update cfssl mostly for the Subject.SerialName

Resolves a blocker for #1477

Godeps/Godeps.json

@@ -12,63 +12,63 @@
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/auth",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/certdb",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/config",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/crypto/pkcs11key",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/crypto/pkcs7",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/csr",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/errors",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/helpers",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/info",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/log",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/ocsp",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/cloudflare/cfssl/signer",
-			"Comment": "1.1.0-345-g3cc473b",
-			"Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2"
+			"Comment": "1.1.0-355-g3f3fa68",
+			"Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b"
 		},
 		{
 			"ImportPath": "github.com/codegangsta/cli",

Godeps/_workspace/src/github.com/cloudflare/cfssl/helpers/helpers.go

@@ -327,7 +327,14 @@ func LoadPEMCertPool(certsFile string) (*x509.CertPool, error) {
 // key. The private key may be either an unencrypted PKCS#8, PKCS#1,
 // or elliptic private key.
 func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.Signer, err error) {
-	keyDER, err := GetKeyDERFromPEM(keyPEM)
+	return ParsePrivateKeyPEMWithPassword(keyPEM, nil)
+}
+
+// ParsePrivateKeyPEMWithPassword parses and returns a PEM-encoded private
+// key. The private key may be a potentially encrypted PKCS#8, PKCS#1,
+// or elliptic private key.
+func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (key crypto.Signer, err error) {
+	keyDER, err := GetKeyDERFromPEM(keyPEM, password)
 	if err != nil {
 		return nil, err
 	}
@@ -336,11 +343,14 @@ func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.Signer, err error) {
 }
 
 // GetKeyDERFromPEM parses a PEM-encoded private key and returns DER-format key bytes.
-func GetKeyDERFromPEM(in []byte) ([]byte, error) {
+func GetKeyDERFromPEM(in []byte, password []byte) ([]byte, error) {
 	keyDER, _ := pem.Decode(in)
 	if keyDER != nil {
 		if procType, ok := keyDER.Headers["Proc-Type"]; ok {
 			if strings.Contains(procType, "ENCRYPTED") {
+				if password != nil {
+					return x509.DecryptPEMBlock(keyDER, password)
+				}
 				return nil, cferr.New(cferr.PrivateKeyError, cferr.Encrypted)
 			}
 		}

Godeps/_workspace/src/github.com/cloudflare/cfssl/log/log.go

@@ -6,43 +6,82 @@
 package log
 
 import (
+	"flag"
 	"fmt"
-	golog "log"
+	"log"
+	"log/syslog"
 	"os"
 )
 
 // The following constants represent logging levels in increasing levels of seriousness.
 const (
+	// LevelDebug is the log level for Debug statements.
 	LevelDebug = iota
+	// LevelInfo is the log level for Info statements.
 	LevelInfo
+	// LevelWarning is the log level for Warning statements.
 	LevelWarning
+	// LevelError is the log level for Error statements.
 	LevelError
+	// LevelCritical is the log level for Critical statements.
 	LevelCritical
+	// LevelFatal is the log level for Fatal statements.
 	LevelFatal
 )
 
 var levelPrefix = [...]string{
-	LevelDebug:    "[DEBUG] ",
-	LevelInfo:     "[INFO] ",
-	LevelWarning:  "[WARNING] ",
-	LevelError:    "[ERROR] ",
-	LevelCritical: "[CRITICAL] ",
-	LevelFatal:    "[FATAL] ",
+	LevelDebug:    "DEBUG",
+	LevelInfo:     "INFO",
+	LevelWarning:  "WARNING",
+	LevelError:    "ERROR",
+	LevelCritical: "CRITICAL",
+	LevelFatal:    "FATAL",
 }
 
+var (
 	// Level stores the current logging level.
-var Level = LevelDebug
+	Level = LevelInfo
+	// SysLogger is a syslog Writer to be used if not nil.
+	SysLogger *syslog.Writer
+)
+
+func init() {
+	flag.IntVar(&Level, "loglevel", LevelInfo, "Log level (0 = DEBUG, 5 = FATAL)")
+}
+
+func print(l int, msg string) {
+	if l >= Level {
+		if SysLogger != nil {
+			var err error
+			switch l {
+			case LevelDebug:
+				err = SysLogger.Debug(msg)
+			case LevelInfo:
+				err = SysLogger.Info(msg)
+			case LevelWarning:
+				err = SysLogger.Warning(msg)
+			case LevelError:
+				err = SysLogger.Err(msg)
+			case LevelCritical:
+				err = SysLogger.Crit(msg)
+			case LevelFatal:
+				err = SysLogger.Emerg(msg)
+			}
+			if err != nil {
+				log.Printf("Unable to write syslog: %v for msg: %s\n", err, msg)
+			}
+		} else {
+			log.Printf("[%s] %s", levelPrefix[l], msg)
+		}
+	}
+}
 
 func outputf(l int, format string, v []interface{}) {
-	if l >= Level {
-		golog.Printf(fmt.Sprint(levelPrefix[l], format), v...)
-	}
+	print(l, fmt.Sprintf(format, v...))
 }
 
 func output(l int, v []interface{}) {
-	if l >= Level {
-		golog.Print(levelPrefix[l], fmt.Sprint(v...))
-	}
+	print(l, fmt.Sprint(v...))
 }
 
 // Fatalf logs a formatted message at the "fatal" level and then exits. The

Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/local/local.go

@@ -12,12 +12,12 @@ import (
 	"encoding/hex"
 	"encoding/pem"
 	"errors"
-	"fmt"
 	"io"
 	"io/ioutil"
 	"math/big"
 	"net"
 	"net/mail"
+	"os"
 
 	"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/certdb"
 	"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/config"
@@ -80,7 +80,13 @@ func NewSignerFromFile(caFile, caKeyFile string, policy *config.Signing) (*Signe
 		return nil, err
 	}
 
-	priv, err := helpers.ParsePrivateKeyPEM(cakey)
+	strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")
+	password := []byte(strPassword)
+	if strPassword == "" {
+		password = nil
+	}
+
+	priv, err := helpers.ParsePrivateKeyPEMWithPassword(cakey, password)
 	if err != nil {
 		log.Debug("Malformed private key %v", err)
 		return nil, err
@@ -156,7 +162,9 @@ func PopulateSubjectFromCSR(s *signer.Subject, req pkix.Name) pkix.Name {
 	replaceSliceIfEmpty(&name.Locality, &req.Locality)
 	replaceSliceIfEmpty(&name.Organization, &req.Organization)
 	replaceSliceIfEmpty(&name.OrganizationalUnit, &req.OrganizationalUnit)
-
+	if name.SerialNumber == "" {
+		name.SerialNumber = req.SerialNumber
+	}
 	return name
 }
 
@@ -259,7 +267,6 @@ func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
 
 	if profile.ClientProvidesSerialNumbers {
 		if req.Serial == nil {
-			fmt.Printf("xx %#v\n", profile)
 			return nil, cferr.New(cferr.CertificateError, cferr.MissingSerial)
 		}
 		safeTemplate.SerialNumber = req.Serial

Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/signer.go

@@ -31,6 +31,7 @@ var MaxPathLen = 2
 type Subject struct {
 	CN           string
 	Names        []csr.Name `json:"names"`
+	SerialNumber string
 }
 
 // Extension represents a raw extension to be included in the certificate.  The
@@ -77,6 +78,7 @@ func (s *Subject) Name() pkix.Name {
 		appendIf(n.O, &name.Organization)
 		appendIf(n.OU, &name.OrganizationalUnit)
 	}
+	name.SerialNumber = s.SerialNumber
 	return name
 }