mirror of
https://github.com/gregtwallace/apc-p15-tool.git
synced 2025-07-09 17:16:34 +00:00
170 lines
6 KiB
Go
170 lines
6 KiB
Go
package app
|
|
|
|
import (
|
|
"apc-p15-tool/pkg/pkcs15"
|
|
"crypto/x509"
|
|
"encoding/asn1"
|
|
"fmt"
|
|
"slices"
|
|
"time"
|
|
)
|
|
|
|
// list of keys supported by the NMC2
|
|
var nmc2SupportedKeyTypes = []pkcs15.KeyType{
|
|
pkcs15.KeyTypeRSA1024,
|
|
pkcs15.KeyTypeRSA2048,
|
|
pkcs15.KeyTypeRSA3072, // officially not supported but works
|
|
}
|
|
|
|
// known good signing algorithms
|
|
var knownSupportedNMC2SigningAlgs = []x509.SignatureAlgorithm{
|
|
x509.SHA256WithRSA,
|
|
}
|
|
|
|
var knownSupportedNMC3SigningAlgs = append(knownSupportedNMC2SigningAlgs, []x509.SignatureAlgorithm{
|
|
x509.ECDSAWithSHA384,
|
|
}...)
|
|
|
|
// known supported cert extensions
|
|
var knownSupportedCriticalOIDs = []asn1.ObjectIdentifier{
|
|
{2, 5, 29, 15}, // keyUsage
|
|
{2, 5, 29, 19}, // basicConstraints
|
|
{2, 5, 29, 17}, // subjectAltName
|
|
}
|
|
|
|
var knownSupportedOIDs = append(knownSupportedCriticalOIDs, []asn1.ObjectIdentifier{
|
|
{2, 5, 29, 37}, // extKeyUsage
|
|
{2, 5, 29, 14}, // subjectKeyIdentifier
|
|
{2, 5, 29, 35}, // authorityKeyIdentifier
|
|
{1, 3, 6, 1, 5, 5, 7, 1, 1}, // authorityInfoAccess
|
|
{2, 5, 29, 32}, // certificatePolicies
|
|
{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}, // googleSignedCertificateTimestamp
|
|
{2, 5, 29, 31}, // cRLDistributionPoints
|
|
}...)
|
|
|
|
// pemToAPCP15 reads the specified pem files and returns the apc p15 file(s). If the
|
|
// key type of the key is not supported by NMC2, the combined key+cert file is not
|
|
// generated and nil is returned instead for that file. If the key IS supported by
|
|
// NMC2, the key+cert file is generated and the proper header is prepended.
|
|
func (app *app) pemToAPCP15(keyPem, certPem []byte, parentCmdName string) (keyFile []byte, apcKeyCertFile []byte, err error) {
|
|
app.stdLogger.Printf("%s: making apc p15 file(s) content from pem", parentCmdName)
|
|
|
|
// make p15 struct
|
|
p15, err := pkcs15.ParsePEMToPKCS15(keyPem, certPem)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("%s: failed to parse pem files (%w)", parentCmdName, err)
|
|
}
|
|
|
|
app.stdLogger.Printf("%s: successfully parsed pem files", parentCmdName)
|
|
|
|
// make key file (always)
|
|
keyFile, err = p15.ToP15Key()
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("%s: failed to make p15 key file (%w)", parentCmdName, err)
|
|
}
|
|
|
|
app.stdLogger.Printf("%s: successfully generated p15 key file content", parentCmdName)
|
|
|
|
// check key type for compat with NMC2
|
|
nmc2KeyType := false
|
|
if slices.Contains(nmc2SupportedKeyTypes, p15.KeyType()) {
|
|
nmc2KeyType = true
|
|
|
|
app.stdLogger.Printf("%s: key type is supported by NMC2, generating p15 key+cert file content...", parentCmdName)
|
|
|
|
// make file bytes
|
|
keyCertFile, err := p15.ToP15KeyCert()
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("%s: failed to make p15 key+cert file content (%w)", parentCmdName, err)
|
|
}
|
|
|
|
// make header for file bytes
|
|
apcHeader, err := makeFileHeader(keyCertFile)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("%s: failed to make p15 key+cert file header (%w)", parentCmdName, err)
|
|
}
|
|
|
|
// combine header with file
|
|
apcKeyCertFile = append(apcHeader, keyCertFile...)
|
|
}
|
|
|
|
// check various parts of cert and log compatibility warnings
|
|
warned := false
|
|
|
|
// key not supported for NMC2
|
|
if !nmc2KeyType {
|
|
app.stdLogger.Printf("WARNING: %s: key type is %s and is not supported by NMC2.", parentCmdName, p15.KeyType().String())
|
|
warned = true
|
|
}
|
|
|
|
// signature algorithm (see: https://github.com/gregtwallace/apc-p15-tool/issues/18)
|
|
if !nmc2KeyType {
|
|
// definitely not for NMC2
|
|
if !slices.Contains(knownSupportedNMC3SigningAlgs, p15.Cert.SignatureAlgorithm) {
|
|
app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and it is not known if NMC3 supports this algorithm.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
|
|
warned = true
|
|
}
|
|
} else {
|
|
// could be for either NMC2 or NMC3
|
|
if !slices.Contains(knownSupportedNMC2SigningAlgs, p15.Cert.SignatureAlgorithm) {
|
|
if !slices.Contains(knownSupportedNMC3SigningAlgs, p15.Cert.SignatureAlgorithm) {
|
|
// not in NMC2 or NMC3 list
|
|
app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and is not supported by NMC2. It is also not known if NMC3 supports this algorithm.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
|
|
} else {
|
|
// not in NMC2 list, but is in NMC3 list
|
|
app.stdLogger.Printf("WARNING: %s: Certificate signing algorithm is %s and it does not support NMC2.", parentCmdName, p15.Cert.SignatureAlgorithm.String())
|
|
}
|
|
warned = true
|
|
}
|
|
}
|
|
|
|
// check validity dates
|
|
if time.Now().Before(p15.Cert.NotBefore) {
|
|
app.stdLogger.Printf("WARNING: %s: Current time (%s) is before certificate's NotBefore time (%s).",
|
|
parentCmdName, time.Now().Format(timeLoggingFormat), p15.Cert.NotBefore.Format(timeLoggingFormat))
|
|
warned = true
|
|
}
|
|
|
|
if time.Now().After(p15.Cert.NotAfter) {
|
|
app.stdLogger.Printf("WARNING: %s: Current time (%s) is after certificate's NotAfter time (%s).",
|
|
parentCmdName, time.Now().Format(timeLoggingFormat), p15.Cert.NotAfter.Format(timeLoggingFormat))
|
|
warned = true
|
|
}
|
|
|
|
// check extensions against known working extensions
|
|
for _, extension := range p15.Cert.Extensions {
|
|
// critical or not?
|
|
okOIDs := knownSupportedCriticalOIDs
|
|
criticalLogMsg := "Critical "
|
|
if !extension.Critical {
|
|
okOIDs = knownSupportedOIDs
|
|
criticalLogMsg = ""
|
|
}
|
|
|
|
// validate OIDs
|
|
ok := false
|
|
for _, okOID := range okOIDs {
|
|
if okOID.Equal(extension.Id) {
|
|
ok = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !ok {
|
|
app.stdLogger.Printf("WARNING: %s: %sExtension %s may not be supported by NMC.", parentCmdName, criticalLogMsg, extension.Id.String())
|
|
}
|
|
}
|
|
|
|
// log a message about possible failure
|
|
if warned {
|
|
app.stdLogger.Printf("WARNING: %s: Possible certificate compatibility issues were detected. If the resulting p15 file "+
|
|
"does not work with your NMC (e.g., a self-signed certificate is regenerated after you try to install the p15), "+
|
|
"modify your certificate to resolve the warnings and try again.", parentCmdName)
|
|
}
|
|
|
|
// end compatibility warnings
|
|
|
|
app.stdLogger.Printf("%s: apc p15 file(s) data succesfully generated", parentCmdName)
|
|
|
|
return keyFile, apcKeyCertFile, nil
|
|
}
|