OpenPrinting / libcups

OpenPrinting CUPS Library Sources
https://openprinting.github.io/cups/cups3.html
Apache License 2.0

Expand server certificate APIs #53

Closed michaelrsweet closed 1 year ago

michaelrsweet commented 1 year ago

Address the following deficiencies:

michaelrsweet commented 1 year ago

Doing development in x509 branch....

michaelrsweet commented 1 year ago

Proposed API:

typedef enum cups_credtype_e        // X.509 credential types for @link cupsMakeServerCredentials@, @link cupsMakeServerKey@, and @link cupsMakeServerRequest@
{
  CUPS_CREDTYPE_DEFAULT,        // Default type
  CUPS_CREDTYPE_RSA_2048_SHA256,    // RSA with 2048-bit keys and SHA-256 hash
  CUPS_CREDTYPE_RSA_3072_SHA256,    // RSA with 3072-bit keys and SHA-256 hash
  CUPS_CREDTYPE_RSA_4096_SHA256,    // RSA with 4096-bit keys and SHA-256 hash
  CUPS_CREDTYPE_ECDSA_P256_SHA256,  // ECDSA using the P-256 curve with SHA-256 hash
  CUPS_CREDTYPE_ECDSA_P384_SHA256,  // ECDSA using the P-384 curve with SHA-256 hash
  CUPS_CREDTYPE_ECDSA_P521_SHA256   // ECDSA using the P-521 curve with SHA-256 hash
} cups_credtype_t;

extern char     *cupsCopyServerCredentials(const char *path, const char *common_name) _CUPS_PUBLIC;
extern char     *cupsCopyServerKey(const char *path, const char *common_name) _CUPS_PUBLIC;
extern char     *cupsCopyServerRequest(const char *path, const char *common_name) _CUPS_PUBLIC;
extern bool     cupsMakeServerCredentials(const char *path, cups_credtype_t type, const char *organization, const char *org_unit, const char *locality, const char *state_province, const char *country, const char *root_name, bool ca_cert, const char *common_name, size_t num_alt_names, const char **alt_names, time_t expiration_date) _CUPS_PUBLIC;
extern bool     cupsMakeServerKey(const char *path, cups_credtype_t type) _CUPS_PUBLIC;
extern bool     cupsMakeServerRequest(const char *path, cups_credtype_t type, const char *organization, const char *org_unit, const char *locality, const char *state_province, const char *country, const char *common_name, size_t num_alt_names, const char **alt_names) _CUPS_PUBLIC;
extern bool     cupsSaveServerCredentials(const char *path, const char *common_name, const char *credentials, const char *key) _CUPS_PUBLIC;
extern bool     cupsSignServerRequest(const char *path, const char *root_name, const char *common_name, time_t expiration_date) _CUPS_PUBLIC;

michaelrsweet commented 1 year ago

Alternate naming:

char *cupsCopyCredentialsCertificate(const char *path, const char *common_name) _CUPS_PUBLIC;
char *cupsCopyCredentialsKey(const char *path, const char *common_name) _CUPS_PUBLIC;
char *cupsCopyCredentialsRequest(const char *path, const char *common_name) _CUPS_PUBLIC;
bool cupsCreateCredentials(… arguments …) _CUPS_PUBLIC;
bool cupsCreateCredentialsRequest(… arguments …) _CUPS_PUBLIC;
bool cupsSaveCredentialsCertificate(const char *path, const char *common_name, const char *value) _CUPS_PUBLIC;
bool cupsSaveCredentialsKey(const char *path, const char *common_name, const char *value) _CUPS_PUBLIC;
bool cupsSignCredentialsRequest(const char *path, const char *common_name, const char *root_name, const char *request, time_t expiration_date) _CUPS_PUBLIC;

michaelrsweet commented 1 year ago

Also look at exposing certificate usage beyond CA vs TLS server - would be nice to cover (code)signing and client identity uses.

michaelrsweet commented 1 year ago

enum cups_credusage_e           // X.509 keyUsage flags
{
  CUPS_CREDUSAGE_DIGITAL_SIGNATURE = 0x001, // digitalSignature
  CUPS_CREDUSAGE_NON_REPUDIATION = 0x002,   // nonRepudiation/contentCommitment
  CUPS_CREDUSAGE_KEY_ENCIPHERMENT = 0x004,  // keyEncipherment
  CUPS_CREDUSAGE_DATA_ENCIPHERMENT = 0x008, // dataEncipherment
  CUPS_CREDUSAGE_KEY_AGREEMENT = 0x010,     // keyAgreement
  CUPS_CREDUSAGE_KEY_CERT_SIGN = 0x020,     // keyCertSign
  CUPS_CREDUSAGE_CRL_SIGN = 0x040,          // cRLSign
  CUPS_CREDUSAGE_ENCIPHER_ONLY = 0x080,     // encipherOnly
  CUPS_CREDUSAGE_DECIPHER_ONLY = 0x100,     // decipherOnly
  CUPS_CREDUSAGE_DEFAULT_CA = 0x061,        // Defaults for CA certs
  CUPS_CREDUSAGE_DEFAULT_TLS = 0x005        // Defaults for TLS certs
};
typedef unsigned cups_credusage_t;  // Combined X.509 keyUsage flags
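As an added example (not code from this issue or from libcups), the C below shows what the proposed keyUsage flags become on the wire: each flag bit N is ASN.1 bit N of the RFC 5280 KeyUsage BIT STRING, which DER packs MSB-first and trims of trailing zero bits, so DEFAULT_TLS (0x005) encodes as `03 02 05 A0` and DEFAULT_CA (0x061) as `03 02 01 86`. It also lints a requested usage against the `ca_cert` flag of the proposed cupsMakeServerCredentials; `cups_credusage_to_der` and `cups_credusage_is_consistent` are hypothetical helper names, not part of the proposed API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
enum cups_credusage_e                 // Mirror of the flags proposed in the issue above
{
  CUPS_CREDUSAGE_DIGITAL_SIGNATURE = 0x001, CUPS_CREDUSAGE_NON_REPUDIATION = 0x002,
  CUPS_CREDUSAGE_KEY_ENCIPHERMENT = 0x004, CUPS_CREDUSAGE_DATA_ENCIPHERMENT = 0x008,
  CUPS_CREDUSAGE_KEY_AGREEMENT = 0x010, CUPS_CREDUSAGE_KEY_CERT_SIGN = 0x020,
  CUPS_CREDUSAGE_CRL_SIGN = 0x040, CUPS_CREDUSAGE_ENCIPHER_ONLY = 0x080,
  CUPS_CREDUSAGE_DECIPHER_ONLY = 0x100,
  CUPS_CREDUSAGE_DEFAULT_CA = 0x061, CUPS_CREDUSAGE_DEFAULT_TLS = 0x005
};
typedef unsigned cups_credusage_t;
// Hypothetical helper: encode flags as a DER KeyUsage BIT STRING (tag, length,
// unused-bits octet, payload). Returns bytes written, or 0 on bad input/short buffer.
size_t cups_credusage_to_der(cups_credusage_t usage, unsigned char *out, size_t outlen)
{
  unsigned char payload[2] = {0, 0};
  int           highest = -1;
  if (usage == 0 || (usage >> 9) != 0)      // empty set or bits outside the 9 defined ones
    return (0);
  for (int bit = 0; bit < 9; bit ++)
  {
    if (usage & (1u << bit))
    {
      payload[bit / 8] |= (unsigned char)(0x80 >> (bit % 8)); // ASN.1 bit N is MSB-first
      highest = bit;
    }
  }
  size_t nbytes = (size_t)(highest / 8 + 1);
  if (outlen < 3 + nbytes)
    return (0);
  out[0] = 0x03;                            // BIT STRING tag
  out[1] = (unsigned char)(1 + nbytes);     // length: unused-bits octet + payload
  out[2] = (unsigned char)(7 - highest % 8); // DER drops trailing zero bits
  memcpy(out + 3, payload, nbytes);
  return (3 + nbytes);
}
// Hypothetical helper: does the requested usage fit the ca_cert flag and RFC 5280 rules?
bool cups_credusage_is_consistent(cups_credusage_t usage, bool ca_cert)
{
  bool cert_sign = (usage & CUPS_CREDUSAGE_KEY_CERT_SIGN) != 0;
  bool only_bits = (usage & (CUPS_CREDUSAGE_ENCIPHER_ONLY | CUPS_CREDUSAGE_DECIPHER_ONLY)) != 0;
  if (cert_sign != ca_cert)                 // keyCertSign requires cA=TRUE; DEFAULT_CA carries it
    return (false);
  if (only_bits && !(usage & CUPS_CREDUSAGE_KEY_AGREEMENT))
    return (false);                         // encipherOnly/decipherOnly are undefined without keyAgreement
  return (true);
}
```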
michaelrsweet commented 1 year ago

enum cups_credpurpose_e         // X.509 credential purposes
{
  CUPS_CREDPURPOSE_SERVER_AUTH = 0x01,      // serverAuth
  CUPS_CREDPURPOSE_CLIENT_AUTH = 0x02,      // clientAuth
  CUPS_CREDPURPOSE_CODE_SIGNING = 0x04,     // codeSigning
  CUPS_CREDPURPOSE_EMAIL_PROTECTION = 0x08, // emailProtection
  CUPS_CREDPURPOSE_TIME_STAMPING = 0x10,    // timeStamping
  CUPS_CREDPURPOSE_OCSP_SIGNING = 0x20      // OCSPSigning
};
typedef unsigned cups_credpurpose_t;    // Combined X.509 credential purposes
michaelrsweet commented 1 year ago

This is mostly done for OpenSSL... Working on GNU TLS version...

michaelrsweet commented 1 year ago

The rest of OpenSSL is done, still need to sign/validate X.509 requests for GNU TLS.

michaelrsweet commented 1 year ago

And the GNU TLS code seems to be passing the tests, now. Finishing up documentation changes and then I'll merge.