From 1031ee3118b330783e078eb99017514daa9a6eaf Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Wed, 30 Nov 2022 18:42:40 +0100 Subject: [PATCH] Implement configuration support for CA profiles --- internal/config/config.go | 23 +++++++++++++++ internal/hsm/hsm.go | 18 ++++++++++-- pkg/messages/messages.go | 61 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 99 insertions(+), 3 deletions(-) diff --git a/internal/config/config.go b/internal/config/config.go index d620d0e..273e5c5 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -31,6 +31,8 @@ import ( "gopkg.in/yaml.v3" + "git.cacert.org/cacert-gosigner/pkg/messages" + "git.cacert.org/cacert-gosigner/internal/x509/openssl" "git.cacert.org/cacert-gosigner/internal/x509/revoking" "git.cacert.org/cacert-gosigner/internal/x509/signing" @@ -540,6 +542,7 @@ type CaCertificateEntry struct { KeyPair crypto.Signer Parent string Storage string + Profiles []messages.CAProfile } func (c *CaCertificateEntry) UnmarshalYAML(value *yaml.Node) error { @@ -551,6 +554,10 @@ func (c *CaCertificateEntry) UnmarshalYAML(value *yaml.Node) error { ExtKeyUsage []string `yaml:"ext-key-usages,omitempty"` Parent string `yaml:"parent"` Storage string `yaml:"storage"` + Profiles []struct { + Name string `yaml:"name"` + UseFor string `yaml:"use-for"` + } `yaml:"profiles"` } err := value.Decode(&m) @@ -590,6 +597,22 @@ func (c *CaCertificateEntry) UnmarshalYAML(value *yaml.Node) error { c.Storage = "default" } + if m.Profiles != nil { + c.Profiles = make([]messages.CAProfile, len(m.Profiles)) + + for i, prof := range m.Profiles { + usage, err := messages.ParseUsage(prof.UseFor) + if err != nil { + return fmt.Errorf("config error: %w", err) + } + + c.Profiles[i] = messages.CAProfile{ + Name: prof.Name, + UseFor: usage, + } + } + } + return nil } diff --git a/internal/hsm/hsm.go b/internal/hsm/hsm.go index 315fcc3..17de7dc 100644 --- a/internal/hsm/hsm.go +++ b/internal/hsm/hsm.go @@ -37,6 +37,8 @@ import ( "github.com/ThalesIgnite/crypto11" "github.com/sirupsen/logrus" + "git.cacert.org/cacert-gosigner/pkg/messages" + "git.cacert.org/cacert-gosigner/internal/config" "git.cacert.org/cacert-gosigner/internal/health" ) @@ -68,7 +70,7 @@ func (a *Access) Healthy() (*health.Info, error) { moreInfo := make(map[string]string) - const checkFailed = "failed" + var checkFailed = messages.CertificateInfo{Status: "failed", Signing: false}.String() for _, ca := range a.signerConfig.RootCAs() { infoKey := fmt.Sprintf("root-%s", ca) @@ -82,7 +84,12 @@ func (a *Access) Healthy() (*health.Info, error) { continue } - moreInfo[infoKey] = fmt.Sprintf("ok, valid until %s", cert.NotAfter.UTC().Format(time.RFC3339)) + moreInfo[infoKey] = messages.CertificateInfo{ + Status: "ok", + Signing: false, + Profiles: []messages.CAProfile{}, + ValidUntil: cert.NotAfter.UTC(), + }.String() } for _, ca := range a.signerConfig.SubordinateCAs() { @@ -115,7 +122,12 @@ func (a *Access) Healthy() (*health.Info, error) { continue } - moreInfo[infoKey] = fmt.Sprintf("ok, valid until %s", cert.NotAfter.UTC().Format(time.RFC3339)) + moreInfo[infoKey] = messages.CertificateInfo{ + Status: "ok", + Signing: true, + Profiles: def.Profiles, + ValidUntil: cert.NotAfter.UTC(), + }.String() } return &health.Info{ diff --git a/pkg/messages/messages.go b/pkg/messages/messages.go index 744e2d1..7b1c759 100644 --- a/pkg/messages/messages.go +++ b/pkg/messages/messages.go @@ -22,6 +22,7 @@ package messages import ( "crypto/x509" + "encoding/json" "encoding/pem" "fmt" "math/big" @@ -144,6 +145,66 @@ func (i *HealthInfo) String() string { return builder.String() } +type ProfileUsage string + +const ( + UsageOcsp ProfileUsage = "ocsp" + UsagePerson ProfileUsage = "person" + UsageClient ProfileUsage = "client" + UsageCode ProfileUsage = "code" + UsageServer ProfileUsage = "server" +) + +var validProfileUsages = map[string]ProfileUsage{ + "ocsp": UsageOcsp, + "person": UsagePerson, + "client": UsageClient, + "code": UsageCode, + "server": UsageServer, +} + +func ParseUsage(u string) (ProfileUsage, error) { + usage, ok := validProfileUsages[u] + if !ok { + return "", fmt.Errorf("unsupported profile usage: %s", u) + } + + return usage, nil +} + +type CAProfile struct { + Name string `json:"name"` + UseFor ProfileUsage `json:"use-for"` +} + +func (p CAProfile) String() string { + return fmt.Sprintf("profile['%s': '%s']", p.Name, p.UseFor) +} + +type CertificateInfo struct { + Status string `json:"status"` + Signing bool `json:"signing"` + Profiles []CAProfile `json:"profiles"` + ValidUntil time.Time `json:"valid-until"` +} + +func (i CertificateInfo) String() string { + marshal, _ := json.Marshal(i) + + return string(marshal) +} + +func (i *HealthInfo) ParseCertificateInfo(info string) (*CertificateInfo, error) { + certInfo := CertificateInfo{} + + err := json.Unmarshal([]byte(info), &certInfo) + if err != nil { + return nil, fmt.Errorf("could not parse certificate information: %w", err) + } + + return &certInfo, nil +} + type HealthResponse struct { Version string `msgpack:"version"` Healthy bool `msgpack:"healthy"`