Adding Sectigo support in LibCertifier (XPKI-764)

docs/configuration.adoc

@@ -2,6 +2,7 @@ xref:libcertifier.adoc[*Back to Manual*]
 
 == Configuration
 
+== xPKI Certificates
 |=======
 | *Property Name* | *Default Value* | *Description* 
 | libcertifier.certifier.url   | https://certifier.xpki.io/v1/certifier/certificate |  
@@ -27,6 +28,42 @@ xref:libcertifier.adoc[*Back to Manual*]
 | libcertifier.ext.key.usage   | clientAuth,serverAuth | (See notes below) 
 |=======
 
+== Sectigo Certificates
+|=======
+| *Property Name* | *Default Value* | *Description* 
+| libcertifier.sectigo.url   | https://certs.xpki.io/api/createCertificate |
+| libcertifier.sectigo.auth.token   | |
+| libcertifier.sectigo.common.name   | |
+| libcertifier.sectigo.group.name   | |
+| libcertifier.sectigo.group.email   | |
+| libcertifier.sectigo.id   | user123 |
+| libcertifier.sectigo.owner.first.name   | |
+| libcertifier.sectigo.owner.last.name   | |
+| libcertifier.sectigo.project.name   | |
+| libcertifier.sectigo.business.justification   | |
+| libcertifier.sectigo.subject.alt.names   | [] |
+| libcertifier.sectigo.owner.email   | |
+| libcertifier.sectigo.devhub.id   | |
+| libcertifier.sectigo.validity.days   | 365 |
+| libcertifier.sectigo.key.type   | |
+| libcertifier.sectigo.serial.number   | |
+| libcertifier.sectigo.certificate.id   | |
+| libcertifier.sectigo.requestor.email   | |
+| libcertifier.sectigo.revocation.request.reason   | |
+| libcertifier.sectigo.status  | |
+| libcertifier.sectigo.offset   | |
+| libcertifier.sectigo.limit   | 10 |
+| libcertifier.sectigo.start.date   | |
+| libcertifier.sectigo.end.date   | |
+| libcertifier.sectigo.validity.start.date   | |
+| libcertifier.sectigo.validity.end.date   | |
+| libcertifier.sectigo.cert.order   | |
+| libcertifier.sectigo.is.cn.in.san   | |
+| libcertifier.sectigo.request.type   | |
+| libcertifier.sectigo.timestamp   | |
+| libcertifier.cert.path  | |
+|=======
+
 == Extended Key Usage values:
 This field can be populated with a list of values, indicating purposes for which the certificate public key can be used for. 
 

include/certifier/certifier_api_easy.h

@@ -101,6 +101,16 @@ typedef enum
 
     CERTIFIER_MODE_PRINT_HELP = 65536,
 
+    CERTIFIER_MODE_SECTIGO_GET_CERT,
+
+    CERTIFIER_MODE_SECTIGO_SEARCH_CERT,
+
+    CERTIFIER_MODE_SECTIGO_RENEW_CERT,
+
+    CERTIFIER_MODE_SECTIGO_REVOKE_CERT,
+
+    CERTIFIER_MODE_SECTIGO_OCSP_STATUS,
+
     // 131072 is unused
 } CERTIFIER_MODE;
 

include/certifier/property.h

@@ -202,6 +202,38 @@ typedef enum CERTIFIER_OPT
      */
     CERTIFIER_OPT_MTLS_P12_PATH,
     CERTIFIER_OPT_MTLS_P12_PASSWORD,
+
+    CERTIFIER_OPT_SECTIGO_AUTH_TOKEN,
+    CERTIFIER_OPT_SECTIGO_COMMON_NAME,
+    CERTIFIER_OPT_SECTIGO_GROUP_NAME,
+    CERTIFIER_OPT_SECTIGO_GROUP_EMAIL,
+    CERTIFIER_OPT_SECTIGO_ID,
+    CERTIFIER_OPT_SECTIGO_OWNER_FIRST_NAME,
+    CERTIFIER_OPT_SECTIGO_OWNER_LAST_NAME,
+    CERTIFIER_OPT_SECTIGO_PROJECT_NAME,
+    CERTIFIER_OPT_SECTIGO_BUSINESS_JUSTIFICATION,
+    CERTIFIER_OPT_SECTIGO_SUBJECT_ALT_NAMES,
+    CERTIFIER_OPT_SECTIGO_OWNER_EMAIL,
+    CERTIFIER_OPT_SECTIGO_URL,
+    CERTIFIER_OPT_SECTIGO_DEVHUB_ID,
+    CERTIFIER_OPT_SECTIGO_VALIDITY_DAYS,
+    CERTIFIER_OPT_SECTIGO_KEY_TYPE,
+    CERTIFIER_OPT_SECTIGO_SERIAL_NUMBER,
+    CERTIFIER_OPT_SECTIGO_CERTIFICATE_ID,
+    CERTIFIER_OPT_SECTIGO_REQUESTOR_EMAIL,
+    CERTIFIER_OPT_SECTIGO_REVOCATION_REQUEST_REASON,
+    CERTIFIER_OPT_SECTIGO_STATUS,
+    CERTIFIER_OPT_SECTIGO_OFFSET,
+    CERTIFIER_OPT_SECTIGO_LIMIT,
+    CERTIFIER_OPT_SECTIGO_START_DATE,
+    CERTIFIER_OPT_SECTIGO_END_DATE,
+    CERTIFIER_OPT_SECTIGO_VALIDITY_START_DATE,
+    CERTIFIER_OPT_SECTIGO_VALIDITY_END_DATE,
+    CERTIFIER_OPT_SECTIGO_CERTIFICATE_ORDER,
+    CERTIFIER_OPT_SECTIGO_IS_CN_IN_SAN,
+    CERTIFIER_OPT_SECTIGO_REQUEST_TYPE,
+    CERTIFIER_OPT_SECTIGO_TIMESTAMP,
+    CERTIFIER_OPT_SECTIGO_CERT_PATH
 
 } CERTIFIER_OPT;
 

internal_headers/certifier/certifier.h

@@ -21,14 +21,17 @@
 
 #include "certifier/property.h"
 #include "certifier/types.h"
+#include "certifier/error.h"
+#include "certifier/property_internal.h"
+
+#define SMALL_STRING_SIZE 64
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /* CHUNK is the size of the memory chunk used by the zlib routines. */
 #define CHUNK 10000
-
 #define ALLOWABLE_CHARACTERS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnpqrstuvwxyz0123456879"
 
 #define CERTIFIER_ERR_INIT_CERTIFIER 1000
@@ -138,7 +141,23 @@ typedef enum
     CERTIFIER_LOG_FATAL
 } CertifierLogPriority;
 
-typedef struct Certifier Certifier;
+typedef struct Map
+{
+    char node_address[SMALL_STRING_SIZE];
+    char * base64_public_key;
+    unsigned char * der_public_key;
+    int der_public_key_len;
+    ECC_KEY * private_ec_key;
+    X509_CERT * x509_cert;
+} Map;
+
+typedef struct Certifier
+{
+    CertifierPropMap * prop_map;
+    Map tmp_map;
+    CertifierError last_error;
+    bool sectigo_mode;
+} Certifier;
 
 Certifier * certifier_new(void);
 
@@ -165,6 +184,8 @@ bool certifier_is_option_set(Certifier * certifier, int name);
  */
 int certifier_load_cfg_file(Certifier * certifier);
 
+int sectigo_load_cfg_file(Certifier * certifier);
+
 char * certifier_get_version(Certifier * certifier);
 
 /**
@@ -250,6 +271,10 @@ void certifier_print_certificate(Certifier * certifier, const char * pem, int pe
 
 void certifier_print_certificate_validity(Certifier * certifier);
 
+CertifierError sectigo_generate_certificate_signing_request(Certifier *certifier, char **out_csr_pem);
+
+CertifierPropMap * certifier_get_prop_map(Certifier * certifier);
+
 #ifdef __cplusplus
 }
 #endif

internal_headers/certifier/http.h

@@ -41,6 +41,7 @@ typedef struct http_response
 {
     const char * error_msg;
     const char * payload;
+    size_t payload_len;
     int http_code;
     int error;
 } http_response;
@@ -53,6 +54,8 @@ http_response * http_get(const CertifierPropMap * props, const char * url, const
 
 http_response * http_post(const CertifierPropMap * props, const char * url, const char * http_headers[], const char * body);
 
+http_response * http_put(const CertifierPropMap * props, const char * url, const char * http_headers[], const char * body);
+
 void http_free_response(http_response * resp);
 
 #ifdef __cplusplus

internal_headers/certifier/property_internal.h

@@ -49,6 +49,8 @@ typedef struct _PropMap CertifierPropMap;
  */
 CertifierPropMap * property_new(void);
 
+CertifierPropMap * property_new_sectigo(void);
+
 CertifierPropMap * property_ext(void);
 
 int property_destroy(CertifierPropMap * prop_map);
@@ -76,18 +78,29 @@ int property_set_ext(CertifierPropMap * prop_map);
 
 int property_set(CertifierPropMap * prop_map, CERTIFIER_OPT name, const void * value);
 
+int sectigo_property_set(CertifierPropMap * prop_map, int name, const void * value);
+
 int property_set_int(CertifierPropMap * prop_map, CERTIFIER_OPT name, int value);
 
 void * property_get(CertifierPropMap * prop_map, CERTIFIER_OPT name);
 
 int property_set_defaults_from_cfg_file(CertifierPropMap * propMap);
 
+int property_set_sectigo_defaults_from_cfg_file(CertifierPropMap * propMap);
+
 const char * get_default_cfg_filename();
 
 const char * get_default_ca_path();
 
 const char * get_default_ca_info();
 
+/**
+ * Validate if a key type string is a supported Sectigo key type.
+ * @param key_type The key type string to validate
+ * @return 1 if valid, 0 otherwise
+ */
+int is_valid_sectigo_key_type(const char * key_type);
+
 #ifdef __cplusplus
 }
 #endif

internal_headers/certifier/sectigo_client.h

@@ -0,0 +1,147 @@
+/**
+ * Copyright 2019 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef SECTIGO_CLIENT_H
+#define SECTIGO_CLIENT_H
+
+
+#include <certifier/types.h>
+#include <certifier/error.h>
+#include <certifier/property_internal.h>
+#include <certifier/certifier.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <pthread.h>
+
+extern pthread_mutex_t lock;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#define IMPULSE_URL "https://certs-dev.xpki.io/"
+typedef struct {
+    const char * auth_token;
+    const char * common_name;
+    const char * group_name;
+    const char * group_email;
+    const char * id;
+    const char * owner_first_name;
+    const char * owner_last_name;
+    const char * project_name;
+    const char * business_justification;
+    const char * subject_alt_names;
+    const char * owner_email;
+    const char * sectigo_url;
+    const char * devhub_id;
+    size_t validity_days;
+    const char * key_type;
+} sectigo_get_cert_param_t;
+
+typedef struct {
+    const char * auth_token;
+    const char * group_name;
+    const char * group_email;
+    const char * status;
+    const char * common_name;
+    const char * offset;
+    size_t limit;
+    const char * start_date;
+    const char * end_date;
+    size_t validity_start_date;
+    size_t validity_end_date;
+    const char * certificate_order;
+    const char * is_cn_in_san;
+    const char * request_type;
+    const char * timestamp;
+    const char * devhub_id;
+    const char * key_type;
+} sectigo_search_cert_param_t;
+
+typedef struct {
+    const char * auth_token;
+    const char * common_name;
+    const char * serial_number;
+    const char * certificate_id;
+    const char * requestor_email;
+} sectigo_renew_cert_param_t;
+
+typedef struct {
+    const char * auth_token;
+    const char * common_name;
+    const char * serial_number;
+    const char * certificate_id;
+    const char * requestor_email;
+    const char * revocation_request_reason;
+} sectigo_revoke_cert_param_t;
+
+typedef struct {
+    const char * certificate_path;
+} sectigo_ocsp_status_param_t;
+
+typedef enum {
+    SECTIGO_CLIENT_SUCCESS = 0,
+    SECTIGO_CLIENT_INVALID_ARGUMENT,
+    SECTIGO_CLIENT_NOT_IMPLEMENTED,
+    SECTIGO_CLIENT_ERROR_INTERNAL,
+
+} SECTIGO_CLIENT_ERROR_CODE;
+
+typedef enum {
+    SECTIGO_AUTH_X509,
+    SECTIGO_AUTH_SAT,
+} SECTIGO_AUTH_TYPE;
+
+CertifierError sectigo_client_request_certificate(CertifierPropMap * props, const unsigned char * csr,
+const char * node_address, const char * certifier_id, char ** out_cert);
+
+CertifierError sectigo_client_search_certificates(CertifierPropMap * props);
+
+CertifierError sectigo_client_renew_certificate(CertifierPropMap * props);
+
+CertifierError sectigo_client_revoke_certificate(CertifierPropMap * props);
+
+CertifierError sectigo_client_ocsp_status(CertifierPropMap * props);
+
+CertifierError sectigo_generate_certificate_signing_request(Certifier *certifier, char **out_csr_pem);
+
+Certifier * get_sectigo_certifier_instance();
+
+SECTIGO_CLIENT_ERROR_CODE xc_sectigo_get_cert(sectigo_get_cert_param_t * params);
+
+SECTIGO_CLIENT_ERROR_CODE xc_sectigo_search_cert(sectigo_search_cert_param_t * params);
+
+SECTIGO_CLIENT_ERROR_CODE xc_sectigo_renew_cert(sectigo_renew_cert_param_t * params);
+
+SECTIGO_CLIENT_ERROR_CODE xc_sectigo_revoke_cert(sectigo_revoke_cert_param_t * params);
+
+SECTIGO_CLIENT_ERROR_CODE xc_sectigo_ocsp_status(sectigo_ocsp_status_param_t * params);
+
+SECTIGO_CLIENT_ERROR_CODE xc_sectigo_get_default_cert_param(sectigo_get_cert_param_t * params);
+
+SECTIGO_CLIENT_ERROR_CODE xc_sectigo_get_default_renew_cert_param(sectigo_renew_cert_param_t * params);
+
+SECTIGO_CLIENT_ERROR_CODE xc_sectigo_get_default_revoke_cert_param(sectigo_revoke_cert_param_t * params);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

internal_headers/certifier/security.h

@@ -199,7 +199,7 @@ X509_CERT * security_cert_list_get(X509_LIST * certs, int which);
  */
 X509_CERT * security_cert_list_pop(X509_LIST * certs, int which);
 
-CertifierError security_load_certs_from_pem(const char * pem, X509_LIST ** out);
+CertifierError security_load_certs_from_pem(const char * pem, X509_LIST ** out, bool load_all_certs);
 
 void security_print_certs_in_list(X509_LIST * certs, XFILE output);