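 /**
  * Build the page controller and resolve the CA backend for the current person.
  *
  * The CA object is obtained before the permission check; when the person may
  * not request certificates the not-authorized handler is invoked.
  *
  * NOTE(review): assumes errorNotAuthorized() terminates the request. If it only
  * renders a message, construction completes with a usable CA object for a
  * person that failed the check — confirm in the parent class.
  */
 public function __construct()
 {
     parent::__construct();
     $this->ca = CAHandler::getCA($this->person);

     $perm = $this->person->mayRequestCertificate();
     if (!$perm->isPermissionGranted()) {
         $this->errorNotAuthorized($perm);
     }
 }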
 /**
  * Resolve and cache the CA backend for the already-set person.
  *
  * Emits a framework error and returns early when no person is set yet.
  *
  * @throws ConfusaGenException when CAHandler::getCA() yields no object
  */
 public function setCA()
 {
     if (!isset($this->person)) {
         Framework::error_output("You are trying to set the CA before person is set!");
         return;
     }

     $backend = CAHandler::getCA($this->person);
     $this->ca = $backend;
     if (!$backend) {
         throw new ConfusaGenException(
             "Could not instantiate CA-object. Notify operational support and check the logs."
         );
     }
 }
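 /**
  * parseRevList() work through a list of eppns and revoke certificates for those users
  *
  * @param list Array list of ePPNs for users to revoke; each entry is an
  *             array carrying the 'uid' key
  * @param admin Person the admin owning the client-certiticate
  *
  * @return Array of a list of persons coupled to the number of revoked
  * certificates. Users for which no certificate was found are not included.
  */
 static function parseRevList($list, $admin)
 {
     $revokedUsers = array();
     $ca = CAHandler::getCA($admin);

     foreach ($list as $entry) {
         /* Get eppn from entry; a missing or empty uid aborts the run. */
         if (!isset($entry['uid']) || $entry['uid'] === "") {
             echo "Need the UID. This is a REQUIRED attribute.<br />\n";
             /* NOTE(review): break skips every remaining entry, not just this
              * one; continue may have been intended — confirm with callers. */
             break;
         }
         $uid = $entry['uid'];

         /* Search after matches for cn and subscriber. Kept in its own
          * variable so the outer $list being iterated is not clobbered. */
         $certs = $ca->getCertListForEPPN($uid, $admin->getSubscriber()->getOrgName());
         Logger::log_event(LOG_DEBUG, "[Robot] Got list (" . count($certs) . " in total) of certs for {$uid} to revoke.");

         if (count($certs) > 0) {
             $count = 0;
             foreach ($certs as $cert) {
                 try {
                     if ($ca->revokeCert($cert['auth_key'], "privilegeWithdrawn")) {
                         $count++;
                     }
                 } catch (CGE_KeyRevokeException $kre) {
                     echo htmlentities($kre->getMessage()) . "<br />\n";
                 }
             }
             $revokedUsers[] = array('eppn' => $uid, 'count' => $count);
         }
     }
     return $revokedUsers;
 }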
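 /**
  * delSubscriber - remove the subscriber from the NREN and Confusa.
  *
  * This will remove the subscriber *permanently* along with all it's
  * affiliated subscriber admins (this is handled by the database-schema
  * with the 'ON DELETE CASCADE'.
  *
  * Before the row is deleted, every certificate issued to the subscriber is
  * revoked through the CA backend.
  *
  * @param id String|integer the ID of the institution/subscriber in the database.
  *
  * @return false on any failure; nothing on success (a success message is
  *         rendered through Framework::success_output()).
  */
 private function delSubscriber($id)
 {
     if (!isset($id) || $id === "") {
         Framework::error_output("Cannot delete subscriber with unknown id!");
         /* Used to fall through and continue with the empty id. */
         return false;
     }
     $nren = $this->person->getNREN();

     /*
      * Make sure that we are deleting a subscriber from the current NREN.
      */
     try {
         $query = "SELECT nren_id, subscriber FROM nren_subscriber_view ";
         $query .= "WHERE nren=? AND subscriber_id=?";
         $res = MDB2Wrapper::execute($query, array('text', 'text'), array($nren, $id));
     } catch (DBQueryException $dbqe) {
         $errorTag = PW::create();
         $msg = "Could not delete subscriber with ID {$id} from DB.";
         Logger::logEvent(LOG_NOTICE, "NRENAdmin", "delSubscriber()", $msg, __LINE__, $errorTag);
         Framework::message_output($msg . "<br />[{$errorTag}] Server said: " . htmlentities($dbqe->getMessage()));
         return false;
     } catch (DBStatementException $dbse) {
         $errorTag = PW::create();
         $msg = "Could not delete subsriber with ID {$id} from DB, due to problems with the "
             . "statement. Probably this is a configuration error. Server said: " . $dbse->getMessage();
         Logger::logEvent(LOG_NOTICE, "NRENAdmin", "delSubscriber()", $msg, __LINE__, $errorTag);
         Framework::message_output("[{$errorTag}]" . htmlentities($msg));
         return false;
     }

     if (count($res) !== 1) {
         Framework::error_output("Could not find a unique NREN/subscriber pair for subscriber with id " . htmlentities($id));
         return false;
     }

     $nren_id = $res[0]['nren_id'];
     $subscriberName = $res[0]['subscriber'];
     if (!isset($nren_id) || $nren_id === "") {
         /* The second escape call was misspelled (htmlentites) and would have been a fatal error. */
         Framework::error_output("Could not get the NREN-ID for subscriber " . htmlentities($id) . ". Will not delete subscriber (" . htmlentities($id) . ").");
         return false;
     }

     /*
      * Revoke all certificates for subscriber
      */
     $ca = CAHandler::getCA($this->person);
     $list = $ca->getCertListForPersons("", $subscriberName);
     $count = 0;
     foreach ($list as $cert) {
         /* The raw record used to be print_r'd into the page; that debug dump is gone. */
         if (!isset($cert['auth_key'])) {
             continue;
         }
         try {
             if ($ca->revokeCert($cert['auth_key'], "privilegeWithdrawn")) {
                 $count++;
             }
         } catch (CGE_KeyRevokeException $kre) {
             /* Escaped like the other error paths; the text may originate from the CA. */
             echo htmlentities($kre->getMessage()) . "<br />\n";
         }
     }
     /* Summary once after the loop; it used to be logged per certificate with a running count. */
     Logger::logEvent(LOG_INFO, "NRENAdmin", "delSubscriber()", "Deleting subscriber, revoked {$count} issued certificates " . "for subscriber {$subscriberName}.");

     MDB2Wrapper::update("DELETE FROM subscribers WHERE subscriber_id = ? AND nren_id = ?", array('text', 'text'), array($id, $nren_id));
     Logger::logEvent(LOG_INFO, "NRENAdmin", "delSubscriber()", "Deleted subscriber with ID {$id}.\n");

     $msg = $this->translateTag('l10n_suc_deletesubs1', 'nrenadmin')
         . htmlentities($subscriberName)
         . $this->translateTag('l10n_suc_deletesubs2', 'nrenadmin')
         . " " . htmlentities($id) . ". "
         . $this->translateTag('l10n_suc_deletesubs3', 'nrenadmin')
         . " " . $count . " "
         . $this->translateTag('l10n_suc_deletesubs4', 'nrenadmin');
     Framework::success_output($msg);
 }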
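 /**
  * Build the page controller and resolve the CA backend for the current person.
  *
  * Relies on the parent constructor having populated $this->person.
  */
 public function __construct()
 {
     parent::__construct();
     $this->ca = CAHandler::getCA($this->person);
 }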
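 /**
  * save() store updated results to the database, encrypting the password
  * before storage.
  *
  * A fresh IV is generated on every save and stored base64-encoded next to
  * the ciphertext so the password can be decrypted later.
  *
  * @param validate bool when true the credentials are first checked against
  *                 the CA backend and an invalid pair aborts the save
  *
  * @return bool true when the row was written; false when nothing had changed
  *              or the database update failed (the failure is logged)
  *
  * @throws ConfusaGenException when validation is requested and fails
  */
 public function save($validate = true)
 {
     if (!$this->changed) {
         return false;
     }
     if ($validate && !CAHandler::getCA($this->person)->verifyCredentials($this->login_name, $this->password)) {
         /* FIXME: l10n */
         throw new ConfusaGenException("Invalid username/password, Comodo will not accept!");
     }

     /* We create a new ivector every time we save the password.
      *
      * NOTE(review): mcrypt was deprecated in PHP 7.1 and removed in 7.2, and
      * MCRYPT_RIJNDAEL_256 is Rijndael with a 256-bit block (not AES-256).
      * The ciphertext carries no authentication tag. Replacing this changes
      * the stored format, so the decrypt path has to migrate with it. */
     $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CFB);
     $iv = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM);
     $cryptpw = base64_encode(mcrypt_encrypt(
         MCRYPT_RIJNDAEL_256,
         Config::get_config('capi_enc_pw'),
         base64_encode($this->password),
         MCRYPT_MODE_CFB,
         $iv
     ));

     /* Prefer the account columns on the nrens table when the schema has them. */
     $newSchema = MDB2Wrapper::testColumn('nrens', 'login_name')
         && MDB2Wrapper::testColumn('nrens', 'password')
         && MDB2Wrapper::testColumn('nrens', 'ivector')
         && MDB2Wrapper::testColumn('nrens', 'ap_name');
     if ($newSchema) {
         $sql = " UPDATE nrens SET login_name=?, password=?, ivector=?, ap_name=?";
         $sql .= " WHERE nren_id = ?";
         Logger::log_event(LOG_DEBUG, "Using the new database-schema for account-details");
     } elseif (isset($this->account_id)) {
         $sql = "UPDATE account_map SET login_name=?, password=?, ivector=?, ap_name=?";
         $sql .= " WHERE nren_id = ?";
     } else {
         $sql = "INSERT INTO account_map (login_name, password, ivector, ap_name, nren_id) ";
         $sql .= "VALUES(?, ?, ?, ?, ?)";
     }

     $nrenID = $this->nren->getID();
     $params = array('text', 'text', 'text', 'text', 'integer');
     $data = array($this->login_name, $cryptpw, base64_encode($iv), $this->ap_name, $nrenID);
     try {
         MDB2Wrapper::update($sql, $params, $data);
         Logger::log_event(LOG_NOTICE, "account-data updated for NREN " . $nrenID);
     } catch (DBQueryException $dqe) {
         /* The tag was created but never written anywhere; log it so a report can be correlated. */
         $errorTag = PW::create();
         Logger::log_event(LOG_ERR, "[{$errorTag}] Could not update the login-account with ID " . $this->account_id . " for " . $nrenID . "(" . $this->login_name . "): " . $dqe->getMessage());
         return false;
     } catch (DBStatementException $dse) {
         $errorTag = PW::create();
         /* $login_name was an undefined local here; the property is what changed. */
         Logger::log_event(LOG_ERR, "[{$errorTag}] Could not update the login-account for NREN " . $nrenID . " to new value " . $this->login_name . " " . $dse->getMessage());
         return false;
     }
     $this->changed = false;
     return true;
 }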
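 /**
  * Return the process-wide CA backend, creating it on first use.
  *
  * The certificate validity (in days) is derived from the configured
  * 'cert_product' and, for PRD_PERSONAL, from the person's NREN. The backend
  * class is selected by the 'ca_mode' config value.
  *
  * NOTE(review): the instance is cached in CAHandler::$ca and bound to the
  * $person of the first call; later calls with a different person receive the
  * same object. Fine for one person per request — confirm no caller relies
  * on otherwise.
  *
  * @param person Person the person the CA acts on behalf of
  *
  * @return CA_Standalone|CA_Comodo|null null when 'ca_mode' is unknown
  *
  * @throws ConfusaGenException when 'cert_product' is neither PRD_PERSONAL nor PRD_ESCIENCE
  */
 public static function getCA($person)
 {
     if (isset(self::$ca)) {
         return self::$ca;
     }

     $product = Config::get_config('cert_product');
     if ($product == PRD_PERSONAL) {
         /* if no NREN object is set, we can not know anything about the days */
         $nren = $person->getNREN();
         if (!is_object($nren)) {
             $days = min(ConfusaConstants::$CAPI_VALID_PERSONAL);
         } else {
             $days = $nren->getCertValidity();
         }
     } elseif ($product == PRD_ESCIENCE) {
         $days = ConfusaConstants::$CAPI_VALID_ESCIENCE;
     } else {
         throw new ConfusaGenException("Confusa's configured product-mode is "
             . "illegal! Must be one of: PRD_ESCIENCE, "
             . "PRD_PERSONAL. Please contact an IT "
             . "administrator about that!");
     }

     switch ((int) Config::get_config('ca_mode')) {
         case CA_STANDALONE:
             require_once 'CA_Standalone.php';
             self::$ca = new CA_Standalone($person, $days);
             break;
         case CA_COMODO:
             require_once 'CA_Comodo.php';
             /* Test mode overrides the validity with the test-CA value. */
             if (Config::get_config('capi_test') == TRUE) {
                 $days = ConfusaConstants::$CAPI_TEST_VALID_DAYS;
             }
             self::$ca = new CA_Comodo($person, $days);
             break;
         default:
             /* This is going to produce a *lot* of errors,
              * but it should also catch the attention of
              * the operators. */
             Logger::log_event(LOG_ALERT, "Tried to instantiate CA " . Config::get_config('ca_mode') . " but this is unknow. Config-file has errors. Check the ca_mode.");
             return null;
     }
     return self::$ca;
 }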
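/**
 * Look up the status of one CA order for an NREN and print it to stdout.
 *
 * Resolves the NREN, builds a Person bound to it, asks the CA backend for the
 * order status and translates the numeric status code into a readable line.
 * On status 1 the certificate itself is fetched via getCert().
 *
 * @param nren  int|string the NREN-ID as stored in the database
 * @param order string     the CA order number to query
 */
function queryOrder($nren, $order)
{
    echo "Looking for {$order} issued to nren {$nren}\n";
    /* Keep the requested id: $nren is replaced by the lookup result below,
     * and the error message used to print that (empty) result instead. */
    $nrenID = $nren;
    $nren = NREN_Handler::getByID($nrenID);
    if (!$nren) {
        echo "\n\tError when retrieving NREN {$nrenID}, please use correct NREN-ID\n\n";
        listNRENs();
        return;
    }
    $person = new Person();
    $person->setNREN($nren);
    $person->isAuth(true);
    $ca = CAHandler::getCA($person);

    $status = $ca->pollCertStatus($order, true);
    /* First line is the numeric status code; the rest, if present, is detail text. */
    $errors = explode("\n", $status, 2);
    $code = $errors[0];
    $detail = isset($errors[1]) ? $errors[1] : "";
    if (!is_numeric($code)) {
        echo "Malformed response from CA, all bets are off :/\n";
        return;
    }
    echo "Response from CA backend: " . $code . ":\n";
    /* All labels are numeric strings; numeric strings compare numerically in
     * switch, so this matches the former mix of int and string labels. */
    switch ($code) {
        case "0":
            echo "Certificate is currently being processed by Comodo\n";
            break;
        case "1":
            echo "Certificate available, no errors detected\n";
            getCert($ca, $order, $person);
            break;
        case "-1":
            echo "Request via vulnerable channel (non-https)\n";
            break;
        case "-2":
            echo "Unrecognized argument sent to CA backend.\n";
            echo $status . "\n";
            break;
        case "-3":
        case "-4":
            /* invalid password? */
            echo "You are not allowed to log in and view this certificate\n";
            $caa = "CA Account problems -";
            if (strpos($detail, "loginPassword") !== FALSE) {
                echo "{$caa} invalid password\n";
            }
            /* invalid username? */
            if (strpos($detail, "loginName") !== FALSE) {
                echo "{$caa} invalid username\n";
            }
            if (strpos($detail, "ap") !== FALSE) {
                echo "{$caa} invalid AP-Name\n";
            }
            if (strpos($detail, "orderNumber") !== FALSE) {
                echo "Invalid orderNumber, make sure that the certificate you are looking for"
                    . " are accessible via this NREN-account!\n";
            }
            break;
        case "-13":
            echo "The CSR contained a publickey with invalid keysize, make sure it is long enough!\n";
            break;
        case "-14":
            echo "Unknown error\n";
            break;
        case "-16":
            echo "Permission denied when contacting Comodo backend\n";
            break;
        case "-17":
            echo "Confusa used GET insted of POST when contacting CA backend\n";
            break;
        case "-20":
            echo "CSR rejected by CA\n";
            break;
        case "-21":
            echo "Certificate has been revoked\n";
            break;
        case "-22":
            echo "Awaiting payment, certificate on hold\n";
            break;
        default:
            echo "unknown error (" . $code . ")\n";
            break;
    }
    /* endswitch */
    print_r($detail);
    echo "\n";
}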