authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-10-28 20:30:32 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-10-28 20:30:32 +0000
commit34811f61a8a8b2628cfcb5350b86a172692393e3 (patch)
tree7253a657213abf2916985dcdc3fc714ea83f5f6d /pki/base/tps
parenta8eaa96b2e0c1b029bc6d642b6fe79f71147ed76 (diff)
downloadpki-34811f61a8a8b2628cfcb5350b86a172692393e3.tar.gz
pki-34811f61a8a8b2628cfcb5350b86a172692393e3.tar.xz
pki-34811f61a8a8b2628cfcb5350b86a172692393e3.zip
Bug 642084 - CC feature: Key Management -provide signature verification functions (TPS subsystem)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1446 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/tps')
-rw-r--r--pki/base/tps/doc/CS.cfg14
-rw-r--r--pki/base/tps/src/engine/RA.cpp148
-rw-r--r--pki/base/tps/src/include/engine/RA.h4
-rw-r--r--pki/base/tps/src/include/engine/audit.h1
4 files changed, 165 insertions, 2 deletions
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 52e319261..c952a40c4 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -112,8 +112,8 @@ logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
logging.audit.level=10
logging.audit.logSigning=false
logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
+logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
logging.audit.buffer.size=512
logging.audit.flush.interval=5
@@ -1549,3 +1549,13 @@ target.Authentication_Sources.pattern=auth\.instance\.$name\..*
target.Generals.pattern=^applet\..*\|^general\..*\|^failover.pod.enable\|^channel\..*
config.Generals.General.state=Enabled
config.Generals.General.timestamp=1280283607424406
+tps._000=########################################
+tps._001=# For verifying system certificates
+tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
+tps._003=# tps.cert.sslserver.nickname=xxx
+tps._004=# tps.cert.sslserver.certusage=SSLServer
+tps._005=# tps.cert.subsystem.nickname=xxx
+tps._006=# tps.cert.subsystem.certusage=SSLClient
+tps._007=# tps.cert.audit_signing.nickname=xxx
+tps._008=# tps.cert.audit_signing.certusage=EmailSigner
+tps._009=########################################
diff --git a/pki/base/tps/src/engine/RA.cpp b/pki/base/tps/src/engine/RA.cpp
index 7f13710a2..ba898d787 100644
--- a/pki/base/tps/src/engine/RA.cpp
+++ b/pki/base/tps/src/engine/RA.cpp
@@ -38,6 +38,8 @@ extern "C"
#include "plhash.h"
#include "pk11func.h"
#include "cert.h"
+#include "certt.h"
+#include "secerr.h"
#include "tus/tus_db.h"
#include "secder.h"
#include "nss.h"
@@ -3157,3 +3159,149 @@ int RA::Failover(HttpConnection *&conn, int len) {
}
return rc;
}
+
+TPS_PUBLIC SECCertificateUsage RA::getCertificateUsage(const char *certusage) {
+ SECCertificateUsage cu = 0;
+ if (strcmp(certusage, "SSLServer") == 0)
+ cu = certificateUsageSSLServer;
+ else if (strcmp(certusage, "SSLClient") == 0)
+ cu = certificateUsageSSLClient;
+ else if (strcmp(certusage, "AnyCA") == 0)
+ cu = certificateUsageAnyCA;
+ else if (strcmp(certusage, "EmailSigner") == 0)
+ cu = certificateUsageEmailSigner;
+
+ return cu;
+}
+
+TPS_PUBLIC bool RA::verifySystemCertByNickname(const char *nickname, const char *certusage) {
+ SECStatus rv = SECFailure;
+ CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
+ if (certdb == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "fatal error:%s", "cert db not found");
+ return false;
+ }
+ CERTCertificate *cert = NULL;
+ PR_ASSERT(certdb != NULL);
+ SECCertificateUsage cu = getCertificateUsage(certusage);
+ if (cu == 0) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "error: invalid certificate usage %s for cert %s", certusage, nickname);
+ return false;
+ }
+ SECCertificateUsage usage;
+
+ cert = CERT_FindCertByNickname(certdb, nickname);
+ if (cert == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "nickname not found:%s",
+ nickname);
+ } else {
+ rv = CERT_VerifyCertificateNow(certdb, cert, true, cu /*NULL*/, NULL, &usage);
+ /*
+ * to find actual certificate usage, pass NULL as cu in above call
+ if (usage & certificateUsageSSLServer)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLServer");
+ if (usage & certificateUsageSSLClient)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is SSLClient");
+ if (usage & certificateUsageAnyCA)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is AnyCA");
+ if (usage & certificateUsageEmailSigner)
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCertByNickname", "cert is EmailSigner");
+ */
+ }
+
+ if (cert != NULL) {
+ CERT_DestroyCertificate(cert);
+ }
+ if (rv == SECSuccess)
+ return true;
+ else
+ return false;
+}
+
+/*
+ * tps.cert.list=sslserver,subsystem,audit_signing
+ * tps.cert.sslserver.nickname=xxx
+ * tps.cert.sslserver.certusage=SSLServer
+ * tps.cert.subsystem.nickname=xxx
+ * tps.cert.subsystem.certusage=SSLClient
+ * tps.cert.audit_signing.nickname=xxx
+ * tps.cert.audit_signing.certusage=EmailSigner
+ */
+TPS_PUBLIC bool RA::verifySystemCerts() {
+ bool rv = false;
+ char configname[256];
+ char configname_nn[256];
+ char configname_cu[256];
+ char audit_msg[512]="";
+ const char *certList = NULL;
+ ConfigStore *store = RA::GetConfigStore();
+
+ PR_snprintf((char *)configname, 256, "tps.cert.list");
+ certList = store->GetConfigAsString(configname);
+ if (certList == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "config not found:%s", configname);
+ PR_snprintf(audit_msg, 512, "%s undefined in CS.cfg", configname);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Failure", audit_msg);
+ return false;
+ } else {
+ char *certList_x = PL_strdup(certList);
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "found cert list:%s", certList_x);
+ char *sresult = NULL;
+ char *lasts = NULL;
+ const char *nn = NULL;
+ const char *cu = NULL;
+
+ sresult = PL_strtok_r(certList_x, ",", &lasts);
+ while (sresult != NULL) {
+ PR_snprintf((char *)configname_nn, 256, "tps.cert.%s.nickname",
+ sresult);
+ nn = store->GetConfigAsString(configname_nn);
+ if (nn == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "cert nickname not found for cert tag:%s", sresult);
+ PR_snprintf(audit_msg, 512, "%s undefined in CS.cfg", configname_nn);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Failure", audit_msg);
+ rv = false;
+ continue;
+ }
+ PR_snprintf((char *)configname_cu, 256, "tps.cert.%s.certusage",
+ sresult);
+ cu = store->GetConfigAsString(configname_cu);
+ if (cu == NULL) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "certificate usage not found for cert tag:%s", sresult);
+ PR_snprintf(audit_msg, 512, "%s undefined in CS.cfg", configname_cu);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Failure", audit_msg);
+ rv = false;
+ continue;
+ }
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "Verifying cert tag: %s, nickname:%s, certificate usage:%s"
+ , sresult, nn, cu);
+
+ rv = verifySystemCertByNickname(nn, cu);
+ if (rv == true) {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "cert verification passed on cert nickname:%s", nn);
+ PR_snprintf(audit_msg, 512, "Certificate verification succeeded:%s",
+ nn);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Success", audit_msg);
+ } else {
+ RA::Debug(LL_PER_SERVER, "RA::verifySystemCerts",
+ "cert verification failed on cert nickname:%s", nn);
+ PR_snprintf(audit_msg, 512, "Certificate verification failed:%s",
+ nn);
+ RA::Audit(EV_CIMC_CERT_VERIFICATION, AUDIT_MSG_FORMAT, "System", "Failure", audit_msg);
+ }
+ sresult = PL_strtok_r(NULL, ",", &lasts);
+ }
+
+ if (certList_x != NULL) {
+ PL_strfree(certList_x);
+ }
+ }
+
+ return rv;
+}
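Review bot: The two `continue` statements in the missing-config branches of RA::verifySystemCerts (after the `nn == NULL` and `cu == NULL` checks) never advance `sresult`, so a tag listed in `tps.cert.list` without a `.nickname` or `.certusage` key makes the `while` loop re-process the same token forever and flood the audit log with the same Failure event. Separately, `rv` is overwritten on every iteration by the result of `verifySystemCertByNickname`, so the function returns true whenever the last listed cert verifies even if an earlier one failed or was misconfigured; for a startup self-check that is the wrong direction to fail in. Move the token advance into a `for` header and accumulate an all-passed flag instead, as sketched below. Minor: in verifySystemCertByNickname the `usage` out-parameter is never read and `PR_ASSERT(certdb != NULL)` is redundant after the explicit NULL check above it. The hunk opens with the tail of RA::Failover, whose body starts outside it.
```cpp
        bool all_ok = true;
        for (sresult = PL_strtok_r(certList_x, ",", &lasts);
             sresult != NULL;
             sresult = PL_strtok_r(NULL, ",", &lasts)) {
            // … unchanged: build configname_nn and look up nickname …
            if (nn == NULL) {
                // … unchanged: debug + Failure audit …
                all_ok = false;
                continue;   // for-header advances to the next tag
            }
            // … unchanged: build configname_cu and look up certusage …
            if (cu == NULL) {
                // … unchanged: debug + Failure audit …
                all_ok = false;
                continue;
            }
            if (verifySystemCertByNickname(nn, cu)) {
                // … unchanged: success debug + Success audit …
            } else {
                all_ok = false;
                // … unchanged: failure debug + Failure audit …
            }
        }
        rv = all_ok;
```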
diff --git a/pki/base/tps/src/include/engine/RA.h b/pki/base/tps/src/include/engine/RA.h
index 34f62ad50..c5012441a 100644
--- a/pki/base/tps/src/include/engine/RA.h
+++ b/pki/base/tps/src/include/engine/RA.h
@@ -355,6 +355,10 @@ class RA
static int InitializeHttpConnections(const char *id, int *len, HttpConnection **conn, RA_Context *ctx);
static void CleanupPublishers();
static int Failover(HttpConnection *&conn, int len);
+
+ TPS_PUBLIC static SECCertificateUsage getCertificateUsage(const char *certusage);
+ TPS_PUBLIC static bool verifySystemCertByNickname(const char *nickname, const char *certUsage);
+ TPS_PUBLIC static bool verifySystemCerts();
};
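Review bot: The three new declarations carry no comment saying which config keys they read or what they report, so a caller has to open RA.cpp to learn the contract; a header such as `// Verify every cert tagged in tps.cert.list against tps.cert.<tag>.nickname / .certusage; emits CIMC_CERT_VERIFICATION audit events and returns false on any failure` on `verifySystemCerts()` and `// Map "SSLServer"/"SSLClient"/"AnyCA"/"EmailSigner" to an NSS usage; 0 if unrecognised` on `getCertificateUsage()` would do. The parameter is spelled `certUsage` here and `certusage` in the RA.cpp definition; harmless, but worth aligning. The enclosing `class RA` begins outside the hunk.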
diff --git a/pki/base/tps/src/include/engine/audit.h b/pki/base/tps/src/include/engine/audit.h
index 647c14e85..f8b50de37 100644
--- a/pki/base/tps/src/include/engine/audit.h
+++ b/pki/base/tps/src/include/engine/audit.h
@@ -63,6 +63,7 @@
*/
#define EV_AUDIT_LOG_STARTUP "AUDIT_LOG_STARTUP"
#define EV_AUDIT_LOG_SHUTDOWN "AUDIT_LOG_SHUTDOWN"
+#define EV_CIMC_CERT_VERIFICATION "CIMC_CERT_VERIFICATION"
#define EV_ROLE_ASSUME "ROLE_ASSUME"
#define EV_ENROLLMENT "ENROLLMENT"
#define EV_PIN_RESET "PIN_RESET"