add: Incremental CRL transfer
authorFelix Dörre <felix@dogcraft.de>
Wed, 7 Jan 2015 17:01:33 +0000 (18:01 +0100)
committerBenny Baumann <BenBE@geshi.org>
Sat, 24 Jan 2015 17:33:29 +0000 (18:33 +0100)
src/crypto/remoteSigner.cpp
src/crypto/remoteSigner.h
src/crypto/signer.h
src/crypto/simpleOpensslSigner.cpp
src/crypto/simpleOpensslSigner.h
src/io/record.h
src/io/recordHandler.cpp

index f04f6d3b732297e53425666a299cb8d8f4f75cb6..335c2ff3d52561c11cff13f401c70c05c3e07c1f 100644 (file)
@@ -140,7 +140,7 @@ std::shared_ptr<SignedCertificate> RemoteSigner::sign( std::shared_ptr<TBSCertif
     return result;
 }
 
-std::shared_ptr<CRL> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
+std::pair<std::shared_ptr<CRL>, std::string> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
     ( void )BIO_reset( target.get() );
 
     std::shared_ptr<SSL> ssl( SSL_new( ctx.get() ), SSL_free );
@@ -162,27 +162,45 @@ std::shared_ptr<CRL> RemoteSigner::revoke( std::shared_ptr<CAConfig> ca, std::st
 
     if( length <= 0 ) {
         std::cout << "Error, no response data" << std::endl;
-        return std::shared_ptr<CRL>();
+        return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );
     }
 
     payload = parseCommand( head, std::string( buffer.data(), length ), log );
 
+    std::shared_ptr<CRL> crl( new CRL( ca->path + std::string( "/ca.crl" ) ) );
+
     switch( ( RecordHeader::SignerResult ) head.command ) {
-    case RecordHeader::SignerResult::REVOKED:
-        std::cout << "CRL: " << std::endl << payload << std::endl;
+    case RecordHeader::SignerResult::REVOKED: {
+        const unsigned char* buffer = ( const unsigned char* ) payload.data();
+        const unsigned char* pos = buffer;
+        ASN1_UTCTIME* time = d2i_ASN1_UTCTIME( NULL, &pos, payload.size() );
+        ASN1_UTCTIME_free( time );
+        std::string rest = payload.substr( pos - buffer );
+        crl->revoke( serial, payload.substr( 0, pos - buffer ) );
+        crl->setSignature( rest );
+        bool ok = crl->verify( ca );
+
+        if( ok ) {
+            ( *log ) << "CRL verificated successfully" << std::endl;
+            writeFile( ca->path + std::string( "/ca.crl" ), crl->toString() );
+        } else {
+            ( *log ) << "CRL is broken" << std::endl;
+        }
+
+        ( *log ) << "CRL: " << std::endl << crl->toString() << std::endl;
         break;
+    }
 
     default:
         throw "Invalid response command.";
     }
 
-    writeFile( ca->path + "/ca.crl", payload );
 
     if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) { // need to close the connection twice
         std::cout << "SSL shutdown failed" << std::endl;
     }
 
-    return std::shared_ptr<CRL>();
+    return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );
 }
 
 void RemoteSigner::setLog( std::shared_ptr<std::ostream> target ) {
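Review bot: In the REVOKED case the split of `payload` into date and signature relies on `pos` having been advanced by `d2i_ASN1_UTCTIME`, but its return value is never checked; when the call fails `time` is NULL and `pos` is typically left at `buffer`, so `crl->revoke` receives an empty date and the whole payload is installed as the signature, leaving `verify` as the only thing standing between a malformed response and a written CRL. Add `if( !time ) { ( *log ) << "CRL response has no valid revocation date" << std::endl; break; }` before the `ASN1_UTCTIME_free` call. The function also still ends with `return std::pair<std::shared_ptr<CRL>, std::string>( std::shared_ptr<CRL>(), "" );`, so the freshly verified `crl` is discarded and the caller cannot distinguish success from a failed verification; returning the `crl` (only when `ok`) together with the date substring would match what SimpleOpensslSigner::revoke now returns. The body also spans the first hunk of this section, which shows only the changed signature.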
index 1be28ed66ee94c83054c4dab7aa47abb7d4eb97d..f08eae6a77b13c9263ece20b3c66ed54cd183027 100644 (file)
@@ -20,7 +20,7 @@ public:
     RemoteSigner( std::shared_ptr<BIO> target, std::shared_ptr<SSL_CTX> ctx );
     ~RemoteSigner();
     std::shared_ptr<SignedCertificate> sign( std::shared_ptr<TBSCertificate> cert );
-    std::shared_ptr<CRL> revoke( std::shared_ptr<CAConfig> ca, std::string serial );
+    std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::string serial );
 
     void setLog( std::shared_ptr<std::ostream> target );
 };
index 44b2546a905d77cc23b0eea82f20d778220b1117..582308daf6a0e7325f03a687596344e646dd47a7 100644 (file)
@@ -9,5 +9,5 @@
 class Signer {
 public:
     virtual std::shared_ptr<SignedCertificate> sign( std::shared_ptr<TBSCertificate> cert ) = 0;
-    virtual std::shared_ptr<CRL> revoke( std::shared_ptr<CAConfig> ca, std::string serial ) = 0;
+    virtual std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::string serial ) = 0;
 };
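Review bot: The new `std::pair<std::shared_ptr<CRL>, std::string>` return type leaves the meaning of the second element undocumented in the interface, and nothing states whether the first element may be empty (RemoteSigner::revoke in this commit returns an empty pointer on every path). Add above the declaration a comment along the lines of `/// Revokes the given serial in the CRL of ca. Returns the updated CRL (may be empty when the revocation failed) and the encoded revocation date that precedes the CRL signature on the wire — presumably the DER UTCTime that RemoteSigner::revoke parses with d2i_ASN1_UTCTIME; confirm against CRL::revoke.`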
index 8eb97d579bc997785cb1abd9804273cc5e2d4138..2aea5c815944a82a3f220e291f02bb91dd04e36d 100644 (file)
@@ -160,12 +160,12 @@ std::shared_ptr<SignedCertificate> SimpleOpensslSigner::sign( std::shared_ptr<TB
     return output;
 }
 
-std::shared_ptr<CRL> SimpleOpensslSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
+std::pair<std::shared_ptr<CRL>, std::string> SimpleOpensslSigner::revoke( std::shared_ptr<CAConfig> ca, std::string serial ) {
     std::string crlpath = ca->path + "/ca.crl";
 
     std::shared_ptr<CRL> crl( new CRL( crlpath ) );
-    crl->revoke( serial, "" );
+    std::string date = crl->revoke( serial, "" );
     crl->sign( ca );
-
-    return crl;
+    writeFile( crlpath, crl->toString() );
+    return std::pair<std::shared_ptr<CRL>, std::string>( crl, date );
 }
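Review bot: `writeFile( crlpath, crl->toString() )` now overwrites the on-disk CRL unconditionally right after `crl->sign( ca )`, without checking that signing succeeded; from this hunk I cannot tell whether `sign` reports failure, but if it can, the previous CRL file is replaced by an unsigned one and `date` is still returned as if the revocation went through. Consider checking the outcome of `sign` (or `crl->verify( ca )`, which RemoteSigner::revoke uses) before writing. As a point of style, `std::make_shared<CRL>( crlpath )` and `return std::make_pair( crl, date );` read better than the explicit `new` and the spelled-out pair type.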
index a6af01a7155414941d6662b7f4eb7243a4d5247c..8b3865505205f60522580bbd0051dcd3cf15ef33 100644 (file)
@@ -15,5 +15,5 @@ public:
     SimpleOpensslSigner();
     ~SimpleOpensslSigner();
     std::shared_ptr<SignedCertificate> sign( std::shared_ptr<TBSCertificate> cert );
-    std::shared_ptr<CRL> revoke( std::shared_ptr<CAConfig> ca, std::string serial );
+    std::pair<std::shared_ptr<CRL>, std::string> revoke( std::shared_ptr<CAConfig> ca, std::string serial );
 };
index 38794289f6d1df5021946c4aac9b8039c9845d3b..92837bd0eec0d7206496b4b68e2cceed65cf6914 100644 (file)
@@ -22,12 +22,14 @@ public:
         SIGN = 0x80,
         LOG_SAVED = 0x81,
         REVOKE = 0x100,
+        GET_FULL_CRL = 0x101,
         GET_TIMESTAMP = 0xC0,
         GET_STATUS_REPORT = 0xD0
     };
 
     enum class SignerResult : uint16_t {
         REVOKED = 0x100,
+        FULL_CRL = 0x101,
         SAVE_LOG = 0x80,
         CERTIFICATE = 0x81
     };
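Review bot: `GET_FULL_CRL` and `FULL_CRL` are declared here but, as far as this commit shows, neither is produced or handled anywhere (RemoteSigner::revoke throws on any result other than REVOKED), so a client whose incremental update fails verification has no way to recover a complete CRL yet. A comment marking the intent would help the next reader, e.g. `GET_FULL_CRL = 0x101, // presumably the fallback when an incremental CRL update fails verification; no handler yet` with a matching note on `FULL_CRL`.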
index abac9a53b7ec8034f29424f0af7969c749e8110d..72442ce110742ac5b8c6366efb6cf31cc636b654 100644 (file)
@@ -201,9 +201,11 @@ public:
 
             auto reqCA = CAs.at( ca );
             ( *log ) << "CA found" << std::endl;
-            std::shared_ptr<CRL> crl = signer->revoke( reqCA, serial );
+            std::shared_ptr<CRL> crl;
+            std::string date;
+            std::tie<std::shared_ptr<CRL>, std::string>( crl, date ) = signer->revoke( reqCA, serial );
 
-            respondCommand( RecordHeader::SignerResult::REVOKED, crl->toString() );
+            respondCommand( RecordHeader::SignerResult::REVOKED, date + crl->getSignature() );
 
             if( !SSL_shutdown( ssl.get() ) && !SSL_shutdown( ssl.get() ) ) {
                 ( *log ) << "ERROR: SSL close failed" << std::endl;
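Review bot: `crl->getSignature()` on the `respondCommand` line dereferences `crl` without a null check, although the Signer interface now returns a `std::shared_ptr<CRL>` that implementations may leave empty (RemoteSigner::revoke in this commit does so on every path); with SimpleOpensslSigner it is non-null today, but a failed revocation would turn into a null dereference inside the handler. Guard it with `if( !crl ) { ( *log ) << "ERROR: revocation failed" << std::endl; } else { respondCommand( RecordHeader::SignerResult::REVOKED, date + crl->getSignature() ); }` — what the client should receive on failure I cannot tell from this hunk. The explicit template arguments on `std::tie<std::shared_ptr<CRL>, std::string>( crl, date )` are also unnecessary; plain `std::tie( crl, date ) = signer->revoke( reqCA, serial );` is the idiom. The enclosing function begins and ends outside this hunk.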