Commit f7c1a257 authored by Heiko Reese

First working version

parent f2712851
......@@ -36,7 +36,7 @@ func ReadCertificates(filenames ...string) []*x509.Certificate {
}
}
} else {
log.Println("X", err)
log.Println(err)
}
}
return allcerts
......
......@@ -5,7 +5,7 @@ import (
. "git.scc.kit.edu/KIT-CA/websearch"
"github.com/gorilla/mux"
_ "github.com/k0kubun/pp"
"io"
"github.com/satori/go.uuid"
"io/ioutil"
"log"
"net"
......@@ -28,7 +28,7 @@ var (
ccache CertCache
allCertDir string
watcherDone chan bool
newFileChan chan string
newFileChan chan string = make(chan string, 64)
)
func init() {
......@@ -54,29 +54,40 @@ func init() {
}
func getcertHandler(w http.ResponseWriter, r *http.Request) {
headers := w.Header()
headers.Add("Content-Type", "text/html")
serial := mux.Vars(r)["serial"]
whichca, _ := BuildCertificateLink(serial)
io.WriteString(w, whichca)
var (
serial = mux.Vars(r)["serial"]
dowhat = mux.Vars(r)["dowhat"]
)
ca, err := GetIssuer(serial, &ccache)
if err == nil {
url := BuildCertificateLink(RedirTemplates[dowhat], ca, serial)
log.Println("Redirecting ", r.URL.String(), "to", url)
http.Redirect(w, r, url, http.StatusFound)
} else {
uuid4 := uuid.NewV4().String()
log.Printf("[%s] unable to process %s", uuid4, r.URL.String())
errormsg := "Invalid serial number " + serial + " (errorid " + uuid4 + ")"
http.Error(w, errormsg, http.StatusBadRequest)
}
}
func main() {
var err error
// create watcher for new certificates
log.Println("Starting filewatcher for directory", allCertDir)
NewDirectoryWatcher(allCertDir, watcherDone, newFileChan)
go func(newFileChan chan string) {
select {
case newcert := <-newFileChan:
for newcert := range newFileChan {
for _, c := range ReadCertificates(newcert) {
log.Println("Adding new certificate", newcert)
log.Println("Adding certificate from", newcert)
ccache.Add(c)
}
}
}(newFileChan)
// read initial batch of certificates
log.Println("Loading all certificates from", allCertDir)
files, err := ioutil.ReadDir(allCertDir)
if err != nil {
log.Fatal(err)
......@@ -84,18 +95,19 @@ func main() {
var allfiles []string
for _, file := range files {
if !file.IsDir() {
fullname := filepath.Join(allCertDir, file.Name())
fullname := filepath.Join(allCertDir, file.Name())
allfiles = append(allfiles, fullname)
}
}
for _, c := range ReadCertificates(allfiles...) {
ccache.Add(c)
}
log.Println(ccache.Len(), "certificates have been loaded into the certificate cache.")
// create http interface
r := mux.NewRouter()
r.HandleFunc("/p/getcert/{serial}", getcertHandler)
r.Path("/{dowhat:getcert|installcert}/{serial:[0-9]+}").HandlerFunc(getcertHandler)
// TODO: was tun bei anderen anfragen?
//r.NotFoundHandler = http.HandlerFunc
......
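Review bot: getcertHandler builds the redirect from `RedirTemplates[dowhat]` without checking that the key exists, so the only thing preventing a redirect to whatever `fmt.Sprintf("", ca, serial)` yields is the `getcert|installcert` regex on the route in the last hunk; a second route registration or a relaxed pattern would silently turn that into a redirect to a relative garbage path. I would resolve the template first, `tmpl, ok := RedirTemplates[dowhat]; if !ok { http.NotFound(w, r); return }`, and only then call GetIssuer. Separately, the watcher goroutine keeps calling `ccache.Add` for the lifetime of the process while every request reads the cache through GetIssuer; unless CertCache serializes access internally (not visible here) that is a data race on a request-driven path, and either way a comment on the goroutine stating who owns the cache would help. The serial echoed in the 400 body is regex-restricted to digits and http.Error writes text/plain, so the error message itself is fine.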
......@@ -5,12 +5,9 @@ import (
"encoding/asn1"
)
const (
var (
kitcag1 = "kit-ca-g1"
kitcag2 = "kit-ca-g2"
)
var (
// C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, OU=Steinbuch Centre for Computing, CN=KIT-CA/emailAddress=ca@kit.edu
RawIssuerG1 = []byte{
0x30, 0x81, 0xbf, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x44, 0x45,
......
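Review bot: The switch from `const` to `var` for kitcag1/kitcag2 is only needed because CertToSearchable stores `&kitcag1`/`&kitcag2`, and nothing here says so; a future cleanup back to `const` fails to compile, while any write to these package-level vars silently changes the CA generation of every cached certificate at once. A one-line comment on the block would prevent both: `// vars, not consts: CertToSearchable stores pointers to these; never reassign them.`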
......@@ -2,12 +2,19 @@ package websearch
import (
"errors"
"fmt"
"math/big"
)
var (
serialG2Start big.Int
serialG1Cutoff big.Int
serialG2Start big.Int
serialG1Cutoff big.Int
errorCannotConvert = errors.New("Unable to convert serial number to bigint")
errorUnknownCA = errors.New("Unable to determine CA generation")
RedirTemplates = map[string]string{
"getcert": "https://pki.pca.dfn.de/%s/cgi-bin/pub/pki?cmd=send_email_cert&type=email&dataType=CERTIFICATE&key=%s",
"installcert": "https://pki.pca.dfn.de/%s/cgi-bin/pub/pki?cmd=getcert&type=CERTIFICATE&key=%s",
}
)
func init() {
......@@ -16,19 +23,14 @@ func init() {
}
const (
getcertTempl = "https://pki.pca.dfn.de/%s/cgi-bin/pub/pki?cmd=send_email_cert&type=email&dataType=CERTIFICATE&key=%s"
installcertTempl = "https://pki.pca.dfn.de/%s/cgi-bin/pub/pki?cmd=getcert&type=CERTIFICATE&key=%s"
testCertURL = getcertTempl
)
func BuildCertificateLink(serial string) (string, error) {
func GetIssuer(serial string, ccache *CertCache) (string, error) {
// convert to integer
var sernum big.Int
_, ok := sernum.SetString(serial, 10)
if !ok {
return "", errors.New("Unable to convert serial number to bigint")
return "", errorCannotConvert
}
/* das erlaubt dann nicht-legale seriennummern an den gesicherten enden
// alte CA (kurze nummern, serial kleiner als erstes g2)
if len(serial) == 8 || len(serial) == 14 || sernum.Cmp(&serialG2Start) < 1 {
return kitcag1, nil
......@@ -37,8 +39,16 @@ func BuildCertificateLink(serial string) (string, error) {
if sernum.Cmp(&serialG1Cutoff) == 1 {
return kitcag2, nil
}
*/
// check certificate cache
fromcache := ccache.Get(serial)
if fromcache == nil {
return "", errorUnknownCA
}
return *fromcache.CAGeneration, nil
}
// TODO: memdb befragen
return "", errors.New("both callouts failed")
func BuildCertificateLink(template, ca, serial string) string {
fmt.Printf("[%#v] [%#v] [%#v]\n", template, ca, serial)
return fmt.Sprintf(template, ca, serial)
}
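Review bot: BuildCertificateLink still carries a debug `fmt.Printf("[%#v] [%#v] [%#v]\n", template, ca, serial)` that writes every template/CA/serial triple to stdout on each request, bypassing the log package used everywhere else; drop it or make it `log.Printf`. GetIssuer dereferences `*fromcache.CAGeneration` without a nil check, which is safe only as long as CertToSearchable always sets the field — it currently does, but a cache entry built any other way would panic the handler goroutine, so `if fromcache.CAGeneration == nil { return "", errorUnknownCA }` before the return is cheap insurance. The big.Int parse now serves only as syntax validation since the range checks are commented out; a short comment saying so (`// parse only to validate the syntax; CA lookup comes from the cache`) would stop the next reader from wondering why `sernum` is otherwise unused, and the German commented-out block deserves either translation or deletion.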
package websearch
import (
"bytes"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
......@@ -21,7 +22,8 @@ type SearchableCert struct {
DNSNames []string `json:san`
EmailAddresses []string `json:email`
IPAddresses []string `json:ip`
searchablestring string
CAGeneration *string
searchablestring string // TODO
RawCertificate *x509.Certificate
}
......@@ -85,6 +87,12 @@ func CertToSearchable(c *x509.Certificate) SearchableCert {
default:
cert.KeyLength = -1
}
if bytes.Compare(c.RawIssuer, RawIssuerG1) == 0 {
cert.CAGeneration = &kitcag1
} else {
//if bytes.Compare(c.RawIssuer, RawIssuerG2) == 0 {
cert.CAGeneration = &kitcag2
}
return cert
}
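Review bot: The `else` branch assigns kitcag2 to every certificate whose issuer is not RawIssuerG1, so a certificate from any third CA that lands in the watched directory is cached as a KIT-CA G2 certificate and GetIssuer will happily redirect its serial to the DFN G2 endpoint; the commented-out `bytes.Compare(c.RawIssuer, RawIssuerG2)` shows the intended check. I would restore it as an `else if` and leave CAGeneration nil for anything else (assuming RawIssuerG2 is defined next to RawIssuerG1, which this page does not show), with GetIssuer then checking for nil before dereferencing. `bytes.Equal` reads better than `bytes.Compare(...) == 0` for both comparisons. CertToSearchable begins before this hunk; only its tail is visible.
```go
	// … unchanged: key-length switch …
	switch {
	case bytes.Equal(c.RawIssuer, RawIssuerG1):
		cert.CAGeneration = &kitcag1
	case bytes.Equal(c.RawIssuer, RawIssuerG2):
		cert.CAGeneration = &kitcag2
	default:
		// unknown issuer: leave CAGeneration nil so GetIssuer reports errorUnknownCA
	}
	return cert
```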