author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-10-28 20:30:32 +0000 |
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-10-28 20:30:32 +0000 |
commit | 34811f61a8a8b2628cfcb5350b86a172692393e3 (patch) | |
tree | 7253a657213abf2916985dcdc3fc714ea83f5f6d /pki/base/tps | |
parent | a8eaa96b2e0c1b029bc6d642b6fe79f71147ed76 (diff) | |
Bug 642084 - CC feature: Key Management -provide signature verification functions (TPS subsystem)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1446 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/tps')
-rw-r--r-- | pki/base/tps/doc/CS.cfg | 14 | ||||
-rw-r--r-- | pki/base/tps/src/engine/RA.cpp | 148 | ||||
-rw-r--r-- | pki/base/tps/src/include/engine/RA.h | 4 | ||||
-rw-r--r-- | pki/base/tps/src/include/engine/audit.h | 1 |
4 files changed, 165 insertions, 2 deletions
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 52e319261..c952a40c4 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -112,8 +112,8 @@ logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
 logging.audit.level=10
 logging.audit.logSigning=false
 logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
 logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
 logging.audit.buffer.size=512
 logging.audit.flush.interval=5
@@ -1549,3 +1549,13 @@ target.Authentication_Sources.pattern=auth\.instance\.$name\..*
 target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
 config.Generals.General.state=Enabled
 config.Generals.General.timestamp=1280283607424406
+tps._000=########################################
+tps._001=# For verifying system certificates
+tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
+tps._003=# tps.cert.sslserver.nickname=xxx
+tps._004=# tps.cert.sslserver.certusage=SSLServer
+tps._005=# tps.cert.subsystem.nickname=xxx
+tps._006=# tps.cert.subsystem.certusage=SSLClient
+tps._007=# tps.cert.audit_signing.nickname=xxx
+tps._008=# tps.cert.audit_signing.certusage=EmailSigner
+tps._009=########################################
diff --git a/pki/base/tps/src/engine/RA.cpp b/pki/base/tps/src/engine/RA.cpp
index 7f13710a2..ba898d787 100644
--- a/pki/base/tps/src/engine/RA.cpp
+++ b/pki/base/tps/src/engine/RA.cpp
@@ -38,6 +38,8 @@ extern "C"
 #include "plhash.h"
 #include "pk11func.h"
 #include "cert.h"
+#include "certt.h"
+#include "secerr.h"
 #include "tus/tus_db.h"
 #include "secder.h"
 #include "nss.h"
@@ -3157,3 +3159,149 @@ int RA::Failover(HttpConnection *&conn, int len) {
 }
 return rc;
 }
+
+TPS_PUBLIC SECCertificateUsage RA::getCertificateUsage(const char *certusage) {
+ SECCertificateUsage cu = 0;
+ if (strcmp(certusage, "SSLServer") == 0)
+ cu = certificateUsageSSLServer;
+ else if (strcmp(certusage, "SSLClient") == 0)
+ cu = certificateUsageSSLClient;
+ else if (strcmp(certusage, "AnyCA") == 0)
+ cu = certificateUsageAnyCA;
+ else if (strcmp(certusage, "EmailSigner") == 0)
+ cu = certificateUsageEmailSigner;
+
+ return cu;
+}
+
+TPS_PUBLIC bool RA::verifySystemCertByNickname(const char *nickname, const char *certusage) {
+ SECStatus rv = SECFailure;
+ CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
+ if (certdb == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "fatal error:%s", "cert db not found");
+ return false;
+ }
+ CERTCertificate *cert = NULL;
+ PR_ASSERT(certdb != NULL);
+ SECCertificateUsage cu = getCertificateUsage(certusage);
+ if (cu == 0) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "error: invalid certificate usage %s for cert %s", certusage, nickname);
+ return false;
+ }
+ SECCertificateUsage usage;
+
+ cert = CERT_FindCertByNickname(certdb, nickname);
+ if (cert == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "nickname not found:%s",
+ nickname);
+ } else {
+ rv = CERT_VerifyCertificateNow(certdb, cert, true, cu /*NULL*/, NULL, &usage);
+ /*
+ * to find actual certificate usage, pass NULL as cu in above call
+ if (usage & certificateUsageSSLServer)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServer");
+ if (usage & certificateUsageSSLClient)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLClient");
+ if (usage & certificateUsageAnyCA)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is AnyCA");
+ if (usage & certificateUsageEmailSigner)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is EmailSigner");
+ */
+ }
+
+ if (cert != NULL) {
+ CERT_DestroyCertificate(cert);
+ }
+ if (rv == SECSuccess)
+ return true;
+ else
+ return false;
+}
+
+/*
+ * tps.cert.list=sslserver,subsystem,audit_signing
+ * tps.cert.sslserver.nickname=xxx
+ * tps.cert.sslserver.certusage=SSLServer
+ * tps.cert.subsystem.nickname=xxx
+ * tps.cert.subsystem.certusage=SSLClient
+ * tps.cert.audit_signing.nickname=xxx
+ * tps.cert.audit_signing.certusage=EmailSigner
+ */
+TPS_PUBLIC bool RA::verifySystemCerts() {
+ bool rv = false;
+ char configname[256];
+ char configname_nn[256];
+ char configname_cu[256];
+ char audit_msg[512]="";
+ const char *certList = NULL;
+ ConfigStore *store = RA::GetConfigStore();
+
+ PR_snprintf((char *)configname, 256, "tps.cert.list");
+ certList = store->GetConfigAsString(configname);
+ if (certList == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "config not found:%s", configname);
+ PR_snprintf(audit_msg, 512, "%s undefined in CS.cfg", configname);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Failure", audit_msg);
+ return false;
+ } else {
+ char *certList_x = PL_strdup(certList);
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "found cert list:%s", certList_x);
+ char *sresult = NULL;
+ char *lasts = NULL;
+ const char *nn = NULL;
+ const char *cu = NULL;
+
+ sresult = PL_strtok_r(certList_x, ",", &lasts);
+ while (sresult != NULL) {
+ PR_snprintf((char *)configname_nn, 256, "tps.cert.%s.nickname",
+ sresult);
+ nn = store->GetConfigAsString(configname_nn);
+ if (nn == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "cert nickname not found for cert tag:%s", sresult);
+ PR_snprintf(audit_msg, 512, "%s undefined in CS.cfg", configname_nn);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Failure", audit_msg);
+ rv = false;
+ continue;
+ }
+ PR_snprintf((char *)configname_cu, 256, "tps.cert.%s.certusage",
+ sresult);
+ cu = store->GetConfigAsString(configname_cu);
+ if (cu == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "certificate usage not found for cert tag:%s", sresult);
+ PR_snprintf(audit_msg, 512, "%s undefined in CS.cfg", configname_cu);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Failure", audit_msg);
+ rv = false;
+ continue;
+ }
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "Verifying cert tag: %s, nickname:%s, certificate usage:%s"
+ , sresult, nn, cu);
+
+ rv = verifySystemCertByNickname(nn, cu);
+ if (rv == true) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "cert verification passed on cert nickname:%s", nn);
+ PR_snprintf(audit_msg, 512, "Certificate verification succeeded:%s",
+ nn);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Success", audit_msg);
+ } else {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "cert verification failed on cert nickname:%s", nn);
+ PR_snprintf(audit_msg, 512, "Certificate verification failed:%s",
+ nn);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Failure", audit_msg);
+ }
+ sresult = PL_strtok_r(NULL, ",", &lasts);
+ }
+
+ if (certList_x != NULL) {
+ PL_strfree(certList_x);
+ }
+ }
+
+ return rv;
+}
diff --git a/pki/base/tps/src/include/engine/RA.h b/pki/base/tps/src/include/engine/RA.h
index 34f62ad50..c5012441a 100644
--- a/pki/base/tps/src/include/engine/RA.h
+++ b/pki/base/tps/src/include/engine/RA.h
@@ -355,6 +355,10 @@ class RA
 static int InitializeHttpConnections(const char *id, int *len, HttpConnection **conn, RA_Context *ctx);
 static void CleanupPublishers();
 static int Failover(HttpConnection *&conn, int len);
+
+ TPS_PUBLIC static SECCertificateUsage getCertificateUsage(const char *certusage);
+ TPS_PUBLIC static bool verifySystemCertByNickname(const char *nickname, const char *certUsage);
+ TPS_PUBLIC static bool verifySystemCerts();
 };
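Review bot: The two `continue;` statements inside the `while (sresult != NULL)` loop of RA::verifySystemCerts never advance the tokenizer, so a missing `tps.cert.<tag>.nickname` or `tps.cert.<tag>.certusage` entry re-runs the same iteration forever, emitting the same Failure audit record each time. Separately, `rv` is overwritten on every iteration, so the function reports only the last tag's outcome: a tag that is unconfigured or fails verification earlier in `tps.cert.list` is masked whenever the final tag verifies, which defeats the purpose of a system-certificate check. I would drive the loop with a `for` whose step clause calls `PL_strtok_r(NULL, ",", &lasts)` so `continue` is safe, track an `all_ok` flag that is only ever cleared, and keep "no tag was checked" as a failure so an empty list cannot pass. As a minor point, `PR_ASSERT(certdb != NULL)` in RA::verifySystemCertByNickname is unreachable after the preceding NULL check and can be dropped.
```cpp
TPS_PUBLIC bool RA::verifySystemCerts() {
    bool all_ok = true;        // cleared on any failure, never set back
    bool checked_any = false;  // an empty tag list must not count as a pass
    // … unchanged: buffer declarations, tps.cert.list lookup and its failure path …
    } else {
        // … unchanged: PL_strdup(certList), "found cert list" debug log, locals …
        for (sresult = PL_strtok_r(certList_x, ",", &lasts);
             sresult != NULL;
             sresult = PL_strtok_r(NULL, ",", &lasts)) {
            // … unchanged: tps.cert.<tag>.nickname lookup …
            if (nn == NULL) {
                // … unchanged: debug log and Failure audit …
                all_ok = false;
                continue;  // the step clause still moves on to the next tag
            }
            // … unchanged: tps.cert.<tag>.certusage lookup …
            if (cu == NULL) {
                // … unchanged: debug log and Failure audit …
                all_ok = false;
                continue;
            }
            // … unchanged: "Verifying cert tag" debug log …
            bool ok = verifySystemCertByNickname(nn, cu);
            checked_any = true;
            if (!ok) {
                all_ok = false;
            }
            // … unchanged: per-cert Success/Failure debug log and audit, keyed on ok …
        }
        // … unchanged: PL_strfree(certList_x) …
    }
    return all_ok && checked_any;
}
```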
diff --git a/pki/base/tps/src/include/engine/audit.h b/pki/base/tps/src/include/engine/audit.h
index 647c14e85..f8b50de37 100644
--- a/pki/base/tps/src/include/engine/audit.h
+++ b/pki/base/tps/src/include/engine/audit.h
@@ -63,6 +63,7 @@
 */
 #define EV_AUDIT_LOG_STARTUP "AUDIT_LOG_STARTUP"
 #define EV_AUDIT_LOG_SHUTDOWN "AUDIT_LOG_SHUTDOWN"
+#define EV_CIMC_CERT_VERIFICATION "CIMC_CERT_VERIFICATION"
 #define EV_ROLE_ASSUME "ROLE_ASSUME"
 #define EV_ENROLLMENT "ENROLLMENT"
 #define EV_PIN_RESET "PIN_RESET"