From bf260e575a563a63f794dfb07fcf21000194226f Mon Sep 17 00:00:00 2001
From: Heiko Reese <heiko.reese@kit.edu>
Date: Thu, 20 Mar 2025 01:28:26 +0100
Subject: [PATCH] fix: better detection of issuing CA

---
 misc.go                | 111 +++++++++++++++++++++++------------------
 redirect.go            |   6 +--
 searchablecert.go      |  12 ++---
 testing/Format/main.go |  16 ------
 4 files changed, 69 insertions(+), 76 deletions(-)
 delete mode 100644 testing/Format/main.go

diff --git a/misc.go b/misc.go
index 2a03bb3..8f10865 100644
--- a/misc.go
+++ b/misc.go
@@ -1,59 +1,22 @@
 package websearch
 
 import (
+	"bytes"
 	"crypto/x509"
+	"embed"
+	_ "embed"
 	"encoding/asn1"
 )
 
-var (
-	kitcag1 = "kit-ca-g1"
-	kitcag2 = "kit-ca-g2"
-	sectigo = "geant-tcs-sectigo"
-	unknown = "unknown"
-
-	// RawIssuerG1 C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, OU=Steinbuch Centre for Computing, CN=KIT-CA/emailAddress=ca@kit.edu
-	RawIssuerG1 = []byte{
-		0x30, 0x81, 0xbf, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x44, 0x45,
-		0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x12, 0x42, 0x61, 0x64, 0x65, 0x6e,
-		0x2d, 0x57, 0x75, 0x65, 0x72, 0x74, 0x74, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x67, 0x31, 0x12, 0x30,
-		0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x4b, 0x61, 0x72, 0x6c, 0x73, 0x72, 0x75, 0x68,
-		0x65, 0x31, 0x2a, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x21, 0x4b, 0x61, 0x72, 0x6c,
-		0x73, 0x72, 0x75, 0x68, 0x65, 0x20, 0x49, 0x6e, 0x73, 0x74, 0x69, 0x74, 0x75, 0x74, 0x65, 0x20,
-		0x6f, 0x66, 0x20, 0x54, 0x65, 0x63, 0x68, 0x6e, 0x6f, 0x6c, 0x6f, 0x67, 0x79, 0x31, 0x27, 0x30,
-		0x25, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1e, 0x53, 0x74, 0x65, 0x69, 0x6e, 0x62, 0x75, 0x63,
-		0x68, 0x20, 0x43, 0x65, 0x6e, 0x74, 0x72, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x43, 0x6f, 0x6d,
-		0x70, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
-		0x06, 0x4b, 0x49, 0x54, 0x2d, 0x43, 0x41, 0x31, 0x19, 0x30, 0x17, 0x06, 0x09, 0x2a, 0x86, 0x48,
-		0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0a, 0x63, 0x61, 0x40, 0x6b, 0x69, 0x74, 0x2e, 0x65,
-		0x64, 0x75,
-	}
-
-	// RawIssuerG2 C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, CN=KIT-CA
-	RawIssuerG2 = []byte{
-		0x30, 0x7b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x44, 0x45, 0x31,
-		0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x12, 0x42, 0x61, 0x64, 0x65, 0x6e, 0x2d,
-		0x57, 0x75, 0x65, 0x72, 0x74, 0x74, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x67, 0x31, 0x12, 0x30, 0x10,
-		0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x4b, 0x61, 0x72, 0x6c, 0x73, 0x72, 0x75, 0x68, 0x65,
-		0x31, 0x2a, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x21, 0x4b, 0x61, 0x72, 0x6c, 0x73,
-		0x72, 0x75, 0x68, 0x65, 0x20, 0x49, 0x6e, 0x73, 0x74, 0x69, 0x74, 0x75, 0x74, 0x65, 0x20, 0x6f,
-		0x66, 0x20, 0x54, 0x65, 0x63, 0x68, 0x6e, 0x6f, 0x6c, 0x6f, 0x67, 0x79, 0x31, 0x0f, 0x30, 0x0d,
-		0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x06, 0x4b, 0x49, 0x54, 0x2d, 0x43, 0x41,
-	}
-
-	// RawIssuerSectigo CN=GEANT Personal CA 4, O=GEANT Vereniging, C=NL
-	RawIssuerSectigo = []byte{
-		0x30, 0x46, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31,
-		0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x10, 0x47, 0x45, 0x41, 0x4e, 0x54, 0x20,
-		0x56, 0x65, 0x72, 0x65, 0x6e, 0x69, 0x67, 0x69, 0x6e, 0x67, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03,
-		0x55, 0x04, 0x03, 0x13, 0x13, 0x47, 0x45, 0x41, 0x4e, 0x54, 0x20, 0x50, 0x65, 0x72, 0x73, 0x6f,
-		0x6e, 0x61, 0x6c, 0x20, 0x43, 0x41, 0x20, 0x34,
-	}
+//go:embed certs/*.der
+var CertsFS embed.FS
 
-	RawIssuers = map[string][]byte{
-		kitcag1: RawIssuerG1,
-		kitcag2: RawIssuerG2,
-		sectigo: RawIssuerSectigo,
-	}
+var (
+	CAIdentifierKITCAG1 = "kit-ca-g1"
+	CAIdentifierKITCAG2 = "kit-ca-g2"
+	CAIdentifierSectigo = "geant-tcs-sectigo"
+	CAIdentifierHARICA  = "geant-tcs-harica"
+	CAIdentifierUnknown = "unknown"
 )
 
 var (
@@ -74,3 +37,55 @@ var (
 	}
 	oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
 )
+
+var CertificateIssuer = make(map[string][][]byte)
+
+func init() {
+	certs := map[string][]string{
+		CAIdentifierKITCAG1: {
+			"certs/KIT-CA-G1.der",
+		},
+		CAIdentifierKITCAG2: {
+			"certs/KIT-CA-G2.der",
+		},
+		CAIdentifierSectigo: {
+			"certs/GEANT-Personal-CA-4.der",
+			"certs/GEANT-Personal-ECC-CA-4.der",
+			"certs/GEANT-eScience-Personal-CA-4.der",
+			"certs/GEANT-eScience-Personal-ECC-CA-4.der",
+		},
+		CAIdentifierHARICA: {
+			"certs/HARICA-GEANT-SMIME-E1.der",
+			"certs/HARICA-GEANT-SMIME-R1.der",
+			"certs/HARICA-Client-Root-2021-ECC.der",
+			"certs/HARICA-Client-Root-2021-RSA.der",
+		},
+	}
+	// read the certificate subjects from all relevant CAs
+	for ca, files := range certs {
+		CertificateIssuer[ca] = make([][]byte, 0, len(files))
+		for _, filename := range files {
+			file, err := CertsFS.ReadFile(filename)
+			if err != nil {
+				panic(err)
+			}
+			c, err := x509.ParseCertificate(file)
+			if err != nil {
+				panic(err)
+			}
+			CertificateIssuer[ca] = append(CertificateIssuer[ca], c.RawSubject)
+		}
+	}
+}
+
+// GetCertificateIssuer returns the issuer subject identifier for the given certificate
+func GetCertificateIssuer(cert *x509.Certificate) *string {
+	for ca, subjects := range CertificateIssuer {
+		for _, subject := range subjects {
+			if bytes.Contains(cert.RawIssuer, subject) {
+				return &ca
+			}
+		}
+	}
+	return &CAIdentifierUnknown
+}
diff --git a/redirect.go b/redirect.go
index de34faa..41e3bcf 100644
--- a/redirect.go
+++ b/redirect.go
@@ -35,17 +35,17 @@ func GetIssuer(serial string, ccache *CertCache) (string, error) {
 	}
 	// alte CA (kurze nummern, serial kleiner als erstes g2)
 	if len(serial) == 8 || len(serial) == 14 || sernum.Cmp(&serialG2First) < 1 {
-		return kitcag1, nil
+		return CAIdentifierKITCAG1, nil
 	}
 	// neue CA (seriennummer größer als letztes g1)
 	if sernum.Cmp(&serialG1Final) == 1 {
-		return kitcag2, nil
+		return CAIdentifierKITCAG2, nil
 	}
 	// check certificate cache
 	fromcache := ccache.Get(serial)
 	if fromcache == nil {
 		// don't know? assume G2
-		return kitcag2, nil
+		return CAIdentifierKITCAG2, nil
 		//return "", errorUnknownCA
 	}
 	return *fromcache.CAGeneration, nil
diff --git a/searchablecert.go b/searchablecert.go
index 14300cc..77ab0e4 100644
--- a/searchablecert.go
+++ b/searchablecert.go
@@ -460,15 +460,9 @@ func CertToSearchable(c *x509.Certificate) SearchableCert {
 	default:
 		cert.KeyLength = -1
 	}
-	if bytes.Compare(c.RawIssuer, RawIssuerG1) == 0 {
-		cert.CAGeneration = &kitcag1
-	} else if bytes.Compare(c.RawIssuer, RawIssuerG2) == 0 {
-		cert.CAGeneration = &kitcag2
-	} else if bytes.Compare(c.RawIssuer, RawIssuerSectigo) == 0 {
-		cert.CAGeneration = &sectigo
-	} else {
-		cert.CAGeneration = &unknown
-	}
+
+	// find issuing CA
+	cert.CAGeneration = GetCertificateIssuer(c)
 
 	// add serials
 	cert.FingerprintSHA1 = fmt.Sprintf("0x%x", sha1.Sum(c.Raw))
diff --git a/testing/Format/main.go b/testing/Format/main.go
deleted file mode 100644
index d8e64be..0000000
--- a/testing/Format/main.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package main
-
-import (
-	"flag"
-	"github.com/k0kubun/pp"
-	. "gitlab.kit.edu/kit/kit-ca/lib/certificatestats"
-)
-
-func main() {
-	flag.Parse()
-	all := ReadCertificates(flag.Args()...)
-
-	for _, c := range all {
-		pp.Print(CertToSearchable(c))
-	}
-}
-- 
GitLab