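 /**
  * insertCertificate() inserts a new certificate into the robot keyhold.
  *
  * The string is parsed as a certificate first; it is only stored when it
  * parses, is not already in the hold (same fingerprint or serial) and the
  * uploading admin resolves to exactly one row in the admins table. Every
  * failure path reports to the user via Framework::error_output() and
  * returns false; nothing is written to robot_certs in that case.
  *
  * @param string      $certificate base64 encoded PEM formatted X.509 certificate
  * @param string|null $comment     free-text comment stored with the certificate;
  *                                 null or '' is stored as a single space
  * @return boolean true when the certificate was inserted, false otherwise
  */
 private function insertCertificate($certificate, $comment)
 {
     /* validate certificate; the constructor throws on anything it cannot parse */
     try {
         $cert = new Certificate($certificate);
     } catch (KeyNotFoundException $knfe) {
         Framework::error_output(htmlentities($knfe->getMessage()));
         return false;
     } catch (CertificateException $ce) {
         Framework::error_output(htmlentities($ce->getMessage()));
         return false;
     }

     /* Refuse duplicates: neither the fingerprint nor the serial may already be in the hold */
     try {
         $query = "SELECT subscriber_id, uploaded_by, uploaded_date, valid_until, fingerprint ";
         $query .= "FROM robot_certs WHERE fingerprint = ? OR serial=?";
         $res = MDB2Wrapper::execute($query, array('text', 'text'), array($cert->getFingerprint(), $cert->getSerial()));
         if (count($res) > 0) {
             Framework::error_output($this->translateTag('l10n_err_certalrthere', 'robot'));
             return false;
         }
     } catch (Exception $e) {
         /* FIXME, add better exception mask & handling */
         Framework::error_output(__FILE__ . ":" . __LINE__ . " FIXME: " . htmlentities($e->getMessage()));
         return false;
     }

     /* Resolve the uploading admin to its admin_id and subscriber_id */
     try {
         $query = "SELECT * FROM admins WHERE admin=? AND subscriber=? AND nren=? ";
         $params = array('text', 'text', 'text');
         $data = array($this->person->getEPPN(), $this->person->getSubscriber()->getDBID(), $this->person->getNREN()->getID());
         $res = MDB2Wrapper::execute($query, $params, $data);
         switch (count($res)) {
             case 0:
                 /* Strange error. User is admin, yet not admin: report and bail out. */
                 $this->reportAdminWithoutSubscriber();
                 return false;
             case 1:
                 $admin_id = $res[0]['admin_id'];
                 $subscriber_id = $res[0]['subscriber'];
                 break;
             default:
                 /* FIXME: DB-inconsistency, the admin row should be unique */
                 $error_code = strtoupper(PW::create(8));
                 $error_msg = "[error_code: {$error_code}] multiple instances of admin (";
                 $error_msg .= htmlentities($this->person->getEPPN()) . ") found in the database.";
                 $log_msg = "[{$error_code}] multiple hits (" . count($res) . ")on ";
                 $log_msg .= $this->person->getEPPN() . " in admins-table.";
                 Framework::error_output($error_msg);
                 Logger::log_event(LOG_ALERT, $log_msg);
                 return false;
         }
     } catch (Exception $e) {
         Framework::error_output(htmlentities($e->getMessage()));
         /* FIXME, add proper exception handling */
         return false;
     }

     /* Store the certificate together with the uploader and the comment */
     try {
         if ($comment === null || $comment === '') {
             /* an empty comment is stored as a single space (presumably the column rejects '' — TODO confirm) */
             $comment = " ";
         }
         $update = "INSERT INTO robot_certs (subscriber_id, uploaded_by, uploaded_date, valid_until, cert, fingerprint, serial, comment)";
         $update .= " VALUES(?, ?, current_timestamp(), ?, ?, ?, ?, ?)";
         $params = array('text', 'text', 'text', 'text', 'text', 'text', 'text');
         $data = array($subscriber_id, $admin_id, $cert->getEndDate(), $cert->getPEMContent(), $cert->getFingerprint(), $cert->getSerial(), $comment);
         MDB2Wrapper::update($update, $params, $data);
         Logger::log_event(LOG_INFO, "[RI] Added new certificate (" . $cert->getSerial() . ") for subscriber " . $this->person->getSubscriber()->getOrgName() . " associated with admin " . $this->person->getEPPN());
     } catch (Exception $e) {
         /* FIXME */
         Framework::error_output("Couldn't update robot_certs, server said:<br />\n" . htmlentities($e->getMessage()));
         return false;
     }
     /* the serial is derived from user-supplied data, so escape it like every other value shown to the user */
     Framework::success_output($this->translateTag('l10n_suc_insertcert1', 'robot') . " " . htmlentities($cert->getSerial()) . $this->translateTag('l10n_suc_insertcert2', 'robot'));
     return true;
 }

 /**
  * Report (to the user and to the log) that the current admin could not be
  * matched to its subscriber in the admins table.
  *
  * Distinguishes two causes: the admin exists as a subscriber-admin but has
  * no subscriber attached (manual DB edit), or the subscriber itself is not
  * configured. Either way a random error-code ties the user-visible message
  * to the log entry so operational support can find it.
  *
  * @return void
  */
 private function reportAdminWithoutSubscriber()
 {
     $error_code = strtoupper(PW::create(8));
     $error_msg = "[error_code: {$error_code}]<br /><br />\n";
     $log_msg = "[{$error_code}] ";
     $query = "SELECT * FROM admins WHERE admin=? AND admin_level=? AND subscriber IS NULL";
     $params = array('text', 'text');
     $data = array($this->person->getEPPN(), SUBSCRIBER_ADMIN);
     $admin_query_res = MDB2Wrapper::execute($query, $params, $data);
     if (count($admin_query_res) != 0) {
         $error_msg .= "The subscriber-admin (" . htmlentities($this->person->getEPPN()) . ") is not properly connected ";
         $error_msg .= "to any database. This is due to a database inconsistency ";
         $error_msg .= "and is a direct result of someone manually adding the admin to the database ";
         $error_msg .= "without connecting the admin to a subscriber.";
         $log_msg .= "Subscriber-admin " . $this->person->getEPPN();
         $log_msg .= " has not set any affilitated subscriber in the database.";
         $log_msg .= " It should be " . $this->person->getSubscriber()->getOrgName();
         $log_msg .= ", but is NULL. Please update the database.";
     } else {
         $error_msg .= "For some reason, the subscriber (" . htmlentities($this->person->getSubscriber()->getOrgName()) . ") ";
         $error_msg .= "is not properly configured in the database. ";
         $error_msg .= "The exact reason is unknown. Please contact operational support.";
         $log_msg .= "Subscriber " . $this->person->getSubscriber()->getOrgName();
         $log_msg .= " is not properly configured in the database.";
     }
     $error_msg .= "<br /><br />\nThis event has been logged, please contact operational support (provide the error-code) ";
     $error_msg .= "to resolve this issue.";
     Framework::error_output($error_msg);
     Logger::log_event(LOG_ALERT, $log_msg);
 }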
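 /**
  * Provision the whole CA chain (the signing CA cert plus the intermediate
  * CA cert, plus the root CA) into $this->cert_path.
  *
  * Only acts in CA_COMODO mode. The file written here is the trust anchor
  * used elsewhere, so an incomplete download is refused rather than written:
  * if any of the three parts comes back empty, the existing file is left
  * untouched and the problem is logged. A failed write is logged as well
  * instead of being silently ignored.
  *
  * @see makeCRLAvailabe
  * @return void
  */
 private function makeChainAvailable()
 {
     if (Config::get_config('ca_mode') != CA_COMODO) {
         return;
     }
     $root_ca_content = CurlWrapper::curlContact(ConfusaConstants::$CAPI_ROOT_CA);
     $interm_ca_content = CurlWrapper::curlContact(ConfusaConstants::$CAPI_INTERMEDIATE_CA);
     $actual_ca_cert = CurlWrapper::curlContact($this->cert_url);
     /* curlContact's failure value is not known here (false/null/''), so treat any empty result as a failed download */
     if ((string) $root_ca_content === '' || (string) $interm_ca_content === '' || (string) $actual_ca_cert === '') {
         Logger::log_event(LOG_ERR, "Could not download the complete CA chain, leaving " . $this->cert_path . " unchanged.");
         return;
     }
     /* convert from DER to PEM */
     $cert = new Certificate($actual_ca_cert);
     $ca_chain = $root_ca_content . $interm_ca_content . $cert->getPEMContent(true);
     if (file_put_contents($this->cert_path, $ca_chain) === false) {
         Logger::log_event(LOG_ERR, "Could not write the CA chain to " . $this->cert_path);
     }
 }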