From ff5773a47b7d7f1895cfc1c5b2f57857d25acde1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Sun, 13 Dec 2020 14:57:22 +0100
Subject: [PATCH] Add organization

Also fix a test.
---
 bin/cert_service_client.ml | 6 +++++-
 bin/cert_service_server.ml | 3 ++-
 lib/cert_service.ml | 15 ++++++++++-----
 test/test.ml | 37 +++++++++++++++++++++++++------------
 4 files changed, 42 insertions(+), 19 deletions(-)

diff --git a/bin/cert_service_client.ml b/bin/cert_service_client.ml
index f8df28f..6ca6cec 100644
--- a/bin/cert_service_client.ml
+++ b/bin/cert_service_client.ml
@@ -3,9 +3,13 @@ open Lwt.Syntax
 let sock_path = "/home/reynir/cert.sock"
 let version = `V1
 
+let organization = "HashBang"
+
 let csr user =
 let dn =
- X509.Distinguished_name.(Relative_distinguished_name.singleton (CN user)) in
+ X509.Distinguished_name.(
+ Relative_distinguished_name.singleton (CN user)
+ |> Relative_distinguished_name.add (O organization)) in
 let key : X509.Private_key.t =
 `RSA (Mirage_crypto_pk.Rsa.generate ~bits:2048 ()) in
 let csr = X509.Signing_request.create [dn] key in
diff --git a/bin/cert_service_server.ml b/bin/cert_service_server.ml
index 6eb0b42..5a03877 100644
--- a/bin/cert_service_server.ml
+++ b/bin/cert_service_server.ml
@@ -38,7 +38,8 @@ let main () =
 Mirage_crypto_rng_lwt.initialize ();
 let cacert = Rresult.R.get_ok (load_cacert (Fpath.v cacert_path)) in
 let cakey = Rresult.R.get_ok (load_cakey (Fpath.v cakey_path)) in
- let t = { Cert_service.host = "hashbang.sh"; cacert; cakey } in
+ let t = { Cert_service.host = "hashbang.sh";
+ organization = "HashBang"; cacert; cakey } in
 let server_fd = Lwt_unix.socket Unix.PF_UNIX Unix.SOCK_STREAM 0 in
 let old_umask = Unix.umask 0o011 in
 let () = try Unix.unlink sock_path
diff --git a/lib/cert_service.ml b/lib/cert_service.ml
index 01c7fc6..fa230b0 100644
--- a/lib/cert_service.ml
+++ b/lib/cert_service.ml
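Review bot: The new `organization` constant has to stay byte-identical to the `organization = "HashBang"` literal in bin/cert_service_server.ml, because the server's `check_csr_dn` compares the whole CSR subject with `X509.Distinguished_name.equal` and rejects the request on any difference, yet nothing in either file ties the two copies together. A comment on the added line would at least make the coupling visible: `(* Must match Cert_service.t.organization on the server: sign rejects any CSR whose subject differs from {CN=user, O=organization}. *)`. It is also worth noting in the same comment that `dn` is one multi-valued RDN holding both CN and O (the `add` call extends the RDN rather than appending a second one), since the server builds exactly that shape and the more common two-RDN form `[O=...; CN=...]` would be refused. The body of `csr` continues past the end of the hunk.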
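Review bot: The `organization = "HashBang"` literal inlined into the record is a second copy of the client's constant and, like the inlined `host` beside it, is security-relevant configuration: `sign` derives both the enforced CSR subject and the issued email from these fields, so drift between the two binaries makes the service silently refuse every request. Hoist it next to the other configuration values the hunk already reads (`cacert_path`, `cakey_path`, `sock_path`) as `let organization = "HashBang"  (* must match bin/cert_service_client.ml *)` and pun it in the record as `organization;`. `main`'s body continues outside the hunk.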
@@ -8,22 +8,27 @@ let wire_to_cstruct = Wire_asn.wire_to_cstruct
 
 type t = {
 host : string;
+ organization : string;
 cacert : X509.Certificate.t;
 cakey : X509.Private_key.t;
 }
 
-let check_csr_dn csr user =
- let subject =
- [X509.Distinguished_name.(Relative_distinguished_name.singleton (CN user))] in
+let check_csr_dn csr dn =
 if X509.Distinguished_name.equal
- subject
+ dn
 (X509.Signing_request.info csr).subject
 then Ok ()
 else R.error_msgf "Bad subject in csr: %a" X509.Distinguished_name.pp
 (X509.Signing_request.info csr).subject
 
 let sign t csr user =
- check_csr_dn csr user >>= fun () ->
+ let subject =
+ [X509.Distinguished_name.(
+ Relative_distinguished_name.singleton (CN user)
+ |> Relative_distinguished_name.add (O t.organization)
+ )]
+ in
+ check_csr_dn csr subject >>= fun () ->
 let issuer = X509.Certificate.subject t.cacert in
 let email = Printf.sprintf "%s@%s" user t.host in
 let valid_from = Ptime_clock.now () in
diff --git a/test/test.ml b/test/test.ml
index 125fc7e..22cfa51 100644
--- a/test/test.ml
+++ b/test/test.ml
@@ -8,9 +8,12 @@ let ca_privkey =
 lazy (`RSA (Mirage_crypto_pk.Rsa.generate ~bits:1024 ()))
 
-let dn_of_name name =
- [X509.(Distinguished_name.Relative_distinguished_name.singleton
- (CN name))]
+let organization = "Free Shell Servers, Inc."
+
+let dn_of_name ?(organization=organization) name =
+ let open X509.Distinguished_name in
+ let open Relative_distinguished_name in
+ [ singleton (CN name) |> add (O organization) ]
 
 let ca_cert =
 let gen_ca () =
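Review bot: With `check_csr_dn` reduced to a bare `X509.Distinguished_name.equal`, the entire subject guarantee now rests on `sign` building the right expected value, and that construction is duplicated verbatim in the client and as `dn_of_name` in the tests with nothing keeping the three in step; export a single constructor from this module and have `sign` (and the other two sites) call it. `check_csr_dn` also deserves a doc comment stating its limit, e.g. `(** [check_csr_dn csr dn] succeeds iff the subject of [csr] equals [dn]. Only the subject is compared; extensions requested by the CSR (SAN, basicConstraints) are not inspected here. *)` — whether `sign` copies CSR extensions into the certificate is outside the hunk and should be confirmed. Note too that `user` flows unchanged into the CN and, on the context line below, into `email`; if it is client-supplied rather than taken from the peer's credentials, the subject check only confirms the CSR repeats what the client said, so validation of `user` itself (no `@`, no control characters) still has to happen somewhere the caller can see. `sign`'s body continues outside the hunk.
```ocaml
(** [subject_of_user ~organization user] is the only subject [sign]
    will certify for [user]: one RDN holding CN=user and O=organization.
    Exported so the client and the tests build exactly the value that
    [check_csr_dn] is compared against. *)
let subject_of_user ~organization user =
  [X509.Distinguished_name.(
     Relative_distinguished_name.singleton (CN user)
     |> Relative_distinguished_name.add (O organization))]

(* … unchanged: check_csr_dn … *)

let sign t csr user =
  let subject = subject_of_user ~organization:t.organization user in
  check_csr_dn csr subject >>= fun () ->
  (* … unchanged: issuer, email, validity and signing … *)
```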
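Review bot: `dn_of_name` mirrors the subject shape `Cert_service.sign` enforces (a single RDN carrying both CN and O), but the `check_csr_dn` tests feed its output to both sides of the comparison, so they would keep passing if this helper and `sign` ever drifted apart; presumably only the `good_sign`/`bad_sign` tests, whose bodies are not in this hunk, exercise the real pairing. A comment above the helper would make that limitation explicit: `(* Must build the same single-RDN {CN, O} subject as Cert_service.sign; the check_csr_dn tests only compare this against itself. *)`. Shadowing the module-level `organization` with an optional argument of the same name works but reads oddly; `?(org = organization)` would be clearer.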
@@ -49,37 +52,46 @@ let csr subject =
 (Lazy.force csr_privkey)
 
 let check_csr_dn_good () =
- let name = "reynir" in
- let csr = csr (dn_of_name name) in
+ let subject = dn_of_name "reynir" in
+ let csr = csr subject in
 Alcotest.(check @@ result unit Alcotest.reject)
 "good dn in csr"
 (Ok ())
 (Cert_service.check_csr_dn
- csr name)
+ csr subject)
 
 let check_csr_dn_different () =
- let name = "reynir" in
- let csr = csr (dn_of_name name) in
- match Cert_service.check_csr_dn csr "notreynir" with
+ let subject = dn_of_name "reynir" in
+ let csr = csr subject in
+ match Cert_service.check_csr_dn csr (dn_of_name "notreynir") with
+ | Ok () -> Alcotest.fail "check succeeded, expected failure"
+ | Error (`Msg _) -> ()
+
+let check_csr_dn_diff_org () =
+ let subject = dn_of_name ~organization:"Evil Corp" "reynir" in
+ let csr = csr subject in
+ match Cert_service.check_csr_dn csr (dn_of_name "reynir") with
 | Ok () -> Alcotest.fail "check succeeded, expected failure"
 | Error (`Msg _) -> ()
 
 let check_csr_dn_extra () =
- let name = "reynir" in
- let csr = csr (dn_of_name name @ dn_of_name "bob") in
- match Cert_service.check_csr_dn csr "notreynir" with
+ let subject = dn_of_name "reynir" in
+ let csr = csr (subject @ dn_of_name "bob") in
+ match Cert_service.check_csr_dn csr (dn_of_name "reynir") with
 | Ok () -> Alcotest.fail "check succeeded, expected failure"
 | Error (`Msg _) -> ()
 
 let check_csr_tests = [
 "check_csr_dn_good", `Quick, check_csr_dn_good;
 "check_csr_dn_different", `Quick, check_csr_dn_different;
+ "check_csr_dn_diff_org", `Quick, check_csr_dn_diff_org;
 "check_csr_dn_extra", `Quick, check_csr_dn_extra;
 ]
 
 let good_sign () =
 let t = { Cert_service.host = "example.com";
+ organization;
 cacert = Lazy.force ca_cert;
 cakey = Lazy.force ca_privkey;
 }
@@ -93,6 +105,7 @@ let good_sign () =
 
 let bad_sign () =
 let t = { Cert_service.host = "example.com";
+ organization;
 cacert = Lazy.force ca_cert;
 cakey = Lazy.force ca_privkey;
 }
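Review bot: `check_csr_dn_extra` rejects an extra RDN appended after the subject, but no test covers an extra attribute inside the single RDN the client actually builds (CN plus O plus, say, OU), which is the shape a modified client would most naturally send; `Relative_distinguished_name.add` makes that case a one-liner. A case-variant CN (`"Reynir"` against `dn_of_name "reynir"`) is worth pinning as well, because whether `X509.Distinguished_name.equal` is case-sensitive decides whether a user can obtain a certificate, and the matching email, for a differently-cased name — I am not certain of the library's behaviour here, which is exactly why a test should fix it. Proposed addition, registered in `check_csr_tests` next to the others:
```ocaml
let check_csr_dn_extra_attr () =
  let open X509.Distinguished_name in
  let open Relative_distinguished_name in
  let subject =
    [ singleton (CN "reynir") |> add (O organization) |> add (OU "staff") ] in
  let csr = csr subject in
  match Cert_service.check_csr_dn csr (dn_of_name "reynir") with
  | Ok () -> Alcotest.fail "check succeeded, expected failure"
  | Error (`Msg _) -> ()

(* … in check_csr_tests … *)
  "check_csr_dn_extra_attr", `Quick, check_csr_dn_extra_attr;
```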