cacert-gosigner/pkg/messages/messages.go
Jan Dittberner afe7d23c9b Implement CA information command
This commit defines command codes for planned commands and response codes for
their corresponding responses.

The health response from the HSM access component has been reduced to avoid
unnecessary data transmissions.

A new CA information command has been implemented. This command can be used
to retrieve the CA certificate and profile information for a given CA name.

The client simulator has been updated to retrieve CA information for all
CAs when the list of CAs changes.
2022-12-02 18:31:59 +01:00

394 lines
9.1 KiB
Go

/*
Copyright 2022 CAcert Inc.
SPDX-License-Identifier: Apache-2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
//go:generate go run github.com/shamaton/msgpackgen
// Package messages contains structure definitions for protocol messages
package messages
import (
"crypto/x509"
"encoding/pem"
"fmt"
"math/big"
"sort"
"strings"
"time"
// required for msgpackgen
_ "github.com/dave/jennifer"
"github.com/google/uuid"
)
type CommandCode int8
const (
CmdUndef CommandCode = iota
CmdHealth
CmdCAInfo
CmdFetchCRL
CmdSignCertificate
CmdSignOpenPGP
CmdRevokeCertificate
)
var commandNames = map[CommandCode]string{
CmdUndef: "UNDEFINED",
CmdHealth: "HEALTH",
CmdFetchCRL: "FETCH CRL",
CmdCAInfo: "CA INFO",
CmdSignCertificate: "SIG CERT",
CmdSignOpenPGP: "SIG OPENPGP",
CmdRevokeCertificate: "REV CERT",
}
func (c CommandCode) String() string {
if name, ok := commandNames[c]; ok {
return name
}
return fmt.Sprintf("unknown %d", c)
}
type ResponseCode int8
const (
RespError ResponseCode = -1
RespUndef ResponseCode = iota
RespHealth
RespCAInfo
RespFetchCRL
RespSignCertificate
RespSignOpenPGP
RespRevokeCertificate
)
var responseNames = map[ResponseCode]string{
RespError: "ERROR",
RespUndef: "UNDEFINED",
RespHealth: "HEALTH",
RespCAInfo: "CA INFO",
RespFetchCRL: "FETCH CRL",
RespSignCertificate: "SIG CERT",
RespSignOpenPGP: "SIG OPENPGP",
RespRevokeCertificate: "REV CERT",
}
func (c ResponseCode) String() string {
if name, ok := responseNames[c]; ok {
return name
}
return fmt.Sprintf("unknown %d", c)
}
type CommandAnnounce struct {
Code CommandCode `msgpack:"code"`
ID string `msgpack:"id"`
Created time.Time `msgpack:"created"`
}
func (r *CommandAnnounce) String() string {
return fmt.Sprintf("code=%s, id=%s, created=%s", r.Code, r.ID, r.Created.Format(time.RFC3339))
}
func BuildCommandAnnounce(code CommandCode) *CommandAnnounce {
commandID := uuid.NewString()
return &CommandAnnounce{Code: code, ID: commandID, Created: time.Now().UTC()}
}
type ResponseAnnounce struct {
Code ResponseCode `msgpack:"code"`
Created time.Time `msgpack:"created"`
ID string `msgpack:"id"`
}
func (r *ResponseAnnounce) String() string {
return fmt.Sprintf("code=%s, id=%s, created=%s", r.Code, r.ID, r.Created.Format(time.RFC3339))
}
func BuildResponseAnnounce(code ResponseCode, commandID string) *ResponseAnnounce {
return &ResponseAnnounce{Code: code, ID: commandID, Created: time.Now().UTC()}
}
type HealthCommand struct{}
func (h *HealthCommand) String() string {
return ""
}
type CAInfoCommand struct {
Name string `msgpack:"name"`
}
func (r *CAInfoCommand) String() string {
return fmt.Sprintf("name=%s", r.Name)
}
type FetchCRLCommand struct {
IssuerID string `msgpack:"issuer_id"`
LastKnownID []byte `msgpack:"last_known_id"`
}
func (f *FetchCRLCommand) String() string {
builder := &strings.Builder{}
_, _ = fmt.Fprintf(builder, "issuerId='%s'", f.IssuerID)
if f.LastKnownID != nil {
_, _ = fmt.Fprintf(builder, ", lastKnownId=0x%x", new(big.Int).SetBytes(f.LastKnownID))
}
return builder.String()
}
type ProfileUsage uint8
const (
UsageInvalid ProfileUsage = iota
UsageOCSP
UsageClient
UsageCode
UsagePerson
UsageServer
UsageServerClient
UsageOrgClient
UsageOrgCode
UsageOrgEmail
UsageOrgPerson
UsageOrgServer
UsageOrgServerClient
)
var validProfileUsages = map[string]ProfileUsage{
"ocsp": UsageOCSP,
"client": UsageClient,
"code": UsageCode,
"person": UsagePerson,
"server": UsageServer,
"server_client": UsageServerClient,
"org_client": UsageOrgClient,
"org_code": UsageOrgCode,
"org_email": UsageOrgEmail,
"org_person": UsageOrgPerson,
"org_server": UsageOrgServer,
"org_server_client": UsageOrgServerClient,
}
var profileUsageDetails = map[ProfileUsage]struct {
Name string
Description string
}{
UsageInvalid: {"invalid", "Invalid certificate profile, not to be used"},
UsageOCSP: {"ocsp", "OCSP responder signing certificate"},
UsageClient: {"client", "machine TLS client certificate"},
UsageCode: {"code", "individual code signing certificate"},
UsagePerson: {"person", "person identity certificate"},
UsageServer: {"server", "TLS server certificate"},
UsageServerClient: {"server_client", "combined TLS server and client certificate"},
UsageOrgClient: {"org_client", "organization machine TLS client certificate"},
UsageOrgCode: {"org_code", "organization code signing certificate"},
UsageOrgEmail: {"org_email", "organization email certificate"},
UsageOrgPerson: {"org_person", "organizational person identity certificate"},
UsageOrgServer: {"org_server", "organization TLS server certificate"},
UsageOrgServerClient: {
"org_server_client",
"combined organization TLS server and client certificate",
},
}
func (p ProfileUsage) String() string {
name, ok := profileUsageDetails[p]
if !ok {
return fmt.Sprintf("unknown profile usage %d", p)
}
return name.Name
}
func (p ProfileUsage) Description() string {
name, ok := profileUsageDetails[p]
if !ok {
return fmt.Sprintf("unknown profile usage %d", p)
}
return name.Description
}
func ParseUsage(u string) (ProfileUsage, error) {
usage, ok := validProfileUsages[u]
if !ok {
return UsageInvalid, fmt.Errorf("unsupported profile usage: %s", u)
}
return usage, nil
}
type CAProfile struct {
Name string `msgpack:"name"`
UseFor ProfileUsage `msgpack:"use-for"`
}
func (p CAProfile) String() string {
return fmt.Sprintf("profile['%s': '%s']", p.Name, p.UseFor)
}
type CertificateStatus string
const (
CertStatusOk CertificateStatus = "ok"
CertStatusFailed CertificateStatus = "failed"
)
type CAInfoResponse struct {
Name string `msgpack:"name"`
Certificate []byte `msgpack:"certificate"`
Signing bool `msgpack:"signing"`
Profiles []CAProfile `msgpack:"profiles,omitempty"`
}
func (i CAInfoResponse) String() string {
return fmt.Sprintf("certificate name=%s, signing=%t, profiles=[%s]", i.Name, i.Signing, i.Profiles)
}
type HealthInfo struct {
Source string
Healthy bool
MoreInfo map[string]string
}
func (i *HealthInfo) String() string {
builder := &strings.Builder{}
_, _ = fmt.Fprintf(builder, "source: %s, healthy: %v", i.Source, i.Healthy)
if len(i.MoreInfo) > 0 {
keys := make([]string, 0, len(i.MoreInfo))
parts := make([]string, len(i.MoreInfo))
for k := range i.MoreInfo {
keys = append(keys, k)
}
sort.Strings(keys)
for j, k := range keys {
parts[j] = fmt.Sprintf("'%s': '%s'", k, i.MoreInfo[k])
}
builder.WriteRune('[')
builder.WriteString(strings.Join(parts, ", "))
builder.WriteRune(']')
}
return builder.String()
}
type HealthResponse struct {
Version string `msgpack:"version"`
Healthy bool `msgpack:"healthy"`
Info []*HealthInfo
}
func (h *HealthResponse) String() string {
builder := &strings.Builder{}
_, _ = fmt.Fprintf(builder, "signer version=%s, healthy=%v, health data=[", h.Version, h.Healthy)
infos := make([]string, len(h.Info))
for i, info := range h.Info {
infos[i] = fmt.Sprintf("{%s}", info)
}
builder.WriteString(strings.Join(infos, ", "))
builder.WriteRune(']')
return builder.String()
}
type FetchCRLResponse struct {
IssuerID string `msgpack:"issuer_id"`
IsDelta bool `msgpack:"is_delta"`
UnChanged bool `msgpack:"unchanged"`
CRLData []byte `msgpack:"crl_data"`
CRLNumber []byte `msgpack:"crl_number"`
}
func (r *FetchCRLResponse) String() string {
builder := &strings.Builder{}
_, _ = fmt.Fprintf(
builder,
"issuer id=%s, delta=%t, unchanged=%t, CRL number=0x%x",
r.IssuerID,
r.IsDelta,
r.UnChanged,
new(big.Int).SetBytes(r.CRLNumber),
)
if r.UnChanged {
return builder.String()
}
if r.IsDelta {
_, _ = fmt.Fprintf(builder, ", delta CRL data of %d bytes not shown", len(r.CRLData))
return builder.String()
}
revocationList, err := x509.ParseRevocationList(r.CRLData)
if err != nil {
_, _ = fmt.Fprintf(builder, ", could not parse CRL: %s", err.Error())
return builder.String()
}
_, _ = fmt.Fprintf(
builder,
", CRL info: issuer=%s, number=0x%x, next update=%s, revoked certificates=%d",
revocationList.Issuer,
revocationList.Number,
revocationList.NextUpdate,
len(revocationList.RevokedCertificates),
)
_, _ = builder.WriteString(", CRL data:\n")
_ = pem.Encode(builder, &pem.Block{
Type: "CERTIFICATE REVOCATION LIST",
Bytes: r.CRLData,
})
return builder.String()
}
type ErrorResponse struct {
Message string `msgpack:"message"`
}
func (e *ErrorResponse) String() string {
return fmt.Sprintf("message=%s", e.Message)
}