app: add compatibility warnings

Try to warn users in console output about possible certificate issues.

fixes: https://github.com/gregtwallace/apc-p15-tool/issues/20
This commit is contained in:
Greg T. Wallace 2025-06-23 19:55:09 -04:00
parent 7319fc16d8
commit b821002e85
5 changed files with 152 additions and 19 deletions

View file

@ -145,7 +145,7 @@ func (app *app) cmdInstall(cmdCtx context.Context, args []string) error {
// verify cert is the correct one
certVerified := bytes.Equal(leafCert.Raw, pemBlock.Bytes)
if !certVerified {
return errors.New("install: web ui leaf cert does not match new cert")
return errors.New("install: web ui leaf cert does not match new cert (your cert may not be compatible with NMC; check for WARNINGs in this tool's output)")
}
app.stdLogger.Println("install: ups web ui cert verified")

View file

@ -2,8 +2,11 @@ package app
import (
"apc-p15-tool/pkg/pkcs15"
"crypto/x509"
"encoding/asn1"
"fmt"
"slices"
"time"
)
// list of keys supported by the NMC2
@ -13,6 +16,32 @@ var nmc2SupportedKeyTypes = []pkcs15.KeyType{
pkcs15.KeyTypeRSA3072, // officially not supported but works
}
// known good signing algorithms
var knownSupportedNMC2SigningAlgs = []x509.SignatureAlgorithm{
x509.SHA256WithRSA,
}
var knownSupportedNMC3SigningAlgs = append(knownSupportedNMC2SigningAlgs, []x509.SignatureAlgorithm{
x509.ECDSAWithSHA384,
}...)
// known supported cert extensions
var knownSupportedCriticalOIDs = []asn1.ObjectIdentifier{
{2, 5, 29, 15}, // keyUsage
{2, 5, 29, 19}, // basicConstraints
{2, 5, 29, 17}, // subjectAltName
}
var knownSupportedOIDs = append(knownSupportedCriticalOIDs, []asn1.ObjectIdentifier{
{2, 5, 29, 37}, // extKeyUsage
{2, 5, 29, 14}, // subjectKeyIdentifier
{2, 5, 29, 35}, // authorityKeyIdentifier
{1, 3, 6, 1, 5, 5, 7, 1, 1}, // authorityInfoAccess
{2, 5, 29, 32}, // certificatePolicies
{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}, // googleSignedCertificateTimestamp
{2, 5, 29, 31}, // cRLDistributionPoints
}...)
// pemToAPCP15 reads the specified pem files and returns the apc p15 file(s). If the
// key type of the key is not supported by NMC2, the combined key+cert file is not
// generated and nil is returned instead for that file. If the key IS supported by
@ -37,7 +66,10 @@ func (app *app) pemToAPCP15(keyPem, certPem []byte, parentCmdName string) (keyFi
app.stdLogger.Printf("%s: successfully generated p15 key file content", parentCmdName)
// check key type for compat with NMC2
nmc2KeyType := false
if slices.Contains(nmc2SupportedKeyTypes, p15.KeyType()) {
nmc2KeyType = true
app.stdLogger.Printf("%s: key type is supported by NMC2, generating p15 key+cert file content...", parentCmdName)
// make file bytes
@ -54,11 +86,87 @@ func (app *app) pemToAPCP15(keyPem, certPem []byte, parentCmdName string) (keyFi
// combine header with file
apcKeyCertFile = append(apcHeader, keyCertFile...)
} else {
// NMC2 unsupported
app.stdLogger.Printf("%s: key type is not supported by NMC2, skipping p15 key+cert file content", parentCmdName)
}
// check various parts of cert and log compatibility warnings
warned := false
// key not supported for NMC2
if !nmc2KeyType {
app.stdLogger.Printf("WARNING: %s: key type is %s and is not supported by NMC2.", parentCmdName, p15.KeyType().String())
warned = true
}
// signature algorithm (see: https://github.com/gregtwallace/apc-p15-tool/issues/18)
if !nmc2KeyType {
// definitely not for NMC2
if !slices.Contains(knownSupportedNMC3SigningAlgs, p15.Cert.SignatureAlgorithm) {
app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and it is not known if NMC3 supports this algorithm.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
warned = true
}
} else {
// could be for either NMC2 or NMC3
if !slices.Contains(knownSupportedNMC2SigningAlgs, p15.Cert.SignatureAlgorithm) {
if !slices.Contains(knownSupportedNMC3SigningAlgs, p15.Cert.SignatureAlgorithm) {
// not in NMC2 or NMC3 list
app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and is not supported by NMC2. It is also not known if NMC3 supports this algorithm.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
} else {
// not in NMC2 list, but is in NMC3 list
app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and it does not support NMC2.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
}
warned = true
}
}
// if support by 2, check 2 list
// if not found on 2 list, check 3 list
// check validity dates
if time.Now().Before(p15.Cert.NotBefore) {
app.stdLogger.Printf("WARNING: %s: Current time (%s) is before certificate's NotBefore time (%s).",
parentCmdName, time.Now().Format(timeLoggingFormat), p15.Cert.NotBefore.Format(timeLoggingFormat))
warned = true
}
if time.Now().After(p15.Cert.NotAfter) {
app.stdLogger.Printf("WARNING: %s: Current time (%s) is after certificate's NotAfter time (%s).",
parentCmdName, time.Now().Format(timeLoggingFormat), p15.Cert.NotAfter.Format(timeLoggingFormat))
warned = true
}
// check extensions against known working extensions
for _, extension := range p15.Cert.Extensions {
// critical or not?
okOIDs := knownSupportedCriticalOIDs
criticalLogMsg := "Critical "
if !extension.Critical {
okOIDs = knownSupportedOIDs
criticalLogMsg = ""
}
// validate OIDs
ok := false
for _, okOID := range okOIDs {
if okOID.Equal(extension.Id) {
ok = true
break
}
}
if !ok {
app.stdLogger.Printf("WARNING: %s: %sExtension %s may not be supported by NMC.", parentCmdName, criticalLogMsg, extension.Id.String())
}
}
// log a message about possible failure
if warned {
app.stdLogger.Printf("WARNING: %s: Possible certificate compatibility issues were detected. If the resulting p15 file "+
"does not work with your NMC (e.g., a self-signed certificate is regenerated after you try to install the p15), "+
"modify your certificate to resolve the warnings and try again.", parentCmdName)
}
// end compatibility warnings
app.stdLogger.Printf("%s: apc p15 file(s) data succesfully generated", parentCmdName)
return keyFile, apcKeyCertFile, nil