• Software
• Gigi

Gigi / New Software

After waiting for a new approach to our software development with birdshack for many years a team of developers started a new attempt in mid-2014 to rewrite the software. This became necessary as maintaining the grown source code of the existing system became a tough challenge. The internal code names for the various parts of the new software are based on the characters of the Michael Ende's novel MOMO. Based on the story we are calling our web front end Gigi, as - like in the story - it leads your way. Cassiopeia on the other hand is a wise, trusty turtle with a hard shell to protect its secrets and thus the perfect name for our signer. Some information about the new software is / will be published in a blog series in 2015

1. Rewriting the software driving our site

2. Modernising the Web Frontend

3. The Heart of Gold

Gigi - the new front end

One aim of the rewrite is to get a more scaleable and secure data structure.

The database will be migrated from MySQL to PostgreSQL. While changing the database a stronger protection of the stored information is introduced by encrypting both at database level and at record level.

The front end will be written using Java using OpenJDK 8.

Some of the new features are

• Separation of business logic and HTML output generation
• An RESTful API for easy automation of certificate issuance
• New URL structure
• Stronger password storage using Scrypt-SHA2
• Stronger and more flexible authentication mechanisms
• Content Security Policy (CSP)
• New domain registration and continuous verification of ownership/control
• New and more flexible certificate issuing process
• Improved layout and User Interface

Current sources

Source code: https://github.com/CAcertOrg/cacert-gigi - holds the completely reviewed parts; recent development can be found at the fork of yellowant in the network connections.

Use cases: The use cases are documentet in https://github.com/felixdoerre/cacert-gigi-usecases

Coverity report for Gigi.

Cassiopeia - the new signer

The signer will be rewritten in C++. It is designed so its cryptography back end can easily be exchanged for other implementations. With this new implementation additional hardening has been applied to strengthen the protections of the signing keys.

Some of the new features are:

• new way to deal with certificate revocation lists (CRL files)

• new root structure according to the New Root and Escrow (NRE) project

• allow for change of used crypto backend for another one. e.g OpenSSL, LibreSSL, GnuTLS, libNSS, NaCl, CyaSSL/WolffSSL, PolarSSL/embedSSL

• Several security enhancements

Current sources

Source code: https://github.com/CAcertOrg/cacert-cassiopeia - holds the completely reviewed parts; recent development can be found at the fork of yellowant in the network connections

Coverity reports for Cassiopeia.

Additional projects

The software team applied for the Google Summer of Code 2015 with 3 sub projects for the new software:

• Rewrite of the OpenPGP functionality from scratch
• Writing a Multi-Factor Authentication and Authorisation for Gigi
• Several UI Improvements

Technology used

Code language: Java using OpenJDK 8 and C++11

Developing platform: Eclipse Luna, mostly on Debian/Linux (other OS like MacOSX and WinNT work, but are not the target platform)

Database: PostgreSQL 9.5 or newer

Web server: Jetty 9.3 or newer

Continuous testing: CppCheck to check C++ code, FindBugs to check Java code, Jenkins as continuous integration tool (currently about 250+ tests), Coverity Scan static analysing tool for C++ and Java code.

Documentation: UML, JavaDoc, DoxyGen

Testing

Information for tester can be find tester welcome pack

Future projects

For the future the software team has these projects in mind:

• time stamping service (code name Hora)
• OCSP solution

Input and thoughts

(add your ideas here)

• CategorySoftware