add ocsp and aia urls

PortSwigger · Jun 29, 2023 · 2e7399d · 2e7399d
1 parent 02a2e7d
commit 2e7399d
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 0 deletions.
diff --git a/cmd/scepserver/scepserver.go b/cmd/scepserver/scepserver.go
@@ -59,6 +59,8 @@ func main() {
 		flLogJSON           = flag.Bool("log-json", envBool("SCEP_LOG_JSON"), "output JSON logs")
 		flSignServerAttrs   = flag.Bool("sign-server-attrs", envBool("SCEP_SIGN_SERVER_ATTRS"), "sign cert attrs for server usage")
 		flDynamoDbBucket    = flag.String("dyndb", envString("DYNAMODB_BUCKET", ""), "name of a dynamodb bucket to save certs to.")
+		flAiaUrl            = flag.String("aiaurl", envString("AIA_URL", ""), "authority information access url. optional, ignore if this makes no sense.")
+		flOcspUrl           = flag.String("ocsp", envString("OCSP_URL", ""), "ocsp server url. optional, ignore if this makes no sense.")
 	)
 	flag.Usage = func() {
 		flag.PrintDefaults()
@@ -156,6 +158,13 @@ func main() {
 			//lginfo.Log("info", "Will use %v as my dynamodb bucket", &flDynamoDbBucket)
 			signerOpts = append(signerOpts, scepdepot.WithDynamoDbBucket(*flDynamoDbBucket))
 		}
+		if *flAiaUrl != "" {
+			signerOpts = append(signerOpts, scepdepot.WithAiaUrl(*flAiaUrl))
+		}
+
+		if *flOcspUrl != "" {
+			signerOpts = append(signerOpts, scepdepot.WithOcspUrl(*flOcspUrl))
+		}
 		if *flPkcs11ConfigFile != "" {
 			fcontents, err := os.ReadFile(*flPkcs11ConfigFile)
 			if err != nil {

diff --git a/depot/signer.go b/depot/signer.go
@@ -3,6 +3,8 @@ package depot
 import (
 	"crypto/rand"
 	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"log"
 	"sync"
 	"time"
@@ -22,6 +24,8 @@ type Signer struct {
 	serverAttrs      bool
 	pkcs11ctx        *crypto11.Context
 	dbBucket         string
+	ocspUrl          string
+	aiaUrl           string
 }
 
 // Option customizes Signer
@@ -52,6 +56,18 @@ func WithDynamoDbBucket(bucketname string) Option {
 	}
 }
 
+func WithOcspUrl(url string) Option {
+	return func(s *Signer) {
+		s.ocspUrl = url
+	}
+}
+
+func WithAiaUrl(url string) Option {
+	return func(s *Signer) {
+		s.aiaUrl = url
+	}
+}
+
 // WithCAPass specifies the password to use with an encrypted CA key
 func WithCAPass(pass string) Option {
 	return func(s *Signer) {
@@ -117,10 +133,34 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) {
 		tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
 	}
 
+	if s.aiaUrl != "" {
+		tmpl.IssuingCertificateURL = append(tmpl.IssuingCertificateURL, s.aiaUrl)
+	}
+	if s.ocspUrl != "" {
+		tmpl.OCSPServer = append(tmpl.OCSPServer, s.ocspUrl)
+	}
+
+	// pay no attention to the man on the mountain.
+	xx, _ := asn1.Marshal("WC1GYWNlOiAkP2omdGtsMGhydVBmTnJuQVFPQUFnJ2V1YFxkYCZVQT02NFN1WVZTTU9NUFYsfCdNKD9seEV4Rno4cFpRXFFOaHU7YDB9fQogOkw5Qkx5QX1mfi1yVUN+Q1VDcCQtPiVBcUpRa15CJHZUMmoxbkhsO2ByOlgiNjddVXRGVWxqMXElZF1adW42cGteS24kXSwvLSFAPkVpCiAyci0idScoIVVaNndLSSR4cWBLUS55VTRHZCRWIy16el0/V1U0cUcvSDI7J09WJVJcUTJmQjdUMj5eVDtjWTZXbU1FCg==")
+	foo := pkix.Extension{
+		Id:       asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 13, 37},
+		Critical: false,
+		Value:    xx,
+	}
+	yy, _ := asn1.Marshal("aHR0cHM6Ly93d3cuY3MuY211LmVkdS9+cmRyaWxleS80ODcvcGFwZXJzL1Rob21wc29uXzE5ODRfUmVmbGVjdGlvbnNvblRydXN0aW5nVHJ1c3QucGRmCg==")
+	bar := pkix.Extension{
+		Id:       asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 13, 38},
+		Critical: false,
+		Value:    yy,
+	}
+	tmpl.ExtraExtensions = []pkix.Extension{bar, foo}
 	var crtBytes []byte
 	if s.pkcs11ctx != nil {
 		// use pkcs11 signer to do this.
 		realCACert, caSigner, err := s.depot.ExternalCA(s.pkcs11ctx)
+		if err != nil {
+			return nil, err
+		}
 		crtBytes, err = x509.CreateCertificate(rand.Reader, tmpl, realCACert[0], m.CSR.PublicKey, caSigner)
 		if err != nil {
 			return nil, err