mirror of
https://github.com/gregtwallace/apc-p15-tool.git
synced 2025-07-08 16:56:34 +00:00
app: add compatibility warnings
Try to warn users in console output about possible certificate issues. fixes: https://github.com/gregtwallace/apc-p15-tool/issues/20
This commit is contained in:
parent
7319fc16d8
commit
b821002e85
5 changed files with 152 additions and 19 deletions
pkg/app
|
@ -145,7 +145,7 @@ func (app *app) cmdInstall(cmdCtx context.Context, args []string) error {
|
|||
// verify cert is the correct one
|
||||
certVerified := bytes.Equal(leafCert.Raw, pemBlock.Bytes)
|
||||
if !certVerified {
|
||||
return errors.New("install: web ui leaf cert does not match new cert")
|
||||
return errors.New("install: web ui leaf cert does not match new cert (your cert may not be compatible with NMC; check for WARNINGs in this tool's output)")
|
||||
}
|
||||
|
||||
app.stdLogger.Println("install: ups web ui cert verified")
|
||||
|
|
|
@ -2,8 +2,11 @@ package app
|
|||
|
||||
import (
|
||||
"apc-p15-tool/pkg/pkcs15"
|
||||
"crypto/x509"
|
||||
"encoding/asn1"
|
||||
"fmt"
|
||||
"slices"
|
||||
"time"
|
||||
)
|
||||
|
||||
// list of keys supported by the NMC2
|
||||
|
@ -13,6 +16,32 @@ var nmc2SupportedKeyTypes = []pkcs15.KeyType{
|
|||
pkcs15.KeyTypeRSA3072, // officially not supported but works
|
||||
}
|
||||
|
||||
// known good signing algorithms
|
||||
var knownSupportedNMC2SigningAlgs = []x509.SignatureAlgorithm{
|
||||
x509.SHA256WithRSA,
|
||||
}
|
||||
|
||||
var knownSupportedNMC3SigningAlgs = append(knownSupportedNMC2SigningAlgs, []x509.SignatureAlgorithm{
|
||||
x509.ECDSAWithSHA384,
|
||||
}...)
|
||||
|
||||
// known supported cert extensions
|
||||
var knownSupportedCriticalOIDs = []asn1.ObjectIdentifier{
|
||||
{2, 5, 29, 15}, // keyUsage
|
||||
{2, 5, 29, 19}, // basicConstraints
|
||||
{2, 5, 29, 17}, // subjectAltName
|
||||
}
|
||||
|
||||
var knownSupportedOIDs = append(knownSupportedCriticalOIDs, []asn1.ObjectIdentifier{
|
||||
{2, 5, 29, 37}, // extKeyUsage
|
||||
{2, 5, 29, 14}, // subjectKeyIdentifier
|
||||
{2, 5, 29, 35}, // authorityKeyIdentifier
|
||||
{1, 3, 6, 1, 5, 5, 7, 1, 1}, // authorityInfoAccess
|
||||
{2, 5, 29, 32}, // certificatePolicies
|
||||
{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}, // googleSignedCertificateTimestamp
|
||||
{2, 5, 29, 31}, // cRLDistributionPoints
|
||||
}...)
|
||||
|
||||
// pemToAPCP15 reads the specified pem files and returns the apc p15 file(s). If the
|
||||
// key type of the key is not supported by NMC2, the combined key+cert file is not
|
||||
// generated and nil is returned instead for that file. If the key IS supported by
|
||||
|
@ -37,7 +66,10 @@ func (app *app) pemToAPCP15(keyPem, certPem []byte, parentCmdName string) (keyFi
|
|||
app.stdLogger.Printf("%s: successfully generated p15 key file content", parentCmdName)
|
||||
|
||||
// check key type for compat with NMC2
|
||||
nmc2KeyType := false
|
||||
if slices.Contains(nmc2SupportedKeyTypes, p15.KeyType()) {
|
||||
nmc2KeyType = true
|
||||
|
||||
app.stdLogger.Printf("%s: key type is supported by NMC2, generating p15 key+cert file content...", parentCmdName)
|
||||
|
||||
// make file bytes
|
||||
|
@ -54,11 +86,87 @@ func (app *app) pemToAPCP15(keyPem, certPem []byte, parentCmdName string) (keyFi
|
|||
|
||||
// combine header with file
|
||||
apcKeyCertFile = append(apcHeader, keyCertFile...)
|
||||
} else {
|
||||
// NMC2 unsupported
|
||||
app.stdLogger.Printf("%s: key type is not supported by NMC2, skipping p15 key+cert file content", parentCmdName)
|
||||
}
|
||||
|
||||
// check various parts of cert and log compatibility warnings
|
||||
warned := false
|
||||
|
||||
// key not supported for NMC2
|
||||
if !nmc2KeyType {
|
||||
app.stdLogger.Printf("WARNING: %s: key type is %s and is not supported by NMC2.", parentCmdName, p15.KeyType().String())
|
||||
warned = true
|
||||
}
|
||||
|
||||
// signature algorithm (see: https://github.com/gregtwallace/apc-p15-tool/issues/18)
|
||||
if !nmc2KeyType {
|
||||
// definitely not for NMC2
|
||||
if !slices.Contains(knownSupportedNMC3SigningAlgs, p15.Cert.SignatureAlgorithm) {
|
||||
app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and it is not known if NMC3 supports this algorithm.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
|
||||
warned = true
|
||||
}
|
||||
} else {
|
||||
// could be for either NMC2 or NMC3
|
||||
if !slices.Contains(knownSupportedNMC2SigningAlgs, p15.Cert.SignatureAlgorithm) {
|
||||
if !slices.Contains(knownSupportedNMC3SigningAlgs, p15.Cert.SignatureAlgorithm) {
|
||||
// not in NMC2 or NMC3 list
|
||||
app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and is not supported by NMC2. It is also not known if NMC3 supports this algorithm.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
|
||||
} else {
|
||||
// not in NMC2 list, but is in NMC3 list
|
||||
app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and it does not support NMC2.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
|
||||
}
|
||||
warned = true
|
||||
}
|
||||
}
|
||||
|
||||
// if support by 2, check 2 list
|
||||
// if not found on 2 list, check 3 list
|
||||
|
||||
// check validity dates
|
||||
if time.Now().Before(p15.Cert.NotBefore) {
|
||||
app.stdLogger.Printf("WARNING: %s: Current time (%s) is before certificate's NotBefore time (%s).",
|
||||
parentCmdName, time.Now().Format(timeLoggingFormat), p15.Cert.NotBefore.Format(timeLoggingFormat))
|
||||
warned = true
|
||||
}
|
||||
|
||||
if time.Now().After(p15.Cert.NotAfter) {
|
||||
app.stdLogger.Printf("WARNING: %s: Current time (%s) is after certificate's NotAfter time (%s).",
|
||||
parentCmdName, time.Now().Format(timeLoggingFormat), p15.Cert.NotAfter.Format(timeLoggingFormat))
|
||||
warned = true
|
||||
}
|
||||
|
||||
// check extensions against known working extensions
|
||||
for _, extension := range p15.Cert.Extensions {
|
||||
// critical or not?
|
||||
okOIDs := knownSupportedCriticalOIDs
|
||||
criticalLogMsg := "Critical "
|
||||
if !extension.Critical {
|
||||
okOIDs = knownSupportedOIDs
|
||||
criticalLogMsg = ""
|
||||
}
|
||||
|
||||
// validate OIDs
|
||||
ok := false
|
||||
for _, okOID := range okOIDs {
|
||||
if okOID.Equal(extension.Id) {
|
||||
ok = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if !ok {
|
||||
app.stdLogger.Printf("WARNING: %s: %sExtension %s may not be supported by NMC.", parentCmdName, criticalLogMsg, extension.Id.String())
|
||||
}
|
||||
}
|
||||
|
||||
// log a message about possible failure
|
||||
if warned {
|
||||
app.stdLogger.Printf("WARNING: %s: Possible certificate compatibility issues were detected. If the resulting p15 file "+
|
||||
"does not work with your NMC (e.g., a self-signed certificate is regenerated after you try to install the p15), "+
|
||||
"modify your certificate to resolve the warnings and try again.", parentCmdName)
|
||||
}
|
||||
|
||||
// end compatibility warnings
|
||||
|
||||
app.stdLogger.Printf("%s: apc p15 file(s) data succesfully generated", parentCmdName)
|
||||
|
||||
return keyFile, apcKeyCertFile, nil
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue