1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
package remote
import (
"crypto/x509"
"encoding/json"
"errors"
"net/http"
"github.com/cloudflare/cfssl/api/client"
"github.com/cloudflare/cfssl/certdb"
"github.com/cloudflare/cfssl/config"
cferr "github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/info"
"github.com/cloudflare/cfssl/signer"
)
// A Signer represents a CFSSL instance running as signing server.
// fulfills the signer.Signer interface
type Signer struct {
policy *config.Signing
reqModifier func(*http.Request, []byte)
}
// NewSigner creates a new remote Signer directly from a
// signing policy.
func NewSigner(policy *config.Signing) (*Signer, error) {
if policy != nil {
if !policy.Valid() {
return nil, cferr.New(cferr.PolicyError,
cferr.InvalidPolicy)
}
return &Signer{policy: policy}, nil
}
return nil, cferr.New(cferr.PolicyError,
cferr.InvalidPolicy)
}
// Sign sends a signature request to the remote CFSSL server,
// receiving a signed certificate or an error in response. The hostname,
// csr, and profileName are used as with a local signing operation, and
// the label is used to select a signing root in a multi-root CA.
func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
resp, err := s.remoteOp(req, req.Profile, "sign")
if err != nil {
return
}
if cert, ok := resp.([]byte); ok {
return cert, nil
}
return
}
// Info sends an info request to the remote CFSSL server, receiving an
// Resp struct or an error in response.
func (s *Signer) Info(req info.Req) (resp *info.Resp, err error) {
respInterface, err := s.remoteOp(req, req.Profile, "info")
if err != nil {
return
}
if resp, ok := respInterface.(*info.Resp); ok {
return resp, nil
}
return
}
// Helper function to perform a remote sign or info request.
func (s *Signer) remoteOp(req interface{}, profile, target string) (resp interface{}, err error) {
jsonData, err := json.Marshal(req)
if err != nil {
return nil, cferr.Wrap(cferr.APIClientError, cferr.JSONError, err)
}
p, err := signer.Profile(s, profile)
if err != nil {
return
}
server := client.NewServerTLS(p.RemoteServer, helpers.CreateTLSConfig(p.RemoteCAs, p.ClientCert))
if server == nil {
return nil, cferr.Wrap(cferr.PolicyError, cferr.InvalidRequest,
errors.New("failed to connect to remote"))
}
server.SetReqModifier(s.reqModifier)
// There's no auth provider for the "info" method
if target == "info" {
resp, err = server.Info(jsonData)
} else if p.RemoteProvider != nil {
resp, err = server.AuthSign(jsonData, nil, p.RemoteProvider)
} else {
resp, err = server.Sign(jsonData)
}
if err != nil {
return nil, err
}
return
}
// SigAlgo returns the RSA signer's signature algorithm.
func (s *Signer) SigAlgo() x509.SignatureAlgorithm {
// TODO: implement this as a remote info call
return x509.UnknownSignatureAlgorithm
}
// SetPolicy sets the signer's signature policy.
func (s *Signer) SetPolicy(policy *config.Signing) {
s.policy = policy
}
// SetDBAccessor sets the signers' cert db accessor, currently noop.
func (s *Signer) SetDBAccessor(dba certdb.Accessor) {
// noop
}
// GetDBAccessor returns the signers' cert db accessor, currently noop.
func (s *Signer) GetDBAccessor() certdb.Accessor {
return nil
}
// SetReqModifier sets the function to call to modify the HTTP request prior to sending it
func (s *Signer) SetReqModifier(mod func(*http.Request, []byte)) {
s.reqModifier = mod
}
// Policy returns the signer's policy.
func (s *Signer) Policy() *config.Signing {
return s.policy
}
|
