summaryrefslogtreecommitdiffstats
path: root/base/ra
diff options
context:
space:
mode:
Diffstat (limited to 'base/ra')
-rw-r--r--base/ra/CMakeLists.txt76
-rw-r--r--base/ra/LICENSE291
-rw-r--r--base/ra/apache/conf/httpd.conf1074
-rw-r--r--base/ra/apache/conf/magic382
-rw-r--r--base/ra/apache/conf/mime.types592
-rw-r--r--base/ra/apache/conf/nss.conf267
-rw-r--r--base/ra/apache/conf/perl.conf102
-rw-r--r--base/ra/doc/CMakeLists.txt10
-rw-r--r--base/ra/doc/CS.cfg.in242
-rw-r--r--base/ra/emails/mail_approve_request.vm11
-rw-r--r--base/ra/emails/mail_create_request.vm8
-rwxr-xr-xbase/ra/etc/init.d/pki-rad87
-rwxr-xr-xbase/ra/forms/admin/group/add.cgi86
-rwxr-xr-xbase/ra/forms/admin/group/add_member.cgi80
-rwxr-xr-xbase/ra/forms/admin/group/add_new.cgi86
-rwxr-xr-xbase/ra/forms/admin/group/delete.cgi79
-rwxr-xr-xbase/ra/forms/admin/group/delete_member.cgi79
-rwxr-xr-xbase/ra/forms/admin/group/index.cgi115
-rwxr-xr-xbase/ra/forms/admin/group/read.cgi125
-rwxr-xr-xbase/ra/forms/admin/index.cgi80
-rwxr-xr-xbase/ra/forms/admin/user/add.cgi99
-rwxr-xr-xbase/ra/forms/admin/user/add_new.cgi87
-rwxr-xr-xbase/ra/forms/admin/user/delete.cgi79
-rwxr-xr-xbase/ra/forms/admin/user/index.cgi118
-rwxr-xr-xbase/ra/forms/admin/user/read.cgi97
-rwxr-xr-xbase/ra/forms/agent/cert/index.cgi119
-rwxr-xr-xbase/ra/forms/agent/cert/read.cgi104
-rwxr-xr-xbase/ra/forms/agent/cert/revoke.cgi89
-rwxr-xr-xbase/ra/forms/agent/cert/submit.cgi104
-rwxr-xr-xbase/ra/forms/agent/error.cgi81
-rwxr-xr-xbase/ra/forms/agent/index.cgi83
-rwxr-xr-xbase/ra/forms/agent/request/add_note.cgi93
-rwxr-xr-xbase/ra/forms/agent/request/index.cgi146
-rwxr-xr-xbase/ra/forms/agent/request/op.cgi153
-rwxr-xr-xbase/ra/forms/agent/request/read.cgi119
-rwxr-xr-xbase/ra/forms/ee/agent/enroll.cgi127
-rwxr-xr-xbase/ra/forms/ee/agent/index.cgi68
-rwxr-xr-xbase/ra/forms/ee/agent/new.cgi68
-rwxr-xr-xbase/ra/forms/ee/agent/start.cgi69
-rwxr-xr-xbase/ra/forms/ee/agent/submit.cgi88
-rwxr-xr-xbase/ra/forms/ee/error.cgi81
-rwxr-xr-xbase/ra/forms/ee/index.cgi68
-rwxr-xr-xbase/ra/forms/ee/request/getcert.cgi93
-rwxr-xr-xbase/ra/forms/ee/request/importcert.cgi82
-rwxr-xr-xbase/ra/forms/ee/request/index.cgi68
-rwxr-xr-xbase/ra/forms/ee/request/status.cgi94
-rwxr-xr-xbase/ra/forms/ee/scep/enroll.cgi112
-rwxr-xr-xbase/ra/forms/ee/scep/index.cgi68
-rwxr-xr-xbase/ra/forms/ee/scep/installer.cgi74
-rwxr-xr-xbase/ra/forms/ee/scep/manager.cgi68
-rwxr-xr-xbase/ra/forms/ee/scep/pkiclient.cgi113
-rwxr-xr-xbase/ra/forms/ee/scep/submit.cgi91
-rwxr-xr-xbase/ra/forms/ee/server/admin.cgi68
-rwxr-xr-xbase/ra/forms/ee/server/index.cgi68
-rwxr-xr-xbase/ra/forms/ee/server/submit.cgi93
-rwxr-xr-xbase/ra/forms/ee/user/index.cgi68
-rwxr-xr-xbase/ra/forms/ee/user/renew.cgi165
-rwxr-xr-xbase/ra/forms/ee/user/renewal.cgi74
-rwxr-xr-xbase/ra/forms/ee/user/submit.cgi112
-rwxr-xr-xbase/ra/forms/ee/user/user.cgi68
-rwxr-xr-xbase/ra/forms/index.cgi76
-rw-r--r--base/ra/lib/perl/PKI/Base/CertStore.pm151
-rwxr-xr-xbase/ra/lib/perl/PKI/Base/Conf.pm130
-rw-r--r--base/ra/lib/perl/PKI/Base/PinStore.pm180
-rw-r--r--base/ra/lib/perl/PKI/Base/Registry.pm55
-rwxr-xr-xbase/ra/lib/perl/PKI/Base/TimeTool.pm54
-rw-r--r--base/ra/lib/perl/PKI/Base/UserStore.pm343
-rwxr-xr-xbase/ra/lib/perl/PKI/Base/Util.pm155
-rw-r--r--base/ra/lib/perl/PKI/Conn/CA.pm390
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/AdminAuthPanel.pm86
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/AdminPanel.pm227
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/AgentAuthPanel.pm86
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/BasePanel.pm40
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/CAInfoPanel.pm289
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/CertInfo.pm133
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/CertPrettyPrintPanel.pm85
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/CertRequestPanel.pm301
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/Common.pm50
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/Config.pm170
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/ConfigHSMLoginPanel.pm104
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/ConfigHSMPanel.pm72
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/DRMInfoPanel.pm140
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/DatabasePanel.pm109
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/DisplayCertChain2Panel.pm179
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm348
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/DonePanel.pm399
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/GlobalVar.pm42
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm142
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/Login.pm466
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/LoginPanel.pm91
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/ModulePanel.pm273
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/Modutil.pm262
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/NamePanel.pm570
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/ReqCertInfo.pm235
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm199
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/SizePanel.pm245
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm142
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/TKSInfoPanel.pm134
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/WelcomePanel.pm90
-rwxr-xr-xbase/ra/lib/perl/PKI/RA/wizard.pm502
-rw-r--r--base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm52
-rw-r--r--base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm75
-rw-r--r--base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm100
-rw-r--r--base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm89
-rw-r--r--base/ra/lib/perl/PKI/Request/Queue.pm387
-rw-r--r--base/ra/lib/perl/PKI/Service/Op.pm290
-rwxr-xr-xbase/ra/lib/perl/Template/Velocity.pm1099
-rwxr-xr-xbase/ra/scripts/nss_pcache66
-rw-r--r--base/ra/scripts/schema.sql33
-rw-r--r--base/ra/setup/CMakeLists.txt8
-rw-r--r--base/ra/setup/registry_instance116
111 files changed, 17651 insertions, 0 deletions
diff --git a/base/ra/CMakeLists.txt b/base/ra/CMakeLists.txt
new file mode 100644
index 000000000..59910fe95
--- /dev/null
+++ b/base/ra/CMakeLists.txt
@@ -0,0 +1,76 @@
+project(ra)
+
+add_subdirectory(doc)
+add_subdirectory(setup)
+
+# install init script
+install(
+ FILES
+ etc/init.d/pki-rad
+ DESTINATION
+ ${SYSCONF_INSTALL_DIR}/rc.d/init.d
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ DIRECTORY
+ apache/conf/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
+
+install(
+ DIRECTORY
+ emails/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
+
+install(
+ DIRECTORY
+ forms/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/docroot
+)
+
+install(
+ DIRECTORY
+ lib/
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/lib
+)
+
+install(
+ FILES
+ scripts/nss_pcache
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+ PERMISSIONS
+ OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ
+ WORLD_EXECUTE WORLD_READ
+)
+
+install(
+ FILES
+ scripts/schema.sql
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/scripts
+)
+
+# install empty directories
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/lock/pki/ra
+)
+
+install(
+ DIRECTORY
+ DESTINATION
+ ${VAR_INSTALL_DIR}/run/pki/ra
+)
+
diff --git a/base/ra/LICENSE b/base/ra/LICENSE
new file mode 100644
index 000000000..e281f4362
--- /dev/null
+++ b/base/ra/LICENSE
@@ -0,0 +1,291 @@
+This Program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published
+by the Free Software Foundation; version 2 of the License.
+
+This Program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+for more details.
+
+You should have received a copy of the GNU General Public License
+along with this Program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
diff --git a/base/ra/apache/conf/httpd.conf b/base/ra/apache/conf/httpd.conf
new file mode 100644
index 000000000..9f81b646d
--- /dev/null
+++ b/base/ra/apache/conf/httpd.conf
@@ -0,0 +1,1074 @@
+#
+# Based upon the NCSA server configuration files originally by Rob McCool.
+#
+# This is the main Apache server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs-2.0/> for detailed information about
+# the directives.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# The configuration directives are grouped into three basic sections:
+# 1. Directives that control the operation of the Apache server process as a
+# whole (the 'global environment').
+# 2. Directives that define the parameters of the 'main' or 'default' server,
+# which responds to requests that aren't handled by a virtual host.
+# These directives also provide default values for the settings
+# of all virtual hosts.
+# 3. Settings for virtual hosts, which allow Web requests to be sent to
+# different IP addresses or hostnames and have them handled by the
+# same Apache server process.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
+# with ServerRoot set to "/export/apache" will be interpreted by the
+# server as "/export/apache/logs/foo.log".
+#
+
+### Section 1: Global Environment
+#
+# The directives in this section affect the overall operation of Apache,
+# such as the number of concurrent requests it can handle or where it
+# can find its configuration files.
+#
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE! If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the LockFile documentation (available
+# at <URL:http://httpd.apache.org/docs-2.0/mod/mpm_common.html#lockfile>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+ServerRoot "[SERVER_ROOT]"
+
+#
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#
+<IfModule !mpm_winnt.c>
+<IfModule !mpm_netware.c>
+#LockFile logs/accept.lock
+</IfModule>
+</IfModule>
+
+#
+# ScoreBoardFile: File used to store internal server process information.
+# If unspecified (the default), the scoreboard will be stored in an
+# anonymous shared memory segment, and will be unavailable to third-party
+# applications.
+# If specified, ensure that no two invocations of Apache share the same
+# scoreboard file. The scoreboard file MUST BE STORED ON A LOCAL DISK.
+#
+<IfModule !mpm_netware.c>
+<IfModule !perchild.c>
+#ScoreBoardFile logs/apache_runtime_status
+</IfModule>
+</IfModule>
+
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+#
+<IfModule !mpm_netware.c>
+PidFile run/[PKI_INSTANCE_ID].pid
+</IfModule>
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 300
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 15
+
+##
+## Server-Pool Size Regulation (MPM specific)
+##
+
+# prefork MPM
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# MaxClients: maximum number of server processes allowed to start
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule prefork.c>
+StartServers 5
+MinSpareServers 5
+MaxSpareServers 10
+MaxClients 150
+MaxRequestsPerChild 0
+</IfModule>
+
+# worker MPM
+# StartServers: initial number of server processes to start
+# MaxClients: maximum number of simultaneous client connections
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule worker.c>
+ServerLimit 1
+StartServers 1
+MaxClients 64
+MinSpareThreads 1
+MaxSpareThreads 75
+ThreadsPerChild 64
+MaxRequestsPerChild 0
+</IfModule>
+
+# perchild MPM
+# NumServers: constant number of server processes
+# StartThreads: initial number of worker threads in each server process
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# MaxThreadsPerChild: maximum number of worker threads in each server process
+# MaxRequestsPerChild: maximum number of connections per server process
+<IfModule perchild.c>
+NumServers 5
+StartThreads 5
+MinSpareThreads 5
+MaxSpareThreads 10
+MaxThreadsPerChild 20
+MaxRequestsPerChild 0
+</IfModule>
+
+# WinNT MPM
+# ThreadsPerChild: constant number of worker threads in the server process
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule mpm_winnt.c>
+ThreadsPerChild 250
+MaxRequestsPerChild 0
+</IfModule>
+
+# BeOS MPM
+# StartThreads: how many threads do we initially spawn?
+# MaxClients: max number of threads we can have (1 thread == 1 client)
+# MaxRequestsPerThread: maximum number of requests each thread will process
+<IfModule beos.c>
+StartThreads 10
+MaxClients 50
+MaxRequestsPerThread 10000
+</IfModule>
+
+# NetWare MPM
+# ThreadStackSize: Stack size allocated for each worker thread
+# StartThreads: Number of worker threads launched at server startup
+# MinSpareThreads: Minimum number of idle threads, to handle request spikes
+# MaxSpareThreads: Maximum number of idle threads
+# MaxThreads: Maximum number of worker threads alive at the same time
+# MaxRequestsPerChild: Maximum number of requests a thread serves. It is
+# recommended that the default value of 0 be set for this
+# directive on NetWare. This will allow the thread to
+# continue to service requests indefinitely.
+<IfModule mpm_netware.c>
+ThreadStackSize 65536
+StartThreads 250
+MinSpareThreads 25
+MaxSpareThreads 250
+MaxThreads 1000
+MaxRequestsPerChild 0
+MaxMemFree 100
+</IfModule>
+
+# OS/2 MPM
+# StartServers: Number of server processes to maintain
+# MinSpareThreads: Minimum number of idle threads per process,
+# to handle request spikes
+# MaxSpareThreads: Maximum number of idle threads per process
+# MaxRequestsPerChild: Maximum number of connections per server process
+<IfModule mpmt_os2.c>
+StartServers 2
+MinSpareThreads 5
+MaxSpareThreads 10
+MaxRequestsPerChild 0
+</IfModule>
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
+#
+#Listen 12.34.56.78:80
+
+Listen [PORT]
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+
+# Required modules for command 'Order':
+[FORTITUDE_AUTH_MODULES]
+# Required module for command 'UserDir':
+LoadModule userdir_module [FORTITUDE_LIB_DIR]/modules/mod_userdir.so
+# Required module for command 'DirectoryIndex':
+LoadModule dir_module [FORTITUDE_LIB_DIR]/modules/mod_dir.so
+# Required module for command 'TypesConfig':
+LoadModule mime_module [FORTITUDE_LIB_DIR]/modules/mod_mime.so
+# Required module for command 'LogFormat':
+LoadModule log_config_module [FORTITUDE_LIB_DIR]/modules/mod_log_config.so
+# Required module for command 'Alias':
+LoadModule alias_module [FORTITUDE_LIB_DIR]/modules/mod_alias.so
+# Required module for command 'SetEnvIf':
+LoadModule setenvif_module [FORTITUDE_LIB_DIR]/modules/mod_setenvif.so
+# Required module for command 'IndexOptions':
+LoadModule autoindex_module [FORTITUDE_LIB_DIR]/modules/mod_autoindex.so
+# Required module for command 'LanguagePriority':
+LoadModule negotiation_module [FORTITUDE_LIB_DIR]/modules/mod_negotiation.so
+# Required module for command 'CGI Scripts':
+LoadModule cgi_module [FORTITUDE_LIB_DIR]/modules/mod_cgi.so
+# Required module for commands in nss.conf:
+[FORTITUDE_NSS_MODULES]
+
+<Location /nk_service>
+ SetHandler nk_service
+</Location>
+
+<Location /tus>
+ SetHandler tus
+</Location>
+
+#
+# Load config files from the config directory "/etc/[PKI_INSTANCE_ID]/conf.d".
+#
+#Include conf.d/*.conf
+Include [SERVER_ROOT]/conf/perl.conf
+
+#
+# ExtendedStatus controls whether Apache will generate "full" status
+# information (ExtendedStatus On) or just basic information (ExtendedStatus
+# Off) when the "server-status" handler is called. The default is Off.
+#
+#ExtendedStatus On
+
+### Section 2: 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition. These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+<IfModule !mpm_winnt.c>
+<IfModule !mpm_netware.c>
+#
+# If you wish [PKI_INSTANCE_ID] to run as a different user or group, you must run
+# [PKI_INSTANCE_ID] as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run [PKI_INSTANCE_ID] as.
+# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
+# . On HPUX you may not be able to use shared memory as nobody, and the
+# suggested workaround is to create a user www and use that user.
+# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
+# when the value of (unsigned)Group is above 60000;
+# don't use Group #-1 on these systems!
+#
+User [PKI_USER]
+Group [PKI_GROUP]
+#Group #-1
+</IfModule>
+</IfModule>
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+#
+ServerAdmin you@example.com
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If this is not set to valid DNS name for your host, server-generated
+# redirections will not work. See also the UseCanonicalName directive.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address anyway, and this will make
+# redirections work in a sensible way.
+#
+#ServerName www.example.com:80
+
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "[SERVER_ROOT]/docroot"
+
+#
+# Each directory to which Apache has access can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories).
+#
+# First, we configure the "default" to be a very restrictive set of
+# features.
+#
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# This should be changed to whatever you set DocumentRoot to.
+#
+<Directory "[SERVER_ROOT]/docroot">
+
+#
+# Possible values for the Options directive are "None", "All",
+# or any combination of:
+# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+#
+# Note that "MultiViews" must be named *explicitly* --- "Options All"
+# doesn't give it to you.
+#
+# The Options directive is both complicated and important. Please see
+# http://httpd.apache.org/docs-2.0/mod/core.html#options
+# for more information.
+#
+ Options Indexes ExecCGI FollowSymLinks
+
+#
+# AllowOverride controls what directives may be placed in .htaccess files.
+# It can be "All", "None", or any combination of the keywords:
+# Options FileInfo AuthConfig Limit
+#
+ AllowOverride None
+
+#
+# Controls who can get stuff from this server.
+#
+ Order allow,deny
+ Allow from all
+
+</Directory>
+
+#
+# UserDir: The name of the directory that is appended onto a user's home
+# directory if a ~user request is received.
+#
+UserDir public_html
+
+#
+# Control access to UserDir directories. The following is an example
+# for a site where these directories are restricted to read-only.
+#
+#<Directory /home/*/public_html>
+# AllowOverride FileInfo AuthConfig Limit Indexes
+# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+# <Limit GET POST OPTIONS PROPFIND>
+# Order allow,deny
+# Allow from all
+# </Limit>
+# <LimitExcept GET POST OPTIONS PROPFIND>
+# Order deny,allow
+# Deny from all
+# </LimitExcept>
+#</Directory>
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Option can be used for the
+# same purpose, but it is much slower.
+#
+DirectoryIndex index.html index.html.var index.cgi
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<Files ~ "^\.ht">
+ Order allow,deny
+ Deny from all
+</Files>
+
+#
+# TypesConfig describes where the mime.types file (or equivalent) is
+# to be found.
+#
+TypesConfig conf/mime.types
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+DefaultType text/plain
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+#
+<IfModule mod_mime_magic.c>
+ MIMEMagicFile conf/magic
+</IfModule>
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+#
+# EnableMMAP: Control whether memory-mapping is used to deliver
+# files (assuming that the underlying OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. On some systems, turning it off (regardless of
+# filesystem) can improve performance; for details, please see
+# http://httpd.apache.org/docs-2.0/mod/core.html#enablemmap
+#
+#EnableMMAP off
+
+#
+# EnableSendfile: Control whether the sendfile kernel support is
+# used to deliver files (assuming that the OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. Please see
+# http://httpd.apache.org/docs-2.0/mod/core.html#enablesendfile
+#
+#EnableSendfile off
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog logs/error_log
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+#LogLevel warn
+LogLevel debug
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+#
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+# You need to enable mod_logio.c to use %I and %O
+#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+#
+# The location and format of the access logfile (Common Logfile Format).
+# If you do not define any access logfiles within a <VirtualHost>
+# container, they will be logged here. Contrariwise, if you *do*
+# define per-<VirtualHost> access logfiles, transactions will be
+# logged therein and *not* in this file.
+#
+CustomLog logs/access_log common
+
+#
+# If you would like to have agent and referer logfiles, uncomment the
+# following directives.
+#
+#CustomLog logs/referer_log referer
+#CustomLog logs/agent_log agent
+
+#
+# If you prefer a single logfile with access, agent, and referer information
+# (Combined Logfile Format) you can use the following directive.
+#
+#CustomLog logs/access_log combined
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+ServerTokens Prod
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+ServerSignature Off
+
+#
+# Aliases: Add here as many aliases as you need (with no limit). The format is
+# Alias fakename realname
+#
+# Note that if you include a trailing / on fakename then the server will
+# require it to be present in the URL. So "/icons" isn't aliased in this
+# example, only "/icons/". If the fakename is slash-terminated, then the
+# realname must also be slash terminated, and if the fakename omits the
+# trailing slash, the realname must also omit it.
+#
+# We include the /icons/ alias for FancyIndexed directory listings. If you
+# do not use FancyIndexing, you may comment this out.
+#
+Alias /icons/ "[SERVER_ROOT]/icons/"
+
+<Directory "[SERVER_ROOT]/icons">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# This should be changed to the ServerRoot/manual/. The alias provides
+# the manual, even if you choose to move your DocumentRoot. You may comment
+# this out if you do not care for the documentation.
+#
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|ru))?(/.*)?$ "[SERVER_ROOT]/manual$1"
+
+<Directory "[SERVER_ROOT]/manual">
+ Options Indexes
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+
+ <Files *.html>
+ SetHandler type-map
+ </Files>
+
+ SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|ru)/ prefer-language=$1
+ RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|ru)){2,}(/.*)?$ /manual/$1$2
+</Directory>
+
+#
+# ScriptAlias: This controls which directories contain server scripts.
+# ScriptAliases are essentially the same as Aliases, except that
+# documents in the realname directory are treated as applications and
+# run by the server when requested rather than as documents sent to the client.
+# The same rules about trailing "/" apply to ScriptAlias directives as to
+# Alias.
+#
+ScriptAlias /cgi-bin/ "[SERVER_ROOT]/cgi-bin/"
+
+<IfModule mod_cgid.c>
+#
+# Additional to mod_cgid.c settings, mod_cgid has Scriptsock <path>
+# for setting UNIX socket for communicating with cgid.
+#
+#Scriptsock logs/cgisock
+</IfModule>
+
+#
+# "[SERVER_ROOT]/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "[SERVER_ROOT]/cgi-bin">
+ AllowOverride None
+ Options ExecCGI
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# Redirect allows you to tell clients about documents which used to exist in
+# your server's namespace, but do not anymore. This allows you to tell the
+# clients where to look for the relocated document.
+# Example:
+# Redirect permanent /foo http://www.example.com/bar
+
+#
+# Directives controlling the display of server-generated directory listings.
+#
+
+#
+# IndexOptions: Controls the appearance of server-generated directory
+# listings.
+#
+IndexOptions FancyIndexing VersionSort
+
+#
+# AddIcon* directives tell the server which icon to show for different
+# files or filename extensions. These are only displayed for
+# FancyIndexed directories.
+#
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+AddIconByType (TXT,/icons/text.gif) text/*
+AddIconByType (IMG,/icons/image2.gif) image/*
+AddIconByType (SND,/icons/sound2.gif) audio/*
+AddIconByType (VID,/icons/movie.gif) video/*
+
+AddIcon /icons/binary.gif .bin .exe
+AddIcon /icons/binhex.gif .hqx
+AddIcon /icons/tar.gif .tar
+AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+AddIcon /icons/a.gif .ps .ai .eps
+AddIcon /icons/layout.gif .html .shtml .htm .pdf
+AddIcon /icons/text.gif .txt
+AddIcon /icons/c.gif .c
+AddIcon /icons/p.gif .pl .py
+AddIcon /icons/f.gif .for
+AddIcon /icons/dvi.gif .dvi
+AddIcon /icons/uuencoded.gif .uu
+AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+AddIcon /icons/tex.gif .tex
+AddIcon /icons/bomb.gif core
+
+AddIcon /icons/back.gif ..
+AddIcon /icons/hand.right.gif README
+AddIcon /icons/folder.gif ^^DIRECTORY^^
+AddIcon /icons/blank.gif ^^BLANKICON^^
+
+#
+# DefaultIcon is which icon to show for files which do not have an icon
+# explicitly set.
+#
+DefaultIcon /icons/unknown.gif
+
+#
+# AddDescription allows you to place a short description after a file in
+# server-generated indexes. These are only displayed for FancyIndexed
+# directories.
+# Format: AddDescription "description" filename
+#
+#AddDescription "GZIP compressed document" .gz
+#AddDescription "tar archive" .tar
+#AddDescription "GZIP compressed tar archive" .tgz
+
+#
+# ReadmeName is the name of the README file the server will look for by
+# default, and append to directory listings.
+#
+# HeaderName is the name of a file which should be prepended to
+# directory indexes.
+ReadmeName README.html
+HeaderName HEADER.html
+
+#
+# IndexIgnore is a set of filenames which directory indexing should ignore
+# and not include in the listing. Shell-style wildcarding is permitted.
+#
+IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
+
+#
+# DefaultLanguage and AddLanguage allows you to specify the language of
+# a document. You can then use content negotiation to give a browser a
+# file in a language the user can understand.
+#
+# Specify a default language. This means that all data
+# going out without a specific language tag (see below) will
+# be marked with this one. You probably do NOT want to set
+# this unless you are sure it is correct for all cases.
+#
+# * It is generally better to not mark a page as
+# * being a certain language than marking it with the wrong
+# * language!
+#
+# DefaultLanguage nl
+#
+# Note 1: The suffix does not have to be the same as the language
+# keyword --- those with documents in Polish (whose net-standard
+# language code is pl) may wish to use "AddLanguage pl .po" to
+# avoid the ambiguity with the common suffix for perl scripts.
+#
+# Note 2: The example entries below illustrate that in some cases
+# the two character 'Language' abbreviation is not identical to
+# the two character 'Country' code for its country,
+# E.g. 'Danmark/dk' versus 'Danish/da'.
+#
+# Note 3: In the case of 'ltz' we violate the RFC by using a three char
+# specifier. There is 'work in progress' to fix this and get
+# the reference data for rfc1766 cleaned up.
+#
+# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
+# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
+# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
+# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
+# Norwegian (no) - Polish (pl) - Portugese (pt)
+# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
+# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
+#
+AddLanguage ca .ca
+AddLanguage cs .cz .cs
+AddLanguage da .dk
+AddLanguage de .de
+AddLanguage el .el
+AddLanguage en .en
+AddLanguage eo .eo
+AddLanguage es .es
+AddLanguage et .et
+AddLanguage fr .fr
+AddLanguage he .he
+AddLanguage hr .hr
+AddLanguage it .it
+AddLanguage ja .ja
+AddLanguage ko .ko
+AddLanguage ltz .ltz
+AddLanguage nl .nl
+AddLanguage nn .nn
+AddLanguage no .no
+AddLanguage pl .po
+AddLanguage pt .pt
+AddLanguage pt-BR .pt-br
+AddLanguage ru .ru
+AddLanguage sv .sv
+AddLanguage zh-CN .zh-cn
+AddLanguage zh-TW .zh-tw
+
+#
+# LanguagePriority allows you to give precedence to some languages
+# in case of a tie during content negotiation.
+#
+# Just list the languages in decreasing order of preference. We have
+# more or less alphabetized them here. You probably want to change this.
+#
+LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
+
+#
+# ForceLanguagePriority allows you to serve a result page rather than
+# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
+# [in case no accepted languages matched the available variants]
+#
+ForceLanguagePriority Prefer Fallback
+
+#
+# Commonly used filename extensions to character sets. You probably
+# want to avoid clashes with the language extensions, unless you
+# are good at carefully testing your setup after each change.
+# See http://www.iana.org/assignments/character-sets for the
+# official list of charset names and their respective RFCs.
+#
+AddCharset ISO-8859-1 .iso8859-1 .latin1
+AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
+AddCharset ISO-8859-3 .iso8859-3 .latin3
+AddCharset ISO-8859-4 .iso8859-4 .latin4
+AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
+AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
+AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
+AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
+AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
+AddCharset ISO-2022-JP .iso2022-jp .jis
+AddCharset ISO-2022-KR .iso2022-kr .kis
+AddCharset ISO-2022-CN .iso2022-cn .cis
+AddCharset Big5 .Big5 .big5
+# For russian, more than one charset is used (depends on client, mostly):
+AddCharset WINDOWS-1251 .cp-1251 .win-1251
+AddCharset CP866 .cp866
+AddCharset KOI8-r .koi8-r .koi8-ru
+AddCharset KOI8-ru .koi8-uk .ua
+AddCharset ISO-10646-UCS-2 .ucs2
+AddCharset ISO-10646-UCS-4 .ucs4
+AddCharset UTF-8 .utf8
+
+# The set below does not map to a specific (iso) standard
+# but works on a fairly wide range of browsers. Note that
+# capitalization actually matters (it should not, but it
+# does for some browsers).
+#
+# See http://www.iana.org/assignments/character-sets
+# for a list of sorts. But browsers support few.
+#
+AddCharset GB2312 .gb2312 .gb
+AddCharset utf-7 .utf7
+AddCharset utf-8 .utf8
+AddCharset big5 .big5 .b5
+AddCharset EUC-TW .euc-tw
+AddCharset EUC-JP .euc-jp
+AddCharset EUC-KR .euc-kr
+AddCharset shift_jis .sjis
+
+#
+# AddType allows you to add to or override the MIME configuration
+# file mime.types for specific file types.
+#
+#AddType application/x-tar .tgz
+#
+# AddEncoding allows you to have certain browsers uncompress
+# information on the fly. Note: Not all browsers support this.
+# Despite the name similarity, the following Add* directives have nothing
+# to do with the FancyIndexing customization directives above.
+#
+#AddEncoding x-compress .Z
+#AddEncoding x-gzip .gz .tgz
+#
+# If the AddEncoding directives above are commented-out, then you
+# probably should define those extensions to indicate media types:
+#
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+#
+# AddHandler allows you to map certain file extensions to "handlers":
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action directive (see below)
+#
+# To use CGI scripts outside of ScriptAliased directories:
+# (You will also need to add "ExecCGI" to the "Options" directive.)
+#
+AddHandler cgi-script .cgi
+
+#
+# For files that include their own HTTP headers:
+#
+#AddHandler send-as-is asis
+
+#
+# For server-parsed imagemap files:
+#
+#AddHandler imap-file map
+
+#
+# For type maps (negotiated resources):
+# (This is enabled by default to allow the Apache "It Worked" page
+# to be distributed in multiple languages.)
+#
+AddHandler type-map var
+
+#
+# Filters allow you to process content before it is sent to the client.
+#
+# To parse .shtml files for server-side includes (SSI):
+# (You will also need to add "Includes" to the "Options" directive.)
+#
+#AddType text/html .shtml
+#AddOutputFilter INCLUDES .shtml
+
+#
+# Action lets you define media types that will execute a script whenever
+# a matching file is called. This eliminates the need for repeated URL
+# pathnames for oft-used CGI file processors.
+# Format: Action media/type /cgi-script/location
+# Format: Action handler-name /cgi-script/location
+#
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# Putting this all together, we can internationalize error responses.
+#
+# We use Alias to redirect any /error/HTTP_<error>.html.var response to
+# our collection of by-error message multi-language collections. We use
+# includes to substitute the appropriate text.
+#
+# You can modify the messages' appearance without changing any of the
+# default HTTP_<error>.html.var files by adding the line:
+#
+# Alias /error/include/ "/your/include/path/"
+#
+# which allows you to create your own set of files by starting with the
+# /export/apache/error/include/ files and copying them to /your/include/path/,
+# even on a per-VirtualHost basis. The default include files will display
+# your Apache version number and your ServerAdmin email address regardless
+# of the setting of ServerSignature.
+#
+# The internationalized error documents require mod_alias, mod_include
+# and mod_negotiation. To activate them, uncomment the following 30 lines.
+
+# Alias /error/ "/export/apache/error/"
+#
+# <Directory "/export/apache/error">
+# AllowOverride None
+# Options IncludesNoExec
+# AddOutputFilter Includes html
+# AddHandler type-map var
+# Order allow,deny
+# Allow from all
+# LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
+# ForceLanguagePriority Prefer Fallback
+# </Directory>
+#
+# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+# ErrorDocument 410 /error/HTTP_GONE.html.var
+# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+#[ErrorDocument_404]
+#[ErrorDocument_500]
+
+
+#
+# The following directives modify normal HTTP response behavior to
+# handle known problems with browser implementations.
+#
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0
+
+#
+# The following directive disables redirects on non-GET requests for
+# a directory that does not include the trailing slash. This fixes a
+# problem with Microsoft WebFolders which does not appropriately handle
+# redirects for folders with DAV methods.
+# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+#
+BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+BrowserMatch "^WebDrive" redirect-carefully
+BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+BrowserMatch "^gnome-vfs" redirect-carefully
+
+#
+# Allow server status reports generated by mod_status,
+# with the URL of http://servername/server-status
+# Change the ".example.com" to match your domain to enable.
+#
+#<Location /server-status>
+# SetHandler server-status
+# Order deny,allow
+# Deny from all
+# Allow from .example.com
+#</Location>
+
+#
+# Allow remote server configuration reports, with the URL of
+# http://servername/server-info (requires that mod_info.c be loaded).
+# Change the ".example.com" to match your domain to enable.
+#
+#<Location /server-info>
+# SetHandler server-info
+# Order deny,allow
+# Deny from all
+# Allow from .example.com
+#</Location>
+
+
+#
+# Bring in additional module-specific configurations
+#
+#<IfModule mod_ssl.c>
+# Include conf/ssl.conf
+#</IfModule>
+Include [SERVER_ROOT]/conf/nss.conf
+
+### Section 3: Virtual Hosts
+#
+# VirtualHost: If you want to maintain multiple domains/hostnames on your
+# machine you can setup VirtualHost containers for them. Most configurations
+# use only name-based virtual hosts so the server doesn't need to worry about
+# IP addresses. This is indicated by the asterisks in the directives below.
+#
+# Please see the documentation at
+# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
+# for further details before you try to setup virtual hosts.
+#
+# You may use the command line option '-S' to verify your virtual host
+# configuration.
+
+#
+# Use name-based virtual hosting.
+#
+#NameVirtualHost *:80
+
+#
+# VirtualHost example:
+# Almost any Apache directive may go into a VirtualHost container.
+# The first VirtualHost section is used for requests without a known
+# server name.
+#
+#<VirtualHost *:80>
+# ServerAdmin webmaster@dummy-host.example.com
+# DocumentRoot /www/docs/dummy-host.example.com
+# ServerName dummy-host.example.com
+# ErrorLog logs/dummy-host.example.com-error_log
+# CustomLog logs/dummy-host.example.com-access_log common
+#</VirtualHost>
diff --git a/base/ra/apache/conf/magic b/base/ra/apache/conf/magic
new file mode 100644
index 000000000..0de73361f
--- /dev/null
+++ b/base/ra/apache/conf/magic
@@ -0,0 +1,382 @@
+# Magic data for mod_mime_magic Apache module (originally for file(1) command)
+# The module is described in /manual/mod/mod_mime_magic.html
+#
+# The format is 4-5 columns:
+# Column #1: byte number to begin checking from, ">" indicates continuation
+# Column #2: type of data to match
+# Column #3: contents of data to match
+# Column #4: MIME type of result
+# Column #5: MIME encoding of result (optional)
+
+#------------------------------------------------------------------------------
+# Localstuff: file(1) magic for locally observed files
+# Add any locally observed files here.
+
+#------------------------------------------------------------------------------
+# end local stuff
+#------------------------------------------------------------------------------
+
+#------------------------------------------------------------------------------
+# Java
+
+0 short 0xcafe
+>2 short 0xbabe application/java
+
+#------------------------------------------------------------------------------
+# audio: file(1) magic for sound formats
+#
+# from Jan Nicolai Langfeldt <janl@ifi.uio.no>,
+#
+
+# Sun/NeXT audio data
+0 string .snd
+>12 belong 1 audio/basic
+>12 belong 2 audio/basic
+>12 belong 3 audio/basic
+>12 belong 4 audio/basic
+>12 belong 5 audio/basic
+>12 belong 6 audio/basic
+>12 belong 7 audio/basic
+
+>12 belong 23 audio/x-adpcm
+
+# DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format
+# that uses little-endian encoding and has a different magic number
+# (0x0064732E in little-endian encoding).
+0 lelong 0x0064732E
+>12 lelong 1 audio/x-dec-basic
+>12 lelong 2 audio/x-dec-basic
+>12 lelong 3 audio/x-dec-basic
+>12 lelong 4 audio/x-dec-basic
+>12 lelong 5 audio/x-dec-basic
+>12 lelong 6 audio/x-dec-basic
+>12 lelong 7 audio/x-dec-basic
+# compressed (G.721 ADPCM)
+>12 lelong 23 audio/x-dec-adpcm
+
+# Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM"
+# AIFF audio data
+8 string AIFF audio/x-aiff
+# AIFF-C audio data
+8 string AIFC audio/x-aiff
+# IFF/8SVX audio data
+8 string 8SVX audio/x-aiff
+
+# Creative Labs AUDIO stuff
+# Standard MIDI data
+0 string MThd audio/unknown
+#>9 byte >0 (format %d)
+#>11 byte >1 using %d channels
+# Creative Music (CMF) data
+0 string CTMF audio/unknown
+# SoundBlaster instrument data
+0 string SBI audio/unknown
+# Creative Labs voice data
+0 string Creative\ Voice\ File audio/unknown
+## is this next line right? it came this way...
+#>19 byte 0x1A
+#>23 byte >0 - version %d
+#>22 byte >0 \b.%d
+
+# [GRR 950115: is this also Creative Labs? Guessing that first line
+# should be string instead of unknown-endian long...]
+#0 long 0x4e54524b MultiTrack sound data
+#0 string NTRK MultiTrack sound data
+#>4 long x - version %ld
+
+# Microsoft WAVE format (*.wav)
+# [GRR 950115: probably all of the shorts and longs should be leshort/lelong]
+# Microsoft RIFF
+0 string RIFF audio/unknown
+# - WAVE format
+>8 string WAVE audio/x-wav
+# MPEG audio.
+0 beshort&0xfff0 0xfff0 audio/mpeg
+# C64 SID Music files, from Linus Walleij <triad@df.lth.se>
+0 string PSID audio/prs.sid
+
+#------------------------------------------------------------------------------
+# c-lang: file(1) magic for C programs or various scripts
+#
+
+# XPM icons (Greg Roelofs, newt@uchicago.edu)
+# ideally should go into "images", but entries below would tag XPM as C source
+0 string /*\ XPM image/x-xbm 7bit
+
+# this first will upset you if you're a PL/1 shop... (are there any left?)
+# in which case rm it; ascmagic will catch real C programs
+# C or REXX program text
+0 string /* text/plain
+# C++ program text
+0 string // text/plain
+
+#------------------------------------------------------------------------------
+# compress: file(1) magic for pure-compression formats (no archives)
+#
+# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc.
+#
+# Formats for various forms of compressed data
+# Formats for "compress" proper have been moved into "compress.c",
+# because it tries to uncompress it to figure out what's inside.
+
+# standard unix compress
+0 string \037\235 application/octet-stream x-compress
+
+# gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver)
+0 string \037\213 application/octet-stream x-gzip
+
+# According to gzip.h, this is the correct byte order for packed data.
+0 string \037\036 application/octet-stream
+#
+# This magic number is byte-order-independent.
+#
+0 short 017437 application/octet-stream
+
+# XXX - why *two* entries for "compacted data", one of which is
+# byte-order independent, and one of which is byte-order dependent?
+#
+# compacted data
+0 short 0x1fff application/octet-stream
+0 string \377\037 application/octet-stream
+# huf output
+0 short 0145405 application/octet-stream
+
+# Squeeze and Crunch...
+# These numbers were gleaned from the Unix versions of the programs to
+# handle these formats. Note that I can only uncrunch, not crunch, and
+# I didn't have a crunched file handy, so the crunch number is untested.
+# Keith Waclena <keith@cerberus.uchicago.edu>
+#0 leshort 0x76FF squeezed data (CP/M, DOS)
+#0 leshort 0x76FE crunched data (CP/M, DOS)
+
+# Freeze
+#0 string \037\237 Frozen file 2.1
+#0 string \037\236 Frozen file 1.0 (or gzip 0.5)
+
+# lzh?
+#0 string \037\240 LZH compressed data
+
+#------------------------------------------------------------------------------
+# frame: file(1) magic for FrameMaker files
+#
+# This stuff came on a FrameMaker demo tape, most of which is
+# copyright, but this file is "published" as witness the following:
+#
+0 string \<MakerFile application/x-frame
+0 string \<MIFFile application/x-frame
+0 string \<MakerDictionary application/x-frame
+0 string \<MakerScreenFon application/x-frame
+0 string \<MML application/x-frame
+0 string \<Book application/x-frame
+0 string \<Maker application/x-frame
+
+#------------------------------------------------------------------------------
+# html: file(1) magic for HTML (HyperText Markup Language) docs
+#
+# from Daniel Quinlan <quinlan@yggdrasil.com>
+# and Anna Shergold <anna@inext.co.uk>
+#
+0 string \<!DOCTYPE\ HTML text/html
+0 string \<!doctype\ html text/html
+0 string \<HEAD text/html
+0 string \<head text/html
+0 string \<TITLE text/html
+0 string \<title text/html
+0 string \<html text/html
+0 string \<HTML text/html
+0 string \<!-- text/html
+0 string \<h1 text/html
+0 string \<H1 text/html
+
+# XML eXtensible Markup Language, from Linus Walleij <triad@df.lth.se>
+0 string \<?xml text/xml
+
+#------------------------------------------------------------------------------
+# images: file(1) magic for image formats (see also "c-lang" for XPM bitmaps)
+#
+# originally from jef@helios.ee.lbl.gov (Jef Poskanzer),
+# additions by janl@ifi.uio.no as well as others. Jan also suggested
+# merging several one- and two-line files into here.
+#
+# XXX - byte order for GIF and TIFF fields?
+# [GRR: TIFF allows both byte orders; GIF is probably little-endian]
+#
+
+# [GRR: what the hell is this doing in here?]
+#0 string xbtoa btoa'd file
+
+# PBMPLUS
+# PBM file
+0 string P1 image/x-portable-bitmap 7bit
+# PGM file
+0 string P2 image/x-portable-greymap 7bit
+# PPM file
+0 string P3 image/x-portable-pixmap 7bit
+# PBM "rawbits" file
+0 string P4 image/x-portable-bitmap
+# PGM "rawbits" file
+0 string P5 image/x-portable-greymap
+# PPM "rawbits" file
+0 string P6 image/x-portable-pixmap
+
+# NIFF (Navy Interchange File Format, a modification of TIFF)
+# [GRR: this *must* go before TIFF]
+0 string IIN1 image/x-niff
+
+# TIFF and friends
+# TIFF file, big-endian
+0 string MM image/tiff
+# TIFF file, little-endian
+0 string II image/tiff
+
+# possible GIF replacements; none yet released!
+# (Greg Roelofs, newt@uchicago.edu)
+#
+# GRR 950115: this was mine ("Zip GIF"):
+# ZIF image (GIF+deflate alpha)
+0 string GIF94z image/unknown
+#
+# GRR 950115: this is Jeremy Wohl's Free Graphics Format (better):
+# FGF image (GIF+deflate beta)
+0 string FGF95a image/unknown
+#
+# GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal
+# (best; not yet implemented):
+# PBF image (deflate compression)
+0 string PBF image/unknown
+
+# GIF
+0 string GIF image/gif
+
+# JPEG images
+0 beshort 0xffd8 image/jpeg
+
+# PC bitmaps (OS/2, Windoze BMP files) (Greg Roelofs, newt@uchicago.edu)
+0 string BM image/bmp
+#>14 byte 12 (OS/2 1.x format)
+#>14 byte 64 (OS/2 2.x format)
+#>14 byte 40 (Windows 3.x format)
+#0 string IC icon
+#0 string PI pointer
+#0 string CI color icon
+#0 string CP color pointer
+#0 string BA bitmap array
+
+
+#------------------------------------------------------------------------------
+# lisp: file(1) magic for lisp programs
+#
+# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com)
+0 string ;; text/plain 8bit
+# Emacs 18 - this is always correct, but not very magical.
+0 string \012( application/x-elc
+# Emacs 19
+0 string ;ELC\023\000\000\000 application/x-elc
+
+#------------------------------------------------------------------------------
+# mail.news: file(1) magic for mail and news
+#
+# There are tests to ascmagic.c to cope with mail and news.
+0 string Relay-Version: message/rfc822 7bit
+0 string #!\ rnews message/rfc822 7bit
+0 string N#!\ rnews message/rfc822 7bit
+0 string Forward\ to message/rfc822 7bit
+0 string Pipe\ to message/rfc822 7bit
+0 string Return-Path: message/rfc822 7bit
+0 string Path: message/news 8bit
+0 string Xref: message/news 8bit
+0 string From: message/rfc822 7bit
+0 string Article message/news 8bit
+#------------------------------------------------------------------------------
+# msword: file(1) magic for MS Word files
+#
+# Contributor claims:
+# Reversed-engineered MS Word magic numbers
+#
+
+0 string \376\067\0\043 application/msword
+0 string \333\245-\0\0\0 application/msword
+
+# disable this one because it applies also to other
+# Office/OLE documents for which msword is not correct. See PR#2608.
+#0 string \320\317\021\340\241\261 application/msword
+
+
+
+#------------------------------------------------------------------------------
+# printer: file(1) magic for printer-formatted files
+#
+
+# PostScript
+0 string %! application/postscript
+0 string \004%! application/postscript
+
+# Acrobat
+# (due to clamen@cs.cmu.edu)
+0 string %PDF- application/pdf
+
+#------------------------------------------------------------------------------
+# sc: file(1) magic for "sc" spreadsheet
+#
+38 string Spreadsheet application/x-sc
+
+#------------------------------------------------------------------------------
+# tex: file(1) magic for TeX files
+#
+# XXX - needs byte-endian stuff (big-endian and little-endian DVI?)
+#
+# From <conklin@talisman.kaleida.com>
+
+# Although we may know the offset of certain text fields in TeX DVI
+# and font files, we can't use them reliably because they are not
+# zero terminated. [but we do anyway, christos]
+0 string \367\002 application/x-dvi
+#0 string \367\203 TeX generic font data
+#0 string \367\131 TeX packed font data
+#0 string \367\312 TeX virtual font data
+#0 string This\ is\ TeX, TeX transcript text
+#0 string This\ is\ METAFONT, METAFONT transcript text
+
+# There is no way to detect TeX Font Metric (*.tfm) files without
+# breaking them apart and reading the data. The following patterns
+# match most *.tfm files generated by METAFONT or afm2tfm.
+#2 string \000\021 TeX font metric data
+#2 string \000\022 TeX font metric data
+#>34 string >\0 (%s)
+
+# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com)
+#0 string \\input\ texinfo Texinfo source text
+#0 string This\ is\ Info\ file GNU Info text
+
+# correct TeX magic for Linux (and maybe more)
+# from Peter Tobias (tobias@server.et-inf.fho-emden.de)
+#
+0 leshort 0x02f7 application/x-dvi
+
+# RTF - Rich Text Format
+0 string {\\rtf application/rtf
+
+#------------------------------------------------------------------------------
+# animation: file(1) magic for animation/movie formats
+#
+# animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8)
+# MPEG file
+0 string \000\000\001\263 video/mpeg
+#
+# The contributor claims:
+# I couldn't find a real magic number for these, however, this
+# -appears- to work. Note that it might catch other files, too,
+# so BE CAREFUL!
+#
+# Note that title and author appear in the two 20-byte chunks
+# at decimal offsets 2 and 22, respectively, but they are XOR'ed with
+# 255 (hex FF)! DL format SUCKS BIG ROCKS.
+#
+# DL file version 1 , medium format (160x100, 4 images/screen)
+0 byte 1 video/unknown
+0 byte 2 video/unknown
+# Quicktime video, from Linus Walleij <triad@df.lth.se>
+# from Apple quicktime file format documentation.
+4 string moov video/quicktime
+4 string mdat video/quicktime
+
diff --git a/base/ra/apache/conf/mime.types b/base/ra/apache/conf/mime.types
new file mode 100644
index 000000000..3485692d1
--- /dev/null
+++ b/base/ra/apache/conf/mime.types
@@ -0,0 +1,592 @@
+# This is a comment. I love comments.
+
+# This file controls what Internet media types are sent to the client for
+# given file extension(s). Sending the correct media type to the client
+# is important so they know how to handle the content of the file.
+# Extra types can either be added here or by using an AddType directive
+# in your config files. For more information about Internet media types,
+# please read RFC 2045, 2046, 2047, 2048, and 2077. The Internet media type
+# registry is at <http://www.iana.org/assignments/media-types/>.
+
+# MIME type Extensions
+application/activemessage
+application/andrew-inset ez
+application/applefile
+application/atom+xml atom
+application/atomicmail
+application/batch-smtp
+application/beep+xml
+application/cals-1840
+application/cnrp+xml
+application/commonground
+application/cpl+xml
+application/cybercash
+application/dca-rft
+application/dec-dx
+application/dvcs
+application/edi-consent
+application/edifact
+application/edi-x12
+application/eshop
+application/font-tdpfr
+application/http
+application/hyperstudio
+application/iges
+application/index
+application/index.cmd
+application/index.obj
+application/index.response
+application/index.vnd
+application/iotp
+application/ipp
+application/isup
+application/mac-binhex40 hqx
+application/mac-compactpro cpt
+application/macwriteii
+application/marc
+application/mathematica
+application/mathml+xml mathml
+application/msword doc
+application/news-message-id
+application/news-transmission
+application/ocsp-request
+application/ocsp-response
+application/octet-stream bin dms lha lzh exe class so dll dmg
+application/oda oda
+application/ogg ogg
+application/parityfec
+application/pdf pdf
+application/pgp-encrypted
+application/pgp-keys
+application/pgp-signature
+application/pkcs10
+application/pkcs7-mime
+application/pkcs7-signature
+application/pkix-cert
+application/pkix-crl
+application/pkixcmp
+application/postscript ai eps ps
+application/prs.alvestrand.titrax-sheet
+application/prs.cww
+application/prs.nprend
+application/prs.plucker
+application/qsig
+application/rdf+xml rdf
+application/reginfo+xml
+application/remote-printing
+application/riscos
+application/rtf
+application/sdp
+application/set-payment
+application/set-payment-initiation
+application/set-registration
+application/set-registration-initiation
+application/sgml
+application/sgml-open-catalog
+application/sieve
+application/slate
+application/smil smi smil
+application/srgs gram
+application/srgs+xml grxml
+application/timestamp-query
+application/timestamp-reply
+application/tve-trigger
+application/vemmi
+application/vnd.3gpp.pic-bw-large
+application/vnd.3gpp.pic-bw-small
+application/vnd.3gpp.pic-bw-var
+application/vnd.3gpp.sms
+application/vnd.3m.post-it-notes
+application/vnd.accpac.simply.aso
+application/vnd.accpac.simply.imp
+application/vnd.acucobol
+application/vnd.acucorp
+application/vnd.adobe.xfdf
+application/vnd.aether.imp
+application/vnd.amiga.ami
+application/vnd.anser-web-certificate-issue-initiation
+application/vnd.anser-web-funds-transfer-initiation
+application/vnd.audiograph
+application/vnd.blueice.multipass
+application/vnd.bmi
+application/vnd.businessobjects
+application/vnd.canon-cpdl
+application/vnd.canon-lips
+application/vnd.cinderella
+application/vnd.claymore
+application/vnd.commerce-battelle
+application/vnd.commonspace
+application/vnd.contact.cmsg
+application/vnd.cosmocaller
+application/vnd.criticaltools.wbs+xml
+application/vnd.ctc-posml
+application/vnd.cups-postscript
+application/vnd.cups-raster
+application/vnd.cups-raw
+application/vnd.curl
+application/vnd.cybank
+application/vnd.data-vision.rdz
+application/vnd.dna
+application/vnd.dpgraph
+application/vnd.dreamfactory
+application/vnd.dxr
+application/vnd.ecdis-update
+application/vnd.ecowin.chart
+application/vnd.ecowin.filerequest
+application/vnd.ecowin.fileupdate
+application/vnd.ecowin.series
+application/vnd.ecowin.seriesrequest
+application/vnd.ecowin.seriesupdate
+application/vnd.enliven
+application/vnd.epson.esf
+application/vnd.epson.msf
+application/vnd.epson.quickanime
+application/vnd.epson.salt
+application/vnd.epson.ssf
+application/vnd.ericsson.quickcall
+application/vnd.eudora.data
+application/vnd.fdf
+application/vnd.ffsns
+application/vnd.fints
+application/vnd.flographit
+application/vnd.framemaker
+application/vnd.fsc.weblaunch
+application/vnd.fujitsu.oasys
+application/vnd.fujitsu.oasys2
+application/vnd.fujitsu.oasys3
+application/vnd.fujitsu.oasysgp
+application/vnd.fujitsu.oasysprs
+application/vnd.fujixerox.ddd
+application/vnd.fujixerox.docuworks
+application/vnd.fujixerox.docuworks.binder
+application/vnd.fut-misnet
+application/vnd.grafeq
+application/vnd.groove-account
+application/vnd.groove-help
+application/vnd.groove-identity-message
+application/vnd.groove-injector
+application/vnd.groove-tool-message
+application/vnd.groove-tool-template
+application/vnd.groove-vcard
+application/vnd.hbci
+application/vnd.hhe.lesson-player
+application/vnd.hp-hpgl
+application/vnd.hp-hpid
+application/vnd.hp-hps
+application/vnd.hp-pcl
+application/vnd.hp-pclxl
+application/vnd.httphone
+application/vnd.hzn-3d-crossword
+application/vnd.ibm.afplinedata
+application/vnd.ibm.electronic-media
+application/vnd.ibm.minipay
+application/vnd.ibm.modcap
+application/vnd.ibm.rights-management
+application/vnd.ibm.secure-container
+application/vnd.informix-visionary
+application/vnd.intercon.formnet
+application/vnd.intertrust.digibox
+application/vnd.intertrust.nncp
+application/vnd.intu.qbo
+application/vnd.intu.qfx
+application/vnd.irepository.package+xml
+application/vnd.is-xpr
+application/vnd.japannet-directory-service
+application/vnd.japannet-jpnstore-wakeup
+application/vnd.japannet-payment-wakeup
+application/vnd.japannet-registration
+application/vnd.japannet-registration-wakeup
+application/vnd.japannet-setstore-wakeup
+application/vnd.japannet-verification
+application/vnd.japannet-verification-wakeup
+application/vnd.jisp
+application/vnd.kde.karbon
+application/vnd.kde.kchart
+application/vnd.kde.kformula
+application/vnd.kde.kivio
+application/vnd.kde.kontour
+application/vnd.kde.kpresenter
+application/vnd.kde.kspread
+application/vnd.kde.kword
+application/vnd.kenameaapp
+application/vnd.koan
+application/vnd.liberty-request+xml
+application/vnd.llamagraphics.life-balance.desktop
+application/vnd.llamagraphics.life-balance.exchange+xml
+application/vnd.lotus-1-2-3
+application/vnd.lotus-approach
+application/vnd.lotus-freelance
+application/vnd.lotus-notes
+application/vnd.lotus-organizer
+application/vnd.lotus-screencam
+application/vnd.lotus-wordpro
+application/vnd.mcd
+application/vnd.mediastation.cdkey
+application/vnd.meridian-slingshot
+application/vnd.micrografx.flo
+application/vnd.micrografx.igx
+application/vnd.mif mif
+application/vnd.minisoft-hp3000-save
+application/vnd.mitsubishi.misty-guard.trustweb
+application/vnd.mobius.daf
+application/vnd.mobius.dis
+application/vnd.mobius.mbk
+application/vnd.mobius.mqy
+application/vnd.mobius.msl
+application/vnd.mobius.plc
+application/vnd.mobius.txf
+application/vnd.mophun.application
+application/vnd.mophun.certificate
+application/vnd.motorola.flexsuite
+application/vnd.motorola.flexsuite.adsi
+application/vnd.motorola.flexsuite.fis
+application/vnd.motorola.flexsuite.gotap
+application/vnd.motorola.flexsuite.kmr
+application/vnd.motorola.flexsuite.ttc
+application/vnd.motorola.flexsuite.wem
+application/vnd.mozilla.xul+xml xul
+application/vnd.ms-artgalry
+application/vnd.ms-asf
+application/vnd.ms-excel xls
+application/vnd.ms-lrm
+application/vnd.ms-powerpoint ppt
+application/vnd.ms-project
+application/vnd.ms-tnef
+application/vnd.ms-works
+application/vnd.ms-wpl
+application/vnd.mseq
+application/vnd.msign
+application/vnd.music-niff
+application/vnd.musician
+application/vnd.netfpx
+application/vnd.noblenet-directory
+application/vnd.noblenet-sealer
+application/vnd.noblenet-web
+application/vnd.novadigm.edm
+application/vnd.novadigm.edx
+application/vnd.novadigm.ext
+application/vnd.obn
+application/vnd.osa.netdeploy
+application/vnd.palm
+application/vnd.pg.format
+application/vnd.pg.osasli
+application/vnd.powerbuilder6
+application/vnd.powerbuilder6-s
+application/vnd.powerbuilder7
+application/vnd.powerbuilder7-s
+application/vnd.powerbuilder75
+application/vnd.powerbuilder75-s
+application/vnd.previewsystems.box
+application/vnd.publishare-delta-tree
+application/vnd.pvi.ptid1
+application/vnd.pwg-multiplexed
+application/vnd.pwg-xhtml-print+xml
+application/vnd.quark.quarkxpress
+application/vnd.rapid
+application/vnd.s3sms
+application/vnd.sealed.net
+application/vnd.seemail
+application/vnd.shana.informed.formdata
+application/vnd.shana.informed.formtemplate
+application/vnd.shana.informed.interchange
+application/vnd.shana.informed.package
+application/vnd.smaf
+application/vnd.sss-cod
+application/vnd.sss-dtf
+application/vnd.sss-ntf
+application/vnd.street-stream
+application/vnd.svd
+application/vnd.swiftview-ics
+application/vnd.triscape.mxs
+application/vnd.trueapp
+application/vnd.truedoc
+application/vnd.ufdl
+application/vnd.uplanet.alert
+application/vnd.uplanet.alert-wbxml
+application/vnd.uplanet.bearer-choice
+application/vnd.uplanet.bearer-choice-wbxml
+application/vnd.uplanet.cacheop
+application/vnd.uplanet.cacheop-wbxml
+application/vnd.uplanet.channel
+application/vnd.uplanet.channel-wbxml
+application/vnd.uplanet.list
+application/vnd.uplanet.list-wbxml
+application/vnd.uplanet.listcmd
+application/vnd.uplanet.listcmd-wbxml
+application/vnd.uplanet.signal
+application/vnd.vcx
+application/vnd.vectorworks
+application/vnd.vidsoft.vidconference
+application/vnd.visio
+application/vnd.visionary
+application/vnd.vividence.scriptfile
+application/vnd.vsf
+application/vnd.wap.sic
+application/vnd.wap.slc
+application/vnd.wap.wbxml wbxml
+application/vnd.wap.wmlc wmlc
+application/vnd.wap.wmlscriptc wmlsc
+application/vnd.webturbo
+application/vnd.wrq-hp3000-labelled
+application/vnd.wt.stf
+application/vnd.wv.csp+wbxml
+application/vnd.xara
+application/vnd.xfdl
+application/vnd.yamaha.hv-dic
+application/vnd.yamaha.hv-script
+application/vnd.yamaha.hv-voice
+application/vnd.yellowriver-custom-menu
+application/voicexml+xml vxml
+application/watcherinfo+xml
+application/whoispp-query
+application/whoispp-response
+application/wita
+application/wordperfect5.1
+application/x-bcpio bcpio
+application/x-cdlink vcd
+application/x-chess-pgn pgn
+application/x-compress
+application/x-cpio cpio
+application/x-csh csh
+application/x-director dcr dir dxr
+application/x-dvi dvi
+application/x-futuresplash spl
+application/x-gtar gtar
+application/x-gzip
+application/x-hdf hdf
+application/x-javascript js
+application/x-koan skp skd skt skm
+application/x-latex latex
+application/x-netcdf nc cdf
+application/x-sh sh
+application/x-shar shar
+application/x-shockwave-flash swf
+application/x-stuffit sit
+application/x-sv4cpio sv4cpio
+application/x-sv4crc sv4crc
+application/x-tar tar
+application/x-tcl tcl
+application/x-tex tex
+application/x-texinfo texinfo texi
+application/x-troff t tr roff
+application/x-troff-man man
+application/x-troff-me me
+application/x-troff-ms ms
+application/x-ustar ustar
+application/x-wais-source src
+application/x400-bp
+application/xhtml+xml xhtml xht
+application/xslt+xml xslt
+application/xml xml xsl
+application/xml-dtd dtd
+application/xml-external-parsed-entity
+application/zip zip
+audio/32kadpcm
+audio/amr
+audio/amr-wb
+audio/basic au snd
+audio/cn
+audio/dat12
+audio/dsr-es201108
+audio/dvi4
+audio/evrc
+audio/evrc0
+audio/g722
+audio/g.722.1
+audio/g723
+audio/g726-16
+audio/g726-24
+audio/g726-32
+audio/g726-40
+audio/g728
+audio/g729
+audio/g729D
+audio/g729E
+audio/gsm
+audio/gsm-efr
+audio/l8
+audio/l16
+audio/l20
+audio/l24
+audio/lpc
+audio/midi mid midi kar
+audio/mpa
+audio/mpa-robust
+audio/mp4a-latm
+audio/mpeg mpga mp2 mp3
+audio/parityfec
+audio/pcma
+audio/pcmu
+audio/prs.sid
+audio/qcelp
+audio/red
+audio/smv
+audio/smv0
+audio/telephone-event
+audio/tone
+audio/vdvi
+audio/vnd.3gpp.iufp
+audio/vnd.cisco.nse
+audio/vnd.cns.anp1
+audio/vnd.cns.inf1
+audio/vnd.digital-winds
+audio/vnd.everad.plj
+audio/vnd.lucent.voice
+audio/vnd.nortel.vbk
+audio/vnd.nuera.ecelp4800
+audio/vnd.nuera.ecelp7470
+audio/vnd.nuera.ecelp9600
+audio/vnd.octel.sbc
+audio/vnd.qcelp
+audio/vnd.rhetorex.32kadpcm
+audio/vnd.vmx.cvsd
+audio/x-aiff aif aiff aifc
+audio/x-alaw-basic
+audio/x-mpegurl m3u
+audio/x-pn-realaudio ram ra
+audio/x-pn-realaudio-plugin
+application/vnd.rn-realmedia rm
+audio/x-wav wav
+chemical/x-pdb pdb
+chemical/x-xyz xyz
+image/bmp bmp
+image/cgm cgm
+image/g3fax
+image/gif gif
+image/ief ief
+image/jpeg jpeg jpg jpe
+image/naplps
+image/png png
+image/prs.btif
+image/prs.pti
+image/svg+xml svg
+image/t38
+image/tiff tiff tif
+image/tiff-fx
+image/vnd.cns.inf2
+image/vnd.djvu djvu djv
+image/vnd.dwg
+image/vnd.dxf
+image/vnd.fastbidsheet
+image/vnd.fpx
+image/vnd.fst
+image/vnd.fujixerox.edmics-mmr
+image/vnd.fujixerox.edmics-rlc
+image/vnd.globalgraphics.pgb
+image/vnd.mix
+image/vnd.ms-modi
+image/vnd.net-fpx
+image/vnd.svf
+image/vnd.wap.wbmp wbmp
+image/vnd.xiff
+image/x-cmu-raster ras
+image/x-icon ico
+image/x-portable-anymap pnm
+image/x-portable-bitmap pbm
+image/x-portable-graymap pgm
+image/x-portable-pixmap ppm
+image/x-rgb rgb
+image/x-xbitmap xbm
+image/x-xpixmap xpm
+image/x-xwindowdump xwd
+message/delivery-status
+message/disposition-notification
+message/external-body
+message/http
+message/news
+message/partial
+message/rfc822
+message/s-http
+message/sip
+message/sipfrag
+model/iges igs iges
+model/mesh msh mesh silo
+model/vnd.dwf
+model/vnd.flatland.3dml
+model/vnd.gdl
+model/vnd.gs-gdl
+model/vnd.gtw
+model/vnd.mts
+model/vnd.parasolid.transmit.binary
+model/vnd.parasolid.transmit.text
+model/vnd.vtu
+model/vrml wrl vrml
+multipart/alternative
+multipart/appledouble
+multipart/byteranges
+multipart/digest
+multipart/encrypted
+multipart/form-data
+multipart/header-set
+multipart/mixed
+multipart/parallel
+multipart/related
+multipart/report
+multipart/signed
+multipart/voice-message
+text/calendar ics ifb
+text/css css
+text/directory
+text/enriched
+text/html html htm
+text/parityfec
+text/plain asc txt
+text/prs.lines.tag
+text/rfc822-headers
+text/richtext rtx
+text/rtf rtf
+text/sgml sgml sgm
+text/t140
+text/tab-separated-values tsv
+text/uri-list
+text/vnd.abc
+text/vnd.curl
+text/vnd.dmclientscript
+text/vnd.fly
+text/vnd.fmi.flexstor
+text/vnd.in3d.3dml
+text/vnd.in3d.spot
+text/vnd.iptc.nitf
+text/vnd.iptc.newsml
+text/vnd.latex-z
+text/vnd.motorola.reflex
+text/vnd.ms-mediapackage
+text/vnd.net2phone.commcenter.command
+text/vnd.sun.j2me.app-descriptor
+text/vnd.wap.si
+text/vnd.wap.sl
+text/vnd.wap.wml wml
+text/vnd.wap.wmlscript wmls
+text/x-setext etx
+text/xml
+text/xml-external-parsed-entity
+video/bmpeg
+video/bt656
+video/celb
+video/dv
+video/h261
+video/h263
+video/h263-1998
+video/h263-2000
+video/jpeg
+video/mp1s
+video/mp2p
+video/mp2t
+video/mp4v-es
+video/mpv
+video/mpeg mpeg mpg mpe
+video/nv
+video/parityfec
+video/pointer
+video/quicktime qt mov
+video/smpte292m
+video/vnd.fvt
+video/vnd.motorola.video
+video/vnd.motorola.videop
+video/vnd.mpegurl mxu m4u
+video/vnd.nokia.interleaved-multimedia
+video/vnd.objectvideo
+video/vnd.vivo
+video/x-msvideo avi
+video/x-sgi-movie movie
+x-conference/x-cooltalk ice
diff --git a/base/ra/apache/conf/nss.conf b/base/ra/apache/conf/nss.conf
new file mode 100644
index 000000000..a3e0621ab
--- /dev/null
+++ b/base/ra/apache/conf/nss.conf
@@ -0,0 +1,267 @@
+#
+# This is the Apache server configuration file providing SSL support using.
+# the mod_nss plugin. It contains the configuration directives to instruct
+# the server how to serve pages over an https connection.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+
+#
+# When we also provide SSL we have to listen to the
+# standard HTTP port (see above) and to the HTTPS port
+#
+# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
+# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
+#
+Listen [SECURE_PORT]
+
+Listen [NON_CLIENTAUTH_SECURE_PORT]
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+#
+# Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+#NSSPassPhraseDialog builtin
+NSSPassPhraseDialog defer:[SERVER_ROOT]/conf/password.conf
+
+
+# Pass Phrase Helper:
+# This helper program stores the token password pins between
+# restarts of Apache.
+NSSPassPhraseHelper /usr/share/pki/ra/scripts/nss_pcache
+
+# Configure the SSL Session Cache.
+# SSLSessionCacheSize is the number of entries in the cache.
+# SSLSessionCacheTimeout is the SSL2 session timeout (in seconds).
+# SSL3SessionCacheTimeout is the SSL3/TLS session timeout (in seconds).
+NSSSessionCacheSize 10000
+NSSSessionCacheTimeout 100
+NSSSession3CacheTimeout 86400
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:[SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Secure_Port]
+#ServerAdmin you@example.com
+
+# Configure OCSP checking of client certs
+
+#NSSOCSP on
+#NSSOCSPDefaultResponder on
+
+# URL of the ocsp service
+#
+# Example of the built in ocsp service of the CS CA
+#
+#NSSOCSPDefaultURL http://localhost:9180/ca/ocsp
+
+# Nickname of ocsp signing cert
+#
+# Below is sufficient if using built in CS CA ocsp service
+# If using outboard ocsp, make sure the cert listed below
+# is imported into the local cert database.
+#
+#NSSOCSPDefaultName caCert
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient require
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars +ExportCertData
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+
+<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Non_Clientauth_Secure_Port]
+#ServerAdmin you@example.com
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[PKI_INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient none
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars +ExportCertData
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
diff --git a/base/ra/apache/conf/perl.conf b/base/ra/apache/conf/perl.conf
new file mode 100644
index 000000000..50139cdab
--- /dev/null
+++ b/base/ra/apache/conf/perl.conf
@@ -0,0 +1,102 @@
+#
+# Mod_perl incorporates a Perl interpreter into the Apache web server,
+# so that the Apache web server can directly execute Perl code.
+# Mod_perl links the Perl runtime library into the Apache web server
+# and provides an object-oriented Perl interface for Apache's C
+# language API. The end result is a quicker CGI script turnaround
+# process, since no external Perl interpreter has to be started.
+#
+
+LoadModule perl_module [FORTITUDE_LIB_DIR]/modules/mod_perl.so
+
+# Uncomment this line to globally enable warnings, which will be
+# written to the server's error log. Warnings should be enabled
+# during the development process, but should be disabled on a
+# production server as they affect performance.
+#
+#PerlWarn On
+
+# Uncomment this line to enable taint checking globally. When Perl is
+# running in taint mode various checks are performed to reduce the
+# risk of insecure data being passed to a subshell or being used to
+# modify the filesystem. Unfortunatly many Perl modules are not
+# taint-safe, so you should exercise care before enabling it on a
+# production server.
+#
+#PerlTaintCheck On
+
+# This will allow execution of mod_perl to compile your scripts to
+# subroutines which it will execute directly, avoiding the costly
+# compile process for most requests.
+#
+#Alias /perl /var/www/perl
+#<Directory /var/www/perl>
+# SetHandler perl-script
+# PerlResponseHandler ModPerl::Registry
+# PerlOptions +ParseHeaders
+# Options +ExecCGI
+#</Directory>
+
+# This will allow remote server configuration reports, with the URL of
+# http://servername/perl-status
+# Change the ".your-domain.com" to match your domain to enable.
+#
+#PerlModule Apache::compat
+#<Location /perl-status>
+# SetHandler perl-script
+# PerlResponseHandler Apache::Status
+# Order deny,allow
+# Deny from all
+# Allow from .your-domain.com
+#</Location>
+
+PerlModule ModPerl::Registry
+PerlModule [FORTITUDE_APACHE]::compat
+PerlModule PKI::RA::wizard
+PerlSetEnv PKI_DOCROOT [SERVER_ROOT]/docroot
+PerlSetEnv PKI_ROOT [SERVER_ROOT]
+<Location /ra/admin/console/config/wizard>
+ SetHandler perl-script
+ PerlHandler PKI::RA::Wizard
+ Order deny,allow
+ Allow from all
+</Location>
+
+<Location /ra/admin/console/config/login>
+ SetHandler perl-script
+ PerlHandler PKI::RA::Login
+ Order deny,allow
+ Allow from all
+</Location>
+
+PerlModule ModPerl::PerlRun
+Alias /ee/ [SERVER_ROOT]/docroot/ee/
+<Location /ee/ >
+ SetHandler perl-script
+ PerlHandler ModPerl::PerlRun
+ Options Indexes ExecCGI
+ PerlSendHeader On
+</Location>
+
+Alias /agent/ [SERVER_ROOT]/docroot/agent/
+<Location /agent/ >
+ SetHandler perl-script
+ PerlHandler ModPerl::PerlRun
+ Options Indexes ExecCGI
+ PerlSendHeader On
+</Location>
+
+Alias /admin/ [SERVER_ROOT]/docroot/admin/
+<Location /admin/ >
+ SetHandler perl-script
+ PerlHandler ModPerl::PerlRun
+ Options Indexes ExecCGI
+ PerlSendHeader On
+</Location>
+
+<Location /index.cgi >
+ SetHandler perl-script
+ PerlHandler ModPerl::PerlRun
+ Options Indexes ExecCGI
+ PerlSendHeader On
+</Location>
diff --git a/base/ra/doc/CMakeLists.txt b/base/ra/doc/CMakeLists.txt
new file mode 100644
index 000000000..4cebbe1c9
--- /dev/null
+++ b/base/ra/doc/CMakeLists.txt
@@ -0,0 +1,10 @@
+set(VERSION ${APPLICATION_VERSION})
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg.in ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+ FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)
diff --git a/base/ra/doc/CS.cfg.in b/base/ra/doc/CS.cfg.in
new file mode 100644
index 000000000..0581e3a78
--- /dev/null
+++ b/base/ra/doc/CS.cfg.in
@@ -0,0 +1,242 @@
+_000=##
+_001=## Registration Authority (RA) Configuration File
+_002=##
+pidDir=[PKI_PIDDIR]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.secure_port=[SECURE_PORT]
+pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
+pkicreate.unsecure_port=[PORT]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
+pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+request._000=#########################################
+request._001=# Request Queue Parameters
+request._002=#########################################
+agent.authorized_groups=administrators,agents
+admin.authorized_groups=administrators
+database.dbfile=[SERVER_ROOT]/conf/dbfile
+database.lockfile=[SERVER_ROOT]/conf/dblock
+request.renewal.approve_request.0.ca=ca1
+request.renewal.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA
+request.renewal.approve_request.0.profileId=caDualRAuserCert
+request.renewal.approve_request.0.reqType=crmf
+request.renewal.approve_request.1.mailTo=$created_by
+request.renewal.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification
+request.renewal.approve_request.1.templateDir=/usr/share/pki/ra/conf
+request.renewal.approve_request.1.templateFile=mail_approve_request.vm
+request.renewal.approve_request.num_plugins=2
+request.renewal.reject_request.num_plugins=0
+request.renewal.create_request.0.assignTo=agents
+request.renewal.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
+request.renewal.create_request.1.mailTo=$created_by
+request.renewal.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
+request.renewal.create_request.1.templateDir=/usr/share/pki/ra/conf
+request.renewal.create_request.1.templateFile=mail_create_request.vm
+request.renewal.create_request.num_plugins=2
+request.scep.profileId=caRARouterCert
+request.scep.reqType=pkcs10
+request.scep.create_request.num_plugins=2
+request.scep.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
+request.scep.create_request.0.assignTo=agents
+request.scep.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
+request.scep.create_request.1.mailTo=
+request.scep.create_request.1.templateDir=/usr/share/pki/ra/conf
+request.scep.create_request.1.templateFile=mail_create_request.vm
+request.scep.approve_request.num_plugins=1
+request.scep.approve_request.0.plugin=PKI::Request::Plugin::CreatePin
+request.scep.approve_request.0.pinFormat=$site_id
+request.scep.reject_request.num_plugins=0
+request.agent.profileId=caRAagentCert
+request.agent.reqType=crmf
+request.agent.create_request.num_plugins=2
+request.agent.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
+request.agent.create_request.0.assignTo=agents
+request.agent.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
+request.agent.create_request.1.mailTo=
+request.agent.create_request.1.templateDir=/usr/share/pki/ra/conf
+request.agent.create_request.1.templateFile=mail_create_request.vm
+request.agent.approve_request.num_plugins=1
+request.agent.approve_request.0.plugin=PKI::Request::Plugin::CreatePin
+request.agent.approve_request.0.pinFormat=$uid
+request.agent.reject_request.num_plugins=0
+request.user.create_request.num_plugins=2
+request.user.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
+request.user.create_request.0.assignTo=agents
+request.user.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
+request.user.create_request.1.templateDir=/usr/share/pki/ra/conf
+request.user.create_request.1.templateFile=mail_create_request.vm
+request.user.create_request.1.mailTo=
+request.user.approve_request.num_plugins=2
+request.user.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA
+request.user.approve_request.0.ca=ca1
+request.user.approve_request.0.profileId=caDualRAuserCert
+request.user.approve_request.0.reqType=crmf
+request.user.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification
+request.user.approve_request.1.mailTo=$created_by
+request.user.approve_request.1.templateDir=/usr/share/pki/ra/conf
+request.user.approve_request.1.templateFile=mail_approve_request.vm
+request.user.reject_request.num_plugins=0
+request.server.create_request.num_plugins=2
+request.server.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
+request.server.create_request.0.assignTo=agents
+request.server.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
+request.server.create_request.1.mailTo=
+request.server.create_request.1.templateDir=/usr/share/pki/ra/conf
+request.server.create_request.1.templateFile=mail_create_request.vm
+request.server.approve_request.num_plugins=2
+request.server.approve_request.0.plugin=PKI::Request::Plugin::RequestToCA
+request.server.approve_request.0.ca=ca1
+request.server.approve_request.0.profileId=caRAserverCert
+request.server.approve_request.0.reqType=pkcs10
+request.server.approve_request.1.plugin=PKI::Request::Plugin::EmailNotification
+request.server.approve_request.1.mailTo=$created_by
+request.server.approve_request.1.templateDir=/usr/share/pki/ra/conf
+request.server.approve_request.1.templateFile=mail_approve_request.vm
+request.server.reject_request.num_plugins=0
+cs.type=RA
+service.machineName=[SERVER_NAME]
+service.instanceDir=[SERVER_ROOT]
+service.securePort=[SECURE_PORT]
+service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
+service.unsecurePort=[PORT]
+service.instanceID=[PKI_INSTANCE_ID]
+logging._000=#########################################
+logging._001=# RA configuration File
+logging._002=#
+logging._003=# All <...> must be replaced with
+logging._004=# appropriate values.
+logging._005=#########################################
+logging._006=########################################
+logging._007=# logging
+logging._008=#
+logging._009=# logging.debug.enable:
+logging._010=# logging.audit.enable:
+logging._011=# logging.error.enable:
+logging._012=# - enable or disable the corresponding logging
+logging._013=# logging.debug.filename:
+logging._014=# logging.audit.filename:
+logging._015=# logging.error.filename:
+logging._016=# - name of the log file
+logging._017=# logging.debug.level:
+logging._018=# logging.audit.level:
+logging._019=# logging.error.level:
+logging._020=# - level of logging. (0-10)
+logging._021=# 0 - no logging,
+logging._022=# 4 - LL_PER_SERVER these messages will occur only once
+logging._023=# during the entire invocation of the
+logging._024=# server, e. g. at startup or shutdown
+logging._025=# time., reading the conf parameters.
+logging._026=# Perhaps other infrequent events
+logging._027=# relating to failing over of CA, TKS,
+logging._028=# too
+logging._029=# 6 - LL_PER_CONNECTION these messages happen once per
+logging._030=# connection - most of the log events
+logging._031=# will be at this level
+logging._032=# 8 - LL_PER_PDU these messages relate to PDU
+logging._033=# processing. If you have something that
+logging._034=# is done for every PDU, such as
+logging._035=# applying the MAC, it should be logged
+logging._036=# at this level
+logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more
+logging._038=# chatty version of the above
+logging._039=# 10 - all logging
+logging._040=#########################################
+logging.debug.enable=true
+logging.debug.filename=[SERVER_ROOT]/logs/ra-debug.log
+logging.debug.level=7
+logging.audit.enable=true
+logging.audit.filename=[SERVER_ROOT]/logs/ra-audit.log
+logging.audit.level=10
+logging.error.enable=true
+logging.error.filename=[SERVER_ROOT]/logs/ra-error.log
+logging.error.level=10
+conn.ca1._000=#########################################
+conn.ca1._001=# CA connection
+conn.ca1._002=#
+conn.ca1._003=# conn.ca<n>.hostport:
+conn.ca1._004=# - host name and port number of your CA, format is host:port
+conn.ca1._005=# conn.ca<n>.clientNickname:
+conn.ca1._006=# - nickname of the client certificate for
+conn.ca1._007=# authentication
+conn.ca1._008=# conn.ca<n>.servlet.enrollment:
+conn.ca1._009=# - servlet to contact in CA
+conn.ca1._010=# - must be '/ca/ee/ca/profileSubmitSSLClient'
+conn.ca1._008=# conn.ca<n>.servlet.addagent:
+conn.ca1._009=# - servlet to add ra agent on CA
+conn.ca1._010=# - must be '/ca/admin/ca/registerRaUser
+conn.ca1._011=# conn.ca<n>.retryConnect:
+conn.ca1._012=# - number of reconnection attempts on failure
+conn.ca1._013=# conn.ca<n>.timeout:
+conn.ca1._014=# - connection timeout
+conn.ca1._015=# conn.ca<n>.SSLOn:
+conn.ca1._016=# - enable SSL or not
+conn.ca1._017=# conn.ca<n>.keepAlive:
+conn.ca1._018=# - enable keep alive or not
+conn.ca1._019=#
+conn.ca1._020=# where
+conn.ca1._021=# <n> - CA connection ID
+conn.ca1._022=#########################################
+failover.pod.enable=false
+conn.ca1.hostport=[CA_HOST]:[CA_PORT]
+conn.ca1.clientNickname=[HSM_LABEL][NICKNAME]
+conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
+conn.ca1.servlet.addagent=/ca/admin/ca/registerRaUser
+conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke
+conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke
+conn.ca1.retryConnect=3
+conn.ca1.timeout=100
+conn.ca1.SSLOn=true
+conn.ca1.keepAlive=true
+preop.pin=[PKI_RANDOM_NUMBER]
+preop.product.version=@VERSION@
+preop.cert._000=#########################################
+preop.cert._001=# Installation configuration "preop" certs parameters
+preop.cert._002=#########################################
+preop.cert.list=sslserver,subsystem
+preop.cert.sslserver.enable=true
+preop.cert.subsystem.enable=true
+preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.sslserver.dn=CN=[SERVER_NAME], OU=[PKI_INSTANCE_ID]
+preop.cert.sslserver.keysize.customsize=2048
+preop.cert.sslserver.keysize.size=2048
+preop.cert.sslserver.keysize.select=custom
+preop.cert.sslserver.nickname=Server-Cert cert-[PKI_INSTANCE_ID]
+preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.sslserver.subsystem=ra
+preop.cert._003=#preop.cert.sslserver.type=local
+preop.cert.sslserver.userfriendlyname=SSL Server Certificate
+preop.cert._004=#preop.cert.sslserver.cncomponent.override=false
+preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
+preop.cert.subsystem.dn=CN=RA Subsystem Certificate, OU=[PKI_INSTANCE_ID]
+preop.cert.subsystem.keysize.customsize=2048
+preop.cert.subsystem.keysize.size=2048
+preop.cert.subsystem.keysize.select=custom
+preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_ID]
+preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.subsystem.subsystem=ra
+preop.cert._005=#preop.cert.subsystem.type=local
+preop.cert.subsystem.userfriendlyname=Subsystem Certificate
+preop.cert._006=#preop.cert.subsystem.cncomponent.override=true
+preop.configModules._000=#########################################
+preop.configModules._001=# Installation configuration "preop" module parameters
+preop.configModules._002=#########################################
+preop.configModules.count=3
+preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+preop.configModules.module0.imagePath=../img/clearpixel.gif
+preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+preop.configModules.module1.commonName=nfast
+preop.configModules.module1.imagePath=../img/clearpixel.gif
+preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+preop.configModules.module2.commonName=lunasa
+preop.configModules.module2.imagePath=../img/clearpixel.gif
+preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+preop.module.token=NSS Certificate DB
+preop.keysize._000=#########################################
+preop.keysize._001=# Installation configuration "preop" keysize parameters
+preop.keysize._002=#########################################
+preop.keysize.customsize=2048
+preop.keysize.select=default
+preop.keysize.size=2048
+preop.keysize.ecc.size=256
diff --git a/base/ra/emails/mail_approve_request.vm b/base/ra/emails/mail_approve_request.vm
new file mode 100644
index 000000000..461eb4d10
--- /dev/null
+++ b/base/ra/emails/mail_approve_request.vm
@@ -0,0 +1,11 @@
+Reply-to: $mail_to
+Subject: Request #$request_id approved
+To: $mail_to
+Content-type: text/plain\n\n
+Request #$request_id has been approved
+for
+Subject DN: $subject_dn
+
+Import certificate at:
+https://$machineName:$nonClientAuthSecurePort/ee/request/getcert.cgi?id=$request_id
+
diff --git a/base/ra/emails/mail_create_request.vm b/base/ra/emails/mail_create_request.vm
new file mode 100644
index 000000000..317270efa
--- /dev/null
+++ b/base/ra/emails/mail_create_request.vm
@@ -0,0 +1,8 @@
+Reply-to: $mail_to
+Subject: New request #$request_id has been created
+To: $mail_to
+Content-type: text/plain\n\n
+A new request has been created for you. You can access
+the request by going to
+
+https://$machineName:$securePort/agent/request/read.cgi?id=$request_id
diff --git a/base/ra/etc/init.d/pki-rad b/base/ra/etc/init.d/pki-rad
new file mode 100755
index 000000000..666bf6387
--- /dev/null
+++ b/base/ra/etc/init.d/pki-rad
@@ -0,0 +1,87 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007-2010 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+# pki-rad Startup script for the Apache HTTP pki-ra Server
+#
+# chkconfig: - 86 14
+# description: Registration Authority (Apache)
+# processname: pki-rad
+# piddir: /var/run/pki/ra
+# config: ${PKI_SERVER_ROOT}/conf/httpd.conf
+
+PROG_NAME=`basename $0`
+SERVICE_NAME="pki-rad"
+SERVICE_PROG="/sbin/service"
+PKI_PATH="/usr/share/pki/ra"
+PKI_REGISTRY="/etc/sysconfig/pki/ra"
+PKI_TYPE="pki-ra"
+PKI_TOTAL_PORTS=3
+
+# Avoid using 'systemctl' for now
+SYSTEMCTL_SKIP_REDIRECT=1
+export SYSTEMCTL_SKIP_REDIRECT
+
+# Disallow 'others' the ability to 'write' to new files
+umask 00002
+
+command="$1"
+pki_instance="$2"
+
+# Source function library.
+. /etc/init.d/functions
+
+# Source the PKI function library
+. /usr/share/pki/scripts/functions
+
+# See how we were called.
+case $command in
+ status)
+ registry_status
+ exit $?
+ ;;
+ start)
+ start
+ exit $?
+ ;;
+ restart)
+ restart
+ exit $?
+ ;;
+ stop)
+ stop
+ exit $?
+ ;;
+ condrestart|force-restart|try-restart)
+ [ ! -f ${lockfile} ] || restart
+ exit $?
+ ;;
+ reload)
+ echo "The 'reload' action is an unimplemented feature."
+ exit ${default_error}
+ ;;
+ *)
+ echo "unknown action ($command)"
+ usage
+ echo "where valid instance names include:"
+ list_instances
+ exit ${default_error}
+ ;;
+esac
+
diff --git a/base/ra/forms/admin/group/add.cgi b/base/ra/forms/admin/group/add.cgi
new file mode 100755
index 000000000..212330d0d
--- /dev/null
+++ b/base/ra/forms/admin/group/add.cgi
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+ my $name = $util->get_val($q->param('name'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my $ref = $store->read_group($gid);
+ if (defined($ref)) {
+ # gid used
+ print $q->redirect("/admin/group/add_new.cgi?error=exist");
+ return;
+ }
+ my $ref = $store->add_group($gid, $name);
+ $store->close();
+
+ print $q->redirect("/admin/group/index.cgi");
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/group/add_member.cgi b/base/ra/forms/admin/group/add_member.cgi
new file mode 100755
index 000000000..d60fe965e
--- /dev/null
+++ b/base/ra/forms/admin/group/add_member.cgi
@@ -0,0 +1,80 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+ my $userid = $util->get_val($q->param('uid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ $store->add_user_to_group($gid, $userid);
+ $store->close();
+
+ print $q->redirect("/admin/group/read.cgi?gid=" . $gid);
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/group/add_new.cgi b/base/ra/forms/admin/group/add_new.cgi
new file mode 100755
index 000000000..5a1ca7eda
--- /dev/null
+++ b/base/ra/forms/admin/group/add_new.cgi
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+ my $error = $q->param('error');
+ $context{error} = $util->html_encode($error);
+
+ my $result = $parser->execute_file_with_context("admin/group/add_new.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/group/delete.cgi b/base/ra/forms/admin/group/delete.cgi
new file mode 100755
index 000000000..5fb1f22ce
--- /dev/null
+++ b/base/ra/forms/admin/group/delete.cgi
@@ -0,0 +1,79 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ $store->delete_group($gid);
+ $store->close();
+
+ print $q->redirect("/admin/group/index.cgi");
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/group/delete_member.cgi b/base/ra/forms/admin/group/delete_member.cgi
new file mode 100755
index 000000000..2e516eeee
--- /dev/null
+++ b/base/ra/forms/admin/group/delete_member.cgi
@@ -0,0 +1,79 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+ my $userid = $util->get_val($q->param('uid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ $store->delete_user_from_group($gid, $userid);
+ $store->close();
+
+ print $q->redirect("/admin/group/read.cgi?gid=" . $gid);
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/group/index.cgi b/base/ra/forms/admin/group/index.cgi
new file mode 100755
index 000000000..07dc653e6
--- /dev/null
+++ b/base/ra/forms/admin/group/index.cgi
@@ -0,0 +1,115 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+
+ my $util = PKI::Base::Util->new();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $sp = $util->get_alphanum_val($q->param('sp'));
+ if ($sp eq "") {
+ $sp = "0";
+ }
+ $context{sp} = $sp;
+ my $mc = $util->get_alphanum_val($q->param('mc'));
+ if ($mc eq "") {
+ $mc = "20";
+ }
+ $context{mc} = $mc;
+ $context{pp} = $sp - $mc; # previous pos (for paging)
+ $context{np} = $sp + $mc; # next pos (for paging)
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my @groups = $store->list_groups($sp, $mc);
+ $store->close();
+
+ my @r;
+ my $i = 0;
+ foreach my $group (@groups) {
+ $r[$i] = new PKI::RA::GlobalVar(
+ getGID => sub { return $util->html_encode(Encode::decode('UTF-8', $group->{'gid'})) },
+ getName => sub { return $util->html_encode(Encode::decode('UTF-8', $group->{'name'})) },
+ );
+ $i++;
+ }
+ $context{rows} = \@r;
+
+ my $result = $parser->execute_file_with_context("admin/group/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/group/read.cgi b/base/ra/forms/admin/group/read.cgi
new file mode 100755
index 000000000..9ede3aa53
--- /dev/null
+++ b/base/ra/forms/admin/group/read.cgi
@@ -0,0 +1,125 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $gid = $util->get_val($q->param('gid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my $ref = $store->read_group($gid);
+
+ $context{gid} = $util->html_encode(Encode::decode('UTF-8', $ref->{'gid'}));
+ $context{name} = $util->html_encode(Encode::decode('UTF-8', $ref->{'name'}));
+
+ my @members = $store->list_all_members($gid);
+ my @users = $store->list_all_non_members($gid);
+ $store->close();
+
+ # new member in the group
+ my @r;
+ my $i = 0;
+ foreach my $member (@members) {
+ $r[$i] = new PKI::RA::GlobalVar(
+ getUID => sub { return $util->html_encode($member->{'uid'}) },
+ );
+ $i++;
+ }
+ $context{members} = \@r;
+
+ # read users
+ my @u;
+ $i = 0;
+ foreach my $user (@users) {
+ $u[$i] = new PKI::RA::GlobalVar(
+ getUID => sub { return $util->html_encode($user->{'uid'}) },
+ );
+ $i++;
+ }
+ if ($i == 0) {
+ $context{non_member_exists} = 0;
+ } else {
+ $context{non_member_exists} = 1;
+ }
+ $context{users} = \@u;
+
+ my $result = $parser->execute_file_with_context("admin/group/read.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/index.cgi b/base/ra/forms/admin/index.cgi
new file mode 100755
index 000000000..2db7b2500
--- /dev/null
+++ b/base/ra/forms/admin/index.cgi
@@ -0,0 +1,80 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::UserStore;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi?error=Authentication%20Error");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $result = $parser->execute_file_with_context("admin/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/user/add.cgi b/base/ra/forms/admin/user/add.cgi
new file mode 100755
index 000000000..94c4bae81
--- /dev/null
+++ b/base/ra/forms/admin/user/add.cgi
@@ -0,0 +1,99 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $userid = $util->get_val($q->param('uid'));
+ my $name = $util->get_val($q->param('name'));
+ my $email = $util->get_val($q->param('email'));
+ my $certificate = $util->get_val($q->param('certificate'));
+
+ if ($certificate =~ /BEGIN CERTIFICATE/ ||
+ $certificate =~ /END CERTIFICATE/) {
+ # do nothing
+ } else {
+ print $q->redirect("/admin/user/add_new.cgi?error=cert_header");
+ return;
+ }
+ $certificate =~ s/-----BEGIN CERTIFICATE-----//g;
+ $certificate =~ s/-----END CERTIFICATE-----//g;
+ $certificate =~ s/[\r\n]//g;
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my $ref = $store->read_user($userid);
+ if (defined($ref)) {
+ # uid used
+ print $q->redirect("/admin/user/add_new.cgi?error=exist");
+ return;
+ }
+ my $ref = $store->add_user($userid, $name, $email, $certificate);
+ $store->close();
+
+ print $q->redirect("/admin/user/index.cgi");
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/user/add_new.cgi b/base/ra/forms/admin/user/add_new.cgi
new file mode 100755
index 000000000..8bfbd0e9e
--- /dev/null
+++ b/base/ra/forms/admin/user/add_new.cgi
@@ -0,0 +1,87 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $error = $util->get_val($q->param('error'));
+ $context{error} = $error;
+
+ my $result = $parser->execute_file_with_context("admin/user/add_new.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/user/delete.cgi b/base/ra/forms/admin/user/delete.cgi
new file mode 100755
index 000000000..707035edb
--- /dev/null
+++ b/base/ra/forms/admin/user/delete.cgi
@@ -0,0 +1,79 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my $util = PKI::Base::Util->new();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $userid = $util->get_val($q->param('uid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ $store->delete_user($userid);
+ $store->close();
+
+ print $q->redirect("/admin/user/index.cgi");
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/user/index.cgi b/base/ra/forms/admin/user/index.cgi
new file mode 100755
index 000000000..c845ae1dc
--- /dev/null
+++ b/base/ra/forms/admin/user/index.cgi
@@ -0,0 +1,118 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use PKI::Base::Registry;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my $util = PKI::Base::Util->new();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $status = $util->get_alphanum_val($q->param('status'));
+ $context{status} = $status;
+
+ my $sp = $util->get_alphanum_val($q->param('sp'));
+ if ($sp eq "") {
+ $sp = "0";
+ }
+ $context{sp} = $sp;
+ my $mc = $util->get_alphanum_val($q->param('mc'));
+ if ($mc eq "") {
+ $mc = "20";
+ }
+ $context{mc} = $mc;
+ $context{pp} = $sp - $mc; # previous pos (for paging)
+ $context{np} = $sp + $mc; # next pos (for paging)
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my @users = $store->list_users($sp, $mc);
+ $store->close();
+
+ my @r;
+ my $i = 0;
+ foreach my $user (@users) {
+ $r[$i] = new PKI::RA::GlobalVar(
+ getUID => sub { return $util->html_encode($user->{'uid'}) },
+ getName => sub { return $util->html_encode(Encode::decode('UTF-8',$user->{'name'})) },
+ getEmail => sub { return $util->html_encode($user->{'email'}) },
+ );
+ $i++;
+ }
+ $context{rows} = \@r;
+
+ my $result = $parser->execute_file_with_context("admin/user/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/admin/user/read.cgi b/base/ra/forms/admin/user/read.cgi
new file mode 100755
index 000000000..08d2fd3f7
--- /dev/null
+++ b/base/ra/forms/admin/user/read.cgi
@@ -0,0 +1,97 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->admin_auth($cfg)) {
+ print $q->redirect("/admin/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $uid;
+
+ my $userid = $util->get_val($q->param('uid'));
+
+ my $store = PKI::Base::UserStore->new();
+ $store->open($cfg);
+ my $ref = $store->read_user($userid);
+ $store->close();
+
+ $context{userid} = $util->html_encode($ref->{'uid'});
+ $context{name} = $util->html_encode(Encode::decode('UTF-8', $ref->{'name'}));
+ $context{email} = $util->html_encode($ref->{'email'});
+ $context{certificate} = $util->breakline($util->html_encode($ref->{'certificate'}),40);
+
+ my $result = $parser->execute_file_with_context("admin/user/read.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/cert/index.cgi b/base/ra/forms/agent/cert/index.cgi
new file mode 100755
index 000000000..46e5b8c2c
--- /dev/null
+++ b/base/ra/forms/agent/cert/index.cgi
@@ -0,0 +1,119 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Base::CertStore;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my @roles = $self->get_current_roles($cfg);
+ my $r = join(",",@roles);
+
+ my $sp = $util->get_alphanum_val($q->param('sp'));
+ if ($sp eq "") {
+ $sp = "0";
+ }
+ $context{sp} = $sp;
+ my $mc = $util->get_alphanum_val($q->param('mc'));
+ if ($mc eq "") {
+ $mc = "20";
+ }
+ $context{mc} = $mc;
+ $context{pp} = $sp - $mc; # previous pos (for paging)
+ $context{np} = $sp + $mc; # next pos (for paging)
+
+ my $cs = PKI::Base::CertStore->new();
+ $cs->open($cfg);
+ my @certs = $cs->list_certs_by_approver($uid, $sp, $mc);
+ $cs->close();
+
+ my @r;
+ my $i = 0;
+ foreach my $cert (@certs) {
+ $r[$i] = new PKI::RA::GlobalVar(
+ getReqId => sub { return $util->html_encode($cert->{'rid'}) },
+ getSerialno => sub { return $util->html_encode($cert->{'serialno'}) },
+ getSubjectDN => sub { return $util->html_encode($cert->{'subject_dn'}) },
+ getCertificate => sub { return $util->html_encode($cert->{'certificate'}) },
+ getApprovedBy => sub { return $util->html_encode($cert->{'approved_by'}) },
+ getCreatedAt => sub { return $util->html_encode($cert->{'created_at'}); },
+ );
+ $i++;
+ }
+ $context{rows} = \@r;
+
+ my $result = $parser->execute_file_with_context("agent/cert/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/cert/read.cgi b/base/ra/forms/agent/cert/read.cgi
new file mode 100755
index 000000000..f434baedb
--- /dev/null
+++ b/base/ra/forms/agent/cert/read.cgi
@@ -0,0 +1,104 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Conn::CA;
+use Encode;
+use vars qw (@ISA);
+use PKI::Service::Op;
+
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $serialno = $util->get_alphanum_val($q->param('serialno'));
+
+ my $cs = PKI::Base::CertStore->new();
+ $cs->open($cfg);
+ my $ref = $cs->read_certificate_by_approver($uid, $serialno);
+ $cs->close();
+
+ my $ca = PKI::Conn::CA->new();
+ $ca->open($cfg);
+ my $certStatus = $ca->getCertStatus("ca1", $serialno);
+ $ca->close();
+
+
+ $context{certificate} = $util->breakline($util->html_encode($ref->{'certificate'}), 40);
+
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{subject_dn} = $util->html_encode(Encode::decode('UTF-8', $ref->{'subject_dn'}));
+ $context{created_at} = $util->html_encode($ref->{'created_at'});
+ $context{approved_by} = $util->html_encode($ref->{'approved_by'});
+ $context{rid} = $util->html_encode($ref->{'rid'});
+ $context{certStatus} = $util->html_encode($certStatus);
+
+ my $result = $parser->execute_file_with_context("agent/cert/read.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/cert/revoke.cgi b/base/ra/forms/agent/cert/revoke.cgi
new file mode 100755
index 000000000..1e483aea0
--- /dev/null
+++ b/base/ra/forms/agent/cert/revoke.cgi
@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Registry;
+use PKI::Base::Util;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $serialno = $util->get_alphanum_val($q->param('serialno'));
+ my $subject_dn = $util->get_val($q->param('subject_dn'));
+ my $rid = $util->get_alphanum_val($q->param('rid'));
+
+ $context{serialno} = $util->html_encode($serialno);
+ $context{subject_dn} = $util->html_encode(Encode::decode('UTF-8',$subject_dn));
+ $context{rid} = $util->html_encode($rid);
+
+ my $result = $parser->execute_file_with_context("agent/cert/revoke.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/cert/submit.cgi b/base/ra/forms/agent/cert/submit.cgi
new file mode 100755
index 000000000..571385f3a
--- /dev/null
+++ b/base/ra/forms/agent/cert/submit.cgi
@@ -0,0 +1,104 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Conn::CA;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $serialno = $util->get_alphanum_val($q->param('serialno'));
+ my $subject_dn = $util->get_val($q->param('subject_dn'));
+ my $reason = $util->get_alphanum_val($q->param('reason'));
+ my $rid = $util->get_alphanum_val($q->param('rid'));
+
+ my $ca = PKI::Conn::CA->new();
+ $ca->open($cfg);
+ $ca->revoke($rid, "ca1", $serialno, $reason);
+ $ca->close();
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+
+ my $ref = $queue->read_request($rid);
+ $context{errorString} = $util->html_encode($ref->{'errorString'});
+ $queue->close();
+
+ $context{rid} = $util->html_encode($rid);
+ $context{serialno} = $util->html_encode($serialno);
+ $context{subject_dn} = $util->html_encode(Encode::decode('UTF-8', $subject_dn));
+
+ my $result = $parser->execute_file_with_context("agent/cert/submit.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/error.cgi b/base/ra/forms/agent/error.cgi
new file mode 100755
index 000000000..fa13365a7
--- /dev/null
+++ b/base/ra/forms/agent/error.cgi
@@ -0,0 +1,81 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::UserStore;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $util = PKI::Base::Util->new();
+
+ my $error = $util->get_val($q->param('error'));
+
+ my %context;
+ if ($error ne "") {
+ $context{has_error} = 1;
+ $context{'error'} = $util->html_encode($error);
+ }
+
+ my $result = $parser->execute_file_with_context("agent/error.vm", \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/index.cgi b/base/ra/forms/agent/index.cgi
new file mode 100755
index 000000000..c8f2040fe
--- /dev/null
+++ b/base/ra/forms/agent/index.cgi
@@ -0,0 +1,83 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::UserStore;
+use PKI::Base::Registry;
+use PKI::Base::Util;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi?error=Authentication%20Error");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $result = $parser->execute_file_with_context("agent/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/request/add_note.cgi b/base/ra/forms/agent/request/add_note.cgi
new file mode 100755
index 000000000..0ffac91c7
--- /dev/null
+++ b/base/ra/forms/agent/request/add_note.cgi
@@ -0,0 +1,93 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+use PKI::Base::TimeTool;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $id = $util->get_alphanum_val($q->param('id'));
+ my $note = $util->get_val($q->param('note'));
+
+ if ($note eq "") {
+ # dont add anything
+ print $q->redirect("/agent/request/read.cgi?id=" . $id);
+ return;
+ }
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+ my $new_note = "==== Note created by $uid at $now ====\n" .
+ $note . "\n";
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $ref = $queue->read_request($id);
+ $queue->set_request($id, "note", $ref->{'note'} . $new_note);
+ $queue->close();
+
+ print $q->redirect("/agent/request/read.cgi?id=" . $id);
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/request/index.cgi b/base/ra/forms/agent/request/index.cgi
new file mode 100755
index 000000000..81b25977a
--- /dev/null
+++ b/base/ra/forms/agent/request/index.cgi
@@ -0,0 +1,146 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::RA::GlobalVar;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+use PKI::Service::Op;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+ $self->debug_log( $cfg, "in request/index.cgi, uid == $uid");
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my @roles = $self->get_current_roles($cfg);
+# my $r = join(",",@roles);
+
+ my $status = $util->get_alphanum_val($q->param('status'));
+ if ($status eq "") {
+ $context{status} = "";
+ } else {
+ $context{status} = $util->html_encode($status);
+ }
+
+ my $sp = $util->get_alphanum_val($q->param('sp'));
+ if ($sp eq "") {
+ $sp = "0";
+ }
+ $context{sp} = $sp;
+ my $mc = $util->get_alphanum_val($q->param('mc'));
+ if ($mc eq "") {
+ $mc = "20";
+ }
+ $context{mc} = $mc;
+ $context{pp} = $sp - $mc; # previous pos (for paging)
+ $context{np} = $sp + $mc; # next pos (for paging)
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $total = $queue->count_requests_by_roles(\@roles, $status);
+ $context{total} = $util->html_encode($total);
+
+ my @reqs = $queue->list_requests_by_roles(\@roles, $status, $sp, $mc);
+# my @reqs = $queue->list_requests_by_roles($r, $status, $sp, $mc);
+ $queue->close();
+
+ my @r;
+ my $i = 0;
+ foreach my $req (@reqs) {
+ $r[$i] = new PKI::RA::GlobalVar(
+ getId => sub { return $util->html_encode($req->{'rowid'}) },
+ getType => sub { return $util->html_encode($req->{'type'}) },
+ getStatus => sub { return $util->html_encode($req->{'status'}) },
+ getError => sub { return $util->html_encode($req->{'errorString'}) },
+ getAssignedTo => sub { return $util->html_encode($req->{'assigned_to'}) },
+ getData => sub { return $util->html_encode($req->{'data'}); },
+ getCreatedBy => sub { return $util->html_encode($req->{'created_by'}); },
+ getCreatedAt => sub { return $util->html_encode($req->{'created_at'}); },
+ );
+ $i++;
+ }
+ $context{rows} = \@r;
+
+ if ($sp - $mc < 0) {
+ $context{show_previous} = "no";
+ } else {
+ $context{show_previous} = "yes";
+ }
+
+ if ($i < 20) {
+ $context{show_next} = "no";
+ } else {
+ $context{show_next} = "yes";
+ }
+
+ my $result = $parser->execute_file_with_context("agent/request/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/request/op.cgi b/base/ra/forms/agent/request/op.cgi
new file mode 100755
index 000000000..363d7121b
--- /dev/null
+++ b/base/ra/forms/agent/request/op.cgi
@@ -0,0 +1,153 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use Benchmark;
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+use PKI::Base::Util;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $st = new Benchmark;
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+ my $type = $util->get_alphanum_val($q->param('type'));
+ my $id = $util->get_alphanum_val($q->param('id'));
+
+ my $db_st = new Benchmark;
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+
+ my $ref;
+
+ my @roles = $self->get_current_roles($cfg);
+ my $pref = $queue->read_request_by_roles(\@roles, $id);
+
+ if (! defined $pref) {
+ $queue->close();
+ $self->debug_log($cfg, "Invalid attempt to process request id= " . $id .
+ " by userid= " . $uid);
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+
+ my $curr_status = $pref->{'status'};
+ if ($type eq "approve") {
+ if (($curr_status ne "OPEN") && ($curr_status ne "ERROR")) {
+ $queue->close();
+ print $q->redirect("/agent/request/read.cgi?id=$id");
+ return;
+ }
+
+ $ref = $queue->approve_request($id, $uid);
+ } elsif ($type eq "reject") {
+ if (($curr_status ne "OPEN") && ($curr_status ne "ERROR")) {
+ $queue->close();
+ print $q->redirect("/agent/request/read.cgi?id=$id");
+ return;
+ }
+
+ $ref = $queue->reject_request($id, $uid);
+ }
+ $queue->close();
+ my $db_et = new Benchmark;
+
+ $context{data} = $util->breakline($util->html_encode(Encode::decode('UTF-8', $ref->{'data'})), 40);
+ $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40);
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{type} = $util->html_encode($ref->{'type'});
+ $context{ip} = $util->html_encode($ref->{'ip'});
+ $context{note} = $util->html_encode($ref->{'note'});
+ $context{note} =~ s/\n/<br\/>/g;
+ $context{created_at} = $util->html_encode($ref->{'created_at'});
+ $context{updated_at} = $util->html_encode($ref->{'updated_at'});
+ $context{assigned_to} = $util->html_encode($ref->{'assigned_to'});
+ $context{processed_by} = $util->html_encode($ref->{'processed_by'});
+ $context{created_by} = $util->html_encode($ref->{'created_by'});
+ $context{status} = $util->html_encode($ref->{'status'});
+ $context{errorString} = $util->html_encode($ref->{'errorString'});
+ $context{id} = $util->html_encode($ref->{'rowid'});
+
+ my $t_st = new Benchmark;
+ my $result = $parser->execute_file_with_context("agent/request/op.vm",
+ \%context);
+ my $t_et = new Benchmark;
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+
+ my $et = new Benchmark;
+
+ $self->debug_log($cfg, "benchmark " .
+ "total=" . timestr(timediff($et, $st)) . " " .
+ "db total=" . timestr(timediff($db_et, $db_st)) . " " .
+ "template total=" . timestr(timediff($t_et, $t_st)) . " "
+ );
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/agent/request/read.cgi b/base/ra/forms/agent/request/read.cgi
new file mode 100755
index 000000000..d1633c164
--- /dev/null
+++ b/base/ra/forms/agent/request/read.cgi
@@ -0,0 +1,119 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Registry;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ if (!$self->agent_auth($cfg)) {
+ print $q->redirect("/agent/error.cgi");
+ return;
+ }
+ my $uid = $self->get_current_uid($cfg);
+
+ my %context;
+ $context{uid} = $util->html_encode($uid);
+
+
+ my @roles = $self->get_current_roles($cfg);
+# my $r = join(",",@roles);
+
+ my $id = $util->get_alphanum_val($q->param('id'));
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $ref = $queue->read_request_by_roles(\@roles, $id);
+ $queue->close();
+
+ $context{data} = $util->breakline($util->html_encode(Encode::decode('UTF-8',$ref->{'data'})), 40);
+ $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40);
+ $context{meta_info} = $util->breakline($util->html_encode($ref->{'meta_info'}), 40);
+
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{subject_dn} = $util->html_encode($ref->{'subject_dn'});
+ $context{type} = $util->html_encode($ref->{'type'});
+ $context{created_at} = $util->html_encode($ref->{'created_at'});
+ $context{created_by} = $util->html_encode($ref->{'created_by'});
+ $context{updated_at} = $util->html_encode($ref->{'updated_at'});
+ $context{ip} = $util->html_encode($ref->{'ip'});
+ $context{processed_by} = $util->html_encode($ref->{'processed_by'});
+ $context{note} = $util->html_encode($ref->{'note'});
+ $context{note} =~ s/\n/<br\/>/g;
+ $context{assigned_to} = $util->html_encode($ref->{'assigned_to'});
+ $context{status} = $util->html_encode($ref->{'status'});
+ if ($ref->{'status'} eq "OPEN") {
+ $context{is_open} = 1;
+ }
+ if ($ref->{'status'} eq "ERROR") {
+ $context{is_error} = 1;
+ }
+ $context{errorString} = $util->html_encode($ref->{'errorString'});
+ $context{id} = $util->html_encode($ref->{'rowid'});
+
+ my $result = $parser->execute_file_with_context("agent/request/read.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/agent/enroll.cgi b/base/ra/forms/ee/agent/enroll.cgi
new file mode 100755
index 000000000..4f1af8f16
--- /dev/null
+++ b/base/ra/forms/ee/agent/enroll.cgi
@@ -0,0 +1,127 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use MIME::Base64;
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+use PKI::Conn::CA;
+use PKI::Base::PinStore;
+use PKI::Base::Util;
+
+use vars qw (@ISA);
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $uid = $util->get_val($q->param('uid'));
+ my $pin = $util->get_alphanum_val($q->param('pin'));
+ my $csr = $util->get_val($q->param('csr'));
+ $csr = $util->normalize_csr($csr);
+
+ my $key = $uid;
+
+ my $pin_store = PKI::Base::PinStore->new();
+ $pin_store->open($cfg);
+ my $pinref = $pin_store->read_pin($key);
+ if (defined($pinref) && $pinref->{'pin'} eq $pin) {
+ $pin_store->delete($key);
+ } else {
+ $pin_store->close();
+ print $q->redirect("/ee/error.cgi?error=Invalid Pin");
+ return;
+ }
+ my $rid = $pinref->{'rid'};
+ $pin_store->close();
+
+ my $profile_id = $cfg->get("request.agent.profileId");
+ my $cert_request_type = $cfg->get("request.agent.reqType");
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $req = $queue->read_request($rid);
+ $queue->set_request($rid, "subject_dn", "uid=$uid, e=$req->{'created_by'}");
+
+ my $ca = PKI::Conn::CA->new();
+ $ca->open($cfg);
+ my $cert = $ca->enroll($rid, "ca1", $profile_id, $cert_request_type, $csr);
+ $ca->close();
+ $queue->set_request($rid, "output", $cert);
+
+ $req = $queue->read_request($rid);
+ if ($cert eq "") {
+ my $error = $req->{'errorString'};
+ $queue->close();
+ print $q->redirect("/ee/error.cgi?error=$error");
+ return;
+ }
+
+ my $decoded = decode_base64($cert);
+ my $encoded = encode_base64($decoded);
+
+ my %context;
+ $context{cert} = $encoded;
+ $context{rid} = $util->html_encode($rid);
+ $context{subject_dn} = $util->html_encode($req->{'subject_dn'});
+ $queue->close();
+
+ my $result = $parser->execute_file_with_context("ee/agent/enroll.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/agent/index.cgi b/base/ra/forms/ee/agent/index.cgi
new file mode 100755
index 000000000..66fceb8ff
--- /dev/null
+++ b/base/ra/forms/ee/agent/index.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use PKI::Base::Registry;
+use Template::Velocity;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/agent/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/agent/new.cgi b/base/ra/forms/ee/agent/new.cgi
new file mode 100755
index 000000000..c209f5e74
--- /dev/null
+++ b/base/ra/forms/ee/agent/new.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use PKI::Base::Registry;
+use Template::Velocity;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/agent/new.vm", \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/agent/start.cgi b/base/ra/forms/ee/agent/start.cgi
new file mode 100755
index 000000000..27aedb546
--- /dev/null
+++ b/base/ra/forms/ee/agent/start.cgi
@@ -0,0 +1,69 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use PKI::Base::Registry;
+use Template::Velocity;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+
+ my $result = $parser->execute_file_with_context("ee/agent/start.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/agent/submit.cgi b/base/ra/forms/ee/agent/submit.cgi
new file mode 100755
index 000000000..a68242114
--- /dev/null
+++ b/base/ra/forms/ee/agent/submit.cgi
@@ -0,0 +1,88 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my $uid = $util->get_val($q->param('uid'));
+ my $email = $util->get_val($q->param('email'));
+
+ $self->debug_params($cfg, $q);
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $request_id = $queue->create_request("agent",
+ "uid=" . $uid,
+ "0",
+ $email);
+ my %context;
+ $context{request_id} = $util->html_encode($request_id);
+ $self->debug_log($cfg, "request $request_id created");
+ $queue->close();
+
+ my $result = $parser->execute_file_with_context("ee/agent/submit.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/error.cgi b/base/ra/forms/ee/error.cgi
new file mode 100755
index 000000000..1417d4b61
--- /dev/null
+++ b/base/ra/forms/ee/error.cgi
@@ -0,0 +1,81 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::UserStore;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $util = PKI::Base::Util->new();
+
+ my %context;
+
+ my $error = $util->get_val($q->param('error'));
+ if ($error ne "") {
+ $context{has_error} = 1;
+ $context{'error'} = $util->html_encode($error);
+ }
+
+ my $result = $parser->execute_file_with_context("ee/error.vm", \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/index.cgi b/base/ra/forms/ee/index.cgi
new file mode 100755
index 000000000..453b2873b
--- /dev/null
+++ b/base/ra/forms/ee/index.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/index.vm", \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/request/getcert.cgi b/base/ra/forms/ee/request/getcert.cgi
new file mode 100755
index 000000000..b22444dc1
--- /dev/null
+++ b/base/ra/forms/ee/request/getcert.cgi
@@ -0,0 +1,93 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use PKI::Service::Op;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+use Template::Velocity;
+use MIME::Base64;
+use Encode;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $id = $util->get_alphanum_val($q->param('id'));
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $req = $queue->read_request($id);
+ $queue->close();
+
+ my %context;
+ $context{id} = $util->html_encode($req->{'rowid'});
+ $context{serialno} = $util->html_encode($req->{'serialno'});
+ $context{subject_dn} = $util->html_encode(Encode::decode('UTF-8', $req->{'subject_dn'}));
+ if ($req->{'serialno'} eq "unavailable") {
+ $context{output} = "";
+ } else {
+ $context{output} = "-----BEGIN CERTIFICATE-----\n".$util->breakline($util->html_encode($req->{'output'}), 40)."\n-----END CERTIFICATE-----";
+ }
+ my $result = $parser->execute_file_with_context("ee/request/getcert.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/request/importcert.cgi b/base/ra/forms/ee/request/importcert.cgi
new file mode 100755
index 000000000..fdc309746
--- /dev/null
+++ b/base/ra/forms/ee/request/importcert.cgi
@@ -0,0 +1,82 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use PKI::Service::Op;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+use Template::Velocity;
+use MIME::Base64;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $id = $util->get_alphanum_val($q->param('id'));
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $req = $queue->read_request($id);
+ $queue->close();
+
+ my %context;
+# $::symbol{id} = $req->{'rowid'};
+# $::symbol{status} = $req->{'status'};
+
+# my $result = $parser->execute_file("ee/request/status.vm");
+
+ my $cert = MIME::Base64::decode($req->{'output'});
+
+ print "Content-Type: application/x-x509-user-cert\n\n";
+ print $cert;
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/request/index.cgi b/base/ra/forms/ee/request/index.cgi
new file mode 100755
index 000000000..ef2a68b23
--- /dev/null
+++ b/base/ra/forms/ee/request/index.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/request/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/request/status.cgi b/base/ra/forms/ee/request/status.cgi
new file mode 100755
index 000000000..6a3154716
--- /dev/null
+++ b/base/ra/forms/ee/request/status.cgi
@@ -0,0 +1,94 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use PKI::Service::Op;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+use Template::Velocity;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+
+ my $util = PKI::Base::Util->new();
+
+ my $id = $util->get_alphanum_val($q->param('id'));
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $req = $queue->read_request($id);
+ $queue->close();
+ if ($req == "") {
+ print $q->redirect("/ee/error.cgi?error=request%20not%20found");
+ return;
+ }
+
+ my %context;
+ $context{id} = $util->html_encode($req->{'rowid'});
+ $context{type} =$util->html_encode($req->{'type'});
+ $context{status} = $util->html_encode($req->{'status'});
+ $context{serialno} = $util->html_encode($req->{'serialno'});
+ $context{errorString} = $util->html_encode($req->{'errorString'});
+
+ my $result = $parser->execute_file_with_context("ee/request/status.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/scep/enroll.cgi b/base/ra/forms/ee/scep/enroll.cgi
new file mode 100755
index 000000000..53291636a
--- /dev/null
+++ b/base/ra/forms/ee/scep/enroll.cgi
@@ -0,0 +1,112 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use MIME::Base64;
+use URI::URL;
+use URI::Escape;
+use XML::Simple;
+use CGI;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Conn::CA;
+use PKI::Base::PinStore;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $client_id = $util->get_val($q->param('client_id'));
+ my $site_id = $util->get_val($q->param('site_id'));
+ my $pin = $util->get_alphanum_val($q->param('pin'));
+ my $csr = $util->get_val($q->param('csr'));
+
+ my $key = $client_id . "/" . $site_id;
+
+ my $pin_store = PKI::Base::PinStore->new();
+ $pin_store->open($cfg);
+ my $pinref = $pin_store->read_pin($key);
+ if (defined($pinref) && $pinref->{'pin'} eq $pin) {
+ $pin_store->delete($key);
+ } else {
+ $pin_store->close();
+ # error, redirect user back to the original enrollment page
+ print $q->redirect("/ee/scep/installer.cgi");
+ return;
+ }
+ $pin_store->close();
+
+ my $profile_id = $cfg->get("request.scep.profileId");
+ my $cert_request_type = $cfg->get("request.scep.reqType");
+
+ my $ca = PKI::Conn::CA->new();
+ $ca->open($cfg);
+ my $cert = $ca->enroll($pinref->{'rid'}, "ca1", $profile_id, $cert_request_type, $csr);
+ $ca->close();
+ my $decoded = decode_base64($cert);
+ my $encoded = encode_base64($decoded);
+
+ my %context;
+ $context{cert} = $encoded;
+
+ my $result = $parser->execute_file_with_context("ee/scep/enroll.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/scep/index.cgi b/base/ra/forms/ee/scep/index.cgi
new file mode 100755
index 000000000..c73fc379a
--- /dev/null
+++ b/base/ra/forms/ee/scep/index.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/scep/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/scep/installer.cgi b/base/ra/forms/ee/scep/installer.cgi
new file mode 100755
index 000000000..8453c2cc4
--- /dev/null
+++ b/base/ra/forms/ee/scep/installer.cgi
@@ -0,0 +1,74 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my %context;
+ $context{machine} = $cfg->get("service.machineName");
+ $context{port} = $cfg->get("service.unsecurePort");
+
+ my $result = $parser->execute_file_with_context("ee/scep/installer.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/scep/manager.cgi b/base/ra/forms/ee/scep/manager.cgi
new file mode 100755
index 000000000..8b547a928
--- /dev/null
+++ b/base/ra/forms/ee/scep/manager.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/scep/manager.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/scep/pkiclient.cgi b/base/ra/forms/ee/scep/pkiclient.cgi
new file mode 100755
index 000000000..a54558f37
--- /dev/null
+++ b/base/ra/forms/ee/scep/pkiclient.cgi
@@ -0,0 +1,113 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use MIME::Base64;
+use URI::URL;
+use URI::Escape;
+use XML::Simple;
+use CGI;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Conn::CA;
+use PKI::Base::PinStore;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $operation = $util->get_alphanum_val($q->param('operation'));
+ my $message = $util->get_val($q->param('message'));
+ $message = uri_escape($message);
+
+ my $ca = PKI::Conn::CA->new();
+ $ca->open($cfg);
+ if ($operation eq "GetCACert") {
+ my $content = $ca->scep_get_ca_cert("ca1", $operation, $message);
+
+ print "Content-Type: application/x-x509-ca-cert\n\n";
+ print $content;
+ } elsif ($operation eq "PKIOperation") {
+ my $decoded = $ca->scep_decode("ca1", $operation, $message);
+ $decoded =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $decoded = $1;
+ my $parser = XML::Simple->new();
+ my $response = $parser->XMLin($decoded);
+
+ # one time pin
+ my $pin = $response->{'PKCS10'}->{'ChallengePassword'}->{'Password'} ;
+ # IP Address
+ my $key = $ENV{'REMOTE_ADDR'};
+
+ # check PIN
+ if (1) {
+ my $pin_store = PKI::Base::PinStore->new();
+ $pin_store->open($cfg);
+ my $pinref = $pin_store->read_pin($key);
+ if (defined($pinref) && $pinref->{'pin'} eq $pin) {
+ $pin_store->delete($key);
+ } else {
+ $pin_store->close();
+ # XXX - return SCEP error
+ print $q->redirect("/ee/scep/installer.cgi");
+ return;
+ }
+ $pin_store->close();
+ }
+
+ my $content = $ca->scep_pki_message("ca1", $operation, $message);
+
+ print "Content-Type: application/x-pki-message\n\n";
+ print $content;
+ }
+ $ca->close();
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/scep/submit.cgi b/base/ra/forms/ee/scep/submit.cgi
new file mode 100755
index 000000000..b3dfd7a5d
--- /dev/null
+++ b/base/ra/forms/ee/scep/submit.cgi
@@ -0,0 +1,91 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use DBI;
+use CGI;
+use PKI::Service::Op;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $client_id = $util->get_val($q->param('client_id'));
+ my $site_id = $util->get_val($q->param('site_id'));
+ my $email = $util->get_val($q->param('email'));
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $request_id = $queue->create_request("scep",
+ "client_id=" . $client_id . ";" .
+ "site_id=" . $site_id,
+ "0",
+ $email);
+ my %context;
+ $context{request_id} = $util->html_encode($request_id);
+ $self->debug_log($cfg, "request $request_id created");
+ $queue->close();
+
+ my $result = $parser->execute_file_with_context("ee/scep/submit.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/server/admin.cgi b/base/ra/forms/ee/server/admin.cgi
new file mode 100755
index 000000000..18945da02
--- /dev/null
+++ b/base/ra/forms/ee/server/admin.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/server/admin.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/server/index.cgi b/base/ra/forms/ee/server/index.cgi
new file mode 100755
index 000000000..830409a8b
--- /dev/null
+++ b/base/ra/forms/ee/server/index.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/server/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/server/submit.cgi b/base/ra/forms/ee/server/submit.cgi
new file mode 100755
index 000000000..4916033ee
--- /dev/null
+++ b/base/ra/forms/ee/server/submit.cgi
@@ -0,0 +1,93 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $util = PKI::Base::Util->new();
+
+ my $server_id = $util->get_val($q->param('server_id'));
+ my $site_id = $util->get_val($q->param('site_id'));
+ my $email = $util->get_val($q->param('email'));
+ my $csr = $util->get_val($q->param('csr'));
+
+ $csr = $util->normalize_csr($csr);
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $request_id = $queue->create_request("server",
+ "server_id=" . $server_id . ";" .
+ "site_id=" . $site_id . ";" .
+ "csr=" . $csr,
+ "0",
+ $email);
+ my %context;
+ $context{request_id} = $util->html_encode($request_id);
+ $self->debug_log($cfg, "request $request_id created");
+ $queue->close();
+
+ my $result = $parser->execute_file_with_context("ee/server/submit.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/user/index.cgi b/base/ra/forms/ee/user/index.cgi
new file mode 100755
index 000000000..ef6b3aa47
--- /dev/null
+++ b/base/ra/forms/ee/user/index.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/user/index.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/user/renew.cgi b/base/ra/forms/ee/user/renew.cgi
new file mode 100755
index 000000000..63d646ec9
--- /dev/null
+++ b/base/ra/forms/ee/user/renew.cgi
@@ -0,0 +1,165 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Base::Conf;
+use PKI::Request::Queue;
+use Template::Velocity;
+use PKI::Service::Op;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my $util = PKI::Base::Util->new();
+ my $error = "";
+
+ my $host = $cfg->get("service.machineName");
+ my $port = $cfg->get("service.non_clientauth_securePort");
+
+ $self->debug_params($cfg, $q);
+
+ my $cert = $self->get_cert_record($cfg);
+ $self->debug_log( $cfg, "after get_cert_record");
+ if (!defined($cert) || ($cert eq "")) {
+ $self->debug_log( $cfg, "cert not defined");
+ $error = "certificate not found in database";
+ print $q->redirect("/ee/error.cgi?error=$error");
+ return;
+ }
+ $self->debug_log( $cfg, "got cert");
+
+ my $csr = $cert->{'csr'};
+ if ($csr eq "") {
+ $error = "csr not found in database";
+ print $q->redirect("/ee/error.cgi?error=$error");
+ return;
+ }
+ $self->debug_log( $cfg, "got csr");
+
+ my $req_id = $cert->{'rid'};
+ if ($req_id eq "") {
+ $error = "reqid not found in database";
+ print $q->redirect("/ee/error.cgi?error=$error");
+ return;
+ }
+ $self->debug_log( $cfg, "got req_id = $req_id");
+ $self->debug_log( $cfg, "before renewl read/create request");
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $o_req = $queue->read_request($req_id);
+ if ($o_req eq "") {
+ $self->debug_log( $cfg, "got null o_req");
+ print $q->redirect("/ee/error.cgi?error=$error");
+ return;
+ }
+
+ my $uid = "";
+ my $site_id = "";
+ my $org_csr = "";
+ my $csr_type = "";
+
+ my $data = $o_req->{'data'};
+ foreach $nv (split(/;/, $data)) {
+ my ($n, $v) = split(/=/, $nv);
+ if ($n eq "uid") {
+ $uid = $v;
+ }
+ if ($n eq "site_id") {
+ $site_id = $v;
+ }
+ if ($n eq "csr") {
+ $org_csr = $v;
+ }
+ if ($n eq "csr_type") {
+ $csr_type = $v;
+ }
+ }
+
+ my $new_request = $queue->create_request("renewal",
+ "uid=" . $uid . ";" .
+ "site_id=" . $site_id . ";" .
+ "csr_type=" . $csr_type . ";" .
+ "csr=" . $csr,
+ "orig_reqid=" . $o_req->{'rowid'},
+ $o_req->{'created_by'});
+
+ #self-renewal is created and processed by the same user
+ $ref = $queue->approve_request($new_request, $o_req->{'created_by'});
+ my $nreq = $queue->read_request($new_request);
+ $error = $nreq->{'errorString'};
+ if ($error ne "0") {
+ $self->debug_log( $cfg, "after approve request, got error=$error");
+ print $q->redirect("/ee/error.cgi?error=$error");
+ return;
+ }
+
+ my %context;
+ $context{request_id} = $util->html_encode($new_request);
+ $self->debug_log($cfg, "request $new_request created");
+ $queue->close();
+ $self->debug_log( $cfg, "after renewl read/create request $new_request");
+
+ $context{data} = $util->breakline($util->html_encode($ref->{'data'}), 40);
+ $context{output} = $util->breakline($util->html_encode($ref->{'output'}), 40);
+ $context{serialno} = $util->html_encode($ref->{'serialno'});
+ $context{host} = $util->html_encode($host);
+ $context{port} = $util->html_encode($port);
+
+ #print $q->redirect("/ee/request/getcert.cgi?id=$new_request");
+ my $result = $parser->execute_file_with_context("ee/user/renew.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/user/renewal.cgi b/base/ra/forms/ee/user/renewal.cgi
new file mode 100755
index 000000000..63a211eff
--- /dev/null
+++ b/base/ra/forms/ee/user/renewal.cgi
@@ -0,0 +1,74 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $host = $cfg->get("service.machineName");
+ my $port = $cfg->get("service.securePort");
+
+ my %context;
+ $context{url} = "https://$host:$port/ee/user/renew.cgi";
+ my $result = $parser->execute_file_with_context("ee/user/renewal.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/user/submit.cgi b/base/ra/forms/ee/user/submit.cgi
new file mode 100755
index 000000000..26c900e00
--- /dev/null
+++ b/base/ra/forms/ee/user/submit.cgi
@@ -0,0 +1,112 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use Benchmark;
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Util;
+use PKI::Base::Registry;
+use PKI::Request::Queue;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $st = new Benchmark;
+
+ my $util = PKI::Base::Util->new();
+
+ my $userid = $util->get_val($q->param('uid'));
+ my $fullname = $util->get_val($q->param('cn'));
+ my $site_id = $util->get_val($q->param('site_id'));
+ my $email = $util->get_val($q->param('email'));
+ my $csr_type = $util->get_alphanum_val($q->param('csr_type'));
+ my $csr = $util->get_val($q->param('csr'));
+
+ $csr = $util->normalize_csr($csr);
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ my $db_st = new Benchmark;
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $request_id = $queue->create_request("user",
+ "uid=" . $userid . ";" .
+ "cn=" . $fullname . ";" .
+ "site_id=" . $site_id . ";" .
+ "csr_type=" . $csr_type . ";" .
+ "csr=" . $csr,
+ "0",
+ $email);
+ my %context;
+ $context{request_id} = $util->html_encode($request_id);
+ $self->debug_log($cfg, "request $request_id created");
+ $queue->close();
+ my $db_et = new Benchmark;
+
+ my $t_st = new Benchmark;
+ my $result = $parser->execute_file_with_context("ee/user/submit.vm",
+ \%context);
+ my $t_et = new Benchmark;
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+
+ my $et = new Benchmark;
+ $self->debug_log($cfg, "benchmark " .
+ "total=" . timestr(timediff($et, $st)) . " " .
+ "db total=" . timestr(timediff($db_et, $db_st)) . " " .
+ "template total=" . timestr(timediff($t_et, $t_st)) . " "
+ );
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/ee/user/user.cgi b/base/ra/forms/ee/user/user.cgi
new file mode 100755
index 000000000..2d58a532b
--- /dev/null
+++ b/base/ra/forms/ee/user/user.cgi
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ my %context;
+ my $result = $parser->execute_file_with_context("ee/user/user.vm",
+ \%context);
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%context);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/forms/index.cgi b/base/ra/forms/index.cgi
new file mode 100755
index 000000000..0e643166b
--- /dev/null
+++ b/base/ra/forms/index.cgi
@@ -0,0 +1,76 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package op;
+
+use lib $ENV{DOCUMENT_ROOT} . "/../lib/perl";
+
+use CGI;
+use PKI::Service::Op;
+use Template::Velocity;
+use PKI::Base::Conf;
+use PKI::Base::Registry;
+
+use vars qw (@ISA);
+use PKI::Service::Op;
+@ISA = qw(PKI::Service::Op);
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub process()
+{
+ my $self = shift;
+
+ my $q = CGI->new();
+
+ my $docroot = PKI::Base::Registry->get_docroot();
+ my $parser = PKI::Base::Registry->get_parser();
+ my $cfg = PKI::Base::Registry->get_config();
+
+ $self->debug_params($cfg, $q);
+
+ $::symbol{machineName} = $cfg->get("service.machineName");
+ $::symbol{non_clientauth_securePort} = $cfg->get("service.non_clientauth_securePort");
+ $::symbol{securePort} = $cfg->get("service.securePort");
+ $::symbol{unsecurePort} = $cfg->get("service.unsecurePort");
+
+ my $result = $parser->execute_file("index.vm");
+
+ my $xml = $q->param('xml');
+ if ($xml eq "true") {
+ print "Content-Type: text/xml\n\n";
+ print $self->xml_output(\%::symbol);
+ } else {
+ print "Content-Type: text/html\n\n";
+ print "$result";
+ }
+}
+
+
+my $op = op->new();
+$op->execute();
diff --git a/base/ra/lib/perl/PKI/Base/CertStore.pm b/base/ra/lib/perl/PKI/Base/CertStore.pm
new file mode 100644
index 000000000..1a31ff971
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Base/CertStore.pm
@@ -0,0 +1,151 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+package PKI::Base::CertStore;
+
+use DBI;
+use PKI::Base::TimeTool;
+
+#######################################
+# Constructs a cert store
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+#######################################
+# Opens this store
+#######################################
+sub open {
+ my ($self, $cfg) = @_;
+ $self->{cfg} = $cfg;
+ my $dbfile = $cfg->get("database.dbfile");
+ $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$dbfile","","");
+}
+
+sub read_certificate {
+ my ($self, $serialno) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from certificates " .
+ "where serialno=" . $dbh->quote($serialno);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref;
+}
+
+sub map_certificate {
+ my ($self, $certificate) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from certificates " .
+ "where " .
+ "certificate=" . $dbh->quote($certificate);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref;
+}
+
+sub read_certificate_by_approver {
+ my ($self, $uid, $serialno) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from certificates " .
+ "where approved_by=". $dbh->quote($uid).
+ "AND serialno=" . $dbh->quote($serialno);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref;
+}
+
+sub list_certs_by_approver {
+ my ($self, $uid, $startpos, $maxcount) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select *,approved_by from certificates " .
+ "where " .
+ "approved_by=". $dbh->quote($uid).
+ " limit $startpos, $maxcount";
+
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my @certs;
+ while (my $ref = $sth->fetchrow_hashref()) {
+ push(@certs, $ref);
+ }
+ $sth->finish();
+ return @certs;
+
+
+}
+
+sub add_certificate {
+ my ($self, $serialno, $csr, $subject_dn, $certificate, $reqid, $approved_by) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+
+ # sqlite is not thread safe, do our own lock here
+ my $cmd = "insert into certificates (" .
+ "subject_dn" . "," .
+ "certificate" . "," .
+ "csr" . "," .
+ "serialno" . "," .
+ "rid" . "," .
+ "approved_by" . "," .
+ "created_at" .
+ ") values (" .
+ $dbh->quote($subject_dn) . "," .
+ $dbh->quote($certificate) . "," .
+ $dbh->quote($csr) . "," .
+ $dbh->quote($serialno) . "," .
+ $dbh->quote($reqid) . "," .
+ $dbh->quote($approved_by) . "," .
+ $dbh->quote($now) .
+ ")";
+REDO_ADD_CERT:
+ eval {
+ $dbh->do($cmd);
+ };
+ if ($dbh->err == 5) {
+ sleep(1);
+ goto REDO_ADD_CERT;
+ }
+
+}
+
+#######################################
+# Closes this store
+#######################################
+sub close {
+ my ($self) = @_;
+ my $dbh = $self->{dbh};
+ $dbh->disconnect();
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Base/Conf.pm b/base/ra/lib/perl/PKI/Base/Conf.pm
new file mode 100755
index 000000000..895ab28a3
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Base/Conf.pm
@@ -0,0 +1,130 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package PKI::Base::Conf;
+
+use strict;
+use warnings;
+use Exporter;
+
+$PKI::Base::Conf::VERSION = '1.00';
+
+#######################################################
+# Configuration Store
+#######################################################
+sub new {
+ my $class = shift;
+ my $self = {};
+ my %hash = ();
+ $self->{filename} = "";
+ $self->{hash} = \%hash;
+ bless $self,$class;
+ return $self;
+}
+
+sub load_file
+{
+ my ($self, $filename) = @_;
+
+ $self->{filename} = $filename;
+ if (-e $filename) {
+ open(CF, "<$filename");
+ if (defined fileno CF) {
+ while (<CF>) {
+ if (/^#/) {
+ # comments
+ } elsif (/([^=]+)=(.*)$/) {
+ # print "$1 = $2\n";
+ $self->{hash}{$1} = $2;
+ } else {
+ # preserve comments
+ }
+ }
+ }
+ close(CF);
+ }
+}
+
+sub get_filename
+{
+ my ($self) = @_;
+ return $self->{filename};
+}
+
+sub get
+{
+ my ($self, $n) = @_;
+ return $self->{hash}{$n};
+}
+
+sub put
+{
+ my ($self, $n, $v) = @_;
+ $self->{hash}{$n} = $v;
+}
+
+sub commit
+{
+ my ($self) = @_;
+
+ # write stuff back to the file
+# print $self->{filename} . "\n";
+ my $hash = $self->{hash};
+ my $suffix = time();
+
+ if (-e $self->{filename}) {
+ system("mv \"" . $self->{filename} . "\" \"" .
+ $self->{filename} . "." . $suffix . "\"");
+ }
+
+ open(F, ">" . $self->{filename});
+ foreach my $k (sort keys %{$hash}) {
+ print F "$k=$self->{hash}{$k}\n";
+ }
+ close(F);
+
+ if (-e $self->{filename} . "." . $suffix) {
+ system("rm \"" . $self->{filename} . "." . $suffix . "\"");
+ }
+}
+
+sub commit_with_backup
+{
+ my ($self) = @_;
+
+ # write stuff back to the file
+# print $self->{filename} . "\n";
+ my $hash = $self->{hash};
+ my $suffix = time();
+ system("mv \"" . $self->{filename} . "\" \"" .
+ $self->{filename} . "." . $suffix . "\"");
+
+ open(F, ">" . $self->{filename});
+ foreach my $k (sort keys %{$hash}) {
+ print F "$k=$self->{hash}{$k}\n";
+ }
+ close(F);
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Base/PinStore.pm b/base/ra/lib/perl/PKI/Base/PinStore.pm
new file mode 100644
index 000000000..437d259ff
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Base/PinStore.pm
@@ -0,0 +1,180 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+package PKI::Base::PinStore;
+
+use DBI;
+use PKI::Base::TimeTool;
+
+#######################################
+# Constructs a request queue
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+#######################################
+# Opens request queue
+#######################################
+sub open {
+ my ($self, $cfg) = @_;
+ $self->{cfg} = $cfg;
+ my $dbfile = $cfg->get("database.dbfile");
+ $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$dbfile","","");
+}
+
+#######################################
+# Creates a new request
+#######################################
+sub generate_random
+{
+ my $low = $_[0];
+ my $high = $_[1];
+
+ my $number = 0;
+
+ if( $low >= $high || $low < 0 || $high < 0 ) {
+ return -1;
+ }
+
+ $number = int( rand( $high -$low +1 ) ) + $low;
+
+ return $number;
+}
+
+
+# arg0 length of string
+# return random string
+sub generate_random_string()
+{
+ my $length_of_randomstring=shift; # the length of the string
+
+ my @chars=( 'a'..'z','A'..'Z','0'..'9' );
+ my $random_string;
+
+ foreach( 1..$length_of_randomstring ) {
+ $random_string .= $chars[rand @chars];
+ }
+
+ return $random_string;
+}
+
+sub create_pin {
+ my ($self, $key, $rid, $created_by) = @_;
+ my $dbh = $self->{dbh};
+
+ my $pin = &generate_random_string(10);
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+
+ # delete previous pin
+ my $delete = "delete from pins where key=" . $dbh->quote($key);
+ $dbh->do($delete);
+
+ my $insert = "insert into pins (" .
+ "key" . "," .
+ "pin" . "," .
+ "rid" . "," .
+ "created_by" . "," .
+ "created_at" .
+ ") values (" .
+ $dbh->quote($key) . "," .
+ $dbh->quote($pin) . "," .
+ $dbh->quote($rid) . "," .
+ $dbh->quote($created_by) . "," .
+ $dbh->quote($now) .
+ ")";
+REDO_CREATE_PIN:
+ eval {
+ $dbh->do($insert);
+ };
+ if ($dbh->err == 5) {
+ sleep(1);
+ goto REDO_CREATE_PIN;
+ }
+
+ my $rid = $dbh->func('last_insert_rowid');
+
+# my $ref = $self->read_pin($rid);
+
+ return $pin;
+}
+
+#######################################
+# Matches pin
+#######################################
+sub match {
+ my ($self, $key, $pin) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from pins " .
+ "where " .
+ "key=" . $dbh->quote($key) . " AND " .
+ "pin=" . $dbh->quote($pin);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ if (defined($ref)) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
+sub read_pin {
+ my ($self, $key) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from pins " .
+ "where " .
+ "key=" . $dbh->quote($key);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref;
+}
+
+#######################################
+# Deletes pin
+#######################################
+sub delete {
+ my ($self, $key) = @_;
+ my $dbh = $self->{dbh};
+ my $cmd = "delete from pins " .
+ "where " .
+ "key=" . $dbh->quote($key);
+ $dbh->do($cmd);
+}
+
+#######################################
+# Closes request queue
+#######################################
+sub close {
+ my ($self) = @_;
+ my $dbh = $self->{dbh};
+ $dbh->disconnect();
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Base/Registry.pm b/base/ra/lib/perl/PKI/Base/Registry.pm
new file mode 100644
index 000000000..a4fb83f28
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Base/Registry.pm
@@ -0,0 +1,55 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+package PKI::Base::Registry;
+
+use PKI::Base::Conf;
+
+my $docroot;
+my $cfg;
+my $parser;
+
+BEGIN {
+ $docroot = $ENV{DOCUMENT_ROOT};
+ $cfg = PKI::Base::Conf->new();
+ $cfg->load_file("$docroot/../conf/CS.cfg");
+ $parser = new Template::Velocity($docroot);
+
+}
+
+sub get_docroot {
+ my ($self) = @_;
+ return $docroot;
+}
+
+sub get_parser {
+ my ($self) = @_;
+ return $parser;
+}
+
+sub get_config {
+ my ($self) = @_;
+ return $cfg;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Base/TimeTool.pm b/base/ra/lib/perl/PKI/Base/TimeTool.pm
new file mode 100755
index 000000000..11f4be208
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Base/TimeTool.pm
@@ -0,0 +1,54 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+package PKI::Base::TimeTool;
+
+use Time::Local;
+
+use DBI;
+use PKI::Base::TimeTool;
+
+#######################################
+# Constructs a request queue
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub get_time()
+{
+ my ($self) = @_;
+ my ($sec, $min, $hr, $mday, $mnth, $y, $wd, $yd, $ds) = localtime();
+ my $r_year = 1900 + $y;
+ my $r_mnth;
+ my $r_day;
+ $r_day = $mday;
+ $mnth = $mnth + 1;
+ $r_mnth = $mnth;
+ return "$r_year-$r_mnth-$r_day $hr:$min:$sec";
+}
+
+
+1;
diff --git a/base/ra/lib/perl/PKI/Base/UserStore.pm b/base/ra/lib/perl/PKI/Base/UserStore.pm
new file mode 100644
index 000000000..c05683792
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Base/UserStore.pm
@@ -0,0 +1,343 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+package PKI::Base::UserStore;
+
+use DBI;
+use PKI::Base::TimeTool;
+
+#######################################
+# Constructs a request queue
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+#######################################
+# Opens this store
+#######################################
+sub open {
+ my ($self, $cfg) = @_;
+ $self->{cfg} = $cfg;
+ my $dbfile = $cfg->get("database.dbfile");
+ $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$dbfile","","");
+ my $timeout = $self->{dbh}->func("busy_timeout");
+ $self->{dbh}->func($timeout * 10, "busy_timeout");
+}
+
+#######################################
+# Maps user
+#######################################
+sub map_user {
+ my ($self, $certificate) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from users " .
+ "where " .
+ "certificate=" . $dbh->quote($certificate);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref;
+}
+
+#######################################
+# Gets roles of the given user
+#######################################
+sub get_roles {
+ my ($self, $uid) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from roles " .
+ "where " .
+ "uid=" . $dbh->quote($uid);
+ my @roles;
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ while (my $ref = $sth->fetchrow_hashref()) {
+ push(@roles, $ref->{'gid'});
+ }
+ $sth->finish();
+ return @roles;
+}
+
+
+#######################################
+# Reads a user
+#######################################
+sub read_group {
+ my ($self, $gid) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from groups " .
+ "where gid=" . $dbh->quote($gid);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref;
+}
+
+sub read_user {
+ my ($self, $uid) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from users " .
+ "where uid=" . $dbh->quote($uid);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref;
+}
+
+sub set_user {
+ my ($self, $uid, $name, $value) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+ my $update = "update users set " .
+ $name . "=" . $dbh->quote($value) . "," .
+ "updated_at=" . $dbh->quote($now) . " " .
+ "where uid=" . $dbh->quote($uid);
+ $dbh->do($update);
+
+ my $select = "select * from users " .
+ "where uid=" . $dbh->quote($uid);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+
+ return $ref;
+}
+
+#######################################
+# Lists all members in the given group
+#######################################
+sub list_all_members {
+ my ($self, $gid) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from roles where " .
+ "gid=" . $dbh->quote($gid) . " " .
+ "order by uid desc ";
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my @reqs;
+ while (my $ref = $sth->fetchrow_hashref()) {
+ push(@reqs, $ref);
+ }
+ $sth->finish();
+ return @reqs;
+}
+
+#######################################
+# Lists
+#######################################
+sub list_all_non_members {
+ my ($self, $gid) = @_;
+ my $dbh = $self->{dbh};
+ # find members of the given group
+ my $select1 = "select * from roles where " .
+ "gid=" . $dbh->quote($gid);
+ my $sth1 = $dbh->prepare($select1);
+ $sth1->execute();
+ my $filter = "";
+ while (my $ref1 = $sth1->fetchrow_hashref()) {
+ if ($filter eq "") {
+ $filter = "uid<>" . $dbh->quote($ref1->{'uid'});
+ } else {
+ $filter = $filter . " AND " . "uid<>" . $dbh->quote($ref1->{'uid'});
+ }
+ }
+ $sth1->finish();
+
+ my $select;
+ if ($filter eq "") {
+ $select = "select * from users " .
+ "order by uid desc ";
+ } else {
+ $select = "select * from users where (" .
+ $filter . ") " .
+ "order by uid desc ";
+ }
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my @reqs;
+ while (my $ref = $sth->fetchrow_hashref()) {
+ push(@reqs, $ref);
+ }
+ $sth->finish();
+ return @reqs;
+}
+
+sub delete_user {
+ my ($self, $userid) = @_;
+ my $dbh = $self->{dbh};
+
+ my $cmd = "delete from roles where uid=" . $dbh->quote($userid);
+ $dbh->do($cmd);
+ $cmd = "delete from users where uid=" . $dbh->quote($userid);
+ $dbh->do($cmd);
+}
+
+sub add_user_to_group {
+ my ($self, $gid, $userid) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+
+ my $cmd = "insert into roles (" .
+ "gid" . "," .
+ "uid" .
+ ") values (" .
+ $dbh->quote($gid) . "," .
+ $dbh->quote($userid) .
+ ")";
+ $dbh->do($cmd);
+}
+
+sub delete_user_from_group {
+ my ($self, $gid, $userid) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+
+ my $cmd = "delete from roles where " .
+ "gid=" . $dbh->quote($gid) . " AND " .
+ "uid=" . $dbh->quote($userid);
+ $dbh->do($cmd);
+}
+
+sub add_user {
+ my ($self, $userid, $name, $email, $certificate) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+
+ my $cmd = "insert into users (" .
+ "uid" . "," .
+ "name" . "," .
+ "email" . "," .
+ "certificate" . "," .
+ "created_at" .
+ ") values (" .
+ $dbh->quote($userid) . "," .
+ $dbh->quote($name) . "," .
+ $dbh->quote($email) . "," .
+ $dbh->quote($certificate) . "," .
+ $dbh->quote($now) .
+ ")";
+REDO_ADD_USER:
+ eval {
+ $dbh->do($cmd);
+ };
+ if ($dbh->err == 5) {
+ sleep(1);
+ goto REDO_ADD_USER;
+ }
+}
+
+sub add_group {
+ my ($self, $gid, $name) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+
+ my $cmd = "insert into groups (" .
+ "gid" . "," .
+ "name" . "," .
+ "created_at" .
+ ") values (" .
+ $dbh->quote($gid) . "," .
+ $dbh->quote($name) . "," .
+ $dbh->quote($now) .
+ ")";
+REDO_ADD_GROUP:
+ eval {
+ $dbh->do($cmd);
+ };
+ if ($dbh->err == 5) {
+ sleep(1);
+ goto REDO_ADD_GROUP;
+ }
+}
+
+sub delete_group {
+ my ($self, $gid) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+
+ my $cmd = "delete from roles where gid=" . $dbh->quote($gid);
+ $dbh->do($cmd);
+ $cmd = "delete from groups where gid=" . $dbh->quote($gid);
+ $dbh->do($cmd);
+}
+
+sub list_users {
+ my ($self, $startpos, $maxcount) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from users " .
+ "order by uid desc " .
+ "limit $startpos, $maxcount";
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my @reqs;
+ while (my $ref = $sth->fetchrow_hashref()) {
+ push(@reqs, $ref);
+ }
+ $sth->finish();
+ return @reqs;
+}
+
+sub list_groups {
+ my ($self, $startpos, $maxcount) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select * from groups " .
+ "order by gid desc " .
+ "limit $startpos, $maxcount";
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my @reqs;
+ while (my $ref = $sth->fetchrow_hashref()) {
+ push(@reqs, $ref);
+ }
+ $sth->finish();
+ return @reqs;
+}
+#######################################
+# Closes this store
+#######################################
+sub close {
+ my ($self) = @_;
+ my $dbh = $self->{dbh};
+ $dbh->disconnect();
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Base/Util.pm b/base/ra/lib/perl/PKI/Base/Util.pm
new file mode 100755
index 000000000..f01062e42
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Base/Util.pm
@@ -0,0 +1,155 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+package PKI::Base::Util;
+
+use Time::Local;
+
+use DBI;
+use HTML::Entities;
+
+#######################################
+# Constructs a util
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub get_val()
+{
+ my ($self, $s) = @_;
+ return $s;
+}
+
+sub get_integer_val()
+{
+ my ($self, $s) = @_;
+ return $s;
+}
+
+sub get_string_val()
+{
+ my ($self, $s) = @_;
+ return $s;
+}
+
+sub get_alphanum_val()
+{
+ my ($self, $s) = @_;
+ $s =~ s/[^A-Za-z0-9 ]*//g;
+ return $s;
+}
+
+sub normalize_csr()
+{
+ my ($self, $s) = @_;
+ $s =~ s/-----BEGIN CERTIFICATE REQUEST-----//g;
+ $s =~ s/-----END CERTIFICATE REQUEST-----//g;
+ $s =~ s/-----BEGIN NEW CERTIFICATE REQUEST-----//g;
+ $s =~ s/-----END NEW CERTIFICATE REQUEST-----//g;
+ $s =~ s/\s//g;
+ return $s;
+}
+
+sub breakline()
+{
+ my ($self, $s, $maxlen) = @_;
+
+ my $new_s;
+ my $i = 0;
+ foreach my $c (split(//, $s)) {
+ if ($i == $maxlen) {
+ $i = 0;
+ $new_s = $new_s . "<br/>";
+ }
+ $new_s = $new_s . $c;
+ $i++;
+ }
+ return $new_s;
+}
+
+sub nv_to_hash()
+{
+ my ($self, $s) = @_;
+ my %hash;
+ my @pairs = split(/;/, $s);
+ foreach $pair (@pairs) {
+ my $i = index('=', $pair);
+ my $n = substr($pair, 0, $i-1);
+ my $v = substr($pair, $i);
+ $hash{$n} = $v;
+ }
+ return \%hash;
+}
+
+sub nv_to_str()
+{
+ my ($self, $hash) = @_;
+ my $s = "";
+ foreach $k (keys %$hash) {
+ if ($s eq "") {
+ $s = $k . "=" . $$hash{$k};
+ } else {
+ $s = $s . ";" . $k . "=" . $$hash{$k};
+ }
+ }
+ return $s;
+}
+
+sub test()
+{
+ my %h;
+ $h{'x'} = 'y';
+ $h{'z'} = 'y';
+ my $o = PKI::Base::NameValueUtil->new();
+ print $o->to_str(\%h) . "\n";
+ print $o->to_str($o->to_hash("5=1;c=2")) . "\n";
+}
+
+sub html_encode()
+{
+ my ($self, $s) = @_;
+ return HTML::Entities::encode($s);
+}
+
+sub html_encode_and_break()
+{
+ my ($self, $s, $maxlen) = @_;
+ my $new_s = '';
+ my $i = 0;
+ foreach my $c (split(//, $s)) {
+ if ($i == $maxlen) {
+ $i = 0;
+ $new_s = $new_s . '***';
+ }
+ $new_s = $new_s . $c;
+ $i++;
+ }
+ $s = HTML::Entities::encode($new_s);
+ $s =~ s/\*\*\*/<br\/>/g;
+ return $s;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Conn/CA.pm b/base/ra/lib/perl/PKI/Conn/CA.pm
new file mode 100644
index 000000000..f3c8834ed
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Conn/CA.pm
@@ -0,0 +1,390 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+package PKI::Conn::CA;
+
+use URI::URL;
+use URI::Escape;
+use XML::Simple;
+use Data::Dumper;
+use DBI;
+use PKI::Base::TimeTool;
+use PKI::Base::CertStore;
+use PKI::Base::Util;
+use PKI::Request::Queue;
+
+#######################################
+# Constructs a request queue
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+#######################################
+# Opens request queue
+#######################################
+sub open {
+ my ($self, $cfg) = @_;
+ $self->{cfg} = $cfg;
+ my $certstore = PKI::Base::CertStore->new();
+ $certstore->open($cfg);
+ $self->{certstore} = $certstore;
+}
+
+#######################################
+# Enrolls
+#######################################
+sub enroll {
+ my ($self, $rid, $con_id, $profile_id, $cert_request_type, $cert_request) = @_;
+
+ my $cfg = $self->{cfg};
+ my $instdir = $cfg->get("service.instanceDir");
+ my $db_password;
+
+ my $nickname = $cfg->get("conn." . $con_id . ".clientNickname");
+ my $cahostport = $cfg->get("conn." . $con_id . ".hostport");
+ my ($host, $port) = split(/:/, $cahostport);
+
+ if ($nickname =~ /(.*):(.*)/) {
+ $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`;
+ } else {
+ $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`;
+ }
+ $db_password =~ s/\n$//g;
+
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $req = $queue->read_request($rid);
+ if ($req->{'subject_dn'} ne "unavailable") {
+ $subject = $req->{'subject_dn'};
+ }
+
+ my $tmpfile = "/tmp/tmp-$rid-$$";
+ my $params = "profileId=" . $profile_id . "&" .
+ "requestor_name=" .
+ URI::Escape::uri_escape("$requestor_name") . "&" .
+ "cert_request_type=" . $cert_request_type . "&" .
+ "subject=" .
+ URI::Escape::uri_escape("$subject") . "&" .
+ "cert_request=" .
+ URI::Escape::uri_escape("$cert_request") . "&" .
+ "xmlOutput=true";
+
+ system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile");
+
+ my $content = `cat $tmpfile`;
+ if ($content eq "") {
+ $queue->set_request($rid, "errorString", "CA Connection Error");
+ $queue->set_request($rid, "status", "ERROR");
+ $queue->close();
+
+ $queue->close();
+ return "";
+ }
+
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+ $content =~ s/\n//g;
+
+ my $xmlparser = XML::Simple->new();
+ my $response = $xmlparser->XMLin($content);
+
+ my $status = $response->{Status};
+ if ($status ne "0") {
+ my $errorString = $response->{Error};
+
+ $queue->set_request($rid, "errorString", "CA: ".$errorString);
+ $queue->set_request($rid, "status", "ERROR");
+
+ $queue->close();
+ return "";
+ }
+
+ #reset to 0 in case of re-approval
+ $queue->set_request($rid, "errorString", "0");
+ my $req = $queue->read_request($rid);
+ my $approved_by = $req->{'processed_by'};
+ my $serialno = $response->{Requests}->{Request}->{serialno};
+ $queue->set_request($rid, "serialno", $serialno);
+ my $subject_dn = $response->{Requests}->{Request}->{SubjectDN};
+ $queue->set_request($rid, "subject_dn", $subject_dn);
+ my $cert = $response->{Requests}->{Request}->{b64};
+ $queue->close();
+
+ my $util = PKI::Base::Util->new();
+ my $csr = $cert_request;
+ $csr = $util->normalize_csr($csr);
+
+ $self->{certstore}->add_certificate($serialno, $csr, $subject_dn, $cert, $rid, $approved_by);
+
+ system("rm $tmpfile");
+
+ return $cert;
+}
+
+sub get_http_content
+{
+ my ($self, $filename) = @_;
+ my $data = "";
+ my $count = `grep -a Content-Length $filename | cut -d' ' -f2`;
+ chomp($count);
+ my $file_size = -s $filename;
+ my $offset = $file_size - $count;
+
+ open(FP, "<$filename");
+ binmode(FP);
+ seek(FP, $offset-1, 0);
+ read(FP, $data, $count);
+ close(FP);
+ return $data;
+}
+
+#######################################
+# Revoke
+#######################################
+sub revoke {
+ my ($self, $rid, $con_id, $serialno, $reason) = @_;
+
+ my $cfg = $self->{cfg};
+ my $instdir = $cfg->get("service.instanceDir");
+ my $db_password;
+
+ my $nickname = $cfg->get("conn." . $con_id . ".clientNickname");
+ my $cahostport = $cfg->get("conn." . $con_id . ".hostagentport");
+
+ if ($nickname =~ /(.*):(.*)/) {
+ $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`;
+ } else {
+ $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`;
+ }
+ $db_password =~ s/\n$//g;
+
+ my $tmpfile = "/tmp/tmp-revoke-$serialno-$$";
+ my ($host, $port) = split(/:/, $cahostport);
+ my $params = "op=" . "revoke" . "&" .
+ "revocationReason=" .$reason . "&" .
+ "revokeAll=(certRecordId=" ."0x".$serialno . ")&" .
+ "totalRecordCount=" ."1" . "&" .
+ "xml=true";
+ system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/agent/ca/doRevoke\" $host:$port > $tmpfile");
+
+ my $content = `cat $tmpfile`;
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ if ($content eq "") {
+ $queue->set_request($rid, "errorString", "CA Connection Error");
+# $queue->set_request($rid, "status", "ERROR");
+ $queue->close();
+
+ $queue->close();
+ return "";
+ }
+ $content =~ s/\000//;
+ $content =~ /(\<xml\>.*\<\/xml\>)/s;
+ $content = $1;
+ $content =~ s/\n//g;
+
+ my $req = $queue->read_request($rid);
+
+ my $xmlparser = XML::Simple->new(NormalizeSpace => 2);
+ my $response = $xmlparser->XMLin($content);
+
+ my $errorString = $response->{fixed}->{errorDetails};
+ my $revoked = $response->{header}->{revoked};
+
+ if ($revoked ne "yes") {
+ $queue->set_request($rid, "errorString", "CA:".$errorString);
+ } else {
+ $queue->set_request($rid, "errorString", "0");
+ }
+ system("rm $tmpfile");
+
+ $queue->close();
+ return;
+}
+
+#######################################
+# Get Certificate Status
+#######################################
+sub getCertStatus {
+ my ($self, $con_id, $serialno) = @_;
+
+ my $cfg = $self->{cfg};
+ my $instdir = $cfg->get("service.instanceDir");
+ my $db_password;
+
+ my $nickname = $cfg->get("conn." . $con_id . ".clientNickname");
+ my $cahostport = $cfg->get("conn." . $con_id . ".hostport");
+ my ($host, $port) = split(/:/, $cahostport);
+
+ if ($nickname =~ /(.*):(.*)/) {
+ $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`;
+ } else {
+ $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`;
+ }
+ $db_password =~ s/\n$//g;
+
+
+ my $tmpfile = "/tmp/tmp-$serialno-$$";
+ my $params = "serialNumber=" . "0x".$serialno . "&" .
+ "xml=true";
+ system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/displayBySerial\" $host:$port > $tmpfile");
+
+ my $content = `cat $tmpfile`;
+ system("rm $tmpfile");
+ if ($content eq "") {
+ return "CA: Connection Error";
+ system("rm $tmpfile");
+ }
+
+ $content =~ /(\<xml\>.*\<\/xml\>)/s;
+ $content = $1;
+ $content =~ s/\n//g;
+
+ my $xmlparser = XML::Simple->new(NormalizeSpace => 2);
+ my $response = $xmlparser->XMLin($content);
+
+ my $errorString = $response->{fixed}->{errorDetails};
+ my $revokeReason = $response->{header}->{revocationReason};
+
+ if ($revokeReason eq "") {
+ if ($errorString eq "") {
+ return "not revoked";
+ } else {
+ return "CA:".$errorString;
+ }
+ } else {
+ return "revoked:".$revokeReason;
+ }
+}
+
+#######################################
+# SCEP
+#######################################
+sub scep_get_ca_cert {
+ my ($self, $con_id, $operation, $message) = @_;
+
+ my $cfg = $self->{cfg};
+ my $instdir = $cfg->get("service.instanceDir");
+ my $db_password;
+
+ my $nickname = $cfg->get("conn." . $con_id . ".clientNickname");
+ my $cahostport = $cfg->get("conn." . $con_id . ".hostport");
+ my ($host, $port) = split(/:/, $cahostport);
+
+ if ($nickname =~ /(.*):(.*)/) {
+ $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`;
+ } else {
+ $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`;
+ }
+ $db_password =~ s/\n$//g;
+
+ my $tmpfile = "/tmp/tmp-$$";
+ my $params = "operation=" . $operation . "&" .
+ "message=" . $message;
+ system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -n \"$nickname\" -r \"/ca/ee/ca/pkiclient\" $host:$port > $tmpfile");
+
+
+ my $content = $self->get_http_content($tmpfile);
+
+ system("rm $tmpfile");
+
+ return $content;
+}
+
+# decode PKI Message
+sub scep_decode {
+ my ($self, $con_id, $operation, $message) = @_;
+
+ my $cfg = $self->{cfg};
+ my $instdir = $cfg->get("service.instanceDir");
+ my $db_password;
+
+ my $nickname = $cfg->get("conn." . $con_id . ".clientNickname");
+ my $cahostport = $cfg->get("conn." . $con_id . ".hostport");
+ my ($host, $port) = split(/:/, $cahostport);
+
+ if ($nickname =~ /(.*):(.*)/) {
+ $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`;
+ } else {
+ $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`;
+ }
+ $db_password =~ s/\n$//g;
+
+ my $tmpfile = "/tmp/tmp-$$";
+ my $params = "operation=" . $operation . "&" .
+ "message=" . $message . "&" .
+ "decode=true";
+ system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -n \"$nickname\" -r \"/ca/ee/ca/pkiclient\" $host:$port > $tmpfile");
+
+
+ my $content = $self->get_http_content($tmpfile);
+
+ system("rm $tmpfile");
+
+ return $content;
+}
+
+sub scep_pki_message {
+ my ($self, $con_id, $operation, $message) = @_;
+
+ my $cfg = $self->{cfg};
+ my $instdir = $cfg->get("service.instanceDir");
+ my $db_password;
+
+ my $nickname = $cfg->get("conn." . $con_id . ".clientNickname");
+ my $cahostport = $cfg->get("conn." . $con_id . ".hostport");
+ my ($host, $port) = split(/:/, $cahostport);
+
+ if ($nickname =~ /(.*):(.*)/) {
+ $db_password = `grep \"$1:\" \"$instdir/conf/password.conf\" | awk -F: '{print \$2}'`;
+ } else {
+ $db_password = `grep \"internal:\" \"$instdir/conf/password.conf\" | cut -c10-`;
+ }
+ $db_password =~ s/\n$//g;
+
+ my $tmpfile = "/tmp/tmp-$$";
+ my $params = "operation=" . $operation . "&" .
+ "message=" . $message;
+ system("/usr/bin/sslget -e \"$params\" -d \"$instdir/alias\" -p \"$db_password\" -n \"$nickname\" -r \"/ca/ee/ca/pkiclient\" $host:$port > $tmpfile");
+
+
+ my $content = $self->get_http_content($tmpfile);
+
+ system("rm $tmpfile");
+
+ return $content;
+}
+
+
+#######################################
+# Closes connection
+#######################################
+sub close {
+ my ($self) = @_;
+ $self->{certstore}->close();
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/AdminAuthPanel.pm b/base/ra/lib/perl/PKI/RA/AdminAuthPanel.pm
new file mode 100755
index 000000000..656dc2d5e
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/AdminAuthPanel.pm
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::AdminAuthPanel;
+$PKI::RA::AdminAuthPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(8);
+ $self->{"getName"} = &PKI::RA::Common::r("Admin Authentication");
+ $self->{"vmfile"} = "adminauthenticatepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AdminAuthPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AdminAuthPanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AdminAuthPanel: display");
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/AdminPanel.pm b/base/ra/lib/perl/PKI/RA/AdminPanel.pm
new file mode 100755
index 000000000..a5538ef54
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/AdminPanel.pm
@@ -0,0 +1,227 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use URI::URL;
+use URI::Escape;
+use DBI;
+
+package PKI::RA::AdminPanel;
+$PKI::RA::AdminPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(14);
+ $self->{"getName"} = &PKI::RA::Common::r("Administrator");
+ $self->{"vmfile"} = "adminpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AdminPanel: validate");
+ return 1;
+}
+
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AdminPanel: update");
+
+ my $uid = $q->param("uid");
+ my $name = $q->param("name");
+ my $email = $q->param("email");
+ my $password = $q->param("__pwd");
+ my $password_again = $q->param("__admin_password_again");
+
+ my $cert_request = $q->param("cert_request");
+ my $subject = $q->param("subject");
+ my $profile_id = $q->param("profileId");
+ my $cert_request_type = $q->param("cert_request_type");
+
+ $cert_request =~ s/%0D%0A//g; # remove carraige return
+
+ # submit request to CA
+
+ # Admin Certificate should be obtained from the ca selected in the
+ # name panel. If name panel use External CA, the admin certificate
+ # will be issued by the security domain CA.
+ my $cainfo = $::config->get("preop.ca.url");
+ &PKI::RA::Wizard::debug_log("AdminPanel: preop.ca.url=$cainfo");
+ if ($cainfo eq "" || $cainfo =~ /:$/) {
+ $cainfo = $::config->get("config.sdomainEEURL");
+ &PKI::RA::Wizard::debug_log("AdminPanel: config.sdomainEEURL=$cainfo");
+ }
+ &PKI::RA::Wizard::debug_log("AdminPanel: Connecting to CA: $cainfo");
+ my $cainfo_url = new URI::URL($cainfo);
+ my $sdom = $::config->get("config.sdomainEEURL");
+ my $sdom_url = new URI::URL($sdom);
+
+ my $machineName = $::config->get("service.machineName");
+ my $securePort = $::config->get("service.securePort");
+ my $session_id = $::config->get("preop.sessionID");
+
+ my $tokenname = $::config->get("preop.module.token");
+ my $token_pwd = $::pwdconf->get($tokenname);
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+
+ my $requestor_name = "RA-" . $machineName . "-" . $securePort;
+
+ my $params = "profileId=" . $profile_id . "&" .
+ "requestor_name=" . $requestor_name . "&" .
+ "cert_request_type=" . $cert_request_type . "&" .
+ "subject=" . $subject . "&" .
+ "cert_request=" .
+ URI::Escape::uri_escape("$cert_request") . "&" .
+ "xmlOutput=true" . "&" .
+ "sessionID=" . $session_id . "&" .
+ "auth_hostname=" . $sdom_url->host . "&" .
+ "auth_port=" . $sdom_url->port;
+
+ my $ca_host = $cainfo_url->host;
+ my $https_ee_port = $cainfo_url->port;
+ my $content = "";
+ my $tmpfile = "/tmp/admin-$$";
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile");
+ $content = `cat $tmpfile`;
+ } else {
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile");
+ $content = `cat $tmpfile`;
+ }
+ system("rm $tmpfile");
+ &PKI::RA::Wizard::debug_log("req = " . $content);
+
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+
+ # create user in internal database
+ &PKI::RA::Wizard::debug_log("AdminPanel: Creating user in internal database");
+ # use scripts/addAgents.ldif
+
+ my $parser = XML::Simple->new();
+ my $response = $parser->XMLin($content);
+ my $admincert = $response->{Requests}->{Request}->{b64};
+ &PKI::RA::Wizard::debug_log("AdminPanel: admincert " . $admincert);
+
+ # create local database
+ my $dbh = DBI->connect(
+ "dbi:SQLite:dbname=$instanceDir/conf/dbfile","","");
+ my $insert = "insert into users (" .
+ "uid" . "," .
+ "name" . "," .
+ "password" . "," .
+ "email" . "," .
+ "certificate" .
+ ") values (" .
+ $dbh->quote($uid) . "," .
+ $dbh->quote($name) . "," .
+ $dbh->quote($password) . "," .
+ $dbh->quote($email) . "," .
+ $dbh->quote($admincert) .
+ ")";
+ $dbh->do($insert);
+ $insert = "insert into roles (" .
+ "uid" . "," .
+ "gid" .
+ ") values (" .
+ $dbh->quote($uid) . "," .
+ $dbh->quote("administrators") .
+ ")";
+ $dbh->do($insert);
+ $insert = "insert into roles (" .
+ "uid" . "," .
+ "gid" .
+ ") values (" .
+ $dbh->quote($uid) . "," .
+ $dbh->quote("agents") .
+ ")";
+ $dbh->do($insert);
+ $dbh->disconnect();
+
+ my $reqid = $response->{Requests}->{Request}->{Id};
+ $::config->put("preop.admincert.requestId.0", $reqid);
+ my $sn = $response->{Requests}->{Request}->{serialno};
+ $::config->put("preop.admincert.serialno.0", $sn);
+
+ # update email address
+ $::config->put("request.agent.create_request.1.mailTo", $email);
+ $::config->put("request.scep.create_request.1.mailTo", $email);
+ $::config->put("request.server.create_request.1.mailTo", $email);
+ $::config->put("request.user.create_request.1.mailTo", $email);
+
+ $::config->commit();
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AdminPanel: display");
+ $::symbol{admin_uid} = "admin";
+ $::symbol{admin_name} = "RA Administrator";
+ $::symbol{admin_email} = "";
+ $::symbol{admin_pwd} = "";
+ $::symbol{admin_pwd_again} = "";
+ $::symbol{import} = "true";
+ my $domain_name = $::config->get("preop.securitydomain.name");
+ $::symbol{securityDomain} = $domain_name;
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/AgentAuthPanel.pm b/base/ra/lib/perl/PKI/RA/AgentAuthPanel.pm
new file mode 100755
index 000000000..1ada5ad54
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/AgentAuthPanel.pm
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::AgentAuthPanel;
+$PKI::RA::AgentAuthPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(7);
+ $self->{"getName"} = &PKI::RA::Common::r("Agent Authentication");
+ $self->{"vmfile"} = "agentauthenticatepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AgentAuthPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AgentAuthPanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("AgentAuthPanel: display");
+ return 1;
+}
+
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/BasePanel.pm b/base/ra/lib/perl/PKI/RA/BasePanel.pm
new file mode 100755
index 000000000..5cb4d7697
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/BasePanel.pm
@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::BasePanel;
+$PKI::RA::BasePanel::VERSION = '1.00';
+
+sub new {
+ my ($class) = @_;
+ my $self = {};
+ bless $self, $class;
+ return $self;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm b/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm
new file mode 100755
index 000000000..4cc65e5cf
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm
@@ -0,0 +1,289 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use URI::URL;
+
+package PKI::RA::CAInfoPanel;
+$PKI::RA::CAInfoPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+our $cert_header="-----BEGIN CERTIFICATE-----";
+our $cert_footer="-----END CERTIFICATE-----";
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(4);
+ $self->{"getName"} = &PKI::RA::Common::r("CA Information");
+ $self->{"vmfile"} = "cainfopanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update");
+
+ my $count = $q->param('urls');
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update - got urls = $count");
+
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update - selected ca= $count");
+
+ my $instanceID = $::config->get("service.instanceID");
+ my $host = "";
+ my $https_ee_port = "";
+ my $https_agent_port = "";
+ my $https_admin_port = "";
+ my $domain_xml = "";
+
+ if ($count =~ /http/) {
+ my $info = new URI::URL($count);
+ $host = $info->host;
+ $https_ee_port = $info->port;
+ $domain_xml = get_domain_xml($host, $https_ee_port);
+ if ($domain_xml eq "") {
+ $::symbol{errorString} = "missing security domain. CA must be installed prior to RA installation";
+ return 0;
+ }
+
+ $https_agent_port = get_secure_agent_port_from_domain_xml($domain_xml, $host, $https_ee_port);
+ $https_admin_port = get_secure_admin_port_from_domain_xml($domain_xml, $host, $https_ee_port);
+
+ if(($https_admin_port eq "") || ($https_agent_port eq "")) {
+ $::symbol{errorString} = "missing secure CA admin or agent port. CA must be installed prior to RA installation";
+ return 0;
+ }
+ } else {
+ $host = $::config->get("preop.securitydomain.ca$count.host");
+ $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
+ $https_agent_port = $::config->get("preop.securitydomain.ca$count.secureagentport");
+ $https_admin_port = $::config->get("preop.securitydomain.ca$count.secureadminport");
+ }
+
+ if (($host eq "") || ($https_ee_port eq "") || ($https_admin_port eq "") || ($https_agent_port eq "")) {
+ $::symbol{errorString} = "no CA found. CA must be installed prior to RA installation";
+ return 0;
+ }
+
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update - host= $host, https_ee_port= $https_ee_port");
+
+ $::config->put("preop.cainfo.select", "https://$host:$https_admin_port");
+ my $serverCertNickName = $::config->get("preop.cert.sslserver.nickname");
+
+ my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
+ $::config->put("conn.ca1.clientNickname", $subsystemCertNickName);
+ $::config->put("conn.ca1.hostport", $host . ":" . $https_ee_port);
+ $::config->put("conn.ca1.hostagentport", $host . ":" . $https_agent_port);
+ $::config->put("conn.ca1.hostadminport", $host . ":" . $https_admin_port);
+
+ $::config->commit();
+
+ # connect to the CA, and retrieve the CA certificate
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update connecting to CA and retrieve cert chain");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+ my $tmpfile = "/tmp/ca-$$";
+ system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile");
+ my $cmd = `cat $tmpfile`;
+ system("rm $tmpfile");
+ my $caCert;
+ if ($cmd =~ /\<ChainBase64\>(.*)\<\/ChainBase64\>/) {
+ $caCert = $1;
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: ca= $caCert");
+ }
+ if ($caCert eq "") {
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update no cert chain found");
+ return 0;
+ }
+ open(F, ">$instanceDir/conf/caCertChain2.txt");
+ print F $cert_header."\n".$caCert."\n".$cert_footer;
+ close(F);
+
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update retrieve cert chain done");
+
+ #import cert chain
+ system("p7tool -d $instanceDir/alias -p $instanceDir/conf/chain2cert -a -i $instanceDir/conf/caCertChain2.txt -o $instanceDir/conf/CAchain2_pp.txt");
+ my $r = $? >> 8;
+ my $failed = $? & 127;
+ if (($r > 0) && ($r < 10) && !$failed) {
+ my $i = 0;
+ while ($i ne $r) {
+ my $tmp = `certutil -d $instanceDir/alias -D -n "Trusted CA c2cert$i"`;
+ $tmp = `certutil -d $instanceDir/alias -A -f $instanceDir/conf/.pwfile -n "Trusted CA c2cert$i" -t "CT,C,C" -i $instanceDir/conf/chain2cert$i.der`;
+ $i++;
+ }
+ }
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: display");
+
+ $::symbol{urls} = [];
+# unshift(@{$::symbol{urls}}, "External CA");
+ my $count = 0;
+ my $first = 1;
+ my $list = "";
+ while (1) {
+ my $host = $::config->get("preop.securitydomain.ca$count.host");
+ if ($host eq "") {
+ goto DONE;
+ }
+ my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
+ my $name = $::config->get("preop.securitydomain.ca$count.subsystemname");
+ my $item = $name . " - https://" . $host . ":" . $https_ee_port;
+# my $item = "https://" . $host . ":" . $https_ee_port;
+# unshift(@{$::symbol{urls}}, $item);
+ $::symbol{urls}[$count++] = $item;
+ if ($first eq 1) {
+ $list = $item;
+ $first = 0;
+ } else {
+ $list = $list.",".$item;
+ }
+ }
+DONE:
+# $list = $list.",External CA";
+ $::config->put("preop.ca.list", $list);
+
+ $::symbol{urls_size} = $count;
+ if ($count eq 0) {
+ $::symbol{errorString} = "no CA found. CA, TKS, and optionally DRM must be installed prior to RA installation";
+ return 0;
+ }
+ return 1;
+}
+
+sub get_domain_xml
+{
+ my $host = $1;
+ my $https_ee_port = $2;
+
+ # get the domain xml
+ # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML
+
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+
+ my $sd_host = $::config->get("securitydomain.host");
+ my $sd_admin_port = $::config->get("securitydomain.httpsadminport");
+ my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`;
+
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+ return $content;
+}
+
+sub get_secure_admin_port_from_domain_xml
+{
+ my $content = $1;
+ my $host = $2;
+ my $https_ee_port = $3;
+
+ # Retrieve the secure admin port corresponding
+ # to the selected host and secure ee port.
+ my $parser = XML::Simple->new();
+ my $response = $parser->XMLin($content);
+ my $xml = $parser->XMLin( $response->{'DomainInfo'},
+ ForceArray => 1 );
+ my $https_admin_port = "";
+ my $count = 0;
+ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) {
+ if( ( $host eq $c->{'Host'}[0] ) &&
+ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
+ $https_admin_port = https_$c->{'SecureAdminPort'}[0];
+ }
+
+ $count++;
+ }
+
+ return $https_admin_port;
+}
+
+sub get_secure_agent_port_from_domain_xml
+{
+ my $content = $1;
+ my $host = $2;
+ my $https_ee_port = $3;
+
+ # Retrieve the secure agent port corresponding
+ # to the selected host and secure ee port.
+ my $parser = XML::Simple->new();
+ my $response = $parser->XMLin($content);
+ my $xml = $parser->XMLin( $response->{'DomainInfo'},
+ ForceArray => 1 );
+ my $https_agent_port = "";
+ my $count = 0;
+ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) {
+ if( ( $host eq $c->{'Host'}[0] ) &&
+ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
+ $https_agent_port = https_$c->{'SecureAgentPort'}[0];
+ }
+
+ $count++;
+ }
+
+ return $https_agent_port;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/CertInfo.pm b/base/ra/lib/perl/PKI/RA/CertInfo.pm
new file mode 100755
index 000000000..d1a8c3817
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/CertInfo.pm
@@ -0,0 +1,133 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::CertInfo;
+$PKI::RA::CertInfo::VERSION = '1.00';
+
+sub new {
+ my ($class, $name, $dn, $tag) = @_;
+ my $self = {};
+
+ &PKI::RA::Wizard::debug_log("CertInfo: start new");
+ $self->{"getUserFriendlyName"} = \&get_user_friendly_name;
+ $self->{"getCertTag"} = \&get_cert_tag;
+ $self->{"getDN"} = \&get_dn;
+ $self->{"getNickname"} = \&get_nickname;
+ $self->{"useDefaultKey"} = \&use_default_key;
+ $self->{"getCustomKeysize"} = \&get_custom_keysize;
+ $self->{"keyOption"} = \&get_key_option;
+ &PKI::RA::Wizard::debug_log("CertInfo: end new");
+
+ $self->{name} = $name;
+ $self->{dn} = $dn;
+ $self->{tag} = $tag;
+
+ bless $self, $class;
+ return $self;
+}
+
+sub get_user_friendly_name
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_user_friendly_name");
+ return $self->{name};
+}
+
+sub get_cert_tag
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_cert_tag");
+ return $self->{tag};
+}
+
+sub get_dn
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_cert_dn");
+ return $self->{dn};
+}
+
+sub use_default_key
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: use_default_key");
+ my $option = $::config->get("preop.cert.$self->{tag}.keysize.select");
+ if (($option ne "") && ($option ne "default")) {
+ return 0;
+ }
+ return 1;
+}
+
+sub get_nickname
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_nickname");
+ my $nickname = $::config->get("preop.cert.$self->{tag}.nickname");
+
+ my $flavor = "pki";
+ $flavor =~ s/\n//g;
+
+ if ($nickname ne "") {
+ return $nickname;
+ } else {
+ return $self->{tag}."cert cert-$flavor-ra";
+ }
+}
+
+sub get_key_option
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_key_option");
+ my $option = $::config->get("preop.cert.$self->{tag}.keysize.select");
+
+ if ($option ne "") {
+ &PKI::RA::Wizard::debug_log("CertInfo: get_key_option from config = $option");
+ return $option;
+ } else {
+ &PKI::RA::Wizard::debug_log("CertInfo: get_key_option not from config");
+ return "default";
+ }
+}
+
+sub get_custom_keysize
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("CertInfo: get_custom_keysize");
+ my $size = $::config->get("preop.cert.$self->{tag}.keysize.customsize");
+ &PKI::RA::Wizard::debug_log("CertInfo: get_custom_keysize for preop.cert.$self->{tag}.keysize.customsize is $size");
+ if ($size ne "") {
+ &PKI::RA::Wizard::debug_log("CertInfo: get_custom_keysize from config is $size");
+ return $size;
+ } else {
+ &PKI::RA::Wizard::debug_log("CertInfo: get_custom_keysize not from config");
+ return 2048;
+ }
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/CertPrettyPrintPanel.pm b/base/ra/lib/perl/PKI/RA/CertPrettyPrintPanel.pm
new file mode 100755
index 000000000..cf58d2327
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/CertPrettyPrintPanel.pm
@@ -0,0 +1,85 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::CertPrettyPrintPanel;
+$PKI::RA::CertPrettyPrintPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(13);
+ $self->{"getName"} = &PKI::RA::Common::r("Certificates");
+ $self->{"vmfile"} = "certprettyprintpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertPrettyPrintPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertPrettyPrintPanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertPrettyPrintPanel: display");
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm b/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm
new file mode 100755
index 000000000..51eb1d400
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm
@@ -0,0 +1,301 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use PKI::RA::ReqCertInfo;
+use FileHandle;
+
+package PKI::RA::CertRequestPanel;
+$PKI::RA::CertRequestPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+our $cert_req_header="-----BEGIN NEW CERTIFICATE REQUEST-----";
+our $cert_req_footer="-----END NEW CERTIFICATE REQUEST-----";
+our $cert_header="-----BEGIN CERTIFICATE-----";
+our $cert_footer="-----END CERTIFICATE-----";
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(13);
+ $self->{"getName"} = &PKI::RA::Common::r("Certificate Requests");
+ $self->{"vmfile"} = "certrequestpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update");
+
+ my $i = 0;
+
+ my $instanceDir = $::config->get("service.instanceDir");
+
+ my $useExternalCA = $::config->get("preop.certenroll.useExternalCA");
+ if ($useExternalCA eq "on") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: useExternalCA is on");
+ } else {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: useExternalCA is off");
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update auto enrollment should have been done, no more action needed");
+ return 1;
+ }
+
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update External CA selected, retrieve/process user input");
+
+ my $tokenname = $::config->get("preop.module.token");
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update got token name = $tokenname");
+ my $token_pwd = $::pwdconf->get($tokenname);
+ $token_pwd =~ s/\n//g;
+ open FILE, ">$instanceDir/conf/.pwfile";
+ system( "chmod 00660 $instanceDir/conf/.pwfile" );
+ print FILE $token_pwd;
+ close FILE;
+
+ my $hw;
+ my $tk;
+
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ $hw = "";
+ $tk = "";
+ } else {
+ $hw = "-h $tokenname";
+ $tk = $tokenname.":";
+ }
+
+ foreach my $certtag (@PKI::RA::Wizard::certtags) {
+ if ($certtag eq "subsystem") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: subsystem cert is pre-generated by the security domain");
+ return 1;
+ }
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: for certag= $certtag");
+ my $ccert = $::config->get("preop.cert.$certtag.cert");
+ if ($ccert ne "") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: cert already exists in CS.cfg, go to next");
+ next;
+ }
+ my $certchain = $q->param($certtag.'_cc');
+ if ($certchain ne "") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: $certtag certchain is $certchain");
+ my $cc_fn = "$instanceDir/conf/caCertChain.txt";
+ my $tmp = `echo "$certchain" > $cc_fn`;
+ # remove existing one
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: try to delete existing certchain, if any....ok if it fails");
+# XXX remove should not be done lightly...
+ $tmp = `p7tool -d $instanceDir/alias -p $instanceDir/conf/chain1cert -a -i $cc_fn -o $instanceDir/conf/CAchain_pp.txt`;
+ my $r = $? >> 8;
+ my $failed = $? & 127;
+ if (($r > 0) && ($r < 10) && !$failed) {
+ my $i = 0;
+ while ($i ne $r) {
+ $tmp = `certutil -d $instanceDir/alias -D -n "Trusted CA $certtag cert$i"`;
+ $tmp = `certutil -d $instanceDir/alias -A -f $instanceDir/conf/.pwfile -n "Trusted CA $certtag cert$i" -t "CT,C,C" -i $instanceDir/conf/chain1cert$i.der`;
+# $tmp = `rm $cc_fn`;
+ $i++
+ }
+ }
+ } else {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: no certchain included for certtag $certtag");
+ }
+
+ my $cert = $q->param($certtag);
+ if ($cert ne "") {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: $certtag cert is $cert");
+ my $nickname = $::config->get("preop.cert.$certtag.nickname");
+ if ($nickname eq "") {
+ $nickname = "RA ".$certtag." cert";
+ $::config->put("preop.cert.$certtag.nickname", $nickname);
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: $certtag cert nickname not found in CS.cfg, generating one= $nickname");
+ }
+ #remove existing one
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: try to delete existing cert $nickname, if any....ok if it fails");
+#XXX remove should not be done lightly...
+ my $tmp = `certutil -d $instanceDir/alias -D -n "$nickname"`;
+ $tmp = `certutil -d $instanceDir/alias -D $hw -f $instanceDir/conf/.pwfile -n "$tk$nickname"`;
+ #now import the cert
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: try to import cert");
+ my $cert_fn = "$instanceDir/conf/$certtag"."_cert.txt";
+ $tmp = `echo "$cert" > $cert_fn`;
+
+# $cert = extract_cert_from_file_sans_header_and_footer($cert_fn);
+ my $certa ="";
+ my $save_line = 0;
+ my @cert_a = split "\n", $cert;
+ foreach my $line (@cert_a) {
+ chomp( $line );
+ $line =~ s/\r//g;
+ if ($line eq $cert_header) {
+ $save_line = 1;
+ } elsif( $line eq $cert_footer ) {
+ $save_line = 0;
+ last;
+ } elsif( $save_line == 1 ) {
+ $certa .= "$line";
+ }
+ }
+
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update putting cert in CS.cfg: $certa");
+
+ $::config->put("preop.cert.$certtag.cert", $certa);
+
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: about to certutil -d $instanceDir/alias $hw -A -f $instanceDir/conf/.pwfile -n $nickname -t u,u,u -a -i $cert_fn");
+ $tmp = `certutil -d $instanceDir/alias $hw -A -f $instanceDir/conf/.pwfile -n "$nickname" -t "u,u,u" -a -i $cert_fn`;
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: done certutil: $tmp");
+ $tmp = `rm $cert_fn`;
+
+ # changed the cert, need to change nickname too, if necessary
+ if ($hw ne "") {
+ $::config->put("preop.cert.$certtag.nickname", "$tk$nickname");
+ if ($certtag eq "subsystem") {
+ $::config->put("conn.ca1.clientNickname","$tk$nickname");
+ $::config->put("conn.drm1.clientNickname","$tk$nickname");
+ $::config->put("conn.tks1.clientNickname","$tk$nickname");
+ }
+ }
+
+ } else {
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: update: no cert");
+ }
+ }
+
+DONE:
+ $::config->commit();
+ my $tmp = `rm $instanceDir/conf/.pwfile`;
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("CertRequestPanel: display");
+
+ my $domain_name = $::config->get("preop.securitydomain.name");
+ if ($domain_name eq "") {
+ $domain_name = "RA Domain";
+ }
+ my $machine_name = $::config->get("service.machineName");
+ my $instance_id = $::config->get("service.instanceID");
+
+ my $i = 0;
+ foreach my $certtag (@PKI::RA::Wizard::certtags) {
+ my $cert_dn = $::config->get("preop.cert.".$certtag.".dn");
+ if ($cert_dn eq "") {
+ if ($certtag eq "subsystem") {
+ $cert_dn = "CN=RA Subsystem, " .
+ "OU=" . $instance_id . ", " .
+ "O=" . $domain_name;
+ } elsif ($certtag eq "sslserver") {
+ $cert_dn ="CN=" . $machine_name . ", " .
+ "OU=" . $instance_id . ", " .
+ "O=" . $domain_name;
+ } else {
+ $cert_dn = $certtag;
+ }
+ }
+
+ my $name = $::config->get("preop.cert.".$certtag.".userfriendlyname");
+ if ($name eq "") {
+ $name = $certtag."Cert ".$instance_id;
+ }
+
+ my $reqcert = new PKI::RA::ReqCertInfo($name,
+ $cert_dn, $certtag);
+ $::symbol{reqscerts}[$i++] = $reqcert;
+ }
+
+ $::symbol{errorString} = "";
+ $::symbol{showApplyButton} = "true";
+
+ return 1;
+}
+
+# arg0 message containing certificate
+# return certificate sans header and footer
+# -- all in a one-liner
+sub extract_cert_from_file_sans_header_and_footer
+{
+ my $filename = $_[0];
+ my $save_line = 0;
+
+ my $fd = new FileHandle;
+
+ my $cert = "";
+
+ $fd->open( "<$filename" ) or die "Could not open '$filename'!\n";
+
+ while( <$fd> )
+ {
+ my $line = $_;
+ chomp( $line );
+ $line =~ s/^M//g;
+
+ if( $line eq $cert_header ) {
+ $save_line = 1;
+ } elsif( $line eq $cert_footer ) {
+ $save_line = 0;
+ last;
+ } elsif( $save_line == 1 ) {
+ $cert .= "$line";
+ }
+ }
+
+ $fd->close();
+
+ return $cert;
+}
+
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/Common.pm b/base/ra/lib/perl/PKI/RA/Common.pm
new file mode 100755
index 000000000..8deab8c6c
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/Common.pm
@@ -0,0 +1,50 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package PKI::RA::Common;
+
+use strict;
+use warnings;
+use Exporter;
+
+use vars qw(@ISA @EXPORT @EXPORT_OK);
+@ISA = qw(Exporter Autoloader);
+@EXPORT = qw(r yes no);
+
+$PKI::RA::Common::VERSION = '1.00';
+
+sub yes {
+ return sub {1};
+}
+
+sub no {
+ return sub {0};
+}
+
+sub r {
+ my $a = shift;
+ return sub { $a; }
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/Config.pm b/base/ra/lib/perl/PKI/RA/Config.pm
new file mode 100755
index 000000000..f1ace5b03
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/Config.pm
@@ -0,0 +1,170 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package PKI::RA::Config;
+
+use strict;
+use warnings;
+use Exporter;
+
+$PKI::RA::Config::VERSION = '1.00';
+
+#######################################################
+# Configuration Store
+#######################################################
+sub new {
+ my $class = shift;
+ my $self = {};
+ my %hash = ();
+ $self->{filename} = "";
+ $self->{hash} = \%hash;
+ bless $self,$class;
+ return $self;
+}
+
+sub load_file
+{
+ my ($self, $filename) = @_;
+
+ $self->{filename} = $filename;
+ if (-e $filename) {
+ open(CF, "<$filename");
+ if (defined fileno CF) {
+ while (<CF>) {
+ if (/^#/) {
+ # comments
+ } elsif (/([^=]+)=(.*)$/) {
+ # print "$1 = $2\n";
+ $self->{hash}{$1} = $2;
+ } else {
+ # preserve comments
+ }
+ }
+ }
+ close(CF);
+ }
+}
+
+sub get_filename
+{
+ my ($self) = @_;
+ return $self->{filename};
+}
+
+sub get
+{
+ my ($self, $n) = @_;
+ return $self->{hash}{$n};
+}
+
+sub put
+{
+ my ($self, $n, $v) = @_;
+ $self->{hash}{$n} = $v;
+}
+
+sub deleteSubstore
+{
+ my ($self, $n) = @_;
+ foreach my $xkey (keys %{$self->{hash}}) {
+ if ($xkey =~ /^\Q$n\E/) {
+ delete $self->{hash}{$xkey};
+ }
+ }
+}
+
+sub commit
+{
+ my ($self) = @_;
+
+ # write stuff back to the file
+# print $self->{filename} . "\n";
+ my $hash = $self->{hash};
+ my $suffix = time();
+
+ if (-e $self->{filename}) {
+ # Create a copy of the original file which
+ # preserves the original file permissions
+ system("cp -p \"" . $self->{filename} . "\" \"" .
+ $self->{filename} . "." . $suffix . "\"");
+ }
+
+ # Overwrite the contents of the original file
+ # to preserve the original file permissions
+ open(F, ">" . $self->{filename});
+ foreach my $k (sort keys %{$hash}) {
+ print F "$k=$self->{hash}{$k}\n";
+ }
+ close(F);
+
+ if (-e $self->{filename} . "." . $suffix) {
+ system("rm \"" . $self->{filename} . "." . $suffix . "\"");
+ }
+}
+
+sub commit_with_backup
+{
+ my ($self) = @_;
+
+ # write stuff back to the file
+# print $self->{filename} . "\n";
+ my $hash = $self->{hash};
+ my $suffix = time();
+ # Create a copy of the original file which
+ # preserves the original file permissions
+ system("cp -p \"" . $self->{filename} . "\" \"" .
+ $self->{filename} . "." . $suffix . "\"");
+
+ # Overwrite the contents of the original file
+ # to preserve the original file permissions
+ open(F, ">" . $self->{filename});
+ foreach my $k (sort keys %{$hash}) {
+ print F "$k=$self->{hash}{$k}\n";
+ }
+ close(F);
+}
+
+1;
+
+#######################################################
+# Test Program
+#######################################################
+#my $config = PKI::RA::Config->new();
+#$config->load_file("/tmp/CS.cfg");
+#print $config->get("tokendb.indexAdminTemplate") . "\n";
+#$config->put("tokendb.indexAdminTemplate", "Testing");
+#print $config->get("tokendb.indexAdminTemplate") . "\n";
+#$config->commit();
+
+1;
+
+#######################################################
+# Test Program
+#######################################################
+#my $config = PKI::RA::Config->new();
+#$config->load_file("/tmp/CS.cfg");
+#print $config->get("tokendb.indexAdminTemplate") . "\n";
+#$config->put("tokendb.indexAdminTemplate", "Testing");
+#print $config->get("tokendb.indexAdminTemplate") . "\n";
+#$config->commit();
diff --git a/base/ra/lib/perl/PKI/RA/ConfigHSMLoginPanel.pm b/base/ra/lib/perl/PKI/RA/ConfigHSMLoginPanel.pm
new file mode 100755
index 000000000..bf74890cc
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/ConfigHSMLoginPanel.pm
@@ -0,0 +1,104 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::ConfigHSMLoginPanel;
+$PKI::RA::ConfigHSMLoginPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(9);
+ $self->{"getName"} = &PKI::RA::Common::r("Security Modules Login");
+ $self->{"vmfile"} = "config_hsmloginpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 1;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel: update");
+ my $uTokName = $q->param('uTokName');
+ my $uPasswd = $q->param('__uPasswd');
+
+# &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel: update tokname= $uTokName pwd =$uPasswd");
+
+ $::pwdconf->put($uTokName, $uPasswd);
+ $::pwdconf->commit();
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ use Data::Dumper;
+ $Data::Dumper::Indent = 1;
+# &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel -> dump of q= ". Dumper($q));
+ $::symbol{SecToken} = $q->param('SecToken');
+# &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel -> display has ".$q->param('SecToken'));
+
+ &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel -> display retrieving $q->param('SecToken') ");
+ my $pwd = $::pwdconf->get( $q->param('SecToken'));
+ if ($pwd ne "") {
+ &PKI::RA::Wizard::debug_log("ConfigHSMLoginPanel -> display retrieved pwd from pwdconf");
+ }
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/ConfigHSMPanel.pm b/base/ra/lib/perl/PKI/RA/ConfigHSMPanel.pm
new file mode 100755
index 000000000..095ed5879
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/ConfigHSMPanel.pm
@@ -0,0 +1,72 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::ConfigHSMPanel;
+$PKI::RA::ConfigHSMPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&PKI::RA::Common::no;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(12);
+ $self->{"getName"} = &PKI::RA::Common::r("ConfigHSMLogin");
+ $self->{"vmfile"} = "config_hsm.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMPanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ConfigHSMPanel: display");
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm b/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm
new file mode 100755
index 000000000..fadd7727c
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm
@@ -0,0 +1,140 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use URI::URL;
+
+package PKI::RA::DRMInfoPanel;
+$PKI::RA::DRMInfoPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(6);
+ $self->{"getName"} = &PKI::RA::Common::r("DRM Information");
+ $self->{"vmfile"} = "drminfopanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DRMInfoPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DRMInfoPanel: update");
+
+ my $choice = $q->param('choice');
+ $::config->put("preop.krainfo.keygen", $choice);
+
+ if ($choice eq "keygen") {
+ my $count = $q->param('urls');
+ my $instanceID = $::config->get("service.instanceID");
+ my $host = "";
+ my $https_agent_port = "";
+ if ($count =~ /http/) {
+ my $info = new URI::URL($count);
+ $host = $info->host;
+ $https_agent_port = $info->port;
+ } else {
+ $host = $::config->get("preop.securitydomain.kra$count.host");
+ $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport");
+ }
+ if (($host eq "") || ($https_agent_port eq "")) {
+ $::symbol{errorString} = "no DRM found. CA, TKS and DRM must be installed prior to RA installation";
+ return 0;
+ }
+
+ $::config->put("preop.krainfo.select", "https://$host:$https_agent_port");
+ my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
+ $::config->put("conn.drm1.clientNickname", $subsystemCertNickName);
+ $::config->put("conn.drm1.hostport", $host . ":" . $https_agent_port);
+ $::config->put("conn.tks1.serverKeygen", "true");
+ $::config->put("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "true");
+ $::config->put("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "true");
+ } else {
+ # no keygen
+ $::config->put("conn.tks1.serverKeygen", "false");
+ $::config->put("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "false");
+ $::config->put("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "false");
+ $::config->put("conn.drm1.clientNickname", "");
+ $::config->put("conn.drm1.hostport", "");
+ }
+ $::config->commit();
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DRMInfoPanel: display");
+
+ $::symbol{urls} = [];
+ my $count = 0;
+ while (1) {
+ my $host = $::config->get("preop.securitydomain.kra$count.host");
+ if ($host eq "") {
+ goto DONE;
+ }
+ my $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport");
+ my $name = $::config->get("preop.securitydomain.kra$count.subsystemname");
+ $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port;
+ }
+DONE:
+ $::symbol{urls_size} = $count;
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/DatabasePanel.pm b/base/ra/lib/perl/PKI/RA/DatabasePanel.pm
new file mode 100755
index 000000000..e469e51f8
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/DatabasePanel.pm
@@ -0,0 +1,109 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+use DBI;
+package PKI::RA::DatabasePanel;
+$PKI::RA::DatabasePanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(8);
+ $self->{"getName"} = &PKI::RA::Common::r("Internal Database");
+ $self->{"vmfile"} = "databasepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DatabasePanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DatabasePanel: update");
+ my $instDir = $::config->get("service.instanceDir");
+
+ # create local database
+ my $dbh = DBI->connect(
+ "dbi:SQLite:dbname=$instDir/conf/dbfile","","");
+
+ # create database lockfile
+ system("touch $instDir/conf/dblock");
+
+ open(F, "/usr/share/pki/ra/scripts/schema.sql");
+ while (<F>) {
+ if (!($_ =~ /^#/)) {
+ $dbh->do($_);
+ }
+ }
+ close(F);
+
+ $dbh->disconnect();
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DatabasePanel: display");
+
+ my $machineName = $::config->get("service.machineName");
+ my $instanceId = $::config->get("service.instanceID");
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/DisplayCertChain2Panel.pm b/base/ra/lib/perl/PKI/RA/DisplayCertChain2Panel.pm
new file mode 100755
index 000000000..46c8a2902
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/DisplayCertChain2Panel.pm
@@ -0,0 +1,179 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use FileHandle;
+
+package PKI::RA::DisplayCertChain2Panel;
+$PKI::RA::DisplayCertChain2Panel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+our $cert_header="-----BEGIN CERTIFICATE-----";
+our $cert_footer="-----END CERTIFICATE-----";
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(7);
+ $self->{"getName"} = &PKI::RA::Common::r("Display Certificate Chain");
+ $self->{"vmfile"} = "displaycertchain2panel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub readFile
+{
+ my $fn = $_[0];
+ open FILE, "< $fn" or return "";
+ my $content = join "",<FILE>;
+ close FILE;
+
+ return $content;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: update");
+
+ my $instanceDir = $::config->get("service.instanceDir");
+
+# my $caCert = readFile("$instanceDir/conf/caCertChain2.txt");
+ my $caCert = extract_cert_from_file_sans_header_and_footer("$instanceDir/conf/caCertChain2.txt");
+
+ #store in config
+ $::config->put("preop.ca.certchain", $caCert);
+ $::config->commit();
+ # import it into the security database
+ my $tmp = `p7tool -d $instanceDir/alias -p $instanceDir/conf/chain2cert -a -i $instanceDir/conf/caCertChain2.txt -o $instanceDir/conf/CAchain2_pp.txt`;
+ my $r = $? >> 8;
+ my $failed = $? & 127;
+ if (($r > 0) && ($r < 10) && !$failed) {
+ my $i = 0;
+ while ($i ne $r) {
+ $tmp = `certutil -d $instanceDir/alias -D -n "Trusted CA c2cert$i"`;
+ $tmp = `certutil -d $instanceDir/alias -A -f $instanceDir/conf/.pwfile -n "Trusted CA c2cert$i" -t "CT,C,C" -i $instanceDir/conf/chain2cert$i.der`;
+ $i++
+ }
+ }
+
+ # clean up
+# my $tmp = `rm $instanceDir/conf/caCertChain2.txt`;
+# $tmp = `rm $instanceDir/conf/CAchain2_pp.txt`;
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: display");
+ my $instanceDir = $::config->get("service.instanceDir");
+
+ my $found = -e "$instanceDir/conf/caCertChain2.txt";
+ my $certpp = "";
+ if ($found) {
+ &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: display found caCertChain2.txt");
+ my $tmp = `p7tool -d $instanceDir/alias -p $instanceDir/conf/chain2cert -a -i $instanceDir/conf/caCertChain2.txt -o $instanceDir/conf/CAchain2_pp.txt`;
+
+ $certpp = readFile("$instanceDir/conf/CAchain2_pp.txt");
+ &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: display read CAchain2_pp.txt");
+ $certpp =~ s/"//g;
+ &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: certpp2= $certpp");
+ }
+
+# $symbol{certchain} = [ "cert1", "cert2" ];
+# $symbol{certchain_size} = 2;
+ $::symbol{certchain} = "$certpp";
+ $::symbol{certchain_size} = 1;
+
+ &PKI::RA::Wizard::debug_log("DisplayCertChain2Panel: display done");
+ return 1;
+}
+
+# return certificate sans header and footer
+# -- all in a one-liner
+sub extract_cert_from_file_sans_header_and_footer
+{
+ my $filename = $_[0];
+ my $save_line = 0;
+
+ my $fd = new FileHandle;
+
+ my $cert = "";
+
+ $fd->open( "<$filename" ) or die "Could not open '$filename'!\n";
+
+ while( <$fd> )
+ {
+ my $line = $_;
+ chomp( $line );
+ $line =~ s/^M//g;
+
+ if( $line eq $cert_header ) {
+ $save_line = 1;
+ } elsif( $line eq $cert_footer ) {
+ $save_line = 0;
+ last;
+ } elsif( $save_line == 1 ) {
+ $cert .= "$line";
+ }
+ }
+
+ $fd->close();
+
+ return $cert;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm b/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
new file mode 100755
index 000000000..dd991a917
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
@@ -0,0 +1,348 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use URI::URL;
+use MIME::Base64;
+
+package PKI::RA::DisplayCertChainPanel;
+$PKI::RA::DisplayCertChainPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(2);
+ $self->{"getName"} = &PKI::RA::Common::r("Display Certificate Chain");
+ $self->{"vmfile"} = "displaycertchainpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 1;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: validate");
+ return 1;
+}
+
+sub readFile
+{
+ my $fn = $_[0];
+ open FILE, "< $fn" or return "";
+ my $content = join "",<FILE>;
+ close FILE;
+
+ return $content;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: update");
+
+ my $instanceDir = $::config->get("service.instanceDir");
+
+ my $caCert = readFile("$instanceDir/conf/caCert.txt");
+
+ #store in config
+ $::config->put("preop.ca.certchain", $caCert);
+ $::config->commit();
+
+ # import it into the security database
+# my $cmd1 = `/usr/bin/AtoB $instanceDir/conf/caCert.txt $instanceDir/conf/caCert.der`;
+ my $cmd2 = `/usr/bin/certutil -A -d \"$instanceDir/alias\" -t \"CT,CT,CT\" -n \"caCert\" -i $instanceDir/conf/caCert.der`;
+
+ # clean up
+ my $tmp = `rm $instanceDir/conf/caCert.txt`;
+ $tmp = `rm $instanceDir/conf/caCert.der`;
+ $tmp = `rm $instanceDir/conf/caCert_pp.txt`;
+
+ # complete the SecurityDomain task
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ if ($sdomainAdminURL eq "") {
+ return 2;
+ }
+
+ my $machineName = $::config->get("service.machineName");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
+ my $unsecurePort = $::config->get("service.unsecurePort");
+
+ # check if url is accessible
+ # redirect to the security domain authentication
+ if ($ENV{'SERVER_PORT'} eq $unsecurePort) {
+ $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA";
+ } else {
+ $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $non_clientauth_securePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA";
+ }
+
+ get_domain_xml($sdomainAdminURL);
+
+
+ return 3;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: display");
+
+ # connect to the CA, and retrieve the CA certificate
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: update connecting to CA and retrieve cert chain");
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ if ($sdomainAdminURL eq "") {
+ return 2;
+ }
+
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+
+ my $url_info = new URI::URL($sdomainAdminURL);
+ my $sd_host = $url_info->host;
+ my $sd_admin_port = $url_info->port;
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/ca/admin/ca/getCertChain\" $sd_host:$sd_admin_port`;
+
+ my $caCert = "";
+ if ($cmd =~ /\<ChainBase64\>(.*)\<\/ChainBase64\>/) {
+ $caCert = $1;
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: ca= $caCert");
+ }
+
+ my $certpp = "";
+ if ($caCert ne "") {
+ open(F, ">$instanceDir/conf/caCert.txt");
+ print F $caCert;
+ close(F);
+
+ # test to see if tmp directory exists, if not, create
+ my $found = -e "$instanceDir/conf/tmp";
+ if (! $found) {
+ my $tmp = `mkdir $instanceDir/conf/tmp`;
+ }
+
+ # import it into a temporary security database
+# my $cmd1 = `/usr/bin/AtoB $instanceDir/conf/caCert.txt $instanceDir/conf/caCert.der`;
+ # my $cmd1 = `/usr/bin/openssl base64 -d -A -in $instanceDir/conf/caCert.txt -out $instanceDir/conf/caCert.der`;
+
+ my $txt = `cat $instanceDir/conf/caCert.txt`;
+ open(OUT, ">$instanceDir/conf/caCert.der");
+ print OUT MIME::Base64::decode($txt);
+ close(OUT);
+
+ my $cmd2 = `/usr/bin/certutil -A -d \"$instanceDir/conf/tmp\" -t \"CT,CT,CT\" -n \"caCert\" -i $instanceDir/conf/caCert.der`;
+
+ # get pretty print from temp db
+ my $tmp = `certutil -d $instanceDir/conf/tmp -n "caCert" -L > $instanceDir/conf/caCert_pp.txt`;
+ $certpp = readFile("$instanceDir/conf/caCert_pp.txt");
+ $certpp =~ s/"//g;
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: certpp= $certpp");
+ # clean up temp db
+ $tmp = `certutil -d $instanceDir/alias/tmp -D -n "caCert"`;
+ } else {
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: update no certchain found");
+ }
+
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: display certchain=$caCert");
+
+# $symbol{certchain} = [ "cert1", "cert2" ];
+# $symbol{certchain_size} = 2;
+ $::symbol{certchain} = "$certpp";
+# This certchain_size does not matter
+ $::symbol{certchain_size} = 1;
+
+ return 1;
+}
+
+sub get_domain_xml
+{
+ my ($sdomainAdminURL) = @_;
+
+ my $sdom_info = new URI::URL($sdomainAdminURL);
+ # get the domain xml
+ # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML
+
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+
+ my $sd_host = $sdom_info->host;
+ my $sd_admin_port = $sdom_info->port;
+ my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`;
+
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+
+ &PKI::RA::Wizard::debug_log("content = " . $content);
+
+ my $parser = XML::Simple->new();
+ my $response = $parser->XMLin($content);
+ my $xml = $parser->XMLin($response->{'DomainInfo'},
+ ForceArray => 1);
+
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: security domain '" .
+ $xml->{'Name'}[0] . "'");
+ $::config->put("preop.securitydomain.name", $xml->{'Name'}[0]);
+ $::config->put("securitydomain.name", $xml->{'Name'}[0]);
+
+ # parse xml and store information in CS.cfg
+ my $count = 0;
+ $count = 0;
+ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) {
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: Found CA '" .
+ $c->{'SubsystemName'}[0] . "'");
+ $::config->put("preop.securitydomain.ca" . $count . ".subsystemname",
+ $c->{'SubsystemName'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".secureport",
+ $c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".secureagentport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".secureadminport",
+ $c->{'SecureAdminPort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".host",
+ $c->{'Host'}[0]);
+
+ # The user previously specified the CA Security Domain's
+ # SSL Admin URL in the "Security Domain Panel";
+ # now retrieve this specified CA Security Domain's
+ # non-SSL EE, SSL Agent, and SSL EE URLs:
+ if( $sd_admin_port eq $c->{'SecureAdminPort'}[0] ) {
+ # Build the URLs
+ my $http_ee_port = "https://"
+ . $c->{'Host'}[0]
+ . ":"
+ . $c->{'UnSecurePort'}[0];
+ my $https_agent_port = "https://"
+ . $c->{'Host'}[0]
+ . ":"
+ . $c->{'SecureAgentPort'}[0];
+ my $https_ee_port = "https://"
+ . $c->{'Host'}[0]
+ . ":"
+ . $c->{'SecurePort'}[0];
+
+ # Store the URLs
+ $::config->put( "config.sdomainHttpURL", $http_ee_port );
+ $::config->put( "config.sdomainAgentURL", $https_agent_port );
+ $::config->put( "config.sdomainEEURL", $https_ee_port );
+
+ # Store additional values necessary for 'pkiremove' . . .
+ $::config->put( "securitydomain.httpport",
+ $c->{'UnSecurePort'}[0] );
+ $::config->put( "securitydomain.httpsagentport",
+ $c->{'SecureAgentPort'}[0] );
+ $::config->put( "securitydomain.httpseeport",
+ $c->{'SecurePort'}[0] );
+ }
+
+ $count++;
+ }
+
+ $count = 0;
+ foreach my $c (@{$xml->{'TKSList'}[0]->{'TKS'}}) {
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: Found TKS '" .
+ $c->{'SubsystemName'}[0] . "'");
+ $::config->put("preop.securitydomain.tks" . $count . ".subsystemname",
+ $c->{'SubsystemName'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".secureport",
+ $c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".secureagentport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".secureadminport",
+ $c->{'SecureAdminPort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".host",
+ $c->{'Host'}[0]);
+ $count++;
+ }
+
+ $count = 0;
+ foreach my $c (@{$xml->{'KRAList'}[0]->{'KRA'}}) {
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: Found KRA '" .
+ $c->{'SubsystemName'}[0] . "'");
+ $::config->put("preop.securitydomain.kra" . $count . ".subsystemname",
+ $c->{'SubsystemName'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".secureport",
+ $c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".secureagentport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".secureadminport",
+ $c->{'SecureAdminPort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".host",
+ $c->{'Host'}[0]);
+ $count++;
+ }
+
+ $count = 0;
+ foreach my $c (@{$xml->{'RAList'}[0]->{'RA'}}) {
+ &PKI::RA::Wizard::debug_log("DisplayCertChainPanel: Found RA '" .
+ $c->{'SubsystemName'}[0] . "'");
+ $::config->put("preop.securitydomain.ra" . $count . ".subsystemname",
+ $c->{'SubsystemName'}[0]);
+ $::config->put("preop.securitydomain.ra" . $count . ".secureport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.ra" . $count . ".non_clientauth_secure_port",
+ $c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.ra" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
+ $::config->put("preop.securitydomain.ra" . $count . ".host",
+ $c->{'Host'}[0]);
+ $count++;
+ }
+ $::config->commit();
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/DonePanel.pm b/base/ra/lib/perl/PKI/RA/DonePanel.pm
new file mode 100755
index 000000000..4a32a8270
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/DonePanel.pm
@@ -0,0 +1,399 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use URI::URL;
+use XML::Simple;
+
+package PKI::RA::DonePanel;
+$PKI::RA::DonePanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(16);
+ $self->{"getName"} = &PKI::RA::Common::r("Done");
+ $self->{"vmfile"} = "donepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DonePanel: validate");
+ return 1;
+}
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("DonePanel: update");
+ return 1;
+}
+
+sub register_ra
+{
+ my ($sdom, $url, $uri, $xname) = @_;
+
+ &PKI::RA::Wizard::debug_log("DonePanel: register_ra at $url");
+ &PKI::RA::Wizard::debug_log("DonePanel: subsystem $xname uri=$uri");
+
+ my $url_info = new URI::URL($url);
+ my $sdom_info = new URI::URL($sdom);
+
+ # register RA to Security Domain
+ # submit request to CA
+ &PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain");
+
+ my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
+ my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
+ my $session_id = $::config->get("preop.sessionID");
+
+ &PKI::RA::Wizard::debug_log("DonePanel: Security Domain Info " . $url);
+
+ # add service.securityDomainPort to the config file in case pkiremove
+ # needs to remove system reference from the security domain
+ $::config->put("service.securityDomainPort", $securePort);
+ $::config->commit();
+
+ my $uid = "RA-" . $machineName . "-" . $securePort;
+ my $name = "Registration Authority Subsystem";
+
+ my $instDir = $::config->get("service.instanceDir");
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+
+ my $hw;
+ my $tk;
+ my $tokenname = $::config->get("preop.module.token");
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: update got token name = $tokenname");
+
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ $hw = "";
+ $tk = "";
+ } else {
+ $hw = "-h $tokenname";
+ $tk = $tokenname.":";
+ }
+
+ my $token_pwd = $::pwdconf->get($tokenname);
+ open FILE, ">$instDir/conf/.pwfile";
+ system( "chmod 00660 $instDir/conf/.pwfile" );
+ $token_pwd =~ s/\n//g;
+ print FILE $token_pwd;
+ close FILE;
+
+ my $subsystemNickname = $::config->get("preop.cert.subsystem.nickname");
+ my $certificate = `/usr/bin/certutil -d "$instDir/alias" -L $hw -f "$instDir/conf/.pwfile" -n "$subsystemNickname" -a`;
+ $certificate =~ s/-----BEGIN CERTIFICATE-----//g;
+ $certificate =~ s/-----END CERTIFICATE-----//g;
+ $certificate =~ s/\n$//g;
+
+
+ &PKI::RA::Wizard::debug_log("DonePanel: Connecting");
+
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+
+ my $params = "uid=" . $uid . "&" .
+ "name=" . $name . "&" .
+ "certificate=" .
+ URI::Escape::uri_escape("$certificate") . "&" .
+ "xmlOutput=true" . "&" .
+ "sessionID=" . $session_id . "&" .
+ "auth_hostname=" . $sdom_info->host . "&" .
+ "auth_port=" . $sdom_info->port;
+
+ my $host = $url_info->host;
+ my $port = $url_info->port;
+ my $tmpfile = "/tmp/donepanel-$$";
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"$uri\" $host:$port > $tmpfile");
+ } else {
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"$uri\" $host:$port > $tmpfile");
+ }
+ my $content = `cat $tmpfile`;
+ system("rm $tmpfile");
+
+ &PKI::RA::Wizard::debug_log("req = " . $content);
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+
+ &PKI::RA::Wizard::debug_log("DonePanel: result " . $content);
+ my $tmp = `rm $instDir/conf/.pwfile`;
+}
+
+sub get_kra_transport_cert
+{
+ my ($sdom) = @_;
+
+ my $sdom_info = new URI::URL($sdom);
+
+ # register RA to Security Domain
+ # submit request to CA
+ &PKI::RA::Wizard::debug_log("DonePanel: Connecting to KRA");
+
+ my $krainfo = $::config->get("preop.krainfo.select");
+ my $krainfo_url = new URI::URL($krainfo);
+
+ my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
+ my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
+ my $session_id = $::config->get("preop.sessionID");
+
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $tokenname = $::config->get("preop.module.token");
+ my $token_pwd = $::pwdconf->get($tokenname);
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+
+ my $params = "sessionID=" . $session_id . "&" .
+ "auth_hostname=" . $sdom_info->host . "&" .
+ "auth_port=" . $sdom_info->port;
+
+ my $host = $krainfo_url->host;
+ my $port = $krainfo_url->port;
+ my $tmpfile = "/tmp/donepanel-$$";
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/kra/admin/kra/getTransportCert\" $host:$port > $tmpfile");
+ } else {
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -r \"/kra/admin/kra/getTransportCert\" $host:$port > $tmpfile");
+ }
+ my $content = `cat $tmpfile`;
+ system("rm $tmpfile");
+
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+
+ my $parser = XML::Simple->new();
+ my $response = $parser->XMLin($content);
+ my $transportCert = $response->{TransportCert};
+
+ &PKI::RA::Wizard::debug_log("DonePanel: TransportCert " . $transportCert);
+
+ return $transportCert;
+}
+
+sub send_kra_transport_cert
+{
+ my ($sdom, $certificate) = @_;
+
+ my $sdom_info = new URI::URL($sdom);
+
+ # register RA to Security Domain
+ # submit request to CA
+ &PKI::RA::Wizard::debug_log("DonePanel: Connecting to TKS");
+ my $tksinfo = $::config->get("preop.tksinfo.select");
+ my $tksinfo_url = new URI::URL($tksinfo);
+
+ my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
+ my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
+ my $session_id = $::config->get("preop.sessionID");
+
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $tokenname = $::config->get("preop.module.token");
+ my $token_pwd = $::pwdconf->get($tokenname);
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+
+ my $name = "transportCert-" . $machineName . "-" . $securePort;
+ my $params = "name=" . $name . "&" .
+ "certificate=" .
+ URI::Escape::uri_escape("$certificate") . "&" .
+ "xmlOutput=true" . "&" .
+ "sessionID=" . $session_id . "&" .
+ "auth_hostname=" . $sdom_info->host . "&" .
+ "auth_port=" . $sdom_info->port;
+
+ my $host = $tksinfo_url->host;
+ my $port = $tksinfo_url->port;
+ my $tmpfile = "/tmp/donepanel-$$";
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/tks/admin/tks/importTransportCert\" $host:$port > $tmpfile");
+ } else {
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -r \"/tks/admin/tks/importTransportCert\" $host:$port > $tmpfile");
+ }
+
+ my $content = `cat $tmpfile`;
+ system("rm $tmpfile");
+
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+
+ &PKI::RA::Wizard::debug_log("DonePanel: Response from TKS " . $content);
+}
+
+sub display
+{
+ my ($q) = @_;
+ # $symbol{systemType} = "ra";
+ # $symbol{host} = "chico";
+ # $symbol{port} = "443";
+ &PKI::RA::Wizard::debug_log("DonePanel: display");
+
+ my $status = $::config->get("preop.done.status");
+ if ($status eq "done") {
+ return 1;
+ }
+
+ my $instDir = $::config->get("service.instanceDir");
+ my $tokenname = $::config->get("preop.module.token");
+ my $token_pwd = $::pwdconf->get($tokenname);
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ if (($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) {
+ open(PWD_CONF, ">>$instDir/conf/password.conf");
+ print PWD_CONF "$tokenname:$token_pwd\n";
+ close (PWD_CONF);
+ }
+
+ # Add this RA's server certificate to the subsystems
+ my $sdom = $::config->get("config.sdomainEEURL");
+ my $cainfo = $::config->get("preop.cainfo.select");
+ $cainfo =~ s/.* - //g;
+ &register_ra($sdom, $cainfo, $::config->get("conn.ca1.servlet.addagent"), "CA");
+
+ $::config->put("preop.done.status", "done");
+ $::config->commit();
+
+ # update httpd.conf
+ open(TMP_HTTPD_CONF, ">$instDir/conf/httpd.conf.tmp");
+ system( "chmod 00660 $instDir/conf/httpd.conf.tmp" );
+ open(HTTPD_CONF, "<$instDir/conf/httpd.conf");
+ while (<HTTPD_CONF>) {
+ if (/^#\[ErrorDocument_404\]/) {
+ print TMP_HTTPD_CONF "ErrorDocument 404 /404.html\n";
+ } elsif (/^#\[ErrorDocument_500\]/) {
+ print TMP_HTTPD_CONF "ErrorDocument 500 /500.html\n";
+ } else {
+ print TMP_HTTPD_CONF $_;
+ }
+ }
+ close(HTTPD_CONF);
+ close(TMP_HTTPD_CONF);
+
+ # Create a copy of the original file which
+ # preserves the original file permissions
+ system( "cp -p $instDir/conf/httpd.conf.tmp $instDir/conf/httpd.conf" );
+
+ # Remove the original file only if the backup copy was successful
+ if( -e "$instDir/conf/httpd.conf" ) {
+ system( "rm $instDir/conf/httpd.conf.tmp" );
+ }
+
+ # update nss.conf
+ open(TMP_NSS_CONF, ">$instDir/conf/nss.conf.tmp");
+ system( "chmod 00660 $instDir/conf/nss.conf.tmp" );
+ open(NSS_CONF, "<$instDir/conf/nss.conf");
+ while (<NSS_CONF>) {
+ if (/^NSSNickname/) {
+ print TMP_NSS_CONF "NSSNickname \"$nickname\"\n";
+ } else {
+ print TMP_NSS_CONF $_;
+ }
+ }
+ close(NSS_CONF);
+ close(TMP_NSS_CONF);
+
+ # Create a copy of the original file which
+ # preserves the original file permissions
+ system( "cp -p $instDir/conf/nss.conf.tmp $instDir/conf/nss.conf" );
+
+ # Remove the original file only if the backup copy was successful
+ if( -e "$instDir/conf/nss.conf" ) {
+ system( "rm $instDir/conf/nss.conf.tmp" );
+ }
+
+ &PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain");
+
+ my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
+ my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
+ my $instanceID = $::config->get("service.instanceID");
+
+ my $initDaemon = "pki-rad";
+ my $initCommand = "";
+ if( $^O eq "linux" ) {
+ $initCommand = "/sbin/service $initDaemon";
+ } else {
+ ## default case: e. g. - ( $^O eq "solaris" )
+ $initCommand = "/etc/init.d/$initDaemon";
+ }
+
+ $::symbol{host} = $machineName;
+ $::symbol{unsecurePort} = $unsecurePort;
+ $::symbol{port} = $securePort;
+ $::symbol{non_clientauth_port} = $non_clientauth_securePort;
+ $::symbol{initCommand} = $initCommand;
+ $::symbol{instanceID} = $instanceID;
+
+ $::config->deleteSubstore("preop.");
+ $::config->commit();
+
+ ## Create an empty file that designates the fact that although
+ ## this server instance has been configured, it has NOT yet
+ ## been restarted!
+ my $restart_server = "$instDir/conf/restart_server_after_configuration";
+ system( "touch $restart_server" );
+ system( "chmod 00660 $restart_server" );
+
+ system("rm $instDir/conf/*.txt $instDir/conf/*.der");
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/GlobalVar.pm b/base/ra/lib/perl/PKI/RA/GlobalVar.pm
new file mode 100755
index 000000000..388a41349
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/GlobalVar.pm
@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+
+package PKI::RA::GlobalVar;
+$PKI::RA::GlobalVar::VERSION = '1.00';
+
+sub new {
+ my $class = shift;
+ my $self = {};
+ my %args = (@_);
+ foreach my $q (keys %args) {
+ $self->{$q} = $args{$q};
+ }
+ bless $self,$class;
+ return $self;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm b/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm
new file mode 100755
index 000000000..9f9bef94a
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm
@@ -0,0 +1,142 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use URI::URL;
+
+package PKI::RA::ImportAdminCertPanel;
+$PKI::RA::ImportAdminCertPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(15);
+ $self->{"getName"} = &PKI::RA::Common::r("Import Administrator Certificate");
+ $self->{"vmfile"} = "importadmincertpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: update");
+
+ # register to Security Domain
+ my $sdom = $::config->get("config.sdomainAgentURL");
+ my $sdom_url = new URI::URL($sdom);
+
+ #
+ # we need to authenticate to the security domain with the subsystem
+ # certificate
+ #
+ my $machineName = $::config->get("service.machineName");
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $securePort = $::config->get("service.securePort");
+ my $subsystemName = $::config->get("preop.subsystem.name");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ my $name = $subsystemName;
+ my $subCertNickName = $::config->get("preop.cert.subsystem.nickname");
+
+ $db_password =~ s/\n$//g;
+
+ my $params = "list=" . "RAList" . "&" .
+ "type=" . "RA" . "&" .
+ "host=" . $machineName . "&" .
+ "name=" . $name . "&" .
+ "sport=" . $securePort . "&" .
+ "dm=false"; # domain manager or not
+
+ my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$subCertNickName\" -r \"/ca/agent/ca/updateDomainXML?$params\" $sdom_url->host:$sdom_url->port`;
+
+ # Fetch the "updated" security domain and display it
+ &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: Dump contents of updated Security Domain . . .");
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ my $sdom_info = new URI::URL($sdomainAdminURL);
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $sd_host = $sdom_info->host;
+ my $sd_admin_port = $sdom_info->port;
+ my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`;
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+ &PKI::RA::Wizard::debug_log($content);
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: display");
+
+ my $cainfo = $::config->get("preop.cainfo.select");
+
+ my $cainfo_url = new URI::URL($cainfo);
+ my $serialNumber = $::config->get("preop.admincert.serialno.0");
+
+ $::symbol{info} = "";
+ $::symbol{errorString} = "";
+ $::symbol{import} = "true";
+ $::symbol{ca} = "false";
+ $::symbol{caType} = "ca";
+ $::symbol{caHost} = $cainfo_url->host;
+ $::symbol{caPort} = $cainfo_url->port;
+ $::symbol{serialNumber} = $serialNumber;
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/Login.pm b/base/ra/lib/perl/PKI/RA/Login.pm
new file mode 100755
index 000000000..d248e5481
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/Login.pm
@@ -0,0 +1,466 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+# wizard -
+# Fedora Certificate System - Registration Authority System configuration wizard
+
+
+# This script is run as a 'mod_perl' CGI. Configure mod_perl by adding
+# the following to /etc/httpd/conf.d/perl.conf
+#
+# PerlModule ModPerl::Registry
+# PerlModule Apache::compat
+# PerlModule PKI::RA::Wizard
+# PerlSetEnv PKI_DOCROOT /u/sparkins/t/cs_tip/certsystem/prj/common/ui
+# <Location /wizard>
+# SetHandler perl-script
+# PerlHandler PKI::RA::Wizard
+# Order deny,allow
+# Allow from all
+# </Location>
+
+
+# Note: The Velocity parser is not very helpful when it comes to
+# errors right now. Here are some common errors, and what they mean:
+#
+# ERROR:
+# [Mon Apr 03 13:57:33 2006] [error] [client 172.16.24.26]
+# Can't use string ("0") as an ARRAY ref while "strict refs"
+# in use at /usr/lib/perl5/site_perl/5.8.5/Template/Velocity.pm
+# line 423.\n, referer: http://chico/wizard?p=2
+# MEANING
+# This probably means that your *.vm file refers to an array
+# variable in a foreach statement that is not defined
+# Check your foreach array variables.
+
+use warnings;
+use ModPerl::Registry;
+use Template::Velocity;
+use Getopt::Std;
+use Data::Dumper;
+use CGI::Carp qw(fatalsToBrowser);
+use CGI;
+use APR::Const -compile => qw(:error SUCCESS);
+use PKI::RA::GlobalVar;
+use PKI::RA::WelcomePanel;
+use PKI::RA::SecurityDomainPanel;
+use PKI::RA::DisplayCertChainPanel;
+use PKI::RA::SubsystemTypePanel;
+use PKI::RA::CAInfoPanel;
+use PKI::RA::TKSInfoPanel;
+use PKI::RA::DRMInfoPanel;
+use PKI::RA::DisplayCertChain2Panel;
+use PKI::RA::AdminAuthPanel;
+use PKI::RA::AgentAuthPanel;
+use PKI::RA::DatabasePanel;
+use PKI::RA::ModulePanel;
+use PKI::RA::SizePanel;
+use PKI::RA::NamePanel;
+use PKI::RA::ConfigHSMLoginPanel;
+use PKI::RA::CertRequestPanel;
+use PKI::RA::AdminPanel;
+use PKI::RA::ImportAdminCertPanel;
+use PKI::RA::LoginPanel;
+use PKI::RA::DonePanel;
+use PKI::RA::Config;
+
+use PKI::RA::Common qw(yes no r);
+
+package PKI::RA::Login;
+$PKI::RA::Login::VERSION = '1.00';
+
+# read configuration file
+my $flavor = "pki";
+$flavor =~ s/\n//g;
+
+my $pkiroot = $ENV{PKI_ROOT};
+
+my $config = PKI::RA::Config->new();
+$config->load_file("$pkiroot/conf/CS.cfg");
+# read password cache file
+my $pwdconf = PKI::RA::Config->new();
+$pwdconf->load_file("$pkiroot/conf/pwcache.conf");
+# SELinux disallows performing a "chmod" on this file
+if( $^O ne "linux" ) {
+ system( "chmod 00660 $pkiroot/conf/pwcache.conf" );
+}
+
+# create cfg debug log
+my $logfile = $config->get("service.instanceDir") . "/logs/debug";
+open( DEBUG, ">>" . $logfile ) ||
+warn( "Could not open '" . $logfile . "': $!" );
+
+# apache server
+
+our $debug;
+
+my $STATUS_OK = 1;
+my $STATUS_ERROR = 2;
+my $STATUS_REDIRECT = 3;
+
+&debug_log("RA wizard: starting up");
+
+my $docroot = $ENV{PKI_DOCROOT};
+
+if (! $docroot) {
+ &debug_log("RA wizard: ERROR: PKI_DOCROOT is null");
+ return 0;
+}
+
+our $parser = new Template::Velocity($docroot);
+our $symbol;
+our @certtags;
+
+makepanels();
+
+&debug_log("RA wizard: start up complete");
+
+1;
+
+sub debug_log
+{
+ my ($msg) = @_;
+ my $date = `date`;
+ chomp($date);
+ if( -w $logfile ) {
+ print DEBUG "$date - $msg\n";
+ }
+}
+
+ # initializes entries in parser's global symbol table for panels
+sub makepanels
+{
+ #REAL PANELS BELOW
+ my $login = new PKI::RA::LoginPanel();
+
+ $symbol{panels} = [
+ $login, # com.netscape.cms.servlet.csadmin.WelcomePanel
+ ];
+};
+
+sub render_panel
+{
+ my ($panelnum, $q) = @_;
+
+ $symbol{errorString} = "";
+
+ my $currentpanel;
+
+ if ($q->param('op') && $q->param('op') eq "next") {
+ $currentpanel = $symbol{panels}[$panelnum];
+ # validate variables for panel
+ if ($currentpanel->{validate}) {
+ $currentpanel->{validate}($q);
+ }
+ # execute current panel
+ my $status = "0";
+
+ if ($currentpanel->{update}) {
+ $status = $currentpanel->{update}($q);
+ &debug_log("RA wizard: update returns status '" .
+ $status . "'");
+ if ($status == $STATUS_REDIRECT) {
+ return $STATUS_REDIRECT;
+ }
+
+ }
+
+ &debug_log("RA wizard: about to find out about sub panel");
+ if ($status eq "1") {
+ if ($currentpanel->{hasSubPanel} && &{$currentpanel->{hasSubPanel}}($q)) {
+ &debug_log("RA wizard: has sub panel");
+ $panelnum = $panelnum + 2;
+ } elsif ($currentpanel->{isSubPanel} && &{$currentpanel->{isSubPanel}}($q)) {
+ &debug_log("RA wizard: is sub panel");
+ $panelnum = $panelnum - 1;
+ } else {
+ &debug_log("RA wizard: no sub panel and is not subpanel");
+ $panelnum = $panelnum + 1;
+ }
+ }
+ } elsif ($q->param('op') && $q->param('op') eq "back") {
+ $panelnum = $panelnum - 1;
+ #check if this a subpanel, if so, go back to it's parent.
+ #only handles one-deep at this point
+ my $panel = $symbol{panels}[$panelnum];
+ if (&{$panel->{isSubPanel}}($q)) {
+ $panelnum = $panelnum - 1;
+ }
+ } elsif ($q->param('op') && $q->param('op') eq "apply") {
+ &debug_log("RA wizard: update : apply button pressed");
+ $currentpanel = $symbol{panels}[$panelnum];
+ # validate variables for panel
+ if ($currentpanel->{validate}) {
+ $currentpanel->{validate}($q);
+ }
+ # execute current panel
+ if ($currentpanel->{update}) {
+ my $status = $currentpanel->{update}($q);
+ &debug_log("RA wizard: update returns status '" .
+ $status . "'");
+ if ($status == $STATUS_REDIRECT) {
+ return $STATUS_REDIRECT;
+ }
+
+ }
+ }
+
+ &debug_log("RA wizard: after looking into about sub panel");
+
+ # advance to next panel
+ $currentpanel = $symbol{panels}[$panelnum];
+
+ # initialize symbol table values
+ $symbol{showApplyButton} = "false";
+
+ # fill in variables for new panel
+ if ($currentpanel->{panelvars}) {
+ $Data::Dumper::Indent = 1;
+ # The '&debug_log("q=".Dumper($q));' call must be commented out to fix
+ # Bugzilla Bug #249923: Incorrect file permissions on
+ # various files and/or directories
+ # &debug_log("q=".Dumper($q));
+ $currentpanel->{panelvars}($q);
+ }
+
+ $symbol{panel} = "ra/admin/console/config/".$currentpanel->{vmfile};
+
+ #wizard.vm:
+ $symbol{name} = "Registration Authority System";
+ $symbol{title} = $currentpanel->{getName}();
+ if ($panelnum == 0) {
+ $symbol{firstpanel} = "1";
+ } else {
+ $symbol{firstpanel} = "0";
+ }
+ if ($panelnum == 17) {
+ $symbol{lastpanel} = "1";
+ } else {
+ $symbol{lastpanel} = "0";
+ }
+ $symbol{p} = $panelnum;
+ $symbol{subpanelno} = $panelnum+1;
+ $symbol{csstate} = "1";
+
+# $symbol{urls} = [ "cert1", "cert2" ]; #createsubsystem
+# $symbol{urls_size} = 2;
+# $symbol{instanceId} = "ra";
+# $symbol{errorString} = "";
+
+ #modulepanel
+# $symbol{certs} = [ ];
+# $symbol{reqscerts} = [ ];
+ $symbol{ppcerts} = [ ];
+
+ return $STATUS_OK;
+}
+
+
+
+sub dbg {
+ my $msg = shift;
+ $::symbol{dbg} .= "$msg\n";
+}
+
+sub handler {
+ my $r = shift;
+
+ *::symbol = \%symbol;
+ *::s = \$s;
+ *::config = \$config;
+ *::pwdconf = \$pwdconf;
+
+ &debug_log("RA wizard: in handler");
+ if ($#ARGV == -1) {
+ $r->send_http_header('text/html');
+ }
+
+ my $q = new CGI;
+
+ # check cookie
+ my $pin = $q->param('pin');
+ if (defined($pin)) {
+ my $cookie = $q->cookie(
+ -name=>'pin',
+ -value=> $pin,
+ -expires=>'+1y',
+ -path=>'/');
+ print $q->redirect(-location => "wizard", -cookie => $cookie);
+ return;
+ }
+
+ # output http parameters
+ &debug_log("RA wizard: uri='" . $ENV{REQUEST_URI} . "'");
+ my @pnames = $q->param();
+ foreach $pn (@pnames) {
+ # added this facility so that password can be hidden,
+ # all sensitive parameters should be prefixed with
+ # __ (double underscores); however, in the event that
+ # a security parameter slips through, we perform multiple
+ # additional checks to insure that it is NOT displayed
+ if( $pn =~ /^__/ ||
+ $pn =~ /password$/ ||
+ $pn =~ /passwd$/ ||
+ $pn =~ /pwd$/ ||
+ $pn =~ /admin_password_again/i ||
+ $pn =~ /directoryManagerPwd/i ||
+ $pn =~ /bindpassword/i ||
+ $pn =~ /bindpwd/i ||
+ $pn =~ /passwd/i ||
+ $pn =~ /password/i ||
+ $pn =~ /pin/i ||
+ $pn =~ /pwd/i ||
+ $pn =~ /pwdagain/i ||
+ $pn =~ /uPasswd/i ) {
+ &debug_log("RA wizard: http parameter name='" . $pn . "' value='(sensitive)'");
+ } else {
+ &debug_log("RA wizard: http parameter name='" . $pn . "' value='" . $q->param($pn) . "'");
+ }
+ }
+
+ my $panelnum = $q->param('p');
+ if (!defined($panelnum) || $panelnum eq "") {
+ # Apache fails to pick up the p parameter after
+ # redirecting from the security domain. This is
+ # a quick hack to solve the issue.
+ if ($ENV{'QUERY_STRING'} ne "") {
+ $ENV{'QUERY_STRING'} =~ /p=([0-9]+)&/;
+ $panelnum = $1;
+ }
+ }
+
+ use subs qw(debug);
+ *debug = \&Template::Velocity::Executor::debug;
+
+ $::symbol{dbg} = "";
+
+ &debug_log("RA wizard: before argparsing");
+ if ($#ARGV == -1) {
+ $Data::Dumper::Maxdepth = 7;
+ $startfile = "ra/admin/console/config/login.vm";
+ }
+
+ &debug_log("RA wizard: setting up test objects");
+
+ #initialize from config file
+ my $certlist = $::config->get("preop.cert.list");
+ if ($certlist eq "") {
+ $certlist = "sslserver,subsystem";
+ }
+ @certtags = split(/,/, $certlist);
+ $numtags = @certtags;
+ if ($numtags eq 0) {
+ @certtags = ("sslserver", "subsystem");
+ }
+ &debug_log("RA wizard: found $numtags certtags");
+
+ if (! $panelnum) {
+ $panelnum = 0;
+ }
+
+ my $status = render_panel($panelnum, $q);
+ if ($status == 3) {
+ $r->header_out(Location => $symbol{redirect});
+ $r->status(301);
+ $r->send_http_header();
+ return;
+ }
+
+ use Data::Dumper;
+ &debug_log("RA wizard: executing file $startfile");
+ foreach $q (sort keys %symbol) {
+ &debug_log("RA wizard:/config/wizard?p=9&SecToken=NSS%20Generic%20Crypto%20Services sym{$q}=".$symbol{$q});
+ }
+
+ my $result;
+ if ($q->param("xml") eq "true") {
+ $r->send_http_header('text/xml');
+ $result = "<xml>";
+ foreach $s (sort keys %symbol) {
+ if ($s =~ /^__/) {
+ next;
+ }
+ $result .= "<" . $s . ">";
+ my $v = $symbol{$s};
+ $result .= &get_xml($s, $v);
+ $result .= "</" . $s . ">";
+ }
+ $result .= "</xml>";
+ } else {
+ $result = $parser->execute_file($startfile);
+ if (!defined $result) {
+ die("Couldn't execute template file: $docroot/$startfile");
+ }
+ }
+
+ print "$result\n";
+ return $STATUS_OK;
+}
+
+sub get_xml
+{
+ my ($s, $v) = @_;
+
+ my $result;
+ if (ref($v) eq "HASH") {
+ foreach my $xkey (keys %$v) {
+ $result .= "<" . $xkey . ">";
+ $result .= &get_xml($xkey, $v{$xkey});
+ # $result .= "-" . ref($xkey);
+ $result .= "</" . $xkey . ">";
+ }
+ } elsif (ref($v) eq "PKI::RA::CertInfo") {
+ my $certinfo = $v;
+ $result .= "<certinfo>";
+ $result .= "<dn>" . $certinfo->get_dn() ."</dn>";
+ $result .= "<tag>" . $certinfo->get_cert_tag() . "</tag>";
+ $result .= "<friendly>" . $certinfo->get_user_friendly_name() .
+ "</friendly>";
+ $result .= "</certinfo>";
+ } elsif (ref($v) eq "PKI::RA::ReqCertInfo") {
+ my $reqcertinfo = $v;
+ $result .= "<reqcertinfo>";
+ $result .= "<name>" . $reqcertinfo->get_user_friendly_name() ."</name>";
+ $result .= "<req>" . $reqcertinfo->get_request() ."</req>";
+ $result .= "<cert>" . $reqcertinfo->get_cert() ."</cert>";
+ $result .= "<certpp>" . $reqcertinfo->get_cert_pp() ."</certpp>";
+ $result .= "<tag>" . $reqcertinfo->get_cert_tag() ."</tag>";
+ $result .= "<dn>" . $reqcertinfo->get_cert_tag() ."</dn>";
+ $result .= "</reqcertinfo>";
+ } elsif (ref($v) eq "ARRAY") {
+ my $pos = 0;
+ foreach my $item (@$v) {
+ $result .= "<element>";
+ $result .= &get_xml("p" . $pos, $item);
+ # $result .= "-" . ref($item);
+ $result .= "</element>";
+ $pos++;
+ }
+ } else {
+ $result .= $v;
+ }
+ return $result;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/LoginPanel.pm b/base/ra/lib/perl/PKI/RA/LoginPanel.pm
new file mode 100755
index 000000000..66f40acfe
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/LoginPanel.pm
@@ -0,0 +1,91 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::LoginPanel;
+$PKI::RA::LoginPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(0);
+ $self->{"getName"} = &PKI::RA::Common::r("Welcome");
+ $self->{"vmfile"} = "login.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("WelcomePanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("WelcomePanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log($ENV{'SERVER_PORT'});
+ &PKI::RA::Wizard::debug_log("Debug=" . $::config->get("logging.debug.enable"));
+ &PKI::RA::Wizard::debug_log("WelcomePanel: display");
+ $::symbol{wizardname} = "RA Configuration Wizard";
+ $::symbol{systemname} = "RA";
+ $::symbol{fullsystemname} = "Registration Authority";
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/ModulePanel.pm b/base/ra/lib/perl/PKI/RA/ModulePanel.pm
new file mode 100755
index 000000000..87ce056bc
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/ModulePanel.pm
@@ -0,0 +1,273 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use PKI::RA::Modutil;
+
+package PKI::RA::ModulePanel;
+$PKI::RA::ModulePanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+our $modutil;
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(9);
+ $self->{"getName"} = &PKI::RA::Common::r("Security Modules");
+ $self->{"vmfile"} = "modulepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+
+ my $flavor = "pki";
+ $flavor =~ s/\n//g;
+
+ my $pkiroot = $ENV{PKI_ROOT};
+ $modutil = new PKI::RA::Modutil("$pkiroot/alias");
+
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 1;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ my $defTok = $::config->get("preop.module.token");
+ my $select = $q->param('choice');
+ if ($select eq "") {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> update no selection found");
+ $::symbol{errorString} = "No selection found";
+ return 0;
+ } elsif ($defTok ne $select) {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> update changing defTok to $select");
+ $::config->put("preop.module.token", $select);
+ $::config->put("preop.ModulePanel.done", "true");
+ } else {
+ # this is not an error...just information
+ &PKI::RA::Wizard::debug_log("ModulePanel -> update defTok not changed");
+ }
+
+ $::config->commit();
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("ModulePanel -> display");
+ getModules();
+ my $defTok = $::config->get("preop.module.token");
+
+ $::symbol{defTok} = $defTok;
+
+ return 1;
+}
+
+use Data::Dumper;
+sub getTokens {
+ my $modulename = shift;
+
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getTokens");
+
+#$Data::Dumper::Indent = 0;
+#PKI::RA::Wizard::dbg("in gettokens. modutil = ".Dumper($modutil));
+ my @tokens;
+ my $mod = $modutil->getmodule($modulename);
+ foreach my $tokenname (keys %{$mod->{tokens}}) {
+ #PKI::RA::Wizard::dbg("found token $tokenname");
+ if ($tokenname ne "NSS Generic Crypto Services") {
+ my $token = $modutil->gettoken($tokenname);
+ my $t = new PKI::RA::GlobalVar(
+ getNickName => sub { return $tokenname; },
+ isLoggedIn => sub { return isLoggedIn($tokenname); },
+ isPresent => sub { return 1; },
+ );
+ push @tokens, $t;
+ } else {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getTokens token NSS Generic Crypto Services not available for key generation");
+
+ }
+ }
+
+ return \@tokens;
+}
+
+# if password is found, then it's considered "logged in"
+# otherwise it is "not logged in"
+sub Login {
+ my $tokenname = $_[0];
+ my $pwd = $::pwdconf->get($tokenname);
+ if ($pwd ne "") {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> isLoggedIn retrieved pwd from pwdconf");
+ return 1;
+ }
+ &PKI::RA::Wizard::debug_log("ModulePanel -> isLoggedIn pwd not found from pwdconf for token: $tokenname");
+
+ if ($tokenname eq "NSS Certificate DB") {
+ my $instanceDir = $::config->get("service.instanceDir");
+ &PKI::RA::Wizard::debug_log("ModulePanel -> isLoggedIn get internal password for $tokenname");
+ # these are referred as "internal" in password.conf
+ $pwd = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $pwd =~ s/\n//g;
+ $::pwdconf->put($tokenname, $pwd);
+ $::pwdconf->commit();
+
+ return 1;
+ }
+ return 0;
+}
+
+sub isLoggedIn {
+ my $tokenname = $_[0];
+ return &Login($tokenname);
+}
+
+sub getModules {
+ my $count;
+ my $i;
+ my @supportedModules;
+
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules");
+ $count = $::config->get("preop.configModules.count");
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules count =$count");
+
+ my @modules = $modutil->getmodules();
+ # $::symbol{steve} = join ",Module:", @modules;
+ # $::symbol{steve}.= "\n";
+
+ my $x = "
+ preop.configModules.count=3
+ preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
+ preop.configModules.module0.imagePath=../img/mozilla.png
+ preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
+ preop.configModules.module1.commonName=nfast
+ preop.configModules.module1.imagePath=../img/ncipher.png
+ preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
+ preop.configModules.module2.commonName=lunasa
+ preop.configModules.module2.imagePath=../img/safenet.png
+ preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
+ ";
+
+ my %supmodules;
+ for ($i=0; $i <$count; $i++) {
+ my $cn;
+ my $pn;
+ my $img;
+# &PKI::RA::Wizard::debug_log("ModulePanel -> getModules look for cn=","preop.configModules.module" , $i , ".commonName");
+ $cn = $::config->get("preop.configModules.module$i.commonName");
+ $supmodules{$cn} = 1;
+
+ $pn = $::config->get("preop.configModules.module$i.userFriendlyName");
+ $img = $::config->get("preop.configModules.module$i.imagePath");
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules: got module $cn from config");
+
+ my $module = $modutil->getmodule($cn);
+ my $file = $module->{detail}->{"Library file"};
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules Library file = $file");
+ my $found = 0;
+ if ($file) {
+ $found = ($file =~ /Internal ONLY module/) || -e $file;
+ }
+
+ my $name = $module->{detail}->{Name};
+# PKI::RA::Wizard::dbg("name: $name");
+
+ $supportedModules[$i] = new PKI::RA::GlobalVar(
+ getImagePath => sub { return $img; },
+ getUserFriendlyName => sub { return $pn; },
+ isFound => sub { return $found; },
+ getTokens => sub { return getTokens($name); },
+ );
+
+ # login to tokens
+ &PKI::RA::Wizard::debug_log("Ready to login to tokens for $name");
+ my $mod = $modutil->getmodule($name);
+ foreach my $tokenname (keys %{$mod->{tokens}}) {
+ &PKI::RA::Wizard::debug_log("Logging in Module $name Token " . $tokenname);
+ &Login($tokenname);
+ }
+
+ }
+
+ my @otherModules;
+ #compile the "others" modules
+
+ foreach my $modname (@modules) {
+ #is this modname in the supported modules list?
+ if ($supmodules{$modname}) {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules: found module $modname supported");
+ # does not belong to "others"
+ } else {
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules: found module $modname unsupported");
+ #add the module to "others" list
+ my $m = $modutil->getmodule($modname);
+ my $mod = new PKI::RA::GlobalVar(
+ getImagePath => sub { return ""; },
+ getUserFriendlyName => sub { return $m->{modulename}; },
+ isFound => sub { return 1; },
+ getTokens => sub { return getTokens($m->{detail}->{Name});}
+ );
+
+ push @otherModules, $mod;
+
+ &PKI::RA::Wizard::debug_log("ModulePanel -> getModules: module $modname added to otherModules list");
+ }
+ }
+
+ $::symbol{sms} = \@supportedModules;
+ $::symbol{oms} = \@otherModules;
+# PKI::RA::Wizard::dbg("oms: ". Dumper([@otherModules]));
+# PKI::RA::Wizard::dbg("sms: ". Dumper([@supportedModules]));
+
+ &PKI::RA::Wizard::debug_log("ModulePanel -> set sms, oms");
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/Modutil.pm b/base/ra/lib/perl/PKI/RA/Modutil.pm
new file mode 100755
index 000000000..82c66e87d
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/Modutil.pm
@@ -0,0 +1,262 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package PKI::RA::Modutil;
+
+
+sub new {
+ my $class = shift;
+ my ($dir) = @_;
+
+ if (! $dir) { die "no module directory provided\n"; }
+
+ my $self = {};
+
+ $self->{dir} = $dir;
+ $self->{modules} = makemodules($self);
+
+ bless $self, $class;
+ return $self;
+}
+
+sub exists {
+ my $self = shift;
+
+ return -e "$self->{dir}/secmod.db";
+}
+
+sub create {
+ my $self = shift;
+
+ my $mods = `modutil -force -dbdir '$self->{dir}' -nocertdb -create`;
+ return $mods;
+}
+
+use Data::Dumper;
+
+sub makemodules {
+ my $self = shift;
+ my $modules = {};
+
+ my $mods = `modutil -force -dbdir '$self->{dir}' -nocertdb -list`;
+ #my $mods = join "",<::DATA>;
+
+ #print "raw mods = $mods";
+
+ my (@modules) = (
+ $mods =~ /
+ ^ #beginning of a line
+ \s+ #some spaces
+ \d+\.\s* #some digits
+ (.*?) #lots of text
+ ((?=^\s*\d+)|(?=------)) #if we would next match some spaces and digits
+ /msxg );
+
+ @modules = grep /.+/ms, @modules;
+
+ foreach $module (@modules) {
+ #print "Module #$i:$module --\n";
+ $module = "modulename:$module";
+ my ($moduleheader, $rest) = (
+ $module =~ /
+ (.*status: .*?\n) # moduleheader
+ (\s*slot:.*) # slot
+ (?=\n(\n|$)) #empty line
+ /msxg );
+ #print "moduleheader: $moduleheader\n";
+ my $m = makehash($moduleheader);
+ $modules->{$m->{modulename}} = $m;
+ $m->{tokens} = {};
+
+ my @tokens = split "\n\n", $rest;
+
+
+
+# get summary slot info with: -list
+ foreach my $token (@tokens) {
+ #print "slottext: $slot\n";
+ my $slh = makehash($token);
+ $m->{tokens}->{$slh->{token}} = $slh;
+ }
+
+# get detailed slot info with: -list "modulename"
+
+ my $moduledetail = `modutil -force -dbdir '$self->{dir}' -nocertdb -list "$m->{modulename}" 2> /dev/null`;
+ my @details= split "\n\n", $moduledetail;
+ while ($details[0] !~ /.*Name:.*/) {
+ shift @details;
+ };
+ $m->{detail} = makehash(shift @details);
+ foreach $d (@details) {
+ my $sdh = makehash($d);
+ my $tokenname = $sdh->{"Token Name"};
+ $tokenname =~ s/\s+$//; # remove trailing spaces
+ if ($tokenname) {
+ $m->{tokens}->{$tokenname}->{detail} = $sdh;
+ }
+ }
+ $i++;
+
+ }
+ return $modules;
+}
+
+# input: a multi-list string with nv/pairs
+# return a hashtable reference
+sub makehash {
+ my $str = shift;
+ my $ht = { };
+ my @lines = split "\n", $str;
+ my $line;
+LINE:
+ foreach $line (@lines) {
+ if ($line =~ /Using database directory/) { next LINE; }
+ if ($line =~ /--------------/) { next LINE; }
+ my ($name, $value) = ($line =~ /^\s*(.*?):\s*(.*?)\s*$/);
+ if ($name) {
+ #print "name:$name\n";
+ #print "value:$value\n";
+ $ht->{$name} = $value;
+ }
+ }
+ return $ht;
+}
+
+sub getmodules {
+ my $self = shift;
+ #print "modules: ".$self->{modules}. "\n";
+ #print "keys: ".(join ",",keys %{$self->{modules}})."\n";
+ return keys %{$self->{modules}};
+}
+
+sub getmodule {
+ my $self = shift;
+ my $modulename = shift;
+
+ #print Dumper($self->{modules});
+ return $self->{modules}->{$modulename};
+}
+
+
+sub gettokens {
+ my $self = shift;
+ my $module = shift;
+
+ return keys %{$module->{tokens}};
+}
+
+sub gettoken {
+ my $self = shift;
+ my $token= shift;
+ foreach my $m (values %{$self->{modules}}) {
+ foreach $t (values %{$m->{tokens}}) {
+ #print join ",", keys %{$t};
+ #print Dumper($t->{detail});
+ if ($t->{detail}->{"Token Name"} eq $token) {
+ return $t;
+ }
+ }
+ }
+}
+
+
+
+package main;
+
+sub ::test {
+
+# initialize
+ my $modutil = new PKI::RA::Modutil(".");
+
+#make database if it doesn't exist
+ if (! $modutil->exists()) {
+ $modutil->create();
+ }
+
+#get an array of module names
+ my @mods = $modutil->getmodules();
+
+ print "Found ".@mods." pkcs#11 modules\n";
+
+#for each module...
+ foreach my $modname (@mods) {
+ my $module = $modutil->getmodule($modname);
+
+ print "Module: $modname\n";
+ print "Library: ".$module->{detail}->{"Library file"}."\n";
+ print "Other keys: ".(join ",", keys %{$module->{detail}})."\n";
+
+#find all the tokens in a module, e.g. each partition for a lunasa
+ foreach my $tokenname ($modutil->gettokens($module)) {
+ print " token: $tokenname\n";
+ my $token = $modutil->gettoken($tokenname);
+
+#dump out the information we have on the token
+ foreach my $key (keys %{$token}) {
+ print " token keys/values: $key: ".$token->{$key}."\n";
+ }
+ my @detailkeys = (keys %{$token->{detail}}) ;
+ print " token detail keys:". (join ",", @detailkeys)."\n";
+ print " token detail Manufacturer:". $token->{detail}->{Manufacturer}."\n";
+ print "\n";
+ }
+ print "\n";
+ }
+
+}
+
+# this is where 'main' starts
+
+if ($ARGV[0] eq "--test") {
+ ::test();
+}
+
+1;
+
+__DATA__
+Listing of PKCS #11 Modules
+-----------------------------------------------------------
+ 1. NSS Internal PKCS #11 Module
+ slots: 2 slots attached
+ status: loaded
+
+ slot: NSS Internal Cryptographic Services
+ token: NSS Generic Crypto Services
+
+ slot: NSS User Private Key and Certificate Services
+ token: NSS Certificate DB
+
+ 2. lunasa
+ library name: /usr/lunasa/lib/libCryptoki2.so
+ slots: 2 slots attached
+ status: loaded
+
+ slot: LunaNet Slot
+ token: lunasa1-ca
+
+ slot: LunaNet Slot
+ token: lunasa2-ca
+-----------------------------------------------------------
+
+
diff --git a/base/ra/lib/perl/PKI/RA/NamePanel.pm b/base/ra/lib/perl/PKI/RA/NamePanel.pm
new file mode 100755
index 000000000..c30715aa2
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/NamePanel.pm
@@ -0,0 +1,570 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use FileHandle;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use PKI::RA::CertInfo;
+use URI::URL;
+use URI::Escape;
+
+package PKI::RA::NamePanel;
+$PKI::RA::NamePanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+our $cert_req_header="-----BEGIN NEW CERTIFICATE REQUEST-----";
+our $cert_req_footer="-----END NEW CERTIFICATE REQUEST-----";
+our $cert_header="-----BEGIN CERTIFICATE-----";
+our $cert_footer="-----END CERTIFICATE-----";
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(12);
+ $self->{"getName"} = &PKI::RA::Common::r("Subject Names");
+ $self->{"vmfile"} = "namepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("NamePanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("NamePanel: update");
+ my $instanceDir = $::config->get("service.instanceDir");
+
+ my $count = $q->param('urls');
+
+ &PKI::RA::Wizard::debug_log("NamePanel: update - selected ca= $count");
+
+ my $host = "";
+ my $https_ee_port = "";
+
+ my $useExternalCA = "off";
+ if ($count =~ /http/) {
+ my $info = new URI::URL($count);
+ $host = $info->host;
+ $https_ee_port = $info->port;
+ } else {
+ $host = $::config->get("preop.securitydomain.ca$count.host");
+ if ($host eq "") {
+ $useExternalCA = "on";
+ } else {
+ $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
+ &PKI::RA::Wizard::debug_log("NamePanel: update - host= $host, https_ee_port= $https_ee_port");
+ }
+ }
+ $::config->put("preop.certenroll.useExternalCA", $useExternalCA);
+
+ $::config->put("preop.ca.url", "https://" . $host . ":" . $https_ee_port);
+
+ my $tokenname = $::config->get("preop.module.token");
+ &PKI::RA::Wizard::debug_log("NamePanel: update got token name = $tokenname");
+ my $hw;
+ my $tk;
+
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ $hw = "";
+ $tk = "";
+ } else {
+ $hw = "-h $tokenname";
+ $tk = $tokenname.":";
+ }
+
+ # is nickname changed because of token (hardware) selection?
+ my $changed = "false";
+ foreach my $certtag (@PKI::RA::Wizard::certtags) {
+ &PKI::RA::Wizard::debug_log("NamePanel: update begins for certag= $certtag");
+ my $cert_dn = $q->param($certtag);
+ $::config->put("preop.cert.".$certtag.".dn", $cert_dn);
+ $::config->commit();
+
+ my $sslnickname = $::config->get("preop.cert.sslserver.nickname");
+ my $nickname = $q->param($certtag . "_nick");
+ if ($nickname ne "") {
+ &PKI::RA::Wizard::debug_log("NamePanel: update nickname for $certtag set to $nickname");
+ &PKI::RA::Wizard::debug_log("NamePanel: update nickname for $certtag being updated in config file");
+ $::config->put("preop.cert.".$certtag.".nickname", $nickname);
+ $::config->commit();
+ } else {
+ $nickname = $::config->get("preop.cert.$certtag.nickname");
+ if ($nickname eq "") {
+ $nickname = "RA ".$certtag." cert";
+ &PKI::RA::Wizard::debug_log("NamePanel: update nickname not found for $certtag -- try $nickname");
+ }
+ }
+
+ my $cert_request = $::config->get("preop.cert.$certtag.certreq");
+ if ($cert_request ne "") {
+ &PKI::RA::Wizard::debug_log("NamePanel: update do not generate new keys");
+ goto GEN_CERT;
+ }
+ &PKI::RA::Wizard::debug_log("NamePanel: update generate new keys");
+
+ # =====generate requests========
+ # getting new request should void old cert
+
+ my $file= "$instanceDir/conf/".$certtag."_cert.txt";
+ my $tmp = `rm $file`;
+
+ &PKI::RA::Wizard::debug_log("NamePanel: retrieving $tokenname from pwdconf");
+ my $token_pwd = $::pwdconf->get($tokenname);
+ &PKI::RA::Wizard::debug_log("NamePanel: creating pwfile");
+ open FILE, ">$instanceDir/conf/.pwfile";
+ system( "chmod 00660 $instanceDir/conf/.pwfile" );
+ $token_pwd =~ s/\n//g;
+ print FILE $token_pwd;
+ close FILE;
+
+ my $keytype = $::config->get("preop.cert.$certtag.keytype");
+ if ($keytype eq "") {
+ $keytype = "rsa";
+ }
+
+ my $select = $::config->get("preop.cert.$certtag.keysize.select");
+
+ my $keysize;
+
+ if ($keytype eq "rsa") {
+ $keysize = 2048;
+ } elsif ($keytype eq "ecc") {
+ $keysize = 256;
+ }
+
+ if (($select eq "") || ($select eq "default")) {
+ my $size = $::config->get("preop.cert.$certtag.keysize.size");
+ if ($size ne "") {
+ $keysize = $size;
+ }
+ } else {
+ my $size = $::config->get("preop.cert.$certtag.keysize.customsize");
+ if ($size ne "") {
+ $keysize = $size;
+ }
+ if (($keytype eq "ecc") && ($keysize ne 256)) {
+ &PKI::RA::Wizard::debug_log("NamePanel: update got keysize from config= $keysize changing to 256, the only supported ECC strength");
+ $keysize = 256;
+ }
+ }
+
+ &PKI::RA::Wizard::debug_log("NamePanel: update got key type $keytype");
+ my $req;
+ my $debug_req;
+ my $filename = "/tmp/random.$$";
+ `dd if\=/dev/urandom of\=\"$filename\" count\=256 bs\=1`;
+ if ($keytype eq "rsa") {
+ #XXX temporary
+ &PKI::RA::Wizard::debug_log("NamePanel: update "."certutil -R -s $cert_dn -k $keytype -g $keysize -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -a -z $filename");
+ my $tmpfile = "/tmp/req$$";
+ system("certutil -R -s \"$cert_dn\" -k $keytype -g $keysize -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -a -z $filename > $tmpfile");
+ $req = `cat $tmpfile`;
+ system("rm $tmpfile");
+ } elsif ($keytype eq "ecc") {
+ #only support curve nistp256 for now
+ my $tmpfile = "/tmp/req$$";
+ system("certutil -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -R -s \"$cert_dn\" -k ec -q nistp256 -a -z $filename> $tmpfile");
+ $req = `cat $tmpfile`;
+ system("rm $tmpfile");
+ } else {
+ &PKI::RA::Wizard::debug_log("NamePanel: update unsupported keytype $keytype");
+ }
+ system("rm $filename");
+
+ my $save_line = 0;
+ my @req_a = split "\n", $req;
+ foreach my $line (@req_a) {
+ chomp( $line );
+ $line =~ s/ //g;
+ if ($line eq $cert_req_header) {
+ $save_line = 1;
+ } elsif( $line eq $cert_req_footer ) {
+ $save_line = 0;
+ last;
+ } elsif( $save_line == 1 ) {
+ $cert_request .= "$line";
+ }
+ }
+ &PKI::RA::Wizard::debug_log("NamePanel: update putting cert_request in CS.cfg: $cert_request");
+ $::config->put("preop.cert.$certtag.certreq", $cert_request);
+ $::config->commit();
+
+GEN_CERT:
+# =====request for certs========
+# see if there is an existing cert
+
+ my $cert = $::config->get("preop.cert.$certtag.cert");
+ my $sdom = $::config->get("config.sdomainEEURL");
+ my $sdom_url = new URI::URL($sdom);
+
+ if (($useExternalCA eq "on") && ($certtag ne "subsystem")) {
+ &PKI::RA::Wizard::debug_log("NamePanel: update External CA selected");
+ if ($cert eq "") {
+ &PKI::RA::Wizard::debug_log("NamePanel: update no cert found...need manual enrollment");
+ }
+ } else {
+ if ($cert eq "") {
+ &PKI::RA::Wizard::debug_log("NamePanel: update External CA not selected...need automatic enrollment");
+
+ my $machineName = $::config->get("service.machineName");
+ my $securePort = $::config->get("service.securePort");
+ my $session_id = $::config->get("preop.sessionID");
+
+ if ($cert_request ne "") {
+ &PKI::RA::Wizard::debug_log("NamePanel: update found existing request: $cert_request");
+ } else {
+ &PKI::RA::Wizard::debug_log("NamePanel: update existing request not found");
+ #something is wrong...no request, no cert
+ goto DONE;
+ return $cert;
+ }
+
+ my $instanceID = $::config->get("service.instanceID");
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = "";
+ &PKI::RA::Wizard::debug_log("NamePanel: greping password");
+
+ my $tmpfile = "/tmp/grep$$";
+ system ("grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10- > $tmpfile");
+ $db_password = `cat $tmpfile`;
+ $db_password =~ s/\n$//g;
+ system("rm $tmpfile");
+
+ my $profile_id = $::config->get("preop.cert.$certtag.profile");
+ &PKI::RA::Wizard::debug_log("NamePanel: profileId=" . $profile_id);
+ my $requestor_name = "RA-" . $machineName . "-" . $securePort;
+ my $params = "profileId=" . $profile_id . "&" .
+ "cert_request_type=" . "pkcs10" . "&" .
+ "requestor_name=" . $requestor_name . "&" .
+ "cert_request=" .
+ URI::Escape::uri_escape("$cert_request") . "&" .
+ "xmlOutput=true" . "&" .
+ "sessionID=" . $session_id . "&" .
+ "auth_hostname=" . $sdom_url->host . "&" .
+ "auth_port=" . $sdom_url->port;
+
+ if ($certtag eq "subsystem") {
+ $host = $sdom_url->host;
+ $https_ee_port = $sdom_url->port;
+ }
+ if ($changed eq "true") {
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
+ } else {
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
+ }
+
+ &PKI::RA::Wizard::debug_log("debug_req = " . $debug_req);
+ my $content = `$req`;
+ &PKI::RA::Wizard::debug_log("content = " . $content);
+
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+
+ if ($content eq "") {
+ $::symbol{errorString} = "CA returned no response. Please check that the CA is available and also check the host's firewall settings.";
+ return 0;
+ }
+
+ my $parser = XML::Simple->new();
+ &PKI::RA::Wizard::debug_log("NamePanel: response content= " . $content);
+ my $response = $parser->XMLin($content);
+ my $status = $response->{Status};
+ if ($status ne "0") {
+ my $error = $response->{Error};
+ &PKI::RA::Wizard::debug_log("NamePanel: Error = $error");
+ $::symbol{errorString} = "CA response: $error. Please check previous related panels." . " Please check that the CA is available and also check the host's firewall settings.";
+ return 0;
+ }
+ $cert = $response->{Requests}->{Request}->{b64};
+ &PKI::RA::Wizard::debug_log("NamePanel: new cert generated= " . $cert);
+
+# my $reqid = $response->{Requests}->{Request}->{Id};
+# $::config->put("preop.admincert.requestId.0", $reqid);
+# my $sn = $response->{Requests}->{Request}->{serialno};
+# $::config->put("preop.admincert.serialno.0", $sn);
+# $::config->commit();
+
+ &PKI::RA::Wizard::debug_log("NamePanel: update putting cert in CS.cfg: $cert");
+ $::config->put("preop.cert.$certtag.cert", $cert);
+ $::config->commit();
+
+ } else {
+ # cert is not null
+ &PKI::RA::Wizard::debug_log("NamePanel: update External CA not selected. Cert found...no need for enrollment");
+ }
+
+# write cert to file so certutil can import
+ my $cert_fn = "$instanceDir/conf/".$certtag."_cert.txt";
+ open FILE, "> $cert_fn";
+ print FILE $cert_header."\n".$cert."\n".$cert_footer;
+ close FILE;
+
+ # import cert, whether it was imported before or not
+ my $nickname = $::config->get("preop.cert.$certtag.nickname");
+ if ($nickname eq "") {
+ #XXX
+ $nickname = "RA ".$certtag." cert";
+ &PKI::RA::Wizard::debug_log("NamePanel: update nickname not found for $certtag -- try $nickname");
+ }
+
+ if ($certtag ne "sslserver") {
+ &PKI::RA::Wizard::debug_log("NamePanel: update: try to delete existing cert $nickname, if any....ok if it fails");
+ $tmp = `certutil -d $instanceDir/alias -D -n "$nickname"`;
+ $tmp = `certutil -d $instanceDir/alias -D $hw -f $instanceDir/conf/.pwfile -n "$tk$nickname"`;
+ } else {
+ &PKI::RA::Wizard::debug_log("NamePanel: update: try to delete existing cert $sslnickname, if any....ok if it fails");
+ $tmp = `certutil -d $instanceDir/alias -D -n "$sslnickname"`;
+ $tmp = `certutil -d $instanceDir/alias -D $hw -f $instanceDir/conf/.pwfile -n "$tk$sslnickname"`;
+ }
+
+ &PKI::RA::Wizard::debug_log("NamePanel: update: try to import cert from $cert_fn");
+ $tmp = `certutil -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -A -n "$nickname" -t "u,u,u" -a -i $cert_fn`;
+ # changed the cert, need to change nickname too, if necessary
+ if ($hw ne "") {
+ if ($certtag eq "sslserver") {
+ if ($changed eq "false") {
+ $::config->put("preop.cert.$certtag.nickname", "$tk$nickname");
+ }
+ $changed = "true";
+ } elsif ($certtag eq "subsystem") {
+ &PKI::RA::Wizard::debug_log("NamePanel: update: subsystem nickname changed");
+ $::config->put("preop.cert.$certtag.nickname", "$tk$nickname");
+ $::config->put("conn.ca1.clientNickname", "$tk$nickname");
+ $::config->put("conn.drm1.clientNickname", "$tk$nickname");
+ $::config->put("conn.tks1.clientNickname", "$tk$nickname");
+ $::config->put( "ra.cert.subsystem.nickname", "$tk$nickname");
+ } else {
+ &PKI::RA::Wizard::debug_log("NamePanel: update: $certtag nickname changed");
+ $::config->put("preop.cert.$certtag.nickname", "$tk$nickname");
+ }
+ $::config->commit();
+ } else {
+ if ($certtag eq "subsystem") {
+ # setting these just in case the subsystem nickname changed.
+ &PKI::RA::Wizard::debug_log("NamePanel: update: setting in case the subsystem nickname changed");
+ $::config->put("conn.ca1.clientNickname", "$nickname");
+ $::config->put("conn.drm1.clientNickname", "$nickname");
+ $::config->put("conn.tks1.clientNickname", "$nickname");
+ $::config->put("ra.cert.subsystem.nickname", "$nickname");
+ }
+ $::config->commit();
+ }
+
+ &PKI::RA::Wizard::debug_log("NamePanel: update: done importing cert: $tk$nickname");
+ $tmp = `rm $cert_fn`;
+ }
+ }
+
+DONE:
+ &PKI::RA::Wizard::debug_log("NamePanel: removing pwfile");
+ my $tmp = `rm $instanceDir/conf/.pwfile`;
+ return 1;
+}
+
+sub readFile
+{
+ my $fn = $_[0];
+ open FILE, "< $fn" or return "";
+ my $content = join "",<FILE>;
+ close FILE;
+
+ return $content;
+}
+
+use Data::Dumper;
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("NamePanel: display");
+
+ my $domain_name = $::config->get("preop.securitydomain.name");
+ if ($domain_name eq "") {
+ $domain_name = "RA Domain";
+ }
+ my $machine_name = $::config->get("service.machineName");
+ my $instance_id = $::config->get("service.instanceID");
+
+ my $i = 0;
+ foreach my $certtag (@PKI::RA::Wizard::certtags) {
+ &PKI::RA::Wizard::debug_log("NamePanel: display certtag=$certtag");
+ my $cert_dn = $::config->get("preop.cert.".$certtag.".dn");
+ if ($cert_dn eq "") {
+ if ($certtag eq "subsystem") {
+ $cert_dn = "CN=RA Subsystem, " .
+ "OU=" . $instance_id . ", " .
+ "O=" . $domain_name;
+ } elsif ($certtag eq "sslserver") {
+ $cert_dn ="CN=" . $machine_name . ", " .
+ "OU=" . $instance_id . ", " .
+ "O=" . $domain_name;
+ } else {
+ &PKI::RA::Wizard::debug_log("NamePanel: display other certtag=$certtag");
+ $cert_dn = $certtag;
+ }
+ $::config->put("preop.cert.".$certtag.".dn", $cert_dn);
+ $::config->commit();
+ } else {
+ if (!($cert_dn =~ /O=/)) {
+ $cert_dn .= ", O=" . $domain_name;
+ $::config->put("preop.cert.".$certtag.".dn", $cert_dn);
+ $::config->commit();
+ }
+ }
+
+ my $name = $::config->get("preop.cert.".$certtag.".userfriendlyname");
+ if ($name eq "") {
+ $name = $certtag."Cert ".$instance_id;
+ $::config->put("preop.cert.".$certtag.".userfriendlyname", $name);
+ $::config->commit();
+ }
+
+ my $cert = new PKI::RA::CertInfo($name,
+ $cert_dn, $certtag);
+ $::symbol{certs}[$i++] = $cert;
+ }
+
+ &PKI::RA::Wizard::debug_log("NamePanel: getting CA info");
+ $::symbol{urls} = [];
+ my $count = 0;
+
+ while (1) {
+ my $host = $::config->get("preop.securitydomain.ca$count.host");
+ if ($host eq "") {
+ goto DONE;
+ }
+ my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
+ my $name = $::config->get("preop.securitydomain.ca$count.subsystemname");
+ my $item = $name . " - https://" . $host . ":" . $https_ee_port;
+ $::symbol{urls}[$count++] = $item;
+
+ }
+DONE:
+
+ $::symbol{urls}[$count++] = "External CA";
+ $::symbol{urls_size} = $count+1;
+
+ return 1;
+}
+
+
+# arg0 filename containing certificate request
+# return certificate request plus header and footer
+sub extract_cert_req_from_file
+{
+ my $save_line = 0;
+
+ my $filename = $_[0];
+
+ my $fd = new FileHandle;
+
+ my $cert_request = "";
+
+ $fd->open( "<$filename" ) or die "Could not open '$filename'!\n";
+
+ while( <$fd> )
+ {
+ my $line = $_;
+ chomp( $line );
+
+ if( $line eq $cert_req_header ) {
+ $save_line = 1;
+ $cert_request .= "$line\n";
+ } elsif( $line eq $cert_req_footer ) {
+ $cert_request .= "$line\n";
+ $save_line = 0;
+ last;
+ } elsif( $save_line == 1 ) {
+ $cert_request .= "$line\n";
+ }
+ }
+
+ $fd->close();
+
+ return $cert_request;
+}
+
+# arg0 message containing certificate request
+# return certificate request sans header and footer
+sub extract_cert_req_from_file_sans_header_and_footer
+{
+ my $filename = $_[0];
+ my $save_line = 0;
+
+ my $fd = new FileHandle;
+
+ my $cert_request = "";
+
+ $fd->open( "<$filename" ) or die "Could not open '$filename'!\n";
+
+ while( <$fd> )
+ {
+ my $line = $_;
+ chomp( $line );
+
+ if( $line eq $cert_req_header ) {
+ $save_line = 1;
+ } elsif( $line eq $cert_req_footer ) {
+ $save_line = 0;
+ last;
+ } elsif( $save_line == 1 ) {
+ $cert_request .= "$line\n";
+ }
+ }
+
+ $fd->close();
+
+ return $cert_request;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm b/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm
new file mode 100755
index 000000000..51c22cd24
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm
@@ -0,0 +1,235 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::ReqCertInfo;
+$PKI::RA::ReqCertInfo::VERSION = '1.00';
+
+our $cert_req_header="-----BEGIN NEW CERTIFICATE REQUEST-----";
+our $cert_req_footer="-----END NEW CERTIFICATE REQUEST-----";
+our $cert_header="-----BEGIN CERTIFICATE-----";
+our $cert_footer="-----END CERTIFICATE-----";
+
+sub new {
+ my ($class, $name, $dn, $tag) = @_;
+ my $self = {};
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: start new");
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: creating name: $name, dn: $dn, tag: $tag");
+
+ $self->{"getUserFriendlyName"} = \&get_user_friendly_name;
+ $self->{"getCertTag"} = \&get_cert_tag;
+ $self->{"getCert"} = \&get_cert;
+ $self->{"getCertpp"} = \&get_cert_pp;
+ $self->{"getRequest"} = \&get_request;
+ $self->{"getDN"} = \&get_dn;
+ $self->{"useDefaultKey"} = \&use_default_key;
+ $self->{"getCustomKeysize"} = \&get_custom_keysize;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: end new");
+
+ $self->{name} = $name;
+ $self->{dn} = $dn;
+ $self->{tag} = $tag;
+
+ bless $self, $class;
+ return $self;
+}
+
+sub get_user_friendly_name
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_user_friendly_name");
+ return $self->{name};
+}
+
+sub readFile
+{
+ my $fn = $_[0];
+ open FILE, "< $fn" or return "";
+ my $content = join "",<FILE>;
+ close FILE;
+
+ return $content;
+}
+
+sub wrap_lines
+{
+ my $lines = shift;
+ my $temp ;
+ foreach my $line (split "\n", $lines) {
+ if (length $line > 59) {
+ $line =~ s/(.{0,60})/$1\n/g;
+ }
+ # get rid of a line that is just an empty newline
+ $line =~ s/^\n$//gms;
+ $temp .= $line;
+ }
+ # collapse multiple newlines into one
+ $temp =~ s/\n+/\n/gms;
+ $temp =~ s/\n$//gms;
+ $temp;
+
+}
+
+sub get_request
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_request");
+ # first, try to see if request has been made before
+# my $req = readFile( "/var/lib/pki-ra/conf/$self->{tag}_cert_request.txt");
+
+ my $req = $::config->get("preop.cert.$self->{tag}.certreq");
+
+ $req = wrap_lines($req);
+
+ if ($req ne "") {
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_request found existing request");
+ return $cert_req_header."\n".$req."\n".$cert_req_footer;;
+ } else {
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_request existing request not found");
+ }
+
+ return $req;
+}
+
+sub get_cert
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert");
+# see if there is an existing cert
+# my $cert = readFile("/var/lib/pki-ra/conf/".$self->{tag}."_cert.txt");
+ my $cert = $::config->get("preop.cert.$self->{tag}.cert");
+
+ $cert = wrap_lines($cert);
+ if ($cert ne "") {
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert found existing cert");
+ return $cert_header."\n".$cert."\n".$cert_footer;;
+ } else {
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert existing cert not found");
+ }
+ if ($cert eq "") {
+ $cert = "...paste certificate here...";
+ }
+
+
+ return $cert;
+}
+
+sub get_cert_pp
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp");
+ my $instanceDir = $::config->get("service.instanceDir");
+
+ my $hw;
+ my $tokenname = $::config->get("preop.module.token");
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: update got token name = $tokenname");
+
+ if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
+ $hw = "";
+ } else {
+ $hw = "-h $tokenname";
+ }
+
+ my $token_pwd = $::pwdconf->get($tokenname);
+ open FILE, ">$instanceDir/conf/.pwfile";
+ system( "chmod 00660 $instanceDir/conf/.pwfile" );
+ $token_pwd =~ s/\n//g;
+ print FILE $token_pwd;
+ close FILE;
+
+ my $nickname = $::config->get("preop.cert.$self->{tag}.nickname");
+ if ($nickname eq "") {
+#XXX
+ $nickname = "RA ".$self->{tag}." cert";
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp nickname not found for $self->{tag} -- try $nickname");
+ }
+ my $certpp="";
+# my $found = -e "/var/lib/pki-ra/conf/$self->{tag}_cert.txt";
+ my $cert = $::config->get("preop.cert.$self->{tag}.cert");
+
+ if ($cert ne "") {
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp found request, ready to get prettyprint");
+ my $tmp = `certutil -d $instanceDir/alias $hw -f $instanceDir/conf/.pwfile -n "$nickname" -L > $instanceDir/conf/$self->{tag}_cert_pp.txt`;
+ $certpp = readFile("$instanceDir/conf/$self->{tag}_cert_pp.txt");
+ $certpp =~ s/"//g;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp pp=$certpp");
+ $tmp =`rm $instanceDir/conf/$self->{tag}_cert_pp.txt`;
+ } else {
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_pp cert not found, will not get prettyprint");
+ }
+ my $tmp = `rm $instanceDir/conf/.pwfile`;
+
+ return $certpp;
+}
+
+sub get_cert_tag
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_tag");
+ return $self->{tag};
+}
+
+sub get_dn
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_cert_dn");
+ return $self->{dn};
+}
+
+sub use_default_key
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: use_default_key");
+ my $select = $::config->get("preop.cert.$self->{tag}.keysize.select");
+ if ($select ne "") {
+ if ($select eq "custom") {
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: use_default_key from config = $select returning 0");
+ return 0;
+ }
+ }
+
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: use_default_key returning 1");
+ return 1;
+}
+
+sub get_custom_keysize
+{
+ my ($self) = @_;
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_custom_keysize");
+ my $keysize = $::config->get("preop.cert.$self->{tag}.keysize.customsize");
+ if ($keysize ne "") {
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_custom_keysize from config = $keysize");
+ return $keysize;
+ } else {
+ &PKI::RA::Wizard::debug_log("ReqCertInfo: get_custom_keysize not from config");
+ }
+ return 2048;
+}
+
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm b/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
new file mode 100755
index 000000000..114b19ef0
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
@@ -0,0 +1,199 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use URI::URL;
+use XML::Simple;
+use Data::Dumper;
+
+package PKI::RA::SecurityDomainPanel;
+$PKI::RA::SecurityDomainPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(1);
+ $self->{"getName"} = &PKI::RA::Common::r("Security Domain");
+ $self->{"vmfile"} = "securitydomainpanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("SecurityPanel: validate");
+
+ return 1;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub pingCS
+{
+ my( $instanceDir ) = $_[0];
+ my( $db_password ) = $_[1];
+ my( $nickname ) = $_[2];
+ my( $hostname ) = $_[3];
+ my( $port ) = $_[4];
+
+ my $content = `/usr/bin/sslget -d $instanceDir/alias -p $db_password -v -r "/ca/admin/ca/getStatus" $hostname:$port`;
+ if( "$content" eq "" ) {
+ return 0;
+ } else {
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+
+ my $parser = XML::Simple->new();
+ my $response = $parser->XMLin($content);
+ my $state = $response->{State};
+
+ if( "$state" eq "1" ) {
+ return 1;
+ } else {
+ return 0;
+ }
+ }
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("SecurityPanel: display");
+ $::symbol{panelname} = "Security Domain";
+ $::symbol{sdomainName} = "Security Domain";
+
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $hostname = $::config->get("service.machineName");
+ my $default_https_admin_port = 9445;
+
+ # check to see if "default" security domain exists on local machine
+ my $status = pingCS( $instanceDir,
+ $db_password,
+ $nickname,
+ $hostname,
+ $default_https_admin_port );
+ if( "$status" eq "1" ) {
+ # "default" security domain exists on local machine;
+ # fill "sdomainURL" in with "default" security domain
+ # as an initial "guess"
+ $::symbol{sdomainURL} = "https://" . $hostname . ":"
+ . $default_https_admin_port;
+ } else {
+ # "default" security domain does NOT exist on local machine;
+ # leave "sdomainURL" blank
+ $::symbol{sdomainURL} = "";
+ }
+
+ $::symbol{sdomainAdminURL} = "https://" . $hostname . ":"
+ . $default_https_admin_port;
+
+ my $initDaemon = "pki-cad";
+ my $initCommand = "";
+ my $instanceID ="&lt;security_domain_instance_name&gt; ";
+ if( $^O eq "linux" ) {
+ $initCommand = "/sbin/service $initDaemon";
+ } else {
+ ## default case: e. g. - ( $^O eq "solaris" )
+ $initCommand = "/etc/init.d/$initDaemon";
+ }
+ $::symbol{initCommand} = $initCommand;
+ $::symbol{instanceID} = $instanceID;
+ return 1;
+}
+
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("SecurityPanel: update");
+ my $sdomainURL = $q->param("sdomainURL");
+
+ if ($sdomainURL eq "") {
+ &PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL has not been specified!");
+ $::symbol{errorString} = "Security Domain HTTPS has not been specified!";
+ return 0;
+ }
+
+ my $sdomainURL_info = new URI::URL($sdomainURL);
+
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
+ $db_password =~ s/\n$//g;
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $hostname = $sdomainURL_info->host;
+ my $https_admin_port = $sdomainURL_info->port;
+
+ # check to see if "default" security domain exists on local machine
+ my $status = pingCS( $instanceDir,
+ $db_password,
+ $nickname,
+ $hostname,
+ $https_admin_port );
+ if( "$status" ne "1" ) {
+ # invalid security domain specified
+ &PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL not found");
+ $::symbol{errorString} = "Security Domain HTTPS Admin URL not found";
+ return 0;
+ }
+
+ # save urls in CS.cfg
+ &PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL=" . $sdomainURL);
+ $::config->put("config.sdomainAdminURL", $sdomainURL);
+
+ # Add values necessary for 'pkiremove' . . .
+ $::config->put("securitydomain.select", "existing");
+ $::config->put("securitydomain.host", $sdomainURL_info->host);
+ $::config->put("securitydomain.httpsadminport", $sdomainURL_info->port);
+ $::config->commit();
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/SizePanel.pm b/base/ra/lib/perl/PKI/RA/SizePanel.pm
new file mode 100755
index 000000000..f55dc41e9
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/SizePanel.pm
@@ -0,0 +1,245 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use PKI::RA::CertInfo;
+
+package PKI::RA::SizePanel;
+$PKI::RA::SizePanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(11);
+ $self->{"getName"} = &PKI::RA::Common::r("Key Pairs");
+ $self->{"vmfile"} = "sizepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("SizePanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("SizePanel: update");
+
+ my $instanceDir = $::config->get("service.instanceDir");
+ my $done = $::config->get("preop.SizePanel.done");
+ my $genKeyPair = $q->param('generateKeyPair');
+ &PKI::RA::Wizard::debug_log("SizePanel: update generateKeyPair value=$genKeyPair");
+ if ($done eq "true") {
+ if ($genKeyPair eq "") {
+ &PKI::RA::Wizard::debug_log("SizePanel: update generateKeyPair value not found, turn to off");
+ $genKeyPair = "off";
+ }
+ } else {
+ # firstime should always generate keys
+ $genKeyPair = "on";
+ }
+
+ foreach my $certtag (@PKI::RA::Wizard::certtags) {
+ my $select = $q->param($certtag.'_choice');
+ my $keytype = $q->param($certtag.'_keytype');
+ my $size = $q->param($certtag.'_custom_size');
+
+ &PKI::RA::Wizard::debug_log("SizePanel: update $certtag _choice=$select $certtag _keytype=$keytype customsize= $size");
+
+ $::config->put("preop.keysize.select", $select);
+ $::config->put("preop.cert.".$certtag.".keysize.select", $select);
+
+ if (! isSupportedSize($keytype, $size)) {
+ &PKI::RA::Wizard::debug_log("SizePanel: update size $size not supported");
+ return 0;
+ }
+ $::config->put("preop.cert.".$certtag.".keysize.customsize", $size);
+ $::config->put("preop.cert.".$certtag.".keytype", $keytype);
+
+ if ($select eq "default") {
+ my $defaultSize = getDefaultSize($keytype);
+ &PKI::RA::Wizard::debug_log("SizePanel: update in default, defaultsize = $defaultSize");
+ $::config->put("preop.keysize.customsize", $defaultSize);
+ $::config->put("preop.keysize.size", $defaultSize);
+ $::config->put("preop.cert.".$certtag.".keysize.size", $defaultSize);
+
+ } elsif ($select eq "custom") {
+ &PKI::RA::Wizard::debug_log("SizePanel: update in custom, customsize = $size");
+ $::config->put("preop.keysize.size", $size);
+ $::config->put("preop.cert.".$certtag.".keysize.size", $size);
+ }
+
+ if ($genKeyPair eq "on") {
+ $::config->put("preop.cert.".$certtag.".certreq", "");
+ $::config->put("preop.cert.".$certtag.".cert", "");
+ }
+ }
+#XXX should have better error checking to work better
+ $done = $::config->put("preop.SizePanel.done", "true");
+ $::config->commit();
+
+ return 1;
+}
+
+sub getDefaultSize {
+ my $keytype = $_[0];
+
+ if ($keytype eq "ecc") {
+ return 256;
+ } elsif ($keytype eq "rsa") {
+ return 2048;
+ }
+
+ $::symbol{errorString} = "Unsupported keytype $keytype";
+ return 0;
+}
+
+sub isSupportedSize {
+ my $keytype = $_[0];
+ my $size = $_[1];
+
+ if (($keytype eq "ecc") && ($size ne "256")) {
+ &PKI::RA::Wizard::debug_log("SizePanel: isSupportedSize ECC only supports size 256");
+ $::symbol{errorString} = "Unsupported Size $size. ECC only supports size 256";
+ return 0;
+ }
+
+ if (($size eq "256") || ($size eq "512") || ($size eq "1024") ||
+ ($size eq "2048") || ($size eq "4096")) {
+ return 1;
+ }
+ # wrong size
+ $::symbol{errorString} = "Unsupported Size $size. RSA only supports sizes 256, 512, 1024, 2048, and 4096";
+ return 0;
+}
+
+sub display
+{
+ my ($q) = @_;
+
+ &PKI::RA::Wizard::debug_log("SizePanel: display");
+
+ my $done = $::config->get("preop.SizePanel.done");
+ &PKI::RA::Wizard::debug_log("SizePanel: display is panel done? $done");
+ if ($done eq "true") {
+ $::symbol{firsttime} = "false";
+ } else {
+ $::symbol{firsttime} = "true";
+ }
+
+ my $domain_name = $::config->get("preop.securitydomain.name");
+ if ($domain_name eq "") {
+ $domain_name = "RA Domain";
+ }
+
+ my $machine_name = $::config->get("service.machineName");
+ my $instance_id = $::config->get("service.instanceID");
+
+ my $i = 0;
+ foreach my $certtag (@PKI::RA::Wizard::certtags) {
+ my $cert_dn = $::config->get("preop.cert.".$certtag.".dn");
+ if ($cert_dn eq "") {
+ if ($certtag eq "subsystem") {
+ $cert_dn = "CN=RA Subsystem, " .
+ "OU=" . $instance_id . ", " .
+ "O=" . $domain_name;
+ } elsif ($certtag eq "sslserver") {
+ $cert_dn ="CN=" . $machine_name . ", " .
+ "OU=" . $instance_id . ", " .
+ "O=" . $domain_name;
+ } else {
+ $cert_dn = $certtag;
+ }
+ }
+ my $name = $::config->get("preop.cert.".$certtag.".userfriendlyname");
+ if ($name eq "") {
+ $name = $certtag."Cert ".$instance_id;
+ }
+ my $cert = new PKI::RA::CertInfo($name,
+ $cert_dn, $certtag);
+ $::symbol{certs}[$i++] = $cert;
+ }
+
+ #for "common key settings"
+ my $select = $::config->get("preop.keysize.select");
+ if (($select eq "") || ($select eq "default")) {
+ $::symbol{select} = "default";
+ } else {
+ &PKI::RA::Wizard::debug_log("SizePanel: display keysize select= $select");
+ $::symbol{select} = $select;
+ }
+ my $default_size = $::config->get("preop.keysize.size");
+ if ($default_size eq "") {
+ $::symbol{default_keysize} = 2048;
+ } else {
+ $::symbol{default_keysize} = $default_size;
+ }
+
+ my $default_ecc_size = $::config->get("preop.keysize.ecc.size");
+ if ($default_ecc_size eq "") {
+ $::symbol{default_ecc_keysize} = 256;
+ } else {
+ $::symbol{default_ecc_keysize} = $default_ecc_size;
+ }
+
+ my $custom_size = $::config->get("preop.keysize.customsize");
+ if ($custom_size eq "") {
+ $::symbol{custom_size} = 2048;
+ } else {
+ $::symbol{custom_size} = $default_size;
+ }
+
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm b/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm
new file mode 100755
index 000000000..3d946bca0
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm
@@ -0,0 +1,142 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::SubsystemTypePanel;
+$PKI::RA::SubsystemTypePanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(3);
+ $self->{"getName"} = &PKI::RA::Common::r("Subsystem Type");
+ $self->{"vmfile"} = "createsubsystempanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("SubsystemTypePanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("SubsystemTypePanel: update");
+ $::symbol{systemname} = "Registration Authority ";
+ $::symbol{subsystemName} = "Registration Authority";
+ $::symbol{fullsystemname} = "Registration Authority";
+ $::symbol{machineName} = "localhost";
+ $::symbol{http_port} = "12888";
+ $::symbol{https_port} = "12889";
+ $::symbol{non_clientauth_https_port} = "12890";
+ $::symbol{check_clonesubsystem} = " ";
+ $::symbol{check_newsubsystem} = " ";
+ $::symbol{disableClone} = 1;
+
+ my $subsystemName = $q->param('subsystemName');
+ $::config->put("preop.subsystem.name", $subsystemName);
+ $::config->commit();
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("SubsystemTypePanel: display");
+ $::symbol{systemname} = "Registration Authority ";
+ $::symbol{subsystemName} = "Registration Authority";
+ $::symbol{fullsystemname} = "Registration Authority ";
+
+ my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
+ my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
+
+
+ $::symbol{machineName} = $machineName;
+ $::symbol{http_port} = $unsecurePort;
+ $::symbol{https_port} = $securePort;
+ $::symbol{non_clientauth_https_port} = $non_clientauth_securePort;
+ $::symbol{check_clonesubsystem} = "";
+ $::symbol{check_newsubsystem} = "checked ";
+
+ my $session_id = $q->param("session_id");
+ $::config->put("preop.sessionID", $session_id);
+ $::config->commit();
+
+ $::symbol{urls} = [];
+ my $count = 0;
+ while (1) {
+ my $host = $::config->get("preop.securitydomain.ra$count.host");
+ if ($host eq "") {
+ goto DONE;
+ }
+ my $port = $::config->get("preop.securitydomain.ra$count.non_clientauth_secure_port");
+ my $name = $::config->get("preop.securitydomain.ra$count.subsystemname");
+ unshift(@{$::symbol{urls}}, "https://" . $host . ":" . $port);
+ $count++;
+ }
+DONE:
+ $::symbol{urls_size} = $count;
+
+# if ($count == 0) {
+ $::symbol{disableClone} = 1;
+# }
+
+ # XXX - how to deal with urls
+ return 1;
+}
+
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm b/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm
new file mode 100755
index 000000000..ddf1124a9
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm
@@ -0,0 +1,134 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+use URI::URL;
+
+package PKI::RA::TKSInfoPanel;
+$PKI::RA::TKSInfoPanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(5);
+ $self->{"getName"} = &PKI::RA::Common::r("TKS Information");
+ $self->{"vmfile"} = "tksinfopanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("TKSInfoPanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("TKSInfoPanel: update");
+
+ my $count = $q->param('urls');
+
+ my $instanceID = $::config->get("service.instanceID");
+
+ my $host = "";
+ my $https_agent_port = "";
+ if ($count =~ /http/) {
+ my $info = new URI::URL($count);
+ $host = $info->host;
+ $https_agent_port = $info->port;
+ if (($host eq "") || ($https_agent_port eq "")) {
+ $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation";
+ return 0;
+ }
+ $::config->put("preop.tksinfo.select", $count);
+ } else {
+ $host = $::config->get("preop.securitydomain.tks$count.host");
+ $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport");
+ if (($host eq "") || ($https_agent_port eq "")) {
+ $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation";
+ return 0;
+ }
+ $::config->put("preop.tksinfo.select", "https://$host:$https_agent_port");
+ }
+ my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
+ $::config->put("conn.tks1.clientNickname", $subsystemCertNickName);
+ $::config->put("conn.tks1.hostport", $host . ":" . $https_agent_port);
+ $::config->commit();
+
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("TKSInfoPanel: display");
+ $::symbol{urls} = [];
+ my $count = 0;
+ while (1) {
+ my $host = $::config->get("preop.securitydomain.tks$count.host");
+ if ($host eq "") {
+ goto DONE;
+ }
+ my $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport");
+ my $name = $::config->get("preop.securitydomain.tks$count.subsystemname");
+ $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port;
+ }
+DONE:
+ $::symbol{urls_size} = $count;
+ if ($count eq 0) {
+ $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation";
+ return 0;
+ }
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/WelcomePanel.pm b/base/ra/lib/perl/PKI/RA/WelcomePanel.pm
new file mode 100755
index 000000000..c88c138be
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/WelcomePanel.pm
@@ -0,0 +1,90 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+use warnings;
+use PKI::RA::GlobalVar;
+use PKI::RA::Common;
+
+package PKI::RA::WelcomePanel;
+$PKI::RA::WelcomePanel::VERSION = '1.00';
+
+use PKI::RA::BasePanel;
+our @ISA = qw(PKI::RA::BasePanel);
+
+sub new {
+ my $class = shift;
+ my $self = {};
+
+ $self->{"isSubPanel"} = \&is_sub_panel;
+ $self->{"hasSubPanel"} = \&has_sub_panel;
+ $self->{"isPanelDone"} = \&PKI::RA::Common::no;
+ $self->{"getPanelNo"} = &PKI::RA::Common::r(0);
+ $self->{"getName"} = &PKI::RA::Common::r("Welcome");
+ $self->{"vmfile"} = "welcomepanel.vm";
+ $self->{"update"} = \&update;
+ $self->{"panelvars"} = \&display;
+ bless $self,$class;
+ return $self;
+}
+
+sub is_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub has_sub_panel
+{
+ my ($q) = @_;
+ return 0;
+}
+
+sub validate
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("WelcomePanel: validate");
+ return 1;
+}
+
+sub update
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("WelcomePanel: update");
+ return 1;
+}
+
+sub display
+{
+ my ($q) = @_;
+ &PKI::RA::Wizard::debug_log("XXX " . $::config->get("logging.debug.enable"));
+ &PKI::RA::Wizard::debug_log("WelcomePanel: display");
+ $::symbol{wizardname} = "RA Configuration Wizard";
+ $::symbol{systemname} = "RA";
+ $::symbol{fullsystemname} = "Registration Authority";
+
+ return 1;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/RA/wizard.pm b/base/ra/lib/perl/PKI/RA/wizard.pm
new file mode 100755
index 000000000..5fe1e7536
--- /dev/null
+++ b/base/ra/lib/perl/PKI/RA/wizard.pm
@@ -0,0 +1,502 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+# wizard -
+# Fedora Certificate System - Registration Authority System configuration wizard
+
+
+# This script is run as a 'mod_perl' CGI. Configure mod_perl by adding
+# the following to /etc/httpd/conf.d/perl.conf
+#
+# PerlModule ModPerl::Registry
+# PerlModule Apache::compat
+# PerlModule PKI::RA::Wizard
+# PerlSetEnv PKI_DOCROOT /u/sparkins/t/cs_tip/certsystem/prj/common/ui
+# <Location /wizard>
+# SetHandler perl-script
+# PerlHandler PKI::RA::Wizard
+# Order deny,allow
+# Allow from all
+# </Location>
+
+
+# Note: The Velocity parser is not very helpful when it comes to
+# errors right now. Here are some common errors, and what they mean:
+#
+# ERROR:
+# [Mon Apr 03 13:57:33 2006] [error] [client 172.16.24.26]
+# Can't use string ("0") as an ARRAY ref while "strict refs"
+# in use at /usr/lib/perl5/site_perl/5.8.5/Template/Velocity.pm
+# line 423.\n, referer: http://chico/wizard?p=2
+# MEANING
+# This probably means that your *.vm file refers to an array
+# variable in a foreach statement that is not defined
+# Check your foreach array variables.
+
+use warnings;
+use ModPerl::Registry;
+use Template::Velocity;
+use Getopt::Std;
+use Data::Dumper;
+use CGI::Carp qw(fatalsToBrowser);
+use CGI;
+use APR::Const -compile => qw(:error SUCCESS);
+use PKI::RA::GlobalVar;
+use PKI::RA::WelcomePanel;
+use PKI::RA::SecurityDomainPanel;
+use PKI::RA::DisplayCertChainPanel;
+use PKI::RA::SubsystemTypePanel;
+use PKI::RA::CAInfoPanel;
+use PKI::RA::DisplayCertChain2Panel;
+use PKI::RA::AdminAuthPanel;
+use PKI::RA::AgentAuthPanel;
+use PKI::RA::DatabasePanel;
+use PKI::RA::ModulePanel;
+use PKI::RA::SizePanel;
+use PKI::RA::NamePanel;
+use PKI::RA::ConfigHSMLoginPanel;
+use PKI::RA::CertRequestPanel;
+use PKI::RA::AdminPanel;
+use PKI::RA::ImportAdminCertPanel;
+use PKI::RA::DonePanel;
+use PKI::RA::Config;
+
+use PKI::RA::Common qw(yes no r);
+
+package PKI::RA::Wizard;
+$PKI::RA::Wizard::VERSION = '1.00';
+
+# read configuration file
+my $flavor = "pki";
+$flavor =~ s/\n//g;
+
+my $pkiroot = $ENV{PKI_ROOT};
+
+my $config = PKI::RA::Config->new();
+$config->load_file("$pkiroot/conf/CS.cfg");
+# read password cache file
+my $pwdconf = PKI::RA::Config->new();
+$pwdconf->load_file("$pkiroot/conf/pwcache.conf");
+# SELinux disallows performing a "chmod" on this file
+if( $^O ne "linux" ) {
+ system( "chmod 00660 $pkiroot/conf/pwcache.conf" );
+}
+
+# create cfg debug log
+my $logfile = $config->get("service.instanceDir") . "/logs/debug";
+system( "touch $logfile" );
+system( "chmod 00640 $logfile" );
+open( DEBUG, ">>" . $logfile ) ||
+warn( "Could not open '" . $logfile . "': $!" );
+
+# apache server
+
+our $debug;
+
+my $HTTP_OK = 0;
+
+my $STATUS_OK = 0; # Apache 2 needs this to be zero
+my $STATUS_ERROR = 2;
+my $STATUS_REDIRECT = 3;
+
+&debug_log("RA wizard: starting up");
+
+my $docroot = $ENV{PKI_DOCROOT};
+
+if (! $docroot) {
+ &debug_log("RA wizard: ERROR: PKI_DOCROOT is null");
+ return 0;
+}
+
+our $parser = new Template::Velocity($docroot);
+our $symbol;
+our @certtags;
+
+makepanels();
+
+&debug_log("RA wizard: start up complete");
+
+1;
+
+sub debug_log
+{
+ my ($msg) = @_;
+ my $date = `date`;
+ chomp($date);
+ if( -w $logfile ) {
+ print DEBUG "$date - $msg\n";
+ }
+}
+
+ # initializes entries in parser's global symbol table for panels
+sub makepanels
+{
+ #REAL PANELS BELOW
+ my $welcome = new PKI::RA::WelcomePanel();
+ my $securitydomain = new PKI::RA::SecurityDomainPanel();
+ my $displaycertchain = new PKI::RA::DisplayCertChainPanel();
+ my $subsystem = new PKI::RA::SubsystemTypePanel();
+ my $cainfopanel = new PKI::RA::CAInfoPanel();
+# my $displaycertchain2 = new PKI::RA::DisplayCertChain2Panel();
+ my $databasepanel = new PKI::RA::DatabasePanel();
+ my $modulepanel = new PKI::RA::ModulePanel();
+ my $confighsmloginpanel = new PKI::RA::ConfigHSMLoginPanel();
+ my $sizepanel = new PKI::RA::SizePanel();
+ my $namepanel = new PKI::RA::NamePanel();
+ my $certrequestpanel = new PKI::RA::CertRequestPanel();
+ my $adminpanel = new PKI::RA::AdminPanel();
+ my $importadmincertpanel = new PKI::RA::ImportAdminCertPanel();
+ my $donepanel = new PKI::RA::DonePanel();
+
+ $symbol{panels} = [
+ $welcome, # com.netscape.cms.servlet.csadmin.WelcomePanel
+ $securitydomain, # com.netscape.cms.servlet.csadmin.SecurityDomainPanel
+ $displaycertchain, # com.netscape.cms.servlet.csadmin.DisplayCertChainPanel
+ $subsystem, # com.netscape.cms.servlet.csadmin.CreateSubsystemPanel
+ $cainfopanel, # com.netscape.cms.servlet.csadmin.CAInfoPanel
+# $displaycertchain2, # com.netscape.cms.servlet.csadmin.DisplayCertChain2Panel
+ $databasepanel, # com.netscape.cms.servlet.csadmin.DatabasePanel
+ $modulepanel, # com.netscape.cms.servlet.csadmin.ModulePanel
+ $confighsmloginpanel, # com.netscape.cms.servlet.csadmin.ConfigHSMLoginPanel
+ $sizepanel, # com.netscape.cms.servlet.csadmin.SizePanel
+ $namepanel, # com.netscape.cms.servlet.csadmin.NamePanel
+ $certrequestpanel, # com.netscape.cms.servlet.csadmin.CertRequestPanel
+ $adminpanel, # com.netscape.cms.servlet.csadmin.AdminPanel
+ $importadmincertpanel, # com.netscape.cms.servlet.csadmin.ImportAdminCertPanel
+ $donepanel, # com.netscape.cms.servlet.csadmin.DonePanel</param-value>
+ ];
+};
+
+sub render_panel
+{
+ my ($panelnum, $q) = @_;
+
+ $symbol{errorString} = "";
+
+ my $currentpanel;
+
+ if ($q->param('op') && $q->param('op') eq "next") {
+ $currentpanel = $symbol{panels}[$panelnum];
+ # validate variables for panel
+ if ($currentpanel->{validate}) {
+ $currentpanel->{validate}($q);
+ }
+ # execute current panel
+ my $status = "0";
+
+ if ($currentpanel->{update}) {
+ $status = $currentpanel->{update}($q);
+ &debug_log("RA wizard: update returns status '" .
+ $status . "'");
+ if ($status == $STATUS_REDIRECT) {
+ return $STATUS_REDIRECT;
+ }
+
+ }
+
+ &debug_log("RA wizard: about to find out about sub panel");
+ if ($status eq "1") {
+ if ($currentpanel->{hasSubPanel} && &{$currentpanel->{hasSubPanel}}($q)) {
+ &debug_log("RA wizard: has sub panel");
+ $panelnum = $panelnum + 2;
+ } elsif ($currentpanel->{isSubPanel} && &{$currentpanel->{isSubPanel}}($q)) {
+ &debug_log("RA wizard: is sub panel");
+ $panelnum = $panelnum - 1;
+ } else {
+ &debug_log("RA wizard: no sub panel and is not subpanel");
+ $panelnum = $panelnum + 1;
+ }
+ }
+ } elsif ($q->param('op') && $q->param('op') eq "back") {
+ $panelnum = $panelnum - 1;
+ #check if this a subpanel, if so, go back to it's parent.
+ #only handles one-deep at this point
+ my $panel = $symbol{panels}[$panelnum];
+ if (&{$panel->{isSubPanel}}($q)) {
+ $panelnum = $panelnum - 1;
+ }
+ } elsif ($q->param('op') && $q->param('op') eq "apply") {
+ &debug_log("RA wizard: update : apply button pressed");
+ $currentpanel = $symbol{panels}[$panelnum];
+ # validate variables for panel
+ if ($currentpanel->{validate}) {
+ $currentpanel->{validate}($q);
+ }
+ # execute current panel
+ if ($currentpanel->{update}) {
+ my $status = $currentpanel->{update}($q);
+ &debug_log("RA wizard: update returns status '" .
+ $status . "'");
+ if ($status == $STATUS_REDIRECT) {
+ return $STATUS_REDIRECT;
+ }
+
+ }
+ }
+
+ &debug_log("RA wizard: after looking into about sub panel");
+
+ # advance to next panel
+ $currentpanel = $symbol{panels}[$panelnum];
+
+ # initialize symbol table values
+ $symbol{showApplyButton} = "false";
+
+ # fill in variables for new panel
+ if ($currentpanel->{panelvars}) {
+ $Data::Dumper::Indent = 1;
+ # The '&debug_log("q=".Dumper($q));' call must be commented out to fix
+ # Bugzilla Bug #249923: Incorrect file permissions on
+ # various files and/or directories
+ # &debug_log("q=".Dumper($q));
+ $currentpanel->{panelvars}($q);
+ }
+
+ $symbol{panel} = "ra/admin/console/config/".$currentpanel->{vmfile};
+
+ #wizard.vm:
+ $symbol{name} = "Registration Authority";
+ $symbol{title} = $currentpanel->{getName}();
+ if ($panelnum == 0) {
+ $symbol{firstpanel} = "1";
+ } else {
+ $symbol{firstpanel} = "0";
+ }
+ if ($panelnum == 13) {
+ $symbol{lastpanel} = "1";
+ } else {
+ $symbol{lastpanel} = "0";
+ }
+ $symbol{p} = $panelnum;
+ $symbol{subpanelno} = $panelnum+1;
+ $symbol{productversion} = $::config->get("preop.product.version");
+ $symbol{csstate} = "1";
+
+# $symbol{urls} = [ "cert1", "cert2" ]; #createsubsystem
+# $symbol{urls_size} = 2;
+# $symbol{instanceId} = "ra";
+# $symbol{errorString} = "";
+
+ #modulepanel
+# $symbol{certs} = [ ];
+# $symbol{reqscerts} = [ ];
+ $symbol{ppcerts} = [ ];
+
+ return $STATUS_OK;
+}
+
+
+
+sub dbg {
+ my $msg = shift;
+ $::symbol{dbg} .= "$msg\n";
+}
+
+sub handler {
+ my $r = shift;
+
+ *::symbol = \%symbol;
+ *::s = \$s;
+ *::config = \$config;
+ *::pwdconf = \$pwdconf;
+
+ &debug_log("RA wizard: in handler");
+
+ my $q = new CGI;
+
+ # check cookie
+ my $cookie = $q->cookie('pin');
+ my $pin = $::config->get("preop.pin");
+ if ($cookie ne $pin) {
+ print $q->redirect("login");
+ return;
+ }
+
+ # output http parameters
+ &debug_log("RA wizard: uri='" . $ENV{REQUEST_URI} . "'");
+ my @pnames = $q->param();
+ foreach $pn (@pnames) {
+ # added this facility so that password can be hidden,
+ # all sensitive parameters should be prefixed with
+ # __ (double underscores); however, in the event that
+ # a security parameter slips through, we perform multiple
+ # additional checks to insure that it is NOT displayed
+ if( $pn =~ /^__/ ||
+ $pn =~ /password$/ ||
+ $pn =~ /passwd$/ ||
+ $pn =~ /pwd$/ ||
+ $pn =~ /admin_password_again/i ||
+ $pn =~ /directoryManagerPwd/i ||
+ $pn =~ /bindpassword/i ||
+ $pn =~ /bindpwd/i ||
+ $pn =~ /passwd/i ||
+ $pn =~ /password/i ||
+ $pn =~ /pin/i ||
+ $pn =~ /pwd/i ||
+ $pn =~ /pwdagain/i ||
+ $pn =~ /uPasswd/i ) {
+ &debug_log("RA wizard: http parameter name='" . $pn . "' value='(sensitive)'");
+ } else {
+ &debug_log("RA wizard: http parameter name='" . $pn . "' value='" . $q->param($pn) . "'");
+ }
+ }
+
+ my $panelnum = $q->param('p');
+ if (!defined($panelnum) || $panelnum eq "") {
+ # Apache fails to pick up the p parameter after
+ # redirecting from the security domain. This is
+ # a quick hack to solve the issue.
+ if ($ENV{'QUERY_STRING'} ne "") {
+ $ENV{'QUERY_STRING'} =~ /p=([0-9]+)&/;
+ $panelnum = $1;
+ }
+ }
+
+ use subs qw(debug);
+ *debug = \&Template::Velocity::Executor::debug;
+
+ $::symbol{dbg} = "";
+
+ &debug_log("RA wizard: before argparsing");
+ if ($#ARGV == -1) {
+ $Data::Dumper::Maxdepth = 7;
+ $startfile = "ra/admin/console/config/wizard.vm";
+ }
+
+ &debug_log("RA wizard: setting up test objects");
+
+ #initialize from config file
+ my $certlist = $::config->get("preop.cert.list");
+ if ($certlist eq "") {
+ $certlist = "sslserver,subsystem";
+ }
+ @certtags = split(/,/, $certlist);
+ $numtags = @certtags;
+ if ($numtags eq 0) {
+ @certtags = ("sslserver", "subsystem");
+ }
+ &debug_log("RA wizard: found $numtags certtags");
+
+ if (! $panelnum) {
+ $panelnum = 0;
+ }
+
+ my $status = render_panel($panelnum, $q);
+ if ($status == 3) {
+ $r->header_out(Location => $symbol{redirect});
+ $r->status(301);
+ $r->send_http_header();
+ return;
+ }
+
+ use Data::Dumper;
+ &debug_log("RA wizard: executing file $startfile");
+ foreach $q (sort keys %symbol) {
+ &debug_log("RA wizard:/config/wizard?p=9&SecToken=NSS%20Generic%20Crypto%20Services sym{$q}=".$symbol{$q});
+ }
+
+ my $result;
+ if ($q->param('xml') && $q->param('xml') eq "true") {
+ $r->send_http_header('text/xml');
+ $result = "<xml>";
+ foreach $s (sort keys %symbol) {
+ if ($s =~ /^__/) {
+ next;
+ }
+ $result .= "<" . $s . ">";
+ my $v = $symbol{$s};
+ $result .= &get_xml($s, $v);
+ $result .= "</" . $s . ">";
+ }
+ $result .= "</xml>";
+ } else {
+ $result = $parser->execute_file($startfile);
+ if (!defined $result) {
+ die("Couldn't execute template file: $docroot/$startfile");
+ }
+ }
+
+ $r->send_http_header('text/html');
+ print "$result\n";
+
+ return $HTTP_OK;
+}
+
+sub escape_xml
+{
+ my ($v) = @_;
+ $v =~ s/\"/&quot;/g;
+ $v =~ s/\'/&apos;/g;
+ $v =~ s/\&/&amp;/g;
+ $v =~ s/</&lt;/g;
+ $v =~ s/>/&gt;/g;
+ return $v;
+}
+
+sub get_xml
+{
+ my ($s, $v) = @_;
+
+ my $result;
+ if (ref($v) eq "HASH") {
+ foreach my $xkey (keys %$v) {
+ $result .= "<" . $xkey . ">";
+ $result .= &get_xml($xkey, $v{$xkey});
+ # $result .= "-" . ref($xkey);
+ $result .= "</" . $xkey . ">";
+ }
+ } elsif (ref($v) eq "PKI::RA::CertInfo") {
+ my $certinfo = $v;
+ $result .= "<certinfo>";
+ $result .= "<dn>" . $certinfo->get_dn() ."</dn>";
+ $result .= "<tag>" . $certinfo->get_cert_tag() . "</tag>";
+ $result .= "<friendly>" . $certinfo->get_user_friendly_name() .
+ "</friendly>";
+ $result .= "</certinfo>";
+ } elsif (ref($v) eq "PKI::RA::ReqCertInfo") {
+ my $reqcertinfo = $v;
+ $result .= "<reqcertinfo>";
+ $result .= "<name>" . $reqcertinfo->get_user_friendly_name() ."</name>";
+ $result .= "<req>" . $reqcertinfo->get_request() ."</req>";
+ $result .= "<cert>" . $reqcertinfo->get_cert() ."</cert>";
+ $result .= "<certpp>" . &escape_xml($reqcertinfo->get_cert_pp()) ."</certpp>";
+ $result .= "<tag>" . $reqcertinfo->get_cert_tag() ."</tag>";
+ $result .= "<dn>" . $reqcertinfo->get_cert_tag() ."</dn>";
+ $result .= "</reqcertinfo>";
+ } elsif (ref($v) eq "ARRAY") {
+ my $pos = 0;
+ foreach my $item (@$v) {
+ $result .= "<element>";
+ $result .= &get_xml("p" . $pos, $item);
+ # $result .= "-" . ref($item);
+ $result .= "</element>";
+ $pos++;
+ }
+ } else {
+ $result .= &escape_xml($v);
+ }
+ return $result;
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm b/base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm
new file mode 100644
index 000000000..671f2418d
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Request/Plugin/AutoAssign.pm
@@ -0,0 +1,52 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+#######################################
+# This plugins assigns a request to a group.
+#######################################
+package PKI::Request::Plugin::AutoAssign;
+
+use DBI;
+use PKI::Base::TimeTool;
+
+#######################################
+# Instantiate this plugin
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+#######################################
+# Processes plugin
+#######################################
+sub process {
+ my ($self, $cfg, $queue, $prefix, $req) = @_;
+
+ my $assignTo = $cfg->get($prefix . ".assignTo");
+ $queue->set_request($req->{'rowid'}, "assigned_to", $assignTo);
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm b/base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm
new file mode 100644
index 000000000..b90096664
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Request/Plugin/CreatePin.pm
@@ -0,0 +1,75 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+#######################################
+# This plugins creates a one time pin.
+#######################################
+package PKI::Request::Plugin::CreatePin;
+
+use DBI;
+use PKI::Base::TimeTool;
+use PKI::Base::PinStore;
+
+#######################################
+# Instantiates this plugin
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+#######################################
+# Processes plugin
+#######################################
+sub process {
+ my ($self, $cfg, $queue, $prefix, $req) = @_;
+
+ my $pin_store = PKI::Base::PinStore->new();
+ $pin_store->open($cfg);
+
+
+ my $pin_format = $cfg->get($prefix . ".pinFormat");
+
+ my $client_id = "";
+ my $site_id = "";
+
+ my $data = $req->{'data'};
+ foreach $nv (split(/;/, $data)) {
+ my ($n, $v) = split(/=/, $nv);
+ $pin_format =~ s/\$$n/$v/g;
+ }
+ my $created_by = "admin";
+ my $pin = $pin_store->create_pin($pin_format, $req->{'rowid'}, $created_by);
+
+ # save pin to output
+ $output = "pin=" . $pin;
+ $queue->set_request_output($req->{'rowid'}, $output);
+
+ $req->{'output'} = $output;
+
+ $pin_store->close();
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm b/base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm
new file mode 100644
index 000000000..95274bfa7
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Request/Plugin/EmailNotification.pm
@@ -0,0 +1,100 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+#######################################
+# This plugins mails a notification
+# to an email specified in the request.
+#######################################
+package PKI::Request::Plugin::EmailNotification;
+
+use DBI;
+use PKI::Base::TimeTool;
+
+#######################################
+# Instantiate this plugin
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub substitute {
+ my ($self, $cfg, $queue, $prefix, $req, $line) = @_;
+
+ my $mail_to = $cfg->get($prefix . ".mailTo");
+
+ # if mail_to starts with $, retrieve value from request
+ if ($mail_to =~ /^\$/) {
+ $mail_to =~ s/\$//g;
+ $mail_to = $req->{$mail_to};
+ }
+ my $machineName = $cfg->get("service.machineName");
+ my $securePort = $cfg->get("service.securePort");
+ my $unsecurePort = $cfg->get("service.unsecurePort");
+ my $nonClientAuthSecurePort = $cfg->get("service.non_clientauth_securePort");
+ my $subject_dn = $req->{'subject_dn'};
+
+ $line =~ s/\$mail_to/$mail_to/g;
+ $line =~ s/\$request_id/$req->{'rowid'}/g;
+ $line =~ s/\$machineName/$machineName/g;
+ $line =~ s/\$securePort/$securePort/g;
+ $line =~ s/\$unsecurePort/$unsecurePort/g;
+ $line =~ s/\$subject_dn/$subject_dn/g;
+ $line =~ s/\$nonClientAuthSecurePort/$nonClientAuthSecurePort/g;
+ return $line;
+}
+
+#######################################
+# Processes plugin
+#######################################
+sub process {
+ my ($self, $cfg, $queue, $prefix, $req) = @_;
+ my $queue = PKI::Request::Queue->new();
+ $queue->open($cfg);
+ my $ref = $queue->read_request($req->{rowid});
+
+ my $req_err = $ref->{errorString};
+ if ($req_err ne "0") {
+ return;
+ }
+
+ my $mail_to = $cfg->get($prefix . ".mailTo");
+ if ($mail_to eq "") {
+ return;
+ }
+
+ my $template_dir = $cfg->get($prefix . ".templateDir");
+ my $template_file = $cfg->get($prefix . ".templateFile");
+
+ open(SENDMAIL, "|/usr/sbin/sendmail -t");
+ open(F,"$template_dir/$template_file");
+ while (<F>) {
+ print SENDMAIL $self->substitute($cfg, $queue, $prefix, $ref, $_);
+ }
+ close(F);
+ close(SENDMAIL);
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm b/base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm
new file mode 100644
index 000000000..1c5b7d6b2
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Request/Plugin/RequestToCA.pm
@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+#######################################
+# This plugins mails a notification
+# to an email specified in the request.
+#######################################
+package PKI::Request::Plugin::RequestToCA;
+
+use DBI;
+use PKI::Base::TimeTool;
+use PKI::Conn::CA;
+
+#######################################
+# Instantiate this plugin
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+#######################################
+# Processes plugin
+#######################################
+sub process {
+ my ($self, $cfg, $queue, $prefix, $req) = @_;
+
+ my $ca = $cfg->get($prefix . ".ca");
+ my $profile_id = $cfg->get($prefix . ".profileId");
+ my $req_type = $cfg->get($prefix . ".reqType");
+
+ my $server_id = "";
+ my $site_id = "";
+ my $csr = "";
+ my $csr_type = "";
+
+ my $data = $req->{'data'};
+ foreach $nv (split(/;/, $data)) {
+ my ($n, $v) = split(/=/, $nv);
+ if ($n eq "server_id") {
+ $server_id = $v;
+ }
+ if ($n eq "site_id") {
+ $site_id = $v;
+ }
+ if ($n eq "csr") {
+ $csr = $v;
+ }
+ if ($n eq "csr_type") {
+ $csr_type = $v;
+ }
+ }
+
+ if ($csr_type ne "") {
+ $req_type = $csr_type;
+ }
+
+ my $ca_conn = PKI::Conn::CA->new();
+ $ca_conn->open($cfg);
+ my $cert = $ca_conn->enroll($req->{'rowid'}, $ca, $profile_id, $req_type, $csr);
+ $queue->set_request($req->{'rowid'}, "output", $cert);
+ $req->{'output'} = $cert;
+ $ca_conn->close();
+
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Request/Queue.pm b/base/ra/lib/perl/PKI/Request/Queue.pm
new file mode 100644
index 000000000..dc8418d22
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Request/Queue.pm
@@ -0,0 +1,387 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+package PKI::Request::Queue;
+
+use DBI;
+use PKI::Base::TimeTool;
+
+#######################################
+# Constructs a request queue
+#######################################
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+#######################################
+# Opens request queue
+#######################################
+sub open {
+ my ($self, $cfg) = @_;
+ $self->{cfg} = $cfg;
+ my $dbfile = $cfg->get("database.dbfile");
+ $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$dbfile","","");
+ my $timeout = $self->{dbh}->func("busy_timeout");
+ $self->{dbh}->func($timeout * 10, "busy_timeout");
+}
+
+#######################################
+# Creates a new request
+#######################################
+sub invoke_plugins {
+ my ($self, $prefix, $type, $ref) = @_;
+
+ my $num_plugins = $self->{cfg}->get($prefix . ".num_plugins");
+ for (my $i = 0; $i < $num_plugins; $i++) {
+ my $plugin = $self->{cfg}->get($prefix . "." . $i . ".plugin");
+ eval("require $plugin");
+ my $p = $plugin->new();
+ $p->process($self->{cfg}, $self, $prefix . "." . $i, $ref);
+ }
+}
+
+#######################################
+# Creates a new request
+#######################################
+sub create_request {
+ my ($self, $type, $data, $meta_info, $created_by) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+
+ my $insert = "insert into requests (" .
+ "type" . "," .
+ "status" . "," .
+ "errorString" . "," .
+ "ip" . "," .
+ "data" . "," .
+ "serialno" . "," .
+ "subject_dn" . "," .
+ "meta_info" . "," .
+ "created_by" . "," .
+ "updated_at" . "," .
+ "created_at" .
+ ") values (" .
+ $dbh->quote($type) . "," .
+ $dbh->quote("OPEN") . "," .
+ $dbh->quote("0") . "," .
+ $dbh->quote($ENV{REMOTE_ADDR}) . "," .
+ $dbh->quote($data) . "," .
+ $dbh->quote("unavailable") . "," .
+ $dbh->quote("unavailable") . "," .
+ $dbh->quote($meta_info) . "," .
+ $dbh->quote($created_by) . "," .
+ $dbh->quote($now) . "," .
+ $dbh->quote($now) .
+ ")";
+REDO_CREATE_REQUEST:
+ eval {
+ $dbh->do($insert);
+ };
+ if ($dbh->err == 5) {
+ sleep(1);
+ goto REDO_CREATE_REQUEST;
+ }
+ my $rid = $dbh->func('last_insert_rowid');
+
+ my $ref = $self->read_request($rid);
+
+ # call plugins
+ my $prefix = "request." . $type . ".create_request";
+ $self->invoke_plugins($prefix, $type, $ref);
+
+ return $rid;
+}
+
+#######################################
+# Reads a request
+#######################################
+sub read_request {
+ my ($self, $reqid) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select *,rowid from requests " .
+ "where rowid=" . $dbh->quote($reqid);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref;
+}
+
+sub read_request_by_roles {
+ my ($self, $roles, $reqid) = @_;
+ my $dbh = $self->{dbh};
+
+ my $select;
+ if (grep /^administrators/, @$roles) {
+ # administrator see all requests
+ $select = "select *,rowid from requests " .
+ "where rowid=" . $dbh->quote($reqid);
+ } else {
+ my $filter = $self->get_role_filter($roles);
+ $select = "select *,rowid from requests where " .
+ "(" . $filter . ")" . " AND " .
+ "rowid=" . $dbh->quote($reqid);
+ }
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref;
+}
+
+#######################################
+# Sets request attributes
+#######################################
+sub set_request {
+ my ($self, $reqid, $name, $value) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+ my $update = "update requests set " .
+ $name . "=" . $dbh->quote($value) . "," .
+ "updated_at=" . $dbh->quote($now) . " " .
+ "where rowid=" . $dbh->quote($reqid);
+REDO_SET_REQUEST:
+ eval {
+ $dbh->do($update);
+ };
+ if ($dbh->err == 5) {
+ sleep(1);
+ goto REDO_SET_REQUEST;
+ }
+
+ my $select = "select *,rowid from requests " .
+ "where rowid=" . $dbh->quote($reqid);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+
+ return $ref;
+}
+
+#######################################
+# Sets output
+#######################################
+sub set_request_output {
+ my ($self, $reqid, $output) = @_;
+
+ return $self->set_request($reqid, "output", $output);
+}
+
+#######################################
+# Approves a request
+#######################################
+sub approve_request {
+ my ($self, $reqid, $processed_by) = @_;
+ my $dbh = $self->{dbh};
+
+ # XXX - check assigned_to
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+ my $update = "update requests set " .
+ "processed_by=" . $dbh->quote($processed_by) . "," .
+ "status='APPROVED' " . "," .
+ "errorString='0' " . "," .
+ "updated_at=" . $dbh->quote($now) . " " .
+ "where rowid=" . $dbh->quote($reqid);
+REDO_APPROVE_REQUEST:
+ eval {
+ $dbh->do($update);
+ };
+ if ($dbh->err == 5) {
+ sleep(1);
+ goto REDO_APPROVE_REQUEST;
+ }
+
+ my $select = "select *,rowid from requests " .
+ "where rowid=" . $dbh->quote($reqid);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+
+ # call plugins
+ my $prefix = "request." . $ref->{'type'} . ".approve_request";
+ $self->invoke_plugins($prefix, $ref->{'type'}, $ref);
+
+ my $select = "select *,rowid from requests " .
+ "where rowid=" . $dbh->quote($reqid);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+
+ return $ref;
+}
+
+#######################################
+# Rejects a request
+#######################################
+sub reject_request {
+ my ($self, $reqid, $processed_by) = @_;
+ my $dbh = $self->{dbh};
+
+ my $timet = PKI::Base::TimeTool->new();
+ my $now = $timet->get_time();
+ my $update = "update requests set " .
+ "processed_by=" . $dbh->quote($processed_by) . "," .
+ "status='REJECTED' " . "," .
+ "updated_at=" . $dbh->quote($now) . " " .
+ "where rowid=" . $dbh->quote($reqid);
+REDO_REJECT_REQUEST:
+ eval {
+ $dbh->do($update);
+ };
+ if ($dbh->err == 5) {
+ sleep(1);
+ goto REDO_REJECT_REQUEST;
+ }
+
+ my $select = "select *,rowid from requests " .
+ "where rowid=" . $dbh->quote($reqid);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+
+ # call plugins
+ my $prefix = "request." . $ref->{'type'} . ".reject_request";
+ $self->invoke_plugins($prefix, $ref->{'type'}, $ref);
+
+ my $select = "select *,rowid from requests " .
+ "where rowid=" . $dbh->quote($reqid);
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+
+ return $ref;
+}
+
+sub get_role_filter {
+ my ($self, $roles) = @_;
+ my $dbh = $self->{dbh};
+
+ my $filter = "";
+ foreach $rr (@$roles) {
+ if ($filter eq "") {
+ $filter = "assigned_to=" . $dbh->quote($rr);
+ } else {
+ $filter = $filter . " OR " . "assigned_to=" . $dbh->quote($rr);
+ }
+ }
+ return $filter;
+}
+
+#######################################
+# Lists requests
+#######################################
+sub list_requests {
+ my ($self, $startpos, $maxcount) = @_;
+ my $dbh = $self->{dbh};
+ my $select = "select *,rowid from requests " .
+ "order by rowid desc " .
+ "limit $startpos, $maxcount";
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my @reqs;
+ while (my $ref = $sth->fetchrow_hashref()) {
+ push(@reqs, $ref);
+ }
+ $sth->finish();
+ return @reqs;
+}
+
+sub count_requests_by_roles {
+ my ($self, $roles, $status) = @_;
+ my $dbh = $self->{dbh};
+
+ my $select;
+
+ if (grep /^administrators$/, @$roles) {
+ # administrator sees everything
+ $select = "select count(*) from requests where " .
+ "status like '$status%' ";
+ } else {
+ # shows requests that are owned by the groups
+ my $filter = $self->get_role_filter($roles);
+ $select = "select count(*) from requests where " .
+ "status like '$status%' AND " .
+ "(" . $filter . ") ";
+ }
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my $ref = $sth->fetchrow_hashref();
+ $sth->finish();
+ return $ref->{'count(*)'};
+}
+
+sub list_requests_by_roles {
+ my ($self, $roles, $status, $startpos, $maxcount) = @_;
+ my $dbh = $self->{dbh};
+
+ my $select;
+
+# if ($roles =~ /administrators/) {
+ if (grep /^administrators$/, @$roles) {
+ # administrator sees everything
+ $select = "select *,rowid from requests where " .
+ "status like '$status%' " .
+ "order by rowid desc " .
+ "limit $startpos, $maxcount";
+ } else {
+ # shows requests that are owned by the groups
+ my $filter = $self->get_role_filter($roles);
+ $select = "select *,rowid from requests where " .
+ "status like '$status%' AND " .
+ "(" . $filter . ") " .
+ "order by rowid desc " .
+ "limit $startpos, $maxcount";
+ }
+ my $sth = $dbh->prepare($select);
+ $sth->execute();
+ my @reqs;
+ while (my $ref = $sth->fetchrow_hashref()) {
+ push(@reqs, $ref);
+ }
+ $sth->finish();
+ return @reqs;
+}
+
+#######################################
+# Closes request queue
+#######################################
+sub close {
+ my ($self) = @_;
+ my $dbh = $self->{dbh};
+ $dbh->disconnect();
+}
+
+1;
diff --git a/base/ra/lib/perl/PKI/Service/Op.pm b/base/ra/lib/perl/PKI/Service/Op.pm
new file mode 100644
index 000000000..602f1a29f
--- /dev/null
+++ b/base/ra/lib/perl/PKI/Service/Op.pm
@@ -0,0 +1,290 @@
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+package PKI::Service::Op;
+
+use PKI::Base::UserStore;
+use PKI::Base::CertStore;
+
+sub new {
+ my $self = {};
+ bless ($self);
+ return $self;
+}
+
+sub debug_log()
+{
+ my ($self, $cfg, $msg) = @_;
+
+ my $date = `date`;
+ chomp($date);
+ open(DEBUG, ">>" . $cfg->get("logging.debug.filename"));
+ print DEBUG "$date - $msg\n";
+ close(DEBUG);
+}
+
+sub debug_params()
+{
+ my ($self, $cfg, $q) = @_;
+
+ my $date = `date`;
+ chomp($date);
+ $self->debug_log($cfg, "$date - URL '" . $ENV{REQUEST_URI} . "'");
+ my @names = $q->param();
+ foreach my $k (@names) {
+ $self->debug_log($cfg, "$date - Param $k='" . $q->param($k) . "'");
+ }
+}
+
+sub get_client_certificate()
+{
+ my ($self) = @_;
+
+ my $user_cert = $ENV{"SSL_CLIENT_CERT"};
+ $user_cert =~ s/-----BEGIN CERTIFICATE-----//g;
+ $user_cert =~ s/-----END CERTIFICATE-----//g;
+ $user_cert =~ s/\n//g;
+
+ return $user_cert;
+}
+
+sub get_current_uid()
+{
+ my ($self, $cfg) = @_;
+
+ my $user_cert = $self->get_client_certificate();
+
+ my $us = PKI::Base::UserStore->new();
+ $us->open($cfg);
+ my $ref = $us->map_user($user_cert);
+ if (!defined($ref)) {
+ return "";
+ }
+ $us->close();
+
+ return $ref->{'uid'};
+}
+
+sub get_csr_by_cert()
+{
+ my ($self, $cfg) = @_;
+
+ my $user_cert = $self->get_client_certificate();
+ my $cs = PKI::Base::CertStore->new();
+ $cs->open($cfg);
+ my $ref = $cs->map_certificate($user_cert);
+ if (!defined($ref)) {
+ return "";
+ }
+ $us->close();
+
+ return $ref->{'csr'};
+}
+
+sub get_cert_record()
+{
+ my ($self, $cfg) = @_;
+
+$self->debug_log( $cfg, "in get_cert_record");
+ my $user_cert = $self->get_client_certificate();
+ my $cs = PKI::Base::CertStore->new();
+ $cs->open($cfg);
+ my $ref = $cs->map_certificate($user_cert);
+ if (!defined($ref)) {
+$self->debug_log( $cfg, "in get_cert_record: map_certificate ref none");
+ return "";
+ }
+$self->debug_log( $cfg, "in get_cert_record: got map_certificate ref");
+ $cs->close();
+
+ return $ref;
+}
+
+sub get_current_roles()
+{
+ my ($self, $cfg) = @_;
+
+ my $uid = $self->get_current_uid($cfg);
+ my $us = PKI::Base::UserStore->new();
+ $us->open($cfg);
+ my @roles = $us->get_roles($uid);
+ $us->close();
+
+ return @roles;
+}
+
+sub get_roles_of()
+{
+ my ($self, $cfg, $uid) = @_;
+
+ my $us = PKI::Base::UserStore->new();
+ $us->open($cfg);
+ my @roles = $us->get_roles($uid);
+ $us->close();
+
+ return @roles;
+}
+
+sub admin_auth()
+{
+ my ($self, $cfg) = @_;
+
+ my $user_cert = $self->get_client_certificate();
+
+ # authentication
+ my $us = PKI::Base::UserStore->new();
+ $us->open($cfg);
+ my $ref = $us->map_user($user_cert);
+ if (!defined($ref)) {
+ return 0;
+ }
+ my @roles = $us->get_roles($ref->{'uid'});
+ $us->close();
+
+ # authorization
+ my $authorized_groups = $cfg->get("admin.authorized_groups");
+ $self->debug_log( $cfg, "in admin_auth: authorized groups are: $authorized_groups");
+ my @authorizedGroups = split(/,/, $authorized_groups);
+ my $authorized = 0;
+ foreach my $role (@roles) {
+ $self->debug_log( $cfg, "in admin_auth: user has group $role");
+ if (grep /^$role$/, @authorizedGroups) {
+ $self->debug_log( $cfg, "in admin_auth: group matched");
+ $authorized = 1;
+ }
+ }
+ if (!$authorized) {
+ $self->debug_log( $cfg, "in admin_auth: no group matched");
+ return 0;
+ }
+ return 1;
+}
+
+sub agent_auth()
+{
+ my ($self, $cfg) = @_;
+
+ my $user_cert = $self->get_client_certificate();
+
+ # authentication
+ my $us = PKI::Base::UserStore->new();
+ $us->open($cfg);
+ my $ref = $us->map_user($user_cert);
+ if (!defined($ref)) {
+ return 0;
+ }
+ my @roles = $us->get_roles($ref->{'uid'});
+ my $j = join(",", @roles);
+ $self->debug_log( $cfg, "in agent_auth: $ref->{'uid'} has roles: $j");
+ $us->close();
+
+ # authorization
+ my $authorized_groups = $cfg->get("agent.authorized_groups");
+ $self->debug_log( $cfg, "in agent_auth: authorized groups are: $authorized_groups");
+ my @authorizedGroups = split(/,/, $authorized_groups);
+ my $authorized = 0;
+ foreach $role (@roles) {
+ if (grep /^$role$/, @authorizedGroups) {
+ $self->debug_log( $cfg, "in agent_auth: group matched");
+ $authorized = 1;
+ }
+ }
+ if (!$authorized) {
+ $self->debug_log( $cfg, "in agent_auth: no group matched");
+ return 0;
+ }
+ return 1;
+}
+
+sub process {
+ my ($self) = @_;
+}
+
+sub escape_xml
+{
+ my ($v) = @_;
+ $v =~ s/\"/&quot;/g;
+ $v =~ s/\'/&apos;/g;
+ $v =~ s/\&/&amp;/g;
+ $v =~ s/</&lt;/g;
+ $v =~ s/>/&gt;/g;
+ return $v;
+}
+
+sub get_xml
+{
+ my ($s, $v) = @_;
+
+ my $result;
+ if (ref($v) eq "HASH") {
+ foreach my $xkey (keys %$v) {
+ $result .= "<" . $xkey . ">";
+ $result .= &get_xml($xkey, $v{$xkey});
+ # $result .= "-" . ref($xkey);
+ $result .= "</" . $xkey . ">";
+ }
+ } elsif (ref($v) eq "PKI::RA::GlobalVar") {
+ foreach my $xkey (keys %$v) {
+ $result .= "<" . $xkey . ">";
+ $result .= &get_xml($xkey, $$v{$xkey}->());
+ # $result .= "-" . ref($xkey);
+ $result .= "</" . $xkey . ">";
+ }
+ } elsif (ref($v) eq "ARRAY") {
+ my $pos = 0;
+ foreach my $item (@$v) {
+ $result .= "<element>";
+ $result .= &get_xml("p" . $pos, $item);
+ # $result .= "-" . ref($item);
+ $result .= "</element>";
+ $pos++;
+ }
+ } else {
+ $result .= &escape_xml($v);
+ }
+ return $result;
+}
+
+sub xml_output {
+ my ($self, $c) = @_;
+
+ my $result = "<xml>";
+ foreach $s (sort keys %$c) {
+ if ($s =~ /^__/) {
+ next;
+ }
+ $result .= "<" . $s . ">";
+ my $v = $$c{$s};
+ $result .= &get_xml($s, $v);
+ $result .= "</" . $s . ">";
+ }
+ $result .= "</xml>";
+ return "$result\n";
+}
+
+sub execute {
+ my ($self) = @_;
+ $self->process();
+}
+
+1;
diff --git a/base/ra/lib/perl/Template/Velocity.pm b/base/ra/lib/perl/Template/Velocity.pm
new file mode 100755
index 000000000..848de65fd
--- /dev/null
+++ b/base/ra/lib/perl/Template/Velocity.pm
@@ -0,0 +1,1099 @@
+#!/usr/bin/perl
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+use strict;
+
+package Template::Velocity::Executor;
+sub new;
+
+package Template::Velocity;
+
+
+# The Template::Velocity package implements a Template execution
+# engine similar to the Java Velocity package.
+
+use Parse::RecDescent;
+use Data::Dumper;
+use Thread::Semaphore;
+
+
+$Template::Velocity::parser;
+
+our $docroot="docroot";
+our $parser;
+my %parsetrees = ();
+my $debugflag = 0;
+my $semaphore;
+
+
+#GRAMMAR defined here
+
+my $vmgrammar = q{
+
+ {
+ use Data::Dumper;
+ sub Dumper
+ {
+ $::debugdumper = undef;
+ if ($::debugflag && $::debugdumper ) { return Data::Dumper(@_); }
+ else {""};
+ }
+
+ }
+
+
+# Template is the top-level object
+ template: <skip:'[ \t]*'> section(s) /\Z/
+
+ section: blockdirective
+ | nonblockdirective
+ | plainline
+
+ blockdirective: ifblock
+ | foreachblock
+
+ plainline : <skip:''> /[ \t]*/ ...!'#' linecomp(s?) /\n*/
+
+ HASH: '#'
+
+# HMM - this doesn't handle multiple variables on one line?
+ linecomp: variable
+ | <skip:'[ \t]*'> /[^\$\n]*/
+
+ nonblockdirective: '#' 'include' <commit> includeargs /\n*/ { $item[4] ; }
+ | '#' 'parse' <commit> parseargs /\n*/ { $item[4] ; }
+ | '#' 'set' <commit> setargs /\n*/ { $item[4] ; }
+ | <error:unknown command $text>
+
+
+ ifblock: ifdirective section(s) elseclause(?) enddirective
+
+
+# this bubbles up the result of the expression inside the if()
+# which is from the 'ifargs' rule
+ ifdirective: '#' 'if' <skip:'[ \t]*'> ifargs /\n/
+
+ enddirective: <skip:'[ \t]*'> '#' 'end' "\n"
+
+ elseclause: elsedirective section(s)
+
+ elsedirective: '#' 'else' "\n"
+
+ foreachblock: foreachdirective section(s) enddirective
+
+ foreachdirective: '#' 'foreach' foreachargs "\n"
+
+ ifargs: '(' expression ')'
+ | <error:Argument to if must be an expression: $text>
+
+ foreachargs: '(' variablename 'in' variable ')'
+ | <error:Arguments to 'foreach' must be of form \$a in \$b: $text>
+
+ includeargs: '(' string ')'
+ | <error:invalid argument to include: $text>
+
+ parseargs: '(' expression ')'
+ | <error:invalid argument to parsearges: $text>
+
+
+ setargs: <skip:'[ \t]*'> '(' assignment ')'
+ | <error:Argument to set must be an assignment : $text>
+
+
+# expression evaluation
+
+# this goes roughly in order of precendence:
+# ==
+# &&, ||
+# +, -
+# *
+# !
+
+# does not properly distinguish between lvalues and rvalues
+
+
+ expression: boolean
+ | <error>
+
+
+ assignment: variablename '=' boolean
+
+ boolean: equality (boolean_operator equality)(?)
+
+ boolean_operator: ( '&&' | '||' )
+
+ equality: summation (equality_operator summation)(?)
+
+
+ equality_operator: ( '==' | '!=' )
+
+ summation: product (summation_operator summation)(?)
+
+ summation_operator: ( '+' | '-' )
+
+
+# must parenthesize operator '*' to get it to appear in the $item array
+
+ product: negation ('*' product)(?)
+
+#XXX need to implement
+ negation: notoperator(?) factor
+
+ notoperator: "!"
+
+ factor: number
+ | string
+ | variable
+
+
+
+# These rules deal with variables
+# handles $process
+# $file.executablename
+# $process.getpid()
+# $person.getparent().getbrother().slap()
+# $fred.getchildren()
+
+# You'd make a dependency on the 'variable' rule if you want the value
+# of the variable.
+# You'd make a dependency on the 'variablename' rule if you want the
+# name of the variable.
+# (There's no real difference here - the expression evaluation is
+# in the variable() subroutine)
+
+ variable: variablename { ["variable", $item[1][1] ]; }
+
+ variablename: '$' identifier subfield(s?)
+ {
+ my $variableinfo = {
+ top => $item{identifier},
+ fields => $item{'subfield(s?)'}
+ };
+ $return = [ "variablename", \$variableinfo ];
+ }
+
+ subfield: '.' identifier arglist(?)
+ {
+ my $d;
+ my $a = $item{"arglist(?)"};
+ my $args;
+
+ #::debug "arglist = ".Dumper($a)."\n";
+ if ($a) {
+
+ my ($argcount, $al, $alpresent);
+
+ #$args = @{$a}->[2];
+ $args = $a->[0][2];
+ #::debug "arglist args=".Dumper($args)."\n";
+ $alpresent = $args;
+ $argcount = $#$args;
+ if ($alpresent && $argcount == -1) {
+ $args->[0] = [ ];
+ }
+ }
+
+ #::debug "arglist identifier=".$item{identifier}."\n";
+ $return = [ "subfield", {
+ fieldname => $item{identifier},
+ arglist => $args->[0],
+ } ];
+ }
+
+ arglist: '(' list(?) ')'
+
+ list: expression (',' list)(s?)
+
+
+# Basic data types
+# identifiers, numbers and strings
+
+ identifier: /[A-Za-z0-9_]+/ { $item[1]; }
+
+ number: /\d+/ {$item[1]; }
+
+ #XXX skip is all wrong here... should be in []
+ string: <skip:'[ \t]'> '"' <skip:""> /[^"]*/ '"' { $return = ["string",$item[4]]; }
+ | <skip:'[ \t]'> "'" <skip:""> /[^']*/ "'" { $return = ["string",$item[4]]; }
+
+
+# other literals
+ whitespace: /\s*/
+
+
+};
+
+
+# Get a parser object (transforming the built-in text grammar into RecDescent
+# data structure). This object can be reused for parsing multiple velocity files
+sub new
+{
+ #$::debugflag = 0;
+ my $class = shift;
+ $docroot = shift;
+ undef $::RD_HINT;
+ undef $::RD_WARN;
+ #$::RD_TRACE = 1;
+ $parser = new Parse::RecDescent($vmgrammar) or die "Bad Grammar\n";
+ $semaphore = new Thread::Semaphore;
+ $Data::Dumper::Maxdepth = 1;;
+ my $self = {};
+ $self->{parser} = $parser;
+ # ugly - :-(
+ $Template::Velocity::parser = $parser;
+ bless $self, $class;
+ return $self;
+}
+
+
+# Execute a template. Given a text string and a parser object, will return
+# a parse tree, useful for feeding into the executor.
+sub execute_string
+{
+ my $self = shift;
+ my $string = shift;
+ my $rule = shift;
+ if (! $rule ) { $rule = "template"; }
+ #print Dumper($self);
+
+ my $parser = $self->{parser};
+ my $parsetree = $parser->$rule($string);
+ my $executor = new Template::Velocity::Executor($parsetree, $parser );
+
+ my @value = $executor->run();
+ #my @value = Template::Velocity::Executor::execute($parsetree, $parser);
+ my $value = shift @value;
+ return $value;
+}
+
+sub execute_file_with_context
+{
+
+ my $self = shift;
+ my $filename = shift;
+ my $hash = shift;
+
+ # This perl Velocity implementation uses global variable to
+ # store values that go to the template. This is not thread
+ # safe and should be fixed in near future.
+ #
+ # For this release, we just a lock to prevent the global
+ # variable (i.e. symbol) being changed by multiple threads
+ # at the same time.
+
+ $semaphore->down;
+ my %c = %$hash;
+ foreach my $h (keys %c) {
+ $::symbol{$h} = $c{$h};
+ }
+
+ my $rule;
+ my $tree = $parsetrees{$filename};
+
+ if (! $tree) {
+ $rule = "template";
+ open my $fh, "<$docroot/$filename" or return undef;
+ my $string = join "",<$fh>;
+ close $fh;
+ $tree = $parser->$rule($string);
+ $parsetrees{$filename} = $tree;
+ }
+
+ my $executor = new Template::Velocity::Executor($tree, $parser );
+
+ my @value = $executor->run();
+ my $value = shift @value;
+
+ $semaphore->up;
+
+ return $value;
+
+
+}
+
+sub execute_file
+{
+
+ my $self = shift;
+ my $filename = shift;
+
+ my $rule;
+ my $tree = $parsetrees{$filename};
+
+ if (! $tree) {
+ $rule = "template";
+ open my $fh, "<$docroot/$filename" or return undef;
+ my $string = join "",<$fh>;
+ close $fh;
+ $tree = $parser->$rule($string);
+ $parsetrees{$filename} = $tree;
+ }
+
+ my $executor = new Template::Velocity::Executor($tree, $parser );
+
+ my @value = $executor->run();
+ my $value = shift @value;
+ return $value;
+
+
+}
+
+
+
+
+
+
+
+
+sub Dumper
+{
+ return "";
+ if ($::debugflag && $::debugdumper) {
+ return Data::Dumper->Dump([@_]);
+ }
+ else {""};
+}
+
+
+
+
+# This autoaction returns an array of each parse element
+# The net result is a parse tree
+# I couldn't use <autotree> because I wanted to preserve
+# the order of the elements, and <autotree> returns a
+# hashtable, not an array
+
+$::RD_AUTOACTION = q{
+ [@item];
+};
+
+# debug flags set here
+
+
+
+
+
+
+######### EXECUTE FUNCTIONS
+
+
+# These functions deal with executing the velocity parse tree
+{
+ package Template::Velocity::Executor::Rules;
+ use Data::Dumper;
+
+ # this imports symbols from these other packages, so
+ # we don't have to always use the fully-qualified names
+ *exe_all = \&Template::Velocity::Executor::exe_all;
+ *exe_optional = \&Template::Velocity::Executor::exe_optional;
+ *execute = \&Template::Velocity::Executor::execute;
+ *debug = \&Template::Velocity::Executor::debug;
+ *indent = \&Template::Velocity::Executor::indent;
+ *deindent = \&Template::Velocity::Executor::deindent;
+#XXX probably should be $, not &
+ *docroot = \&Template::Velocity::docroot;
+
+ sub Dumper
+ {
+ return "";
+ if ($::debugflag && $::debugdumper) { return Dumper(@_); }
+ else {""};
+ }
+
+ #template: <skip:'[ \t]*'> section(s) /\Z/
+ sub template {
+ my $f = "template";
+ my @item = exe_all(@_);
+ debug ("$::level $f - sections should be an array of text: .".Dumper($item[2])."\n");
+ my $sections = $item[2];
+ debug ("sections is a: ".(ref $sections)." - it should be an array\n");
+ my $r= ( join "", @{$item[2]});
+ return $r;
+ }
+
+
+ #linecomp: variable
+ # | <skip:'[ \t]*'> /[^\$\n]*/
+ sub linecomp {
+ my $item;
+ debug ("linecomp: _[2] = '".$_[2]."'\n");
+ if ($_[2]) {
+ debug ("linecomp: inside if\n");
+ $item = $_[1].$_[2];
+ } else {
+ debug ("linecomp: inside else{\n");
+ ($item) = exe_all($_[1]);
+ debug ("linecomp: end of else}\n");
+ debug ("linecomp: item =\n".Dumper($item)."\n");
+ }
+ debug ("linecomp: returning $item\n");
+ return $item;
+ }
+
+ # plainline : <skip:''> /[ \t]*/ ...!'#' linecomp(s?) /\n+/
+ sub plainline {
+ my @item = exe_all(@_);
+ debug ("$::level in plainline - linecomps should be an array of text: .".Dumper($item[4])."\n");
+ my $r = join "", @{$item[4]};
+ debug ("$::level in plainline - joined as: $r\n");
+ $r = $item[2] . $r. $item[5];
+ debug ("$::level in plainline - returning : $r\n");
+ return $r;
+ }
+
+ sub expression {
+ debug ("$::level expression = ".Dumper($_[1])."\n");
+ my ($item) = exe_all($_[1]);
+ debug ("$::level expression returning $item\n");
+ return $item;
+ }
+
+ #foreachblock: foreachdirective section(s) enddirective
+ sub foreachblock {
+ my $f = "foreachblock";
+ debug ("$::level $f started!\n");
+ my ($directive) = exe_all($_[1]);
+ debug ("$::level $f directive = \n".Dumper($directive)."\n");
+ my ($variable, $list) = @{$directive};
+ my $variablename = $$variable->{top};
+ debug ("$::level $f variable = $variablename\n");
+ debug ("$::level $f list = \n".Dumper($list)."\n");
+
+ my $result = "";
+ foreach my $q (@{$list}) {
+ debug ("$::level $f q=$q\n");
+ $::symbol{$variablename} = $q;
+ debug ("$::level $f setting variable $variablename = $q\n");
+
+ my ($sections) = exe_all($_[2]);
+ debug ("$::level $f sections was: ".Dumper($sections)."\n");
+ $result .= join "",@{$sections};
+ }
+ return $result;
+ }
+
+ #foreachdirective: '#' 'foreach' foreachargs "\n"
+ sub foreachdirective {
+ my ($item) = exe_all($_[3]);
+ return $item;
+ }
+
+ #foreachargs: '(' variablename 'in' expression ')'
+ sub foreachargs {
+ my $f = "foreachargs";
+ my ($variable, $list) = exe_all($_[2], $_[4]);
+ debug ("$::level $f variable = \n".Dumper($variable)."\n");
+ debug ("$::level $f list = \n".Dumper($list)."\n");
+ return [$variable, $list];
+ }
+
+ # XXX if block should only execute section(s) if if arg is positve)
+ # likewise for else
+ #ifblock: ifdirective section(s) elseclause(?) enddirective
+ sub ifblock {
+ my $f = "ifblock";
+ my @item = exe_all(@_);
+ debug ("$::level $f - sections should be an array of text: .".Dumper($item[2])."\n");
+ my $sections = $item[2];
+ my $else = $item[3];
+ debug ("$::level $f sections is a: ".(ref $sections)." - it should be an array\n");
+ debug ("$::level item1: if expression = ".$item[1]."\n");
+ debug ("$::level $f elseclause is a: ".(ref $else)." - it should be an scalar\n");
+ my $r= (
+ $item[1]>0 ? # if expression
+ (join "", @{$item[2]}) :
+ ($item[3] ? join "",@{$item[3]} : "")
+ );
+ # this is not quite right ... elseclause returns a scalar (it joins the sections)
+ # so why do I have to join again here? possibly because it's a '?'
+ return $r;
+ }
+
+ #elseclause: elsedirective section(s)
+ sub elseclause {
+ my $f = "elseclause";
+ my ($sections) = exe_all($_[2]);
+ debug ("$::level $f sections is a: ".(ref $sections)." - it should be an array\n");
+ my $return = join "", @{$sections};
+ debug ("$::level $f returning: $return\n");
+ return $return;
+ }
+
+ sub ifargs {
+ debug ("$::level ifargs [2] = ".Dumper($_[2])."\n");
+ my ($item) = exe_all($_[2]);
+ debug ("$::level item = ".Dumper($item)."\n");
+ my $r = $item>0 ? 1 : 0;
+ debug ("$::level ifargs returning $r\n");
+ return $r;
+ }
+
+ #ifdirective: '#' 'if' <skip:'[ \t]*'> ifargs /\n/
+ sub ifdirective {
+ my ($item) = exe_all($_[4]);
+ my $r = $item>0 ? 1 : 0;
+ debug ("$::level ifdirective returning $r\n");
+ return $r;
+ }
+
+ #boolean: equality (boolean_operator equality)(?)
+ sub boolean {
+ my $f = "boolean";
+ my ($equality, $alt) = ( execute($_[1]), $_[2]);
+ my $r = $equality;
+ if (scalar @$alt) {
+ my ($op, $equality2) = exe_optional($alt, 1,2);
+
+ if ($op eq '&&') {
+ $r = $equality && $equality2;
+ }
+ if ($op eq '||') {
+ $r = $equality || $equality2;
+ }
+ }
+
+ return $r;
+ }
+
+
+ #summation: product (summation_operator summation)(?)
+ sub summation {
+ #my @item = exe_all(@_);
+ my $f = "summation";
+ my ($product, $alt) = ( execute($_[1]), $_[2]);
+ debug("$::level $f - product = $product, alternation = $alt\n");
+ debug("$::level $f - alternation = \n".Dumper($alt)."\n");
+
+ if (scalar @$alt) {
+ if (0) {
+ debug("$::level $f - alt1= \n".Dumper($alt->[0][1])."\n");
+ debug("$::level $f - alt2= \n".Dumper($alt->[0][2])."\n");
+ my ($operator, $summation) = ( execute($alt->[0][1]), execute($alt->[0][2]),);
+ }
+ my ($operator, $summation) = exe_optional($alt, 1,2);
+
+ if ($operator eq '+') { return $product + $summation;
+ } else { return $product - $summation; }
+ } else {
+ return $product;
+ }
+ }
+
+
+
+ #equality: summation (equality_operator summation)(?)
+ sub equality {
+ my $f = "equality";
+ my ($summation, $alt) = ( execute($_[1]), $_[2] );
+
+ if (scalar @$alt) {
+ my ($operator, $summation2) = exe_optional($alt, 1,2);
+
+ # string comparison used, so (0.0) is NOT equal to (0)
+ if ($operator eq '==') { return ($summation eq $summation2) ? 1:0; }
+ else { return ($summation eq $summation2) ? 0:1; }
+ } else {
+ return $summation;
+ }
+ }
+
+
+ sub product {
+ my $f = "product";
+ my ($negation, $alt) = ( execute($_[1]), $_[2]);
+ debug("$::level $f negation = $negation, alternation = $alt\n");
+ debug("$::level $f - alternation = ".Dumper($alt)."\n");
+
+ if (scalar @$alt) {
+ if (0) {
+ debug("$::level $f - alt1= \n".Dumper($alt->[0][1])."\n");
+ debug("$::level $f - alt2= \n".Dumper($alt->[0][2])."\n");
+ my ($operator, $product) = ( execute($alt->[0][1]), execute($alt->[0][2]),);
+ }
+ my ($operator, $product) = exe_optional($alt,1,2);
+ return ($negation * $product);
+ } else {
+ return $negation;
+ }
+ }
+
+ sub factor {
+ my ($value) = exe_all($_[1]);
+ return $value;
+ }
+
+ #negation: notoperator(?) factor
+ sub negation {
+ debug ("$::level in negation... input = ".(join ",",@_)."\n");
+ #my @item = exe_all(@_);
+ my ($alt, $value) = ( $_[1], execute($_[2]) );
+ debug ("$::level negation: alternation= $alt\n");
+ debug ("$::level negation: value = $value\n");
+ my $operator = execute($alt->[0][1]);
+
+ my $r;
+ if ($operator && $operator eq '!') {
+ if ($value ) { $r = 0; }
+ else { $r = 1; }
+ debug ("$::level negation: inverting\n");
+ } else {
+ debug ("$::level negation: not inverting\n");
+ $r = $value;
+ }
+ debug ("$::level negation: returning $r\n");
+ return $r;
+ }
+
+ #setargs: <skip:'[ \t]*'> '(' assignment ')'
+ sub setargs {
+ my $f = "setargs";
+ my ($args) = exe_all($_[3]);
+ debug("$::level $f args = \n".Dumper($args)."\n");
+ my ($variable, $value) = @{$args};
+ debug("$::level $f variable type =".(ref $variable)."\n");
+ debug("$::level $f variable = \n".Dumper($variable)."\n");
+ my $symbolname = $$variable->{top};
+ debug("$::level $f setting variable '$symbolname' = $value\n");
+ $::symbol{$symbolname} = $value;
+ return "";
+ }
+
+ #assignment: variablename '=' boolean
+ sub assignment {
+ my $f = "assignment";
+ my ($variable, $value) = exe_all($_[1],$_[3]);
+ debug("$::level $f variable = \n".Dumper($variable)."\n");
+ my $r = [ $variable, $value ];
+ debug("$::level $f returning: \n".Dumper($r)."\n");
+ return $r;
+ }
+
+ #includeargs: '(' string ')'
+ sub includeargs {
+ my $f = "includeargs";
+ my ($filename ) = execute($_[2]);
+
+ debug("including file: $filename\n");
+ open my $fh, "<$docroot/$filename" or return "filenotfound $docroot/$filename!\n";
+ my $file = join "", <$fh>;
+ close FILE;
+
+ return $file;
+ }
+
+ sub parseargs {
+ my $f = "parseargs";
+ my ($filename ) = execute($_[2]);
+
+ debug("parsing file: $filename\n");
+
+ #open my $fh, "<$docroot/$filename" or return "filenotfound $docroot/$filename!\n";
+ #my $file = join "", <$fh>;
+ #close FILE;
+
+ #my $parsetree = $Template::Velocity::parser->template($file);
+ #my @value = execute($parsetree);
+ #my $value = shift @value;
+
+ my @value = Template::Velocity::execute_file(undef,$filename);
+ my $value = shift @value;
+
+ return $value;
+ }
+
+# variables
+
+# variables
+# this rule converts a variable name/identifier into its value
+# $main.subfield(argument1,argument2).subfield2(arg1,arg2)
+# There are two data structures at work here.
+# 1. the data structure specifying the variable name to be queried
+# this represents $a.b.c(100,9,5,4)
+#{
+# 'top' => 'a'
+# 'fields' => [
+# { 'fieldname' => 'b', 'arglist' => undef },
+# { 'fieldname' => 'c', 'arglist' => [ '100', 9, 5, '4', ], }
+# ],
+#}
+# 2. Data structure specifying the symbol table
+
+# return value could be:
+# a scalar: either a string/number value or reference to an array of values
+# an array
+
+ sub variable {
+# look up the root object in the symbol table
+ my $f = "variable";
+ debug("$::level $f: input\n".Dumper(\@_)."\n");
+ my $var = $_[1];
+ debug("$::level $f var=\n".Dumper($var)."\n");
+# $$var works with # 27: '#set (\$a=1+3)\n\$a\n'
+#0 REF(0x8fa0510)
+# -> HASH(0x8fa1454)
+# 'fields' => ARRAY(0x8fa8c08)
+# empty array
+# 'top' => 'a'
+
+# $var works with # 25: '$employee.add(100,4+5,2+3,4,4,5,6)'
+#DB<2> x $var
+#0 HASH(0x9c7a340)
+# 'fields' => ARRAY(0xa06e7d8)
+# 0 ARRAY(0xa06e9ac)
+# 0 'subfield'
+# 1 HASH(0xa06e880)
+# 'arglist' => ARRAY(0xa074184)
+
+ my $top = $$var->{top}; # name of the root object
+ debug("$::level $f top=\n".Dumper($top)."\n");
+ my $fields = $$var->{fields}; # array of the subidentifiers
+ my $val = "";
+
+ debug("$::level $f - top_id = $top\n");
+ debug("$::level $f : var: \n".Dumper($var)."\n");
+ debug("$::level $f - fields = \n".Dumper($fields)."\n");
+
+
+ debug("$::level $f : top = ".$top."\n");
+ if (! defined $::symbol{$top} ) {
+# XXX
+ debug ("symbol table = ",(join ",",sort keys %::symbol)."\n");
+ debug ("undefined variable: $top\n");
+ return 0;
+ }
+ debug("$::level $f symbol table: \n".Dumper(\%::symbol)."\n");
+ $val = $::symbol{$top};
+ debug("$::level $f val before: \n".Dumper($val)."\n");
+
+ debug("$::level $f - fields = \n".Dumper($fields)."\n");
+ my $pass = 1;
+ foreach my $field (@$fields) {
+ my $args;
+
+ my ($fieldname, $values);
+ {
+ debug("$::level $f pass $pass \@_=\n".Dumper(\@_)."\n");
+ debug("$::level $f before strip field = \n".Dumper($field)."\n");
+#shift @$fn; # 'subfield' string
+#$fn = $fn->[0];
+#$fn = [ (@{$fn}) ];
+#shift @$fn;
+ debug("$::level $f after strip fn = \n".Dumper($field)."\n");
+
+ $fieldname = $field->[1]->{fieldname};
+ debug("$::level $f processing field: $fieldname\n");
+ $args= $field->[1]->{arglist};
+
+
+# convert the argument list (which could be expressions, other
+# variables, etc) into raw values
+ if ($args) {
+ debug("$::level $f executing $fieldname with args:\n".Dumper($args)."\n");
+ ($values) = execute($args);
+ debug("$::level $f returned values:\n".Dumper($values)."\n");
+ }
+ }
+
+ debug("$::level $f after execute, \@_=\n".Dumper(\@_)."\n");
+
+#call the function
+ if (ref $val) {
+ debug("$::level $f : inside loop(before) {\n".Dumper($val)."\n");
+ debug("$::level $f : inside loop(before) {\n".Dumper($val)."\n");
+ if ($args) {
+ debug("$::level $f: function call\n");
+#$val = $$val->$fieldname ($args); # method call
+ my $func = $val->{$fieldname}; # method call
+ debug("$::level $f: $fieldname func=\n ".Dumper($func)."\n");
+ no strict;
+ $val = &$func($val, @$values);
+ debug("$::level $f: $fieldname result=$val\n");
+ debug("$::level $f: $fieldname result=\n".Dumper($val)."\n");
+
+ } else {
+ &::debug("$::level $f: plain field access\n");
+ if (ref $val eq "REF") {
+ $val = $$val->{$fieldname}; # field access
+ } else {
+ $val = $val->{$fieldname}; # field access
+ }
+ }
+ debug("$::level $f } inside loop(after val retrieval) val=\n".Dumper($val)."\n");
+ }
+ $pass++;
+
+ }
+
+ return $val;
+ }
+
+ #$return = [ "variablename", \$variableinfo ];
+ sub variablename {
+ my $f = "variablename";
+ debug("$::level $f: input\n".Dumper(\@_)."\n");
+ my $var = $_[1];
+ return $var;
+ }
+
+ #arglist: '(' list(?) ')'
+ sub arglist {
+ my ($list) = exe_all($_[2]);
+ debug("$::level list: ".Dumper($list)."\n");
+ if ($list) {
+ my $ll = $list->[0];
+ debug("$::level ll \n".Dumper($ll)."\n");
+ debug("$::level \$\$list: \n");
+ return $ll;
+ }
+ return undef;
+ }
+
+ #list: expression (',' list)(s?)
+ sub list {
+ my ($expr, $alt) = ( execute($_[1]), $_[2] );
+
+ if (scalar @$alt) {
+ my ($list) = exe_optional($alt, 2);
+
+ debug("$::level list: expr: $expr\n");
+ debug("$::level list: list: $list\n:");
+ debug("$::level list ".Dumper($list)."\n");
+ my $r = [ $expr, (@$list) ];
+ return $r;
+ }
+ debug("$::level returning simple expression: $expr\n:");
+ return [$expr];
+ }
+
+
+
+ sub _default {
+ debug ("$::level default rule {\n");
+ indent();
+ debug ("$::level parsing parameters\n");
+ my @item = exe_all(@_);
+ debug ("$::level default rule - last item in array is: ".$item[$#item]."\n");
+ my $r = join "",@item[1..$#item];
+ debug ("$::level default rule - returning: $r\n");
+ deindent();
+ debug ("$::level }\n");
+ return $r;
+
+ }
+
+
+}
+
+
+package Template::Velocity::Executor;
+
+use Data::Dumper;
+
+
+
+sub new
+{
+ my $class = shift;
+
+ my $parsetree = shift;
+ my $parser = shift;
+
+ my $self = {};
+ $self->{parser} = $parser;
+ $self->{parsetree} = $parsetree;
+ bless $self, $class;
+ return $self;
+}
+
+
+sub run {
+ my $self = shift;
+
+ return (execute($self->{parsetree}));
+}
+
+
+
+my $level = " ";
+
+sub debug {
+ if ($::debugflag) {
+ print @_;
+ }
+}
+
+# This basically all works calling execute($parsetree).
+# Execute will look the Parsetree, which is built by a special autoaction
+#
+# It will call top-down, into functions called 'Executor::XXX', (where XXX is
+# the name of the production)
+#
+# Additional trees, representing child productions, will be passed in
+# as arguments to the Executor::XXX function. These arguments be processed
+# before the Executor::XXX function can proceed.
+#
+# If no such function is present, Executor:_default will be run
+#
+# To process the arguments, use this in the Executor function:
+# my @item = exe(@_);
+# Which will give you an @item array similar to that in the RD rules, one
+# exception being that productions which return arrays are flattened into
+# the @item array. (bad idea?)
+#
+
+
+
+# executes a parsetree (gotten as a result of calling recdescent $parser->rule()
+# and returns the string value of the result.
+
+sub Dumper {
+ "";
+}
+
+sub execute {
+ my $result;
+ my $tree = shift; # a reference to a tree is passed in
+ debug "$level execute: {\n";
+ indent();
+ debug ("$level tree = \n".Dumper($tree)."\n");
+
+# there are 3 possible things this tree could be:
+
+# 1 a scalar .. in which case this rule represents a literal, and the
+# the literal is just returned
+#
+# 2 an array of the form (array, ...) - in which case this is the result of a production
+# which returned an array of trees. This happens
+# if you specify (s), (?), etc, in a production.
+# 3 an array of the form (scalar, ...) - in which case this refers to a subrule
+#
+
+# case 1...
+ my $type = ref $tree;
+ if ($type) {
+ debug "\n$level tree type: ".(ref $tree)." \n";
+ } else {
+ debug "\n$level tree type: scalar \n";
+ }
+ if ($type ne "ARRAY") {
+ debug "$level returning literal: '$tree'\n";
+ deindent();
+ debug "$level }\n\n";
+ return $tree;
+ }
+
+ my @result;
+
+# if this tree is the result of a auto-generated rule (e.g. alternation)
+# then tree[0] is not a name.. it is an array. just call the default action with
+# the arguments
+
+ my $rule = @{$tree}->[0]; # rule name is first
+
+ if ($rule && ref $rule eq "ARRAY") { # case 2
+ debug "$level element[0] is an array (case 2) \n";
+ debug "$level contents of input: \n".Dumper(\@{$tree})."\n";
+ #@result = exe(@{$rule});
+ debug "$level running exe on the array..\n";
+ # not sure about this...
+ @result = (exe_all(@{$tree}));
+ debug "$level contents of output: \n".Dumper(\@result)."\n";
+ #shift @result; # get rid of function name
+ $result = \@result;
+
+ } else { # case 3
+ my @args = @{$tree};
+
+ debug "$level rule is a function to execute (case 3): '$rule'\n";
+ indent();
+ my $qr = "Template::Velocity::Executor::Rules::$rule";
+ if (defined &$qr) {
+ no strict ;
+ $result = (&$qr(@args));
+ } else {
+ debug "$level no function defined for: '$rule' - calling default action\n";
+ $result = Template::Velocity::Executor::Rules::_default(@args);
+ }
+ }
+ deindent();
+ debug "$level function: $rule returned=\n".Dumper($result)."\n";
+
+ debug "$level }\n";
+ return $result;
+
+ }
+
+# these hold and set the current indent level. It's only used for nested debug messages
+sub indent {
+ if (!$debugflag) { return; }
+ $level .= " ";
+ $Data::Dumper::Pad = $level." ";
+}
+sub deindent {
+ if (!$debugflag) { return; }
+ $level = substr ($level,0,-2);
+ $Data::Dumper::Pad = $level." ";
+}
+
+
+sub exe_optional {
+ my @r;
+ my $f = shift;
+ foreach my $q (@_) {
+ debug("$level: getting arg# $q\n");
+ push @r, execute($f->[0][$q]);
+ }
+ return @r;
+}
+
+# exe: for each argument, run the 'execute' function
+#
+
+sub exe_all {
+ my $d = $Data::Dumper::Maxdepth;
+ $Data::Dumper::Maxdepth = 9;
+ debug "\n$level exe_all (".$_[0].") arguments: {\n".Dumper(\@_)." \n";
+ my @r;
+ indent();
+
+ foreach my $i (@_) {
+ push @r, execute($i);
+ }
+ deindent();
+ debug "$level exe_all: returning: \n".Dumper(\@r)."$level}\n\n";
+ $Data::Dumper::Maxdepth = $d;
+ return @r;
+}
+
+
+
+
+
+#package PKI::RA::GlobalVar;
+
+#sub new { my $self = {}; bless $self; return $self; }
+
+
+1;
+
diff --git a/base/ra/scripts/nss_pcache b/base/ra/scripts/nss_pcache
new file mode 100755
index 000000000..bf978b48b
--- /dev/null
+++ b/base/ra/scripts/nss_pcache
@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+#
+#
+
+# Check to insure that this script's original invocation directory
+# has not been deleted!
+CWD=`/bin/pwd > /dev/null 2>&1`
+if [ $? -ne 0 ] ; then
+ echo "Cannot invoke '$0' from non-existent directory!"
+ exit 255
+fi
+
+OS=`uname -s`
+
+if [ $OS = "Linux" ]; then
+ PLATFORM=`uname -i`
+ if [ $PLATFORM = "i386" ]; then
+ # 32-bit Linux
+ LD_LIBRARY_PATH=/usr/lib/dirsec:/usr/lib:$LD_LIBRARY_PATH
+ elif [ $PLATFORM = "x86_64" ]; then
+ # 64-bit Linux
+ LD_LIBRARY_PATH=/usr/lib64/dirsec:/usr/lib64:/usr/lib:$LD_LIBRARY_PATH
+ fi
+ export LD_LIBRARY_PATH
+elif [ $OS = "SunOS" ]; then
+ PLATFORM=`uname -p`
+ if [ "${PLATFORM}" = "sparc" ] &&
+ [ -d "/usr/lib/sparcv9/" ] ; then
+ PLATFORM="sparcv9"
+ fi
+ if [ $PLATFORM = "sparc" ]; then
+ # 32-bit Solaris
+ LD_LIBRARY_PATH=/usr/lib/dirsec:/usr/lib:$LD_LIBRARY_PATH
+ elif [ $PLATFORM = "sparcv9" ]; then
+ # 64-bit Solaris
+ LD_LIBRARY_PATH=/usr/lib/sparcv9/dirsec:/usr/lib/sparcv9:/usr/lib/dirsec:/usr/lib:$LD_LIBRARY_PATH
+ fi
+ export LD_LIBRARY_PATH
+fi
+
+FORTITUDE_DIR=/usr/sbin
+if [ $OS = "SunOS" ]; then
+ FORTITUDE_DIR=/opt/fortitude/bin
+fi
+
+$FORTITUDE_DIR/nss_pcache $@
diff --git a/base/ra/scripts/schema.sql b/base/ra/scripts/schema.sql
new file mode 100644
index 000000000..18fd8a39c
--- /dev/null
+++ b/base/ra/scripts/schema.sql
@@ -0,0 +1,33 @@
+#
+# --- BEGIN COPYRIGHT BLOCK ---
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
+#
+#
+# sql schema
+#
+CREATE TABLE requests ( type TEXT, ip TEXT, note TEXT, data TEXT, output TEXT, serialno TEXT, subject_dn TEXT, meta_info TEXT, status TEXT, errorString TEXT, processed_by TEXT, assigned_to TEXT, updated_at TEXT, created_at TEXT, created_by TEXT )
+CREATE TABLE users ( uid TEXT, name TEXT, password TEXT, email TEXT, certificate TEXT, created_at TEXT, created_by TEXT )
+CREATE TABLE groups ( gid TEXT, name TEXT, created_at TEXT, created_by TEXT )
+CREATE TABLE roles ( uid TEXT, gid TEXT )
+CREATE TABLE pins ( key TEXT, pin TEXT, rid TEXT, created_at TEXT, created_by TEXT )
+CREATE TABLE certificates ( rid TEXT, csr TEXT, subject_dn TEXT, certificate TEXT, serialno TEXT, approved_by TEXT, created_at TEXT )
+#
+# add defaults
+#
+INSERT INTO groups (gid, name) values ('administrators','Administrators');
+INSERT INTO groups (gid, name) values ('agents','Agents');
diff --git a/base/ra/setup/CMakeLists.txt b/base/ra/setup/CMakeLists.txt
new file mode 100644
index 000000000..f5f069cdb
--- /dev/null
+++ b/base/ra/setup/CMakeLists.txt
@@ -0,0 +1,8 @@
+set(VERSION ${APPLICATION_VERSION})
+
+install(
+ FILES
+ registry_instance
+ DESTINATION
+ ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/setup
+)
diff --git a/base/ra/setup/registry_instance b/base/ra/setup/registry_instance
new file mode 100644
index 000000000..64a73197f
--- /dev/null
+++ b/base/ra/setup/registry_instance
@@ -0,0 +1,116 @@
+# Establish PKI Variable "Slot" Substitutions
+
+PKI_FLAVOR=[PKI_FLAVOR]
+export PKI_FLAVOR
+
+PKI_SUBSYSTEM_TYPE=[PKI_SUBSYSTEM_TYPE]
+export PKI_SUBSYSTEM_TYPE
+
+PKI_USER=[PKI_USER]
+export PKI_USER
+
+PKI_GROUP=[PKI_GROUP]
+export PKI_GROUP
+
+PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
+export PKI_INSTANCE_ID
+
+PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
+export PKI_INSTANCE_INITSCRIPT
+
+PKI_HTTPD_CONF=[HTTPD_CONF]
+export PKI_HTTPD_CONF
+
+PKI_SERVER_ROOT=[SERVER_ROOT]
+export PKI_SERVER_ROOT
+
+PKI_SYSTEM_USER_LIBRARIES=[SYSTEM_USER_LIBRARIES]
+export PKI_SYSTEM_USER_LIBRARIES
+
+PKI_FORTITUDE_DIR=[FORTITUDE_DIR]
+export PKI_FORTITUDE_DIR
+
+PKI_NSS_CONF=[NSS_CONF]
+export PKI_NSS_CONF
+
+PKI_SERVER_NAME=[SERVER_NAME]
+export PKI_SERVER_NAME
+
+PKI_LOCK_FILE="[PKI_LOCKDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_LOCK_FILE
+
+PKI_PID_FILE="[PKI_PIDDIR]/${PKI_INSTANCE_ID}.pid"
+export PKI_PID_FILE
+
+PKI_SELINUX_TYPE="pki_ra_t"
+export PKI_SELINUX_TYPE
+
+pki_instance_configuration_file=${PKI_SERVER_ROOT}/conf/CS.cfg
+export pki_instance_configuration_file
+
+RESTART_SERVER=${PKI_SERVER_ROOT}/conf/restart_server_after_configuration
+export RESTART_SERVER
+
+########################################################################
+# This section contains modified content of "/etc/sysconfig/httpd" #
+########################################################################
+# Configuration file for the ${PKI_INSTANCE_ID} service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+PKI_HTTPD=${PKI_FORTITUDE_DIR}/sbin/httpd.worker
+export PKI_HTTPD
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set PKI_OPTIONS here.
+#
+PKI_OPTIONS="-f ${PKI_HTTPD_CONF}"
+export PKI_OPTIONS
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the PKI_HTTPD_LANG
+# variable can be set.
+#
+PKI_HTTPD_LANG=C
+export PKI_HTTPD_LANG
+########################################################################
+# #
+########################################################################
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+PKI_INITLOG_ARGS=""
+export PKI_INITLOG_ARGS
+
+# Set PKI_HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the server binary and short-form for messages.
+httpd=${PKI_HTTPD}
+export httpd
+
+pki_logs_directory=${PKI_SERVER_ROOT}/logs
+export pki_logs_directory
+
+# see if httpd is linked with the openldap libraries - we need to override
+# their use of OpenSSL
+if [ ${OS} = "Linux" ]; then
+ hasopenldap=0
+
+ /usr/bin/ldd ${httpd} 2>&1 | grep libldap- > /dev/null 2>&1 && hasopenldap=1
+
+ if [ ${hasopenldap} -eq 1 ] ; then
+ LD_PRELOAD="${PKI_SYSTEM_USER_LIBRARIES}/libssl3.so:${LD_PRELOAD}"
+ export LD_PRELOAD
+ fi
+elif [ ${OS} = "SunOS" ]; then
+ LD_PRELOAD_64="${PKI_SYSTEM_USER_LIBRARIES}/dirsec/libssl3.so:${LD_PRELOAD_64}"
+ export LD_PRELOAD_64
+fi