diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index ee093fea3..e4a6ece06 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -12,63 +12,63 @@ }, { "ImportPath": "github.com/cloudflare/cfssl/auth", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/certdb", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/config", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/crypto/pkcs11key", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/crypto/pkcs7", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/csr", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/errors", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/helpers", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/info", - "Comment": "1.1.0-345-g3cc473b", - "Rev": 
"3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/log", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/ocsp", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/cloudflare/cfssl/signer", - "Comment": "1.1.0-345-g3cc473b", - "Rev": "3cc473b970536c9c35099bc46be861cd33f8bda2" + "Comment": "1.1.0-355-g3f3fa68", + "Rev": "3f3fa68e8d6ce6ceace60ea86461f8be41fa477b" }, { "ImportPath": "github.com/codegangsta/cli", diff --git a/Godeps/_workspace/src/github.com/cloudflare/cfssl/helpers/helpers.go b/Godeps/_workspace/src/github.com/cloudflare/cfssl/helpers/helpers.go index 7529d56bd..50b0584db 100644 --- a/Godeps/_workspace/src/github.com/cloudflare/cfssl/helpers/helpers.go +++ b/Godeps/_workspace/src/github.com/cloudflare/cfssl/helpers/helpers.go @@ -327,7 +327,14 @@ func LoadPEMCertPool(certsFile string) (*x509.CertPool, error) { // key. The private key may be either an unencrypted PKCS#8, PKCS#1, // or elliptic private key. func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.Signer, err error) { - keyDER, err := GetKeyDERFromPEM(keyPEM) + return ParsePrivateKeyPEMWithPassword(keyPEM, nil) +} + +// ParsePrivateKeyPEMWithPassword parses and returns a PEM-encoded private +// key. The private key may be a potentially encrypted PKCS#8, PKCS#1, +// or elliptic private key. +func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (key crypto.Signer, err error) { + keyDER, err := GetKeyDERFromPEM(keyPEM, password) if err != nil { return nil, err } 
@@ -336,11 +343,14 @@ func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.Signer, err error) {
 }
 
 // GetKeyDERFromPEM parses a PEM-encoded private key and returns DER-format key bytes.
-func GetKeyDERFromPEM(in []byte) ([]byte, error) {
+func GetKeyDERFromPEM(in []byte, password []byte) ([]byte, error) {
 keyDER, _ := pem.Decode(in)
 if keyDER != nil {
 if procType, ok := keyDER.Headers["Proc-Type"]; ok {
 if strings.Contains(procType, "ENCRYPTED") {
+ if password != nil {
+ return x509.DecryptPEMBlock(keyDER, password)
+ }
 return nil, cferr.New(cferr.PrivateKeyError, cferr.Encrypted)
 }
 }
diff --git a/Godeps/_workspace/src/github.com/cloudflare/cfssl/log/log.go b/Godeps/_workspace/src/github.com/cloudflare/cfssl/log/log.go
index 6e982e78b..322844ee4 100644
--- a/Godeps/_workspace/src/github.com/cloudflare/cfssl/log/log.go
+++ b/Godeps/_workspace/src/github.com/cloudflare/cfssl/log/log.go
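Review bot: `x509.DecryptPEMBlock` cannot reliably detect a wrong passphrase — the RFC 1423 format it handles is unauthenticated, and its documentation warns that an incorrect password may yield random bytes rather than an error — so a mistyped CA passphrase can surface later as an obscure DER parse failure instead of a clear "wrong password", which is worth a comment at the `return x509.DecryptPEMBlock(...)` line. The doc comment on `GetKeyDERFromPEM` still describes the one-argument form; add `// If password is non-nil it is used to decrypt a Proc-Type: ENCRYPTED (RFC 1423) block; a nil password makes an encrypted key an error.` The gate is `password != nil`, so an empty non-nil slice attempts decryption with an empty passphrase; callers must normalise empty to nil, as `NewSignerFromFile` does. A PKCS#8 `ENCRYPTED PRIVATE KEY` block carries no Proc-Type header, so it bypasses this branch and presumably fails in the later DER parse — if such keys are meant to be supported, this is not enough. `GetKeyDERFromPEM` continues past the end of this hunk.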
@@ -6,43 +6,82 @@
 package log
 
 import (
+ "flag"
 "fmt"
- golog "log"
+ "log"
+ "log/syslog"
 "os"
 )
 
 // The following constants represent logging levels in increasing levels of seriousness.
 const (
+ // LevelDebug is the log level for Debug statements.
 LevelDebug = iota
+ // LevelInfo is the log level for Info statements.
 LevelInfo
+ // LevelWarning is the log level for Warning statements.
 LevelWarning
+ // LevelError is the log level for Error statements.
 LevelError
+ // LevelCritical is the log level for Critical statements.
 LevelCritical
+ // LevelFatal is the log level for Fatal statements.
 LevelFatal
 )
 
 var levelPrefix = [...]string{
- LevelDebug: "[DEBUG] ",
- LevelInfo: "[INFO] ",
- LevelWarning: "[WARNING] ",
- LevelError: "[ERROR] ",
- LevelCritical: "[CRITICAL] ",
- LevelFatal: "[FATAL] ",
+ LevelDebug: "DEBUG",
+ LevelInfo: "INFO",
+ LevelWarning: "WARNING",
+ LevelError: "ERROR",
+ LevelCritical: "CRITICAL",
+ LevelFatal: "FATAL",
 }
 
-// Level stores the current logging level.
-var Level = LevelDebug
+var (
+ // Level stores the current logging level.
+ Level = LevelInfo
+ // SysLogger is a syslog Writer to be used if not nil.
+ SysLogger *syslog.Writer
+)
+
+func init() {
+ flag.IntVar(&Level, "loglevel", LevelInfo, "Log level (0 = DEBUG, 5 = FATAL)")
+}
+
+func print(l int, msg string) {
+ if l >= Level {
+ if SysLogger != nil {
+ var err error
+ switch l {
+ case LevelDebug:
+ err = SysLogger.Debug(msg)
+ case LevelInfo:
+ err = SysLogger.Info(msg)
+ case LevelWarning:
+ err = SysLogger.Warning(msg)
+ case LevelError:
+ err = SysLogger.Err(msg)
+ case LevelCritical:
+ err = SysLogger.Crit(msg)
+ case LevelFatal:
+ err = SysLogger.Emerg(msg)
+ }
+ if err != nil {
+ log.Printf("Unable to write syslog: %v for msg: %s\n", err, msg)
+ }
+ } else {
+ log.Printf("[%s] %s", levelPrefix[l], msg)
+ }
+ }
+}
 
 func outputf(l int, format string, v []interface{}) {
- if l >= Level {
- golog.Printf(fmt.Sprint(levelPrefix[l], format), v...)
- }
+ print(l, fmt.Sprintf(format, v...))
 }
 
 func output(l int, v []interface{}) {
- if l >= Level {
- golog.Print(levelPrefix[l], fmt.Sprint(v...))
- }
+ print(l, fmt.Sprint(v...))
 }
 
 // Fatalf logs a formatted message at the "fatal" level and then exits. The
diff --git a/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/local/local.go b/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/local/local.go
index 914723635..a2896c7a8 100644
--- a/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/local/local.go
+++ b/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/local/local.go
@@ -12,12 +12,12 @@ import (
 "encoding/hex"
 "encoding/pem"
 "errors"
- "fmt"
 "io"
 "io/ioutil"
 "math/big"
 "net"
 "net/mail"
+ "os"
 
 "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/certdb"
 "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/config"
@@ -80,7 +80,13 @@ func NewSignerFromFile(caFile, caKeyFile string, policy *config.Signing) (*Signe
 return nil, err
 }
 
- priv, err := helpers.ParsePrivateKeyPEM(cakey)
+ strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")
+ password := []byte(strPassword)
+ if strPassword == "" {
+ password = nil
+ }
+
+ priv, err := helpers.ParsePrivateKeyPEMWithPassword(cakey, password)
 if err != nil {
 log.Debug("Malformed private key %v", err)
 return nil, err
@@ -156,7 +162,9 @@ func PopulateSubjectFromCSR(s *signer.Subject, req pkix.Name) pkix.Name {
 replaceSliceIfEmpty(&name.Locality, &req.Locality)
 replaceSliceIfEmpty(&name.Organization, &req.Organization)
 replaceSliceIfEmpty(&name.OrganizationalUnit, &req.OrganizationalUnit)
-
+ if name.SerialNumber == "" {
+ name.SerialNumber = req.SerialNumber
+ }
 return name
 }
 
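Review bot: The new `init()` registers a `-loglevel` flag on the process-wide `flag.CommandLine` from inside a library package; any importing program that already defines `loglevel` panics at startup with `flag redefined: loglevel`, and one that never calls `flag.Parse()` silently keeps `LevelInfo`. A library should leave flag definition to the host and just expose `Level`, so I would drop the `init()` and document on `Level` that callers set it (or parse their own flag into it). Separately, `func print(l int, msg string)` shadows the predeclared `print` builtin, which compiles but misleads readers; `emit` or `logAt` would be clearer. An out-of-range `Level` such as `-loglevel 9` also suppresses every message including Fatal ones without any warning, so validating or clamping the value where it is set is worth a line.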
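Review bot: Reading the CA key passphrase from `CFSSL_CA_PK_PASSWORD` places the secret where any same-user process can read it via `/proc/<pid>/environ`, where every child process the signer spawns inherits it, and where it tends to leak into shell history and crash dumps; for a CA private key that trade-off should at least be stated on the `NewSignerFromFile` doc comment, and a file- or prompt-based source is preferable. The empty-to-nil normalisation also means a key deliberately encrypted with an empty passphrase cannot be opened this way, which deserves a comment at the `if strPassword == ""` line: `// unset or empty means the key is expected to be unencrypted`. `NewSignerFromFile` starts and ends outside this hunk.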
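Review bot: The new branch copies the CSR's subject `serialNumber` attribute into the issued certificate whenever the signing profile leaves it empty, so a client-chosen string now lands in the subject without any policy check. That is consistent with how `replaceSliceIfEmpty` already treats Locality and Organization, but if the CA is not meant to honour CSR-supplied serialNumber attributes this is the place to drop or validate it. Either way the function's doc comment, which sits above this hunk, should state the precedence: `// SerialNumber, like the other subject fields, is taken from the CSR only when the profile leaves it empty.` `PopulateSubjectFromCSR` begins before this hunk.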
@@ -259,7 +267,6 @@ func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
 
 if profile.ClientProvidesSerialNumbers {
 if req.Serial == nil {
- fmt.Printf("xx %#v\n", profile)
 return nil, cferr.New(cferr.CertificateError, cferr.MissingSerial)
 }
 safeTemplate.SerialNumber = req.Serial
diff --git a/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/signer.go b/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/signer.go
index 82351242e..e02ab1103 100644
--- a/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/signer.go
+++ b/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/signer.go
@@ -29,8 +29,9 @@ var MaxPathLen = 2
 // Subject contains the information that should be used to override the
 // subject information when signing a certificate.
 type Subject struct {
- CN string
- Names []csr.Name `json:"names"`
+ CN string
+ Names []csr.Name `json:"names"`
+ SerialNumber string
 }
 
 // Extension represents a raw extension to be included in the certificate. The
@@ -77,6 +78,7 @@ func (s *Subject) Name() pkix.Name {
 appendIf(n.O, &name.Organization)
 appendIf(n.OU, &name.OrganizationalUnit)
 }
+ name.SerialNumber = s.SerialNumber
 return name
 }
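Review bot: `SerialNumber string` is added to `Subject` without a `json` tag while its sibling `Names` is tagged `json:"names"`, so the wire key for the new field becomes `SerialNumber` — inconsistent casing for API clients, and since `Subject` is a request-side override, a client sending `serialnumber` would have the field silently ignored. Suggest tagging it to match the existing convention, e.g. json:"serialnumber,omitempty", and adding a field comment: `// SerialNumber overrides the subject serialNumber attribute; empty means take it from the CSR.`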