/**
 * Build the handler: run the parent constructor, resolve the CA backend for
 * the current person, then hand off to errorNotAuthorized() unless that
 * person may request certificates.
 *
 * The order is deliberate and unchanged: the CA lookup happens before the
 * permission check, so an unauthorised person still causes one
 * CAHandler::getCA() call. What errorNotAuthorized() does afterwards
 * (exit, redirect, ...) is defined by the parent class and not visible here.
 */
function __construct()
{
    parent::__construct();

    $this->ca = CAHandler::getCA($this->person);

    $permission = $this->person->mayRequestCertificate();
    $granted    = $permission->isPermissionGranted();
    if (!$granted) {
        $this->errorNotAuthorized($permission);
    }
}
/**
 * (Re)resolve the CA backend for the person currently attached to this object.
 *
 * Prints an error and leaves $this->ca untouched when no person has been
 * set yet.
 *
 * @throws ConfusaGenException when CAHandler::getCA() yields no usable
 *         object (it returns null for an unrecognised ca_mode).
 */
public function setCA()
{
    if (!isset($this->person)) {
        Framework::error_output("You are trying to set the CA before person is set!");
        return;
    }

    $backend   = CAHandler::getCA($this->person);
    $this->ca  = $backend;

    if ($backend) {
        return;
    }
    throw new ConfusaGenException("Could not instantiate CA-object. " .
                                  "Notify operational support and check the logs.");
}
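/**
 * parseRevList() work through a list of eppns and revoke certificates for those users
 *
 * The certificate lookup is scoped to the admin's own subscriber
 * (getSubscriber()->getOrgName()), so an admin can only revoke certificates
 * issued under that organisation.
 *
 * Progress and errors are written straight to the response with echo;
 * exception messages are HTML-escaped before output. A missing/empty uid
 * stops processing of the whole list (break, not continue).
 *
 * @param list Array list of ePPNs for users to revoke; each entry is an
 *             array carrying the ePPN under the 'uid' key
 * @param admin Person the admin owning the client-certificate
 *
 * @return Array of a list of persons coupled to the number of revoked
 * certificates. Users for whom no certificate was found are not listed.
 */
static function parseRevList($list, $admin)
{
    $revokedUsers = array();
    $ca      = CAHandler::getCA($admin);
    $orgName = $admin->getSubscriber()->getOrgName();

    foreach ($list as $entry) {
        /* Get eppn from entry; isset() also covers a missing key without a notice */
        $uid = isset($entry['uid']) ? $entry['uid'] : null;
        if ($uid === null || $uid === "") {
            echo "Need the UID. This is a REQUIRED attribute.<br />\n";
            break;
        }

        /* Search after matches for cn and subscriber. Kept in its own
         * variable so the $list being iterated is not shadowed. */
        $certs = $ca->getCertListForEPPN($uid, $orgName);
        Logger::log_event(LOG_DEBUG, "[Robot] Got list (" . count($certs) .
                          " in total) of certs for {$uid} to revoke.");

        if (count($certs) === 0) {
            continue;
        }

        $count = 0;
        foreach ($certs as $cert) {
            try {
                if ($ca->revokeCert($cert['auth_key'], "privilegeWithdrawn")) {
                    $count = $count + 1;
                }
            } catch (CGE_KeyRevokeException $kre) {
                /* message may carry backend-supplied text; escape before output */
                echo htmlentities($kre->getMessage()) . "<br />\n";
            }
        } /* end foreach() cert-list */
        $revokedUsers[] = array('eppn' => $uid, 'count' => $count);
    } /* end foreach() */

    return $revokedUsers;
}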
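/**
 * delSubscriber - remove the subscriber from the NREN and Confusa.
 *
 * This will remove the subscriber *permanently* along with all its
 * affiliated subscriber admins (this is handled by the database-schema
 * with the 'ON DELETE CASCADE').
 *
 * Before the row is deleted, every certificate the CA lists for the
 * subscriber is revoked. The subscriber is resolved through
 * nren_subscriber_view filtered on the current person's NREN, and the
 * DELETE is bound to both subscriber_id and that nren_id, so an NREN admin
 * cannot remove a subscriber that belongs to another NREN.
 *
 * @param id String|integer the ID of the institution/subscriber in the database.
 *
 * @return bool|null false on any failure (reported through Framework);
 *         nothing on success, which is reported via Framework::success_output().
 */
private function delSubscriber($id)
{
    if (!isset($id) || $id === "") {
        Framework::error_output("Cannot delete subscriber with unknown id!");
        /* abort here: an empty id must not reach the lookup below */
        return false;
    }

    /*
     * Make sure that we are deleting a subscriber from the current NREN.
     */
    try {
        $query  = "SELECT nren_id, subscriber FROM nren_subscriber_view ";
        $query .= "WHERE nren=? AND subscriber_id=?";
        $res = MDB2Wrapper::execute($query,
                                    array('text', 'text'),
                                    array($this->person->getNREN(), $id));
    } catch (DBQueryException $dbqe) {
        $errorTag = PW::create();
        $msg = "Could not delete subscriber with ID {$id} from DB.";
        Logger::logEvent(LOG_NOTICE, "NRENAdmin", "delSubscriber()",
                         $msg, __LINE__, $errorTag);
        Framework::message_output($msg . "<br />[{$errorTag}] Server said: " .
                                  htmlentities($dbqe->getMessage()));
        return false;
    } catch (DBStatementException $dbse) {
        $errorTag = PW::create();
        $msg = "Could not delete subsriber with ID {$id} from DB, due to problems with the " .
               "statement. Probably this is a configuration error. Server said: " .
               $dbse->getMessage();
        Logger::logEvent(LOG_NOTICE, "NRENAdmin", "delSubscriber()",
                         $msg, __LINE__, $errorTag);
        Framework::message_output("[{$errorTag}]" . htmlentities($msg));
        return false;
    }

    if (count($res) !== 1) {
        Framework::error_output("Could not find a unique NREN/subscriber pair for subscriber with id " .
                                htmlentities($id));
        return false;
    }

    $nren_id        = $res[0]['nren_id'];
    $subscriberName = $res[0]['subscriber'];
    if (!isset($nren_id) || $nren_id == "") {
        /* both occurrences escaped; the second call used to be misspelt (fatal) */
        Framework::error_output("Could not get the NREN-ID for subscriber " . htmlentities($id) .
                                ". Will not delete subscriber (" . htmlentities($id) . ").");
        return false;
    }

    /*
     * Revoke all certificates for subscriber
     */
    $ca    = CAHandler::getCA($this->person);
    $list  = $ca->getCertListForPersons("", $subscriberName);
    $count = 0;
    foreach ($list as $value) {
        if (!isset($value['auth_key'])) {
            continue;
        }
        try {
            /* no print_r() of the entry: that dumped DB rows into the page */
            if ($ca->revokeCert($value['auth_key'], "privilegeWithdrawn")) {
                $count = $count + 1;
            }
        } catch (CGE_KeyRevokeException $kre) {
            /* message may carry CA-supplied text; escape before output */
            echo htmlentities($kre->getMessage()) . "<br />\n";
        }
    }
    /* logged once with the final count, not once per certificate */
    Logger::logEvent(LOG_INFO, "NRENAdmin", "delSubscriber()",
                     "Deleting subscriber, revoked {$count} issued certificates " .
                     "for subscriber {$subscriberName}.");

    MDB2Wrapper::update("DELETE FROM subscribers WHERE subscriber_id = ? AND nren_id = ?",
                        array('text', 'text'),
                        array($id, $nren_id));
    Logger::logEvent(LOG_INFO, "NRENAdmin", "delSubscriber()",
                     "Deleted subscriber with ID {$id}.\n");

    $msg = $this->translateTag('l10n_suc_deletesubs1', 'nrenadmin') .
           htmlentities($subscriberName) .
           $this->translateTag('l10n_suc_deletesubs2', 'nrenadmin') . " " .
           htmlentities($id) . ". " .
           $this->translateTag('l10n_suc_deletesubs3', 'nrenadmin') . " " .
           $count . " " .
           $this->translateTag('l10n_suc_deletesubs4', 'nrenadmin');
    Framework::success_output($msg);
}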
/**
 * Build the handler and resolve the CA backend for the current person.
 *
 * The result of CAHandler::getCA() is stored without a check, so a null
 * (unrecognised ca_mode) ends up in $this->ca and surfaces at first use.
 */
function __construct()
{
    parent::__construct();

    $backend   = CAHandler::getCA($this->person);
    $this->ca  = $backend;
}
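/**
 * save() store updated results to the database, encrypting the password
 * before storage.
 *
 * Storage layout: the password is base64-encoded, encrypted with mcrypt
 * (Rijndael-256, CFB mode, key from the 'capi_enc_pw' config entry) under a
 * fresh IV from /dev/urandom, and both ciphertext and IV are stored
 * base64-encoded. The matching decrypt routine is not in view, so that
 * layout is kept byte-for-byte here.
 * NOTE(review): mcrypt is deprecated since PHP 7.1 and gone in 7.2, and CFB
 * provides confidentiality only (no integrity protection); replacing it has
 * to be coordinated with the decrypt side and existing rows.
 *
 * @param validate bool when true, the credentials are first checked against
 *        the CA backend and rejected ones are never written.
 *
 * @return bool true when the row was written; false when nothing had changed
 *         or the database update failed (details go to the log with an
 *         error tag).
 * @throws ConfusaGenException when the CA backend rejects the credentials.
 */
public function save($validate = true)
{
    if (!$this->changed) {
        return false;
    }

    if ($validate &&
        !CAHandler::getCA($this->person)->verifyCredentials($this->login_name, $this->password)) {
        /* FIXME: l10n */
        throw new ConfusaGenException("Invalid username/password, Comodo will not accept!");
    }

    /* We create a new ivector every time we save the password */
    $size    = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CFB);
    $iv      = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM);
    $cryptpw = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
                                            Config::get_config('capi_enc_pw'),
                                            base64_encode($this->password),
                                            MCRYPT_MODE_CFB,
                                            $iv));

    if (MDB2Wrapper::testColumn('nrens', 'login_name') &&
        MDB2Wrapper::testColumn('nrens', 'password') &&
        MDB2Wrapper::testColumn('nrens', 'ivector') &&
        MDB2Wrapper::testColumn('nrens', 'ap_name')) {
        $sql  = " UPDATE nrens SET login_name=?, password=?, ivector=?, ap_name=?";
        $sql .= " WHERE nren_id = ?";
        Logger::log_event(LOG_DEBUG, "Using the new database-schema for account-details");
    } else {
        /* legacy schema: separate account_map table, inserted on first save */
        if (isset($this->account_id)) {
            $sql  = "UPDATE account_map SET login_name=?, password=?, ivector=?, ap_name=?";
            $sql .= " WHERE nren_id = ?";
        } else {
            $sql  = "INSERT INTO account_map (login_name, password, ivector, ap_name, nren_id) ";
            $sql .= "VALUES(?, ?, ?, ?, ?)";
        }
    }

    $params = array('text', 'text', 'text', 'text', 'integer');
    $data   = array($this->login_name,
                    $cryptpw,
                    base64_encode($iv),
                    $this->ap_name,
                    $this->nren->getID());

    try {
        MDB2Wrapper::update($sql, $params, $data);
        Logger::log_event(LOG_NOTICE, "account-data updated for NREN " . $this->nren->getID());
    } catch (DBQueryException $dqe) {
        /* the tag is what the operator can search for; it and the server
         * message were previously created but never logged */
        $errorTag = PW::create();
        Logger::log_event(LOG_ERR, "[{$errorTag}] Could not update the login-account with ID " .
                          $this->account_id . " for " . $this->nren->getID() .
                          "(" . $this->login_name . ") " . $dqe->getMessage());
        return false;
    } catch (DBStatementException $dse) {
        $errorTag = PW::create();
        /* $this->login_name: a bare $login_name here was an undefined local */
        Logger::log_event(LOG_ERR, "[{$errorTag}] Could not update the login-account for NREN " .
                          $this->nren->getID() . " to new value " . $this->login_name . " " .
                          $dse->getMessage());
        return false;
    }

    $this->changed = false;
    return true;
}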
/**
 * getCA() return the process-wide CA backend, creating it on first use.
 *
 * The instance is cached in the static CAHandler::$ca, so the $person (and
 * the validity period derived from it) supplied by the *first* caller is
 * what every later caller receives, whatever $person they pass in.
 *
 * @param person Person the person the CA backend should act for
 * @return CA_Standalone|CA_Comodo|null null for an unrecognised ca_mode
 *         (logged at LOG_ALERT); the cache stays unset in that case, so the
 *         whole lookup runs again on the next call.
 * @throws ConfusaGenException when cert_product is neither PRD_PERSONAL nor
 *         PRD_ESCIENCE.
 */
public static function getCA($person)
{
    if (isset(CAHandler::$ca)) {
        return CAHandler::$ca;
    }

    $product = Config::get_config('cert_product');
    if ($product == PRD_PERSONAL) {
        /* if no NREN object is set, we can not know anything about the days */
        $nren = $person->getNREN();
        $validDays = is_object($nren)
                   ? $nren->getCertValidity()
                   : min(ConfusaConstants::$CAPI_VALID_PERSONAL);
    } elseif ($product == PRD_ESCIENCE) {
        $validDays = ConfusaConstants::$CAPI_VALID_ESCIENCE;
    } else {
        throw new ConfusaGenException("Confusa's configured product-mode is " .
                                      "illegal! Must be one of: PRD_ESCIENCE, " .
                                      "PRD_PERSONAL. Please contact an IT " .
                                      "administrator about that!");
    }

    $mode = (int) Config::get_config('ca_mode');
    if ($mode == CA_STANDALONE) {
        require_once 'CA_Standalone.php';
        CAHandler::$ca = new CA_Standalone($person, $validDays);
    } elseif ($mode == CA_COMODO) {
        require_once 'CA_Comodo.php';
        /* capi_test overrides the validity period with the test value */
        if (Config::get_config('capi_test') == TRUE) {
            $validDays = ConfusaConstants::$CAPI_TEST_VALID_DAYS;
        }
        CAHandler::$ca = new CA_Comodo($person, $validDays);
    } else {
        /* This is going to produce a *lot* of errors,
         * but it should also catch the attention of
         * the operators. */
        Logger::log_event(LOG_ALERT, "Tried to instantiate CA " .
                          Config::get_config('ca_mode') .
                          " but this is unknow. Config-file has errors. Check the ca_mode.");
        return null;
    }

    return CAHandler::$ca;
}
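/**
 * queryOrder() CLI helper: ask the CA backend for the status of one order
 * number on behalf of an NREN and print a human readable explanation.
 *
 * A Person object is constructed here and flagged as authenticated via
 * isAuth(true) without any credential check, solely so that CAHandler and
 * pollCertStatus() accept it. That is only defensible because this is an
 * operator command-line tool; it must not be reachable from a web entry
 * point.
 *
 * @param nren  int|string the NREN-ID as stored in the database
 * @param order string     the order number to look up at the CA
 */
function queryOrder($nren, $order)
{
    echo "Looking for {$order} issued to nren {$nren}\n";

    /* keep the id: the error message below used to print the (empty) lookup result */
    $nrenId = $nren;
    $nren   = NREN_Handler::getByID($nrenId);
    if (!$nren) {
        echo "\n\tError when retrieving NREN {$nrenId}, please use correct NREN-ID\n\n";
        listNRENs();
        return;
    }

    $person = new Person();
    $person->setNREN($nren);
    $person->isAuth(true);

    $ca     = CAHandler::getCA($person);
    $status = $ca->pollCertStatus($order, true);

    /* first line is the numeric status code, the remainder (if any) is detail text */
    $errors = explode("\n", $status, 2);
    $code   = $errors[0];
    $detail = isset($errors[1]) ? $errors[1] : "";
    if (!is_numeric($code)) {
        echo "Malformed response from CA, all bets are off :/\n";
        return;
    }
    echo "Response from CA backend: " . $code . ":\n";

    switch ($code) {
    case 0:
        echo "Certificate is currently being processed by Comodo\n";
        break;
    case 1:
        echo "Certificate available, no errors detected\n";
        getCert($ca, $order, $person);
        break;
    case -1:
        echo "Request via vulnerable channel (non-https)\n";
        break;
    case -2:
        echo "Unrecognized argument sent to CA backend.\n";
        echo $status . "\n";
        break;
    case "-3":
    case "-4":
        /* invalid password? */
        echo "You are not allowed to log in and view this certificate\n";
        $caa = "CA Account problems -";
        if (strpos($detail, "loginPassword") !== FALSE) {
            echo "{$caa} invalid password\n";
        }
        /* invalid username? */
        if (strpos($detail, "loginName") !== FALSE) {
            echo "{$caa} invalid username\n";
        }
        if (strpos($detail, "ap") !== FALSE) {
            echo "{$caa} invalid AP-Name\n";
        }
        if (strpos($detail, "orderNumber") !== FALSE) {
            echo "Invalid orderNumber, make sure that the certificate you are looking for" .
                 " are accessible via this NREN-account!\n";
        }
        break;
    case "-13":
        echo "The CSR contained a publickey with invalid keysize, make sure it is long enough!\n";
        break;
    case "-14":
        echo "Unknown error\n";
        break;
    case "-16":
        echo "Permission denied when contacting Comodo backend\n";
        break;
    case "-17":
        echo "Confusa used GET insted of POST when contacting CA backend\n";
        break;
    case "-20":
        echo "CSR rejected by CA\n";
        break;
    case "-21":
        echo "Certificate has been revoked\n";
        break;
    case "-22":
        echo "Awaiting payment, certificate on hold\n";
        break;
    default:
        echo "unknown error (" . $code . ")\n";
        break;
    } /* endswitch */

    print_r($detail);
    echo "\n";
}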