2014-10-21 13:54:25 +02:00
|
|
|
/******************************************************************************
|
|
|
|
* Icinga 2 *
|
2016-01-12 08:29:59 +01:00
|
|
|
* Copyright (C) 2012-2016 Icinga Development Team (https://www.icinga.org/) *
|
2014-10-21 13:54:25 +02:00
|
|
|
* *
|
|
|
|
* This program is free software; you can redistribute it and/or *
|
|
|
|
* modify it under the terms of the GNU General Public License *
|
|
|
|
* as published by the Free Software Foundation; either version 2 *
|
|
|
|
* of the License, or (at your option) any later version. *
|
|
|
|
* *
|
|
|
|
* This program is distributed in the hope that it will be useful, *
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
|
|
|
* GNU General Public License for more details. *
|
|
|
|
* *
|
|
|
|
* You should have received a copy of the GNU General Public License *
|
|
|
|
* along with this program; if not, write to the Free Software Foundation *
|
|
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. *
|
|
|
|
******************************************************************************/
|
|
|
|
|
|
|
|
#include "cli/pkiutility.hpp"
|
|
|
|
#include "cli/clicommand.hpp"
|
|
|
|
#include "base/logger.hpp"
|
|
|
|
#include "base/application.hpp"
|
|
|
|
#include "base/tlsutility.hpp"
|
2015-11-24 17:01:46 +01:00
|
|
|
#include "base/console.hpp"
|
2014-10-21 13:54:25 +02:00
|
|
|
#include "base/tlsstream.hpp"
|
|
|
|
#include "base/tcpsocket.hpp"
|
2014-11-02 19:38:35 +01:00
|
|
|
#include "base/json.hpp"
|
2014-10-21 13:54:25 +02:00
|
|
|
#include "base/utility.hpp"
|
2014-12-15 10:16:06 +01:00
|
|
|
#include "base/exception.hpp"
|
2014-10-21 13:54:25 +02:00
|
|
|
#include "remote/jsonrpc.hpp"
|
|
|
|
#include <fstream>
|
|
|
|
#include <iostream>
|
|
|
|
|
|
|
|
using namespace icinga;
|
|
|
|
|
2014-10-21 18:13:08 +02:00
|
|
|
String PkiUtility::GetPkiPath(void)
|
|
|
|
{
|
|
|
|
return Application::GetSysconfDir() + "/icinga2/pki";
|
|
|
|
}
|
|
|
|
|
|
|
|
String PkiUtility::GetLocalCaPath(void)
|
|
|
|
{
|
|
|
|
return Application::GetLocalStateDir() + "/lib/icinga2/ca";
|
|
|
|
}
|
|
|
|
|
2014-10-21 13:54:25 +02:00
|
|
|
int PkiUtility::NewCa(void)
|
|
|
|
{
|
2015-11-19 17:06:41 +01:00
|
|
|
String caDir = GetLocalCaPath();
|
|
|
|
String caCertFile = caDir + "/ca.crt";
|
|
|
|
String caKeyFile = caDir + "/ca.key";
|
|
|
|
String caSerialFile = caDir + "/serial.txt";
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2015-11-19 17:06:41 +01:00
|
|
|
if (Utility::PathExists(caCertFile) && Utility::PathExists(caKeyFile)) {
|
2014-10-21 13:54:25 +02:00
|
|
|
Log(LogCritical, "cli")
|
2016-02-09 15:53:40 +01:00
|
|
|
<< "CA files '" << caCertFile << "' and '" << caKeyFile << "' already exist.";
|
2014-10-21 13:54:25 +02:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2015-11-19 17:06:41 +01:00
|
|
|
Utility::MkDirP(caDir, 0700);
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2015-11-19 17:06:41 +01:00
|
|
|
MakeX509CSR("Icinga CA", caKeyFile, String(), caCertFile, caSerialFile, true);
|
2014-10-21 13:54:25 +02:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int PkiUtility::NewCert(const String& cn, const String& keyfile, const String& csrfile, const String& certfile)
|
|
|
|
{
|
|
|
|
try {
|
|
|
|
MakeX509CSR(cn, keyfile, csrfile, certfile);
|
|
|
|
} catch(std::exception&) {
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int PkiUtility::SignCsr(const String& csrfile, const String& certfile)
|
|
|
|
{
|
|
|
|
char errbuf[120];
|
|
|
|
|
|
|
|
InitializeOpenSSL();
|
|
|
|
|
|
|
|
BIO *csrbio = BIO_new_file(csrfile.CStr(), "r");
|
|
|
|
X509_REQ *req = PEM_read_bio_X509_REQ(csrbio, NULL, NULL, NULL);
|
|
|
|
|
|
|
|
if (!req) {
|
|
|
|
Log(LogCritical, "SSL")
|
|
|
|
<< "Could not read X509 certificate request from '" << csrfile << "': " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
BIO_free(csrbio);
|
|
|
|
|
2014-11-08 21:17:16 +01:00
|
|
|
boost::shared_ptr<X509> cert = CreateCertIcingaCA(X509_REQ_get_pubkey(req), X509_REQ_get_subject_name(req));
|
2014-10-21 13:54:25 +02:00
|
|
|
|
|
|
|
X509_REQ_free(req);
|
|
|
|
|
|
|
|
std::ofstream fpcert;
|
|
|
|
fpcert.open(certfile.CStr());
|
|
|
|
|
|
|
|
if (!fpcert) {
|
|
|
|
Log(LogCritical, "cli")
|
|
|
|
<< "Failed to open certificate file '" << certfile << "' for output";
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
fpcert << CertificateToString(cert);
|
|
|
|
fpcert.close();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-11-24 17:01:46 +01:00
|
|
|
boost::shared_ptr<X509> PkiUtility::FetchCert(const String& host, const String& port)
|
2014-10-21 13:54:25 +02:00
|
|
|
{
|
2014-11-08 21:17:16 +01:00
|
|
|
TcpSocket::Ptr client = new TcpSocket();
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2014-12-15 11:44:56 +01:00
|
|
|
try {
|
|
|
|
client->Connect(host, port);
|
|
|
|
} catch (const std::exception& ex) {
|
2015-11-24 17:01:46 +01:00
|
|
|
Log(LogCritical, "pki")
|
2014-12-15 11:44:56 +01:00
|
|
|
<< "Cannot connect to host '" << host << "' on port '" << port << "'";
|
2015-11-24 17:01:46 +01:00
|
|
|
Log(LogDebug, "pki")
|
2014-12-15 11:44:56 +01:00
|
|
|
<< "Cannot connect to host '" << host << "' on port '" << port << "':\n" << DiagnosticInformation(ex);
|
2015-11-26 11:10:55 +01:00
|
|
|
return boost::shared_ptr<X509>();
|
2014-12-15 11:44:56 +01:00
|
|
|
}
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2014-12-15 11:44:56 +01:00
|
|
|
boost::shared_ptr<SSL_CTX> sslContext;
|
|
|
|
|
|
|
|
try {
|
2015-11-24 17:01:46 +01:00
|
|
|
sslContext = MakeSSLContext();
|
2014-12-15 11:44:56 +01:00
|
|
|
} catch (const std::exception& ex) {
|
2015-11-24 17:01:46 +01:00
|
|
|
Log(LogCritical, "pki")
|
|
|
|
<< "Cannot make SSL context.";
|
|
|
|
Log(LogDebug, "pki")
|
|
|
|
<< "Cannot make SSL context:\n" << DiagnosticInformation(ex);
|
2015-11-26 11:10:55 +01:00
|
|
|
return boost::shared_ptr<X509>();
|
2014-12-15 11:44:56 +01:00
|
|
|
}
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2016-04-21 15:44:51 +02:00
|
|
|
TlsStream::Ptr stream = new TlsStream(client, host, RoleClient, sslContext);
|
2014-10-21 13:54:25 +02:00
|
|
|
|
|
|
|
try {
|
|
|
|
stream->Handshake();
|
|
|
|
} catch (...) {
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2015-11-24 17:01:46 +01:00
|
|
|
return stream->GetPeerCertificate();
|
|
|
|
}
|
2015-02-13 21:02:48 +01:00
|
|
|
|
2015-11-24 17:01:46 +01:00
|
|
|
int PkiUtility::WriteCert(const boost::shared_ptr<X509>& cert, const String& trustedfile)
|
|
|
|
{
|
2014-10-21 13:54:25 +02:00
|
|
|
std::ofstream fpcert;
|
|
|
|
fpcert.open(trustedfile.CStr());
|
|
|
|
fpcert << CertificateToString(cert);
|
|
|
|
fpcert.close();
|
|
|
|
|
|
|
|
if (fpcert.fail()) {
|
2015-11-24 17:01:46 +01:00
|
|
|
Log(LogCritical, "pki")
|
2014-10-21 13:54:25 +02:00
|
|
|
<< "Could not write certificate to file '" << trustedfile << "'.";
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2015-11-24 17:01:46 +01:00
|
|
|
Log(LogInformation, "pki")
|
2014-10-21 13:54:25 +02:00
|
|
|
<< "Writing trusted certificate to file '" << trustedfile << "'.";
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int PkiUtility::GenTicket(const String& cn, const String& salt, std::ostream& ticketfp)
|
|
|
|
{
|
|
|
|
ticketfp << PBKDF2_SHA1(cn, salt, 50000) << "\n";
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int PkiUtility::RequestCertificate(const String& host, const String& port, const String& keyfile,
|
2015-11-24 17:01:46 +01:00
|
|
|
const String& certfile, const String& cafile, const boost::shared_ptr<X509>& trustedCert, const String& ticket)
|
2014-10-21 13:54:25 +02:00
|
|
|
{
|
2014-11-08 21:17:16 +01:00
|
|
|
TcpSocket::Ptr client = new TcpSocket();
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2014-10-23 16:07:48 +02:00
|
|
|
try {
|
|
|
|
client->Connect(host, port);
|
|
|
|
} catch (const std::exception& ex) {
|
|
|
|
Log(LogCritical, "cli")
|
|
|
|
<< "Cannot connect to host '" << host << "' on port '" << port << "'";
|
|
|
|
Log(LogDebug, "cli")
|
|
|
|
<< "Cannot connect to host '" << host << "' on port '" << port << "':\n" << DiagnosticInformation(ex);
|
|
|
|
return 1;
|
|
|
|
}
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2014-11-08 21:17:16 +01:00
|
|
|
boost::shared_ptr<SSL_CTX> sslContext;
|
2014-10-23 16:07:48 +02:00
|
|
|
|
|
|
|
try {
|
|
|
|
sslContext = MakeSSLContext(certfile, keyfile);
|
|
|
|
} catch (const std::exception& ex) {
|
|
|
|
Log(LogCritical, "cli")
|
2014-12-18 16:55:45 +01:00
|
|
|
<< "Cannot make SSL context for cert path: '" << certfile << "' key path: '" << keyfile << "' ca path: '" << cafile << "'.";
|
2014-12-15 11:44:56 +01:00
|
|
|
Log(LogDebug, "cli")
|
2014-12-18 16:55:45 +01:00
|
|
|
<< "Cannot make SSL context for cert path: '" << certfile << "' key path: '" << keyfile << "' ca path: '" << cafile << "':\n" << DiagnosticInformation(ex);
|
2014-10-23 16:07:48 +02:00
|
|
|
return 1;
|
|
|
|
}
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2016-04-21 15:44:51 +02:00
|
|
|
TlsStream::Ptr stream = new TlsStream(client, host, RoleClient, sslContext);
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2014-10-23 16:07:48 +02:00
|
|
|
try {
|
|
|
|
stream->Handshake();
|
|
|
|
} catch (const std::exception&) {
|
|
|
|
Log(LogCritical, "cli", "Client TLS handshake failed.");
|
|
|
|
return 1;
|
|
|
|
}
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2014-11-08 21:17:16 +01:00
|
|
|
boost::shared_ptr<X509> peerCert = stream->GetPeerCertificate();
|
2014-10-23 16:07:48 +02:00
|
|
|
|
2015-11-24 17:01:46 +01:00
|
|
|
if (X509_cmp(peerCert.get(), trustedCert.get())) {
|
2014-10-21 13:54:25 +02:00
|
|
|
Log(LogCritical, "cli", "Peer certificate does not match trusted certificate.");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2014-11-08 21:17:16 +01:00
|
|
|
Dictionary::Ptr request = new Dictionary();
|
2014-10-21 13:54:25 +02:00
|
|
|
|
|
|
|
String msgid = Utility::NewUniqueID();
|
|
|
|
|
|
|
|
request->Set("jsonrpc", "2.0");
|
|
|
|
request->Set("id", msgid);
|
|
|
|
request->Set("method", "pki::RequestCertificate");
|
|
|
|
|
2014-11-08 21:17:16 +01:00
|
|
|
Dictionary::Ptr params = new Dictionary();
|
2014-10-21 13:54:25 +02:00
|
|
|
params->Set("ticket", String(ticket));
|
|
|
|
|
|
|
|
request->Set("params", params);
|
|
|
|
|
|
|
|
JsonRpc::SendMessage(stream, request);
|
|
|
|
|
2016-01-27 16:43:23 +01:00
|
|
|
String jsonString;
|
2014-10-21 13:54:25 +02:00
|
|
|
Dictionary::Ptr response;
|
2015-02-14 16:34:36 +01:00
|
|
|
StreamReadContext src;
|
2014-10-21 13:54:25 +02:00
|
|
|
|
|
|
|
for (;;) {
|
2016-01-27 16:43:23 +01:00
|
|
|
StreamReadStatus srs = JsonRpc::ReadMessage(stream, &jsonString, src);
|
2015-02-14 16:34:36 +01:00
|
|
|
|
|
|
|
if (srs == StatusEof)
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (srs != StatusNewItem)
|
|
|
|
continue;
|
2014-10-21 13:54:25 +02:00
|
|
|
|
2016-01-27 16:43:23 +01:00
|
|
|
response = JsonRpc::DecodeMessage(jsonString);
|
|
|
|
|
2014-11-02 19:38:35 +01:00
|
|
|
if (response && response->Contains("error")) {
|
|
|
|
Log(LogCritical, "cli", "Could not fetch valid response. Please check the master log (notice or debug).");
|
2014-12-19 12:19:28 +01:00
|
|
|
#ifdef I2_DEBUG
|
2014-11-02 19:38:35 +01:00
|
|
|
/* we shouldn't expose master errors to the user in production environments */
|
|
|
|
Log(LogCritical, "cli", response->Get("error"));
|
2014-12-19 12:19:28 +01:00
|
|
|
#endif /* I2_DEBUG */
|
2014-11-02 19:38:35 +01:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (response && (response->Get("id") != msgid))
|
2014-10-21 13:54:25 +02:00
|
|
|
continue;
|
|
|
|
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2014-11-02 19:38:35 +01:00
|
|
|
if (!response) {
|
|
|
|
Log(LogCritical, "cli", "Could not fetch valid response. Please check the master log.");
|
2014-10-30 16:19:51 +01:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2014-10-21 13:54:25 +02:00
|
|
|
Dictionary::Ptr result = response->Get("result");
|
|
|
|
|
|
|
|
if (result->Contains("error")) {
|
|
|
|
Log(LogCritical, "cli", result->Get("error"));
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
std::ofstream fpcert;
|
|
|
|
fpcert.open(certfile.CStr());
|
|
|
|
fpcert << result->Get("cert");
|
|
|
|
fpcert.close();
|
|
|
|
|
|
|
|
if (fpcert.fail()) {
|
|
|
|
Log(LogCritical, "cli")
|
|
|
|
<< "Could not write certificate to file '" << certfile << "'.";
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
Log(LogInformation, "cli")
|
|
|
|
<< "Writing signed certificate to file '" << certfile << "'.";
|
|
|
|
|
|
|
|
std::ofstream fpca;
|
|
|
|
fpca.open(cafile.CStr());
|
|
|
|
fpca << result->Get("ca");
|
|
|
|
fpca.close();
|
|
|
|
|
|
|
|
if (fpca.fail()) {
|
|
|
|
Log(LogCritical, "cli")
|
|
|
|
<< "Could not open CA certificate file '" << cafile << "' for writing.";
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
Log(LogInformation, "cli")
|
2014-10-21 21:33:21 +02:00
|
|
|
<< "Writing CA certificate to file '" << cafile << "'.";
|
2014-10-21 13:54:25 +02:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2015-11-24 17:01:46 +01:00
|
|
|
|
|
|
|
String PkiUtility::GetCertificateInformation(const boost::shared_ptr<X509>& cert) {
|
|
|
|
BIO *out = BIO_new(BIO_s_mem());
|
|
|
|
String pre;
|
|
|
|
|
|
|
|
pre = "\n Subject: ";
|
|
|
|
BIO_write(out, pre.CStr(), pre.GetLength());
|
|
|
|
X509_NAME_print_ex(out, X509_get_subject_name(cert.get()), 0, XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
|
|
|
|
|
|
|
|
pre = "\n Issuer: ";
|
|
|
|
BIO_write(out, pre.CStr(), pre.GetLength());
|
|
|
|
X509_NAME_print_ex(out, X509_get_issuer_name(cert.get()), 0, XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
|
|
|
|
|
|
|
|
pre = "\n Valid From: ";
|
|
|
|
BIO_write(out, pre.CStr(), pre.GetLength());
|
2016-08-01 09:47:58 +02:00
|
|
|
ASN1_TIME_print(out, X509_get_notBefore(cert.get()));
|
2015-11-24 17:01:46 +01:00
|
|
|
|
|
|
|
pre = "\n Valid Until: ";
|
|
|
|
BIO_write(out, pre.CStr(), pre.GetLength());
|
2016-08-01 09:47:58 +02:00
|
|
|
ASN1_TIME_print(out, X509_get_notAfter(cert.get()));
|
2015-11-24 17:01:46 +01:00
|
|
|
|
|
|
|
pre = "\n Fingerprint: ";
|
|
|
|
BIO_write(out, pre.CStr(), pre.GetLength());
|
|
|
|
unsigned char md[EVP_MAX_MD_SIZE];
|
|
|
|
unsigned int diglen;
|
|
|
|
X509_digest(cert.get(), EVP_sha1(), md, &diglen);
|
|
|
|
|
|
|
|
char *data;
|
|
|
|
long length = BIO_get_mem_data(out, &data);
|
|
|
|
|
|
|
|
std::stringstream info;
|
|
|
|
info << String(data, data + length);
|
|
|
|
for (unsigned int i = 0; i < diglen; i++) {
|
|
|
|
info << std::setfill('0') << std::setw(2) << std::uppercase
|
|
|
|
<< std::hex << static_cast<int>(md[i]) << ' ';
|
|
|
|
}
|
|
|
|
info << '\n';
|
|
|
|
|
|
|
|
return info.str();
|
|
|
|
}
|