app: add compatibility warnings

Try to warn users in console output about possible certificate issues.

fixes: https://github.com/gregtwallace/apc-p15-tool/issues/20

pkg/app/pem_to_p15.go

@@ -2,8 +2,11 @@ package app
 
 import (
 	"apc-p15-tool/pkg/pkcs15"
+	"crypto/x509"
+	"encoding/asn1"
 	"fmt"
 	"slices"
+	"time"
 )
 
 // list of keys supported by the NMC2
@@ -13,6 +16,32 @@ var nmc2SupportedKeyTypes = []pkcs15.KeyType{
 	pkcs15.KeyTypeRSA3072, // officially not supported but works
 }
 
+// known good signing algorithms
+var knownSupportedNMC2SigningAlgs = []x509.SignatureAlgorithm{
+	x509.SHA256WithRSA,
+}
+
+var knownSupportedNMC3SigningAlgs = append(knownSupportedNMC2SigningAlgs, []x509.SignatureAlgorithm{
+	x509.ECDSAWithSHA384,
+}...)
+
+// known supported cert extensions
+var knownSupportedCriticalOIDs = []asn1.ObjectIdentifier{
+	{2, 5, 29, 15}, // keyUsage
+	{2, 5, 29, 19}, // basicConstraints
+	{2, 5, 29, 17}, // subjectAltName
+}
+
+var knownSupportedOIDs = append(knownSupportedCriticalOIDs, []asn1.ObjectIdentifier{
+	{2, 5, 29, 37},                     // extKeyUsage
+	{2, 5, 29, 14},                     // subjectKeyIdentifier
+	{2, 5, 29, 35},                     // authorityKeyIdentifier
+	{1, 3, 6, 1, 5, 5, 7, 1, 1},        // authorityInfoAccess
+	{2, 5, 29, 32},                     // certificatePolicies
+	{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}, // googleSignedCertificateTimestamp
+	{2, 5, 29, 31},                     // cRLDistributionPoints
+}...)
+
 // pemToAPCP15 reads the specified pem files and returns the apc p15 file(s). If the
 // key type of the key is not supported by NMC2, the combined key+cert file is not
 // generated and nil is returned instead for that file. If the key IS supported by
@@ -37,7 +66,10 @@ func (app *app) pemToAPCP15(keyPem, certPem []byte, parentCmdName string) (keyFi
 	app.stdLogger.Printf("%s: successfully generated p15 key file content", parentCmdName)
 
 	// check key type for compat with NMC2
+	nmc2KeyType := false
 	if slices.Contains(nmc2SupportedKeyTypes, p15.KeyType()) {
+		nmc2KeyType = true
+
 		app.stdLogger.Printf("%s: key type is supported by NMC2, generating p15 key+cert file content...", parentCmdName)
 
 		// make file bytes
@@ -54,11 +86,87 @@ func (app *app) pemToAPCP15(keyPem, certPem []byte, parentCmdName string) (keyFi
 
 		// combine header with file
 		apcKeyCertFile = append(apcHeader, keyCertFile...)
-	} else {
-		// NMC2 unsupported
-		app.stdLogger.Printf("%s: key type is not supported by NMC2, skipping p15 key+cert file content", parentCmdName)
 	}
 
+	// check various parts of cert and log compatibility warnings
+	warned := false
+
+	// key not supported for NMC2
+	if !nmc2KeyType {
+		app.stdLogger.Printf("WARNING: %s: key type is %s and is not supported by NMC2.", parentCmdName, p15.KeyType().String())
+		warned = true
+	}
+
+	// signature algorithm (see: https://github.com/gregtwallace/apc-p15-tool/issues/18)
+	if !nmc2KeyType {
+		// definitely not for NMC2
+		if !slices.Contains(knownSupportedNMC3SigningAlgs, p15.Cert.SignatureAlgorithm) {
+			app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and it is not known if NMC3 supports this algorithm.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
+			warned = true
+		}
+	} else {
+		// could be for either NMC2 or NMC3
+		if !slices.Contains(knownSupportedNMC2SigningAlgs, p15.Cert.SignatureAlgorithm) {
+			if !slices.Contains(knownSupportedNMC3SigningAlgs, p15.Cert.SignatureAlgorithm) {
+				// not in NMC2 or NMC3 list
+				app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and is not supported by NMC2. It is also not known if NMC3 supports this algorithm.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
+			} else {
+				// not in NMC2 list, but is in NMC3 list
+				app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and it does not support NMC2.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
+			}
+			warned = true
+		}
+	}
+
+	// if support by 2, check 2 list
+	// if not found on 2 list, check 3 list
+
+	// check validity dates
+	if time.Now().Before(p15.Cert.NotBefore) {
+		app.stdLogger.Printf("WARNING: %s: Current time (%s) is before certificate's NotBefore time (%s).",
+			parentCmdName, time.Now().Format(timeLoggingFormat), p15.Cert.NotBefore.Format(timeLoggingFormat))
+		warned = true
+	}
+
+	if time.Now().After(p15.Cert.NotAfter) {
+		app.stdLogger.Printf("WARNING: %s: Current time (%s) is after certificate's NotAfter time (%s).",
+			parentCmdName, time.Now().Format(timeLoggingFormat), p15.Cert.NotAfter.Format(timeLoggingFormat))
+		warned = true
+	}
+
+	// check extensions against known working extensions
+	for _, extension := range p15.Cert.Extensions {
+		// critical or not?
+		okOIDs := knownSupportedCriticalOIDs
+		criticalLogMsg := "Critical "
+		if !extension.Critical {
+			okOIDs = knownSupportedOIDs
+			criticalLogMsg = ""
+		}
+
+		// validate OIDs
+		ok := false
+		for _, okOID := range okOIDs {
+			if okOID.Equal(extension.Id) {
+				ok = true
+				break
+			}
+		}
+
+		if !ok {
+			app.stdLogger.Printf("WARNING: %s: %sExtension %s may not be supported by NMC.", parentCmdName, criticalLogMsg, extension.Id.String())
+		}
+	}
+
+	// log a message about possible failure
+	if warned {
+		app.stdLogger.Printf("WARNING: %s: Possible certificate compatibility issues were detected. If the resulting p15 file "+
+			"does not work with your NMC (e.g., a self-signed certificate is regenerated after you try to install the p15), "+
+			"modify your certificate to resolve the warnings and try again.", parentCmdName)
+	}
+
+	// end compatibility warnings
+
 	app.stdLogger.Printf("%s: apc p15 file(s) data succesfully generated", parentCmdName)
 
 	return keyFile, apcKeyCertFile, nil