuite.CSRTests { csr, err := ioutil.ReadFile(test.File) if err != nil { t.Fatal("CSR loading error:", err) } testSerial := big.NewInt(0x7007F) certBytes, err := s.Sign(signer.SignRequest{ Hosts: hosts, Request: string(csr), Serial: testSerial, }) if test.ErrorCallback != nil { test.ErrorCallback(t, err) } else { if err != nil { t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.KeyAlgo, test.KeyLen) } cert, err := helpers.ParseCertificatePEM(certBytes) if err != nil { t.Fatal("Fail to parse returned certificate:", err) } sn := fmt.Sprintf("%X", cert.SerialNumber) if sn != "7007F" { t.Fatal("Serial Number was incorrect:", sn) } } } }
// NewPKCS11Signer returns a new PKCS #11 signer. func NewPKCS11Signer(cfg ocspConfig.Config) (ocsp.Signer, error) { log.Debugf("Loading PKCS #11 module %s", cfg.PKCS11.Module) certData, err := ioutil.ReadFile(cfg.CACertFile) if err != nil { return nil, errors.New(errors.CertificateError, errors.ReadFailed) } cert, err := helpers.ParseCertificatePEM(certData) if err != nil { return nil, err } PKCS11 := cfg.PKCS11 priv, err := pkcs11key.New( PKCS11.Module, PKCS11.TokenLabel, PKCS11.PIN, PKCS11.PrivateKeyLabel) if err != nil { return nil, errors.New(errors.PrivateKeyError, errors.ReadFailed) } return ocsp.NewSigner(cert, cert, priv, cfg.Interval) }
// RenewFromPEM re-creates a root certificate from the CA cert and key // files. The resulting root certificate will have the input CA certificate // as the template and have the same expiry length. E.g. the exsiting CA // is valid for a year from Jan 01 2015 to Jan 01 2016, the renewed certificate // will be valid from now and expire in one year as well. func RenewFromPEM(caFile, keyFile string) ([]byte, error) { caBytes, err := ioutil.ReadFile(caFile) if err != nil { return nil, err } ca, err := helpers.ParseCertificatePEM(caBytes) if err != nil { return nil, err } keyBytes, err := ioutil.ReadFile(keyFile) if err != nil { return nil, err } key, err := helpers.ParsePrivateKeyPEM(keyBytes) if err != nil { return nil, err } return RenewFromSigner(ca, key) }
// New returns a new PKCS #11 signer. func New(caCertFile string, policy *config.Signing, cfg *Config) (signer.Signer, error) { if cfg == nil { return nil, errors.New(errors.PrivateKeyError, errors.ReadFailed) } log.Debugf("Loading PKCS #11 module %s", cfg.Module) certData, err := ioutil.ReadFile(caCertFile) if err != nil { return nil, errors.New(errors.PrivateKeyError, errors.ReadFailed) } cert, err := helpers.ParseCertificatePEM(certData) if err != nil { return nil, err } priv, err := pkcs11key.New(cfg.Module, cfg.Token, cfg.PIN, cfg.Label) if err != nil { return nil, errors.New(errors.PrivateKeyError, errors.ReadFailed) } sigAlgo := signer.DefaultSigAlgo(priv) return local.NewSigner(priv, cert, sigAlgo, policy) }
func TestRenewECDSA(t *testing.T) { certPEM, err := RenewFromPEM(testECDSACAFile, testECDSACAKeyFile) if err != nil { t.Fatal(err) } // must parse ok cert, err := helpers.ParseCertificatePEM(certPEM) if err != nil { t.Fatal(err) } if !cert.IsCA { t.Fatal("renewed CA certificate is not CA") } // cert expiry must be 5 minutes expiry := cert.NotAfter.Sub(cert.NotBefore).Seconds() if expiry >= 301 || expiry <= 299 { t.Fatal("expiry is not correct") } // check subject if cert.Subject.CommonName != "" { t.Fatal("Bad CommonName") } if len(cert.Subject.Country) != 1 || cert.Subject.Country[0] != "US" { t.Fatal("Bad Subject") } if len(cert.Subject.Organization) != 1 || cert.Subject.Organization[0] != "CloudFlare, Inc." { t.Fatal("Bad Subject") } }
// Handle responds to requests for crl generation. It creates this crl // based off of the given certificate, serial numbers, and private key func crlHandler(w http.ResponseWriter, r *http.Request) error { var revokedCerts []pkix.RevokedCertificate var oneWeek = time.Duration(604800) * time.Second var newExpiryTime = time.Now() body, err := ioutil.ReadAll(r.Body) if err != nil { return err } r.Body.Close() req := &jsonCRLRequest{} err = json.Unmarshal(body, req) if err != nil { log.Error(err) } if req.ExpiryTime != "" { expiryTime := strings.TrimSpace(req.ExpiryTime) expiryInt, err := strconv.ParseInt(expiryTime, 0, 32) if err != nil { return err } newExpiryTime = time.Now().Add((time.Duration(expiryInt) * time.Second)) } if req.ExpiryTime == "" { newExpiryTime = time.Now().Add(oneWeek) } if err != nil { return err } cert, err := helpers.ParseCertificatePEM([]byte(req.Certificate)) if err != nil { log.Error("Error from ParseCertificatePEM", err) return errors.NewBadRequestString("Malformed certificate") } for _, value := range req.SerialNumber { tempBigInt := new(big.Int) tempBigInt.SetString(value, 10) tempCert := pkix.RevokedCertificate{ SerialNumber: tempBigInt, RevocationTime: time.Now(), } revokedCerts = append(revokedCerts, tempCert) } key, err := helpers.ParsePrivateKeyPEM([]byte(req.PrivateKey)) if err != nil { log.Debug("Malformed private key %v", err) return errors.NewBadRequestString("Malformed Private Key") } result, err := cert.CreateCRL(rand.Reader, key, revokedCerts, time.Now(), newExpiryTime) return api.SendResponse(w, result) }
// readCert read a PEM file and returns a cert. func readCert(filename string) *x509.Certificate { bytes, _ := ioutil.ReadFile(filename) cert, _ := helpers.ParseCertificatePEM(bytes) return cert }
// Regression test: ubiquity bundle test with SHA2-homogeneous preference should not override root ubiquity. func TestSHA2HomogeneityAgainstUbiquity(t *testing.T) { // create a CA signer and signs a new intermediate with SHA-1 caSigner := makeCASignerFromFile(testCAFile, testCAKeyFile, x509.SHA1WithRSA, t) interL1Bytes := signCSRFile(caSigner, interL1CSR, t) // create a inter L1 signer interL1KeyBytes, err := ioutil.ReadFile(interL1Key) if err != nil { t.Fatal(err) } interL1Signer := makeCASigner(interL1Bytes, interL1KeyBytes, x509.SHA256WithRSA, t) // sign a level 2 intermediate interL2Bytes := signCSRFile(interL1Signer, interL2CSR, t) // create a inter L2 signer interL2KeyBytes, err := ioutil.ReadFile(interL2Key) if err != nil { t.Fatal(err) } interL2Signer := makeCASigner(interL2Bytes, interL2KeyBytes, x509.ECDSAWithSHA256, t) // interL2 sign a leaf cert leafBytes := signCSRFile(interL2Signer, leafCSR, t) // create two platforms // platform A trusts the CA cert and L1 intermediate // platform B trusts the CA cert caBytes, err := ioutil.ReadFile(testCAFile) if err != nil { t.Fatal(err) } ca, _ := helpers.ParseCertificatePEM(caBytes) interL1, _ := helpers.ParseCertificatePEM(interL1Bytes) platformA := ubiquity.Platform{ Name: "A", Weight: 100, KeyStore: make(ubiquity.CertSet), HashUbiquity: ubiquity.SHA2Ubiquity, KeyAlgoUbiquity: ubiquity.ECDSA521Ubiquity, } platformB := ubiquity.Platform{ Name: "B", Weight: 100, KeyStore: make(ubiquity.CertSet), HashUbiquity: ubiquity.SHA2Ubiquity, KeyAlgoUbiquity: ubiquity.ECDSA521Ubiquity, } platformA.KeyStore.Add(ca) platformA.KeyStore.Add(interL1) platformB.KeyStore.Add(ca) ubiquity.Platforms = []ubiquity.Platform{platformA, platformB} caBundle := string(caBytes) + string(interL1Bytes) interBundle := string(interL2Bytes) + string(interL1Bytes) fullChain := string(leafBytes) + string(interL2Bytes) + string(interL1Bytes) // create bundler b, err := NewBundlerFromPEM([]byte(caBundle), []byte(interBundle)) if err != nil { t.Fatal(err) } // The input PEM bundle is 3-cert chain. bundle, err := b.BundleFromPEMorDER([]byte(fullChain), nil, Force, "") if err != nil { t.Fatal("Force bundle failed:", err) } if len(bundle.Chain) != 3 { t.Fatal("Force bundle failed:") } if len(bundle.Status.Untrusted) != 0 { t.Fatal("Force bundle failed:") } // With ubiquity flavor, we should not sacrifice trust store ubiquity and rebundle with a shorter chain // with SHA2 homogenity. bundle, err = b.BundleFromPEMorDER([]byte(fullChain), nil, Ubiquitous, "") if err != nil { t.Fatal("Ubiquitous bundle failed:", err) } if len(bundle.Chain) != 3 { t.Fatal("Ubiquitous bundle failed:") } if len(bundle.Status.Untrusted) != 0 { t.Fatal("Ubiquitous bundle failed:") } // With optimal flavor, we should have a shorter chain. bundle, err = b.BundleFromPEMorDER([]byte(fullChain), nil, Optimal, "") if err != nil { t.Fatal("Optimal bundle failed:", err) } if len(bundle.Chain) != 2 { t.Fatal("Optimal bundle failed:") } if len(bundle.Status.Untrusted) == 0 { t.Fatal("Optimal bundle failed:") } }
// ocsprefreshMain is the main CLI of OCSP refresh functionality. func ocsprefreshMain(args []string, c cli.Config) (err error) { if c.DBConfigFile == "" { log.Error("need DB config file (provide with -db-config)") return } if c.ResponderFile == "" { log.Error("need responder certificate (provide with -responder)") return } if c.ResponderKeyFile == "" { log.Error("need responder key (provide with -responder-key)") return } if c.CAFile == "" { log.Error("need CA certificate (provide with -ca)") return } s, err := SignerFromConfig(c) if err != nil { log.Critical("Unable to create OCSP signer: ", err) return err } var db *sql.DB db, err = certdb.DBFromConfig(c.DBConfigFile) if err != nil { return err } var certs []*certdb.CertificateRecord certs, err = certdb.GetUnexpiredCertificates(db) if err != nil { return err } // Set an expiry timestamp for all certificates refreshed in this batch ocspExpiry := time.Now().Add(c.Interval) for _, certRecord := range certs { cert, err := helpers.ParseCertificatePEM([]byte(certRecord.PEM)) if err != nil { log.Critical("Unable to parse certificate: ", err) return err } req := ocsp.SignRequest{ Certificate: cert, Status: certRecord.Status, } if certRecord.Status == "revoked" { req.Reason = int(certRecord.Reason) req.RevokedAt = certRecord.RevokedAt } resp, err := s.Sign(req) if err != nil { log.Critical("Unable to sign OCSP response: ", err) return err } err = certdb.UpsertOCSP(db, cert.SerialNumber.String(), string(resp), ocspExpiry) if err != nil { log.Critical("Unable to save OCSP response: ", err) return err } } return nil }