public function __construct(Cert $cert)
{
$this->cert = $cert;
if ($parent = $cert->getParent()) {
$this->parentValidator = new self($parent);
}
}
/**
* Verify certificate chain
*
* Verifies the chain of certificates based on the first one as root certificate.
*
* @access private
* @param int $now Unix timestamp in milliseconds
* @return array An array of Cert-objects based on the identity certificates
*/
private function verifyChain($now)
{
if (!is_array($this->certs)) {
throw new \Exception("certs must be an array of at least one cert");
}
$rootIssuer;
try {
// the root
$token = WebToken::parse($this->certs[0]);
$rootIssuer = $token->getPayload();
$rootIssuer = $rootIssuer["iss"];
} catch (Exception $x) {
// can't extract components
throw new \Exception("malformed signature");
}
// TODO: Check if PrimaryCache entry exists, try verifyChainAgainstKey with cached entry.
// If it fails, remove the cache entry and retry verifyChainAgainstKey with newly fetched key.
// TODO: Extract this into verifyChainAgainstKey
$rootPK = CertBundle::getPublicKey($rootIssuer);
$certResult = array();
for ($i = 0; $i < sizeof($this->certs); $i++) {
$cert = Cert::parse($this->certs[$i], $rootPK);
if (!$cert->verify($now)) {
throw new \Exception("certificate " . $i . " is not valid");
}
$certResult[] = $cert;
}
// TODO: Extract this into verifyChainAgainstKey
return $certResult;
}
private function _setCA(Cert &$cert, $insertMode = FALSE)
{
$method = "PUT";
$url = E3_PROV_URL_TRUSTSTORE . "/certs/" . rawurlencode($cert->getId());
if ($insertMode) {
$method = "POST";
$url = E3_PROV_URL_TRUSTSTORE . "/certs";
}
/**
* Send the XML payload the the Provisioning Backend
*/
LoggerInterface::log(($insertMode ? "Creating" : "Updating") . " Cert: {$cert->toXML()}\nEndpoint: ({$method}) {$url}", LoggerInterface::INFO);
$reply = $this->restClient->makeCall($url, $method, $cert->toXML());
$xml = simplexml_load_string($reply->getPayload());
if ($reply->getHTTPCode() === "200") {
if ($insertMode) {
if ($cert->getId() == NULL) {
$cert->setId((string) $xml->id);
}
}
return $cert;
} else {
throw new Exception(!empty($xml->error) ? $xml->error->errorText : UNDEFINED_ERROR_TEXT);
}
}
public function destroy($certId)
{
$cert = Cert::find($certId);
if (!$cert || $cert->owner->id != Auth::user()->id && !Auth::user()->isAdmin()) {
return Redirect::route('certs-path');
}
$sluggedDomain = Str::slug(str_replace('.', '_', $cert->domain));
$cert->delete();
File::delete($this->certDir . $sluggedDomain . '.key');
File::delete($this->certDir . $sluggedDomain . '.pem');
File::delete($this->certDir . $sluggedDomain . '.crt');
return Redirect::route('certs-path');
}
private function validateFormAndGetCA(&$validationErrors)
{
$registry = Zend_Registry::getInstance();
$translate = $registry->get("Zend_Translate");
$validationErrors = array();
$ca = new Cert();
$validate_alnum_wspace = new Zend_Validate_Alnum(array('allowWhiteSpace' => true));
// TODO: validate id field?
$id = $_POST['ca_id'];
$ca->setId($id);
$name = $_POST['ca_name'];
if (!$validate_alnum_wspace->isValid($name)) {
$validationErrors['ca_name'] = $translate->translate("The CA name must be only alpha-numeric characters");
}
$ca->setDisplayName($_POST['ca_name']);
if (isset($_FILES['ca_file']) && !empty($_FILES['ca_file']['name'])) {
if (!$_FILES['ca_file']['error']) {
$contents = file_get_contents($_FILES['ca_file']['tmp_name']);
if ($contents !== false) {
$ca->setContent($contents);
} else {
$validationErrors['ca_file'] = $translate->translate("There was an error getting contents of CA file.");
}
} else {
$validationErrors['ca_file'] = $translate->translate("There was an error uploading file: ") . $_FILES['content']['error'];
}
} else {
if (empty($id)) {
$validationErrors['ca_file'] = $translate->translate("Please upload a CA file.");
}
}
return $ca;
}
/**
* Parse serialized identity certificate
*
* Parses a serialized, signed identity certificate and check if it's valid by
* checking the signature against the public key of the issuer.
*
* @access public
* @static
* @param string $signedObject Signed identity certificate
* @param AbstractPublicKey $publicKey Public key of the issuer
* @return Cert Instance of the identity certificate
*/
public static function parse($signedObject, $publicKey)
{
$token = WebToken::parse($signedObject);
// try {
if (!$token->verify($publicKey)) {
throw new \Exception("cert was not valid signed");
}
/* } catch (\Exception $x) {
// can't extract components
throw new \Exception("cert was not valid signed");
}*/
$params = $token->getPayload();
return Cert::deserialize($params);
}
/**
* Create identity certificate
*
* Create an identity certificate that is signed by this identity providers key
*
* @access public
* @static
* @param string $principal The mail address of the person to identify
* @param AbstractPublicKey $publicKeyIdentity The public key of the person
* @param int $now Unix Timestamp in milliseconds or null for now
* @param string $issuer Issuer domain of the identity provider or null for the configured hostname
* @return string The serialized signed identity certificate
*/
public static function createIdentityCert($principal, $publicKeyIdentity, $now = null, $issuer = null)
{
if ($now == null) {
$now = time() * 1000;
}
if ($issuer == null) {
$issuer = Configuration::getInstance()->get('hostname');
}
$expires = $now + Configuration::getInstance()->get('identity_validity') * 1000;
$certAssertion = new Assertion($now, $expires, $issuer, null);
$certParams = new CertParams($publicKeyIdentity, array("email" => $principal));
$cert = new Cert($certAssertion, $certParams, null);
return $cert->sign(Secrets::loadSecretKey());
}
