/* Copyright (C) 2003 Frédéric Giudicelli (contact_nos@yahoo.com). All rights reserved.
   This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
   This program is released under the GPL with the additional exemption that compiling,
   linking, and/or using OpenSSL is allowed.
   This program is free software; you can redistribute it and/or modify it under the
   terms of the GNU General Public License as published by the Free Software Foundation;
   either version 2 of the License.
   This program is distributed in the hope that it will be useful, but WITHOUT ANY
   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
   PARTICULAR PURPOSE. See the GNU General Public License for more details.
   You should have received a copy of the GNU General Public License along with this
   program; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
   Suite 330, Boston, MA 02111-1307 USA */

// RaStore.h: interface for the RaStore class.
//
//////////////////////////////////////////////////////////////////////

#ifndef RASTORE_H
#define RASTORE_H

#include "NewPKIStore.h"
// NOTE(review): the targets of the next three #include directives were lost in
// extraction (angle-bracket system/OpenSSL headers, presumably) — restore them
// from the original file before building.
#include
#include
#include
#include "AsynchJobs.h"
#include "AutoSynchLDAP.h"
#include "MailInfo.h"
#include "RaStore_ASN1.h"

/*! \brief This class is the store for a RA (Registration Authority).
 *
 * It keeps the RA's profiles and their certificate requests / certificates in
 * two SQL tables (RASTORE_PROFILES_TABLE and RASTORE_CERTS_TABLE, created by
 * RASTORE_CREATE_1 / RASTORE_CREATE_2) and derives from AutoSynchLDAPEvent
 * (LDAP synchronisation callbacks, presumably — see OnNewProfile) and
 * NewPKIStore.
 *
 * Operator-facing methods take the operator's certificate (UserCert) so that
 * access can be checked against the profile owner (see CanUserAccessProfile).
 * The methods that take no UserCert — UnsuspendCertificate, DeleteCertReq,
 * InsertResponse, GetCertReq — carry no per-call access check in their
 * signature, so they must only be reached from a path that has already
 * authorised the operation.
 *
 * Profiles are stored together with a signature (see SignProfile and the
 * NEWPKI_PROFILE_sign / NEWPKI_PROFILE_verify macros) so that tampering with
 * the `datas` column can be detected on read.
 */
class RaStore : public AutoSynchLDAPEvent, public NewPKIStore
{
public:
	/*! \brief This is the constructor.
	 * \param EntityName [IN] The name of the entity.
	 * \param e [IN] The ENGINE, can be NULL.
	 */
	RaStore(const mString & EntityName, ENGINE * e);

	/*! \brief This is the destructor.
	 */
	virtual ~RaStore();

	/*! \brief This function creates the RA tables on a connection.
	 * \param DbConn [IN] The database connection to create the tables on
	 *        (RASTORE_CREATE_1 / RASTORE_CREATE_2, presumably).
	 * \return true on success, false on failure.
	 */
	bool CreateTables(const SQL_Connection * DbConn);

	/*! \brief This function sets the groups info.
	 * \param groups [IN] The groups info (kept in m_groups; IsValidGroupId
	 *        checks group ids against it, presumably).
	 * \return true on success, false on failure.
	 */
	bool SetGroups(const mVector & groups);

	/*! \brief This function sets the validator.
	 * \param AclValidator [IN] The validator. Only the pointer is stored
	 *        (m_AclValidator); the caller keeps the object alive for as long as
	 *        this store uses it.
	 */
	void SetAclValidator(const X509_ACL_Validator * AclValidator);

	/*! \brief This function sets the minimum PKCS12 password length.
	 * \param MinPasswdLen [IN] The minimum PKCS12 password length, used by
	 *        GeneratePassword.
	 */
	void SetMinPasswdLen(unsigned long MinPasswdLen);

	/*! \brief Callback for a newly discovered profile.
	 * \param newProfile [IN] The new profile.
	 * \return true on success, false on failure.
	 *
	 * NOTE(review): presumably the AutoSynchLDAPEvent override — confirm
	 * against AutoSynchLDAP.h.
	 */
	bool OnNewProfile(const NewpkiProfile & newProfile);

	/*! \brief This function gets the LDAP UIDs already known to the store.
	 * \param KnownUIDs [OUT] The known UIDs (RASTORE_GET_KNOWN_RDNS,
	 *        presumably).
	 * \return true on success, false on failure.
	 */
	bool GetKnownUIDs(mVector & KnownUIDs);

	/*! \brief This function inserts a new profile.
	 * \param UserCert [IN] The certificate of the creator.
	 * \param Profile [IN] The new profile.
	 * \param ProfileId [OUT] The new profile's internal UID.
	 * \return true on success, false on failure.
	 *
	 * NOTE: the id is reported as `long` here while every other method takes
	 * an `unsigned long` profile id; the mismatch is kept for compatibility.
	 */
	bool InsertProfile(const PKI_CERT &UserCert, const NewpkiProfile & Profile, long & ProfileId);

	/*! \brief This function gets the list of profiles.
	 * \param UserCert [IN] The certificate of the operator requesting the operation.
	 * \param Profiles [OUT] The profiles list.
	 * \param index [IN] The index for the enumeration.
	 * \param num [IN] The maximum number of entries to return.
	 * \return true on success, false on failure.
	 */
	bool EnumProfiles(const PKI_CERT &UserCert, mVector & Profiles, long index, long num);

	/*! \brief This function deletes a profile.
	 * \param UserCert [IN] The optional certificate of the operator requesting the operation.
	 * \param ProfileId [IN] The profile's internal UID.
	 * \param CheckOwnership [IN] Should the ownership be checked. When false
	 *        the ownership check is skipped entirely, so pass false only from a
	 *        path that has already authorised the deletion.
	 * \return true on success, false on failure.
	 */
	bool DeleteProfile(const PKI_CERT &UserCert, long ProfileId, bool CheckOwnership);

	/*! \brief This function gets a profile.
	 * \param UserCert [IN] The certificate of the operator requesting the operation.
	 * \param ProfileId [IN] The profile's internal UID.
	 * \param Profile [OUT] The profile.
	 * \return true on success, false on failure.
	 */
	bool GetProfile(const PKI_CERT & UserCert, unsigned long ProfileId, NewpkiProfileDatas & Profile);

	/*! \brief This function deletes the PKCS12 associated with a profile.
	 * \param UserCert [IN] The certificate of the operator requesting the operation.
	 * \param id [IN] The profile's internal UID.
	 * \return true on success, false on failure.
	 */
	bool DeletePKCS12(const PKI_CERT &UserCert, unsigned long id);

	/*! \brief This function gets a certificate request.
	 * \param transactionID [IN] The transactionID associated with the request.
	 * \param Cert [OUT] The certificate request.
	 * \return true on success, false on failure.
	 *
	 * No operator certificate is taken: the caller is trusted to have
	 * authorised the lookup.
	 */
	bool GetCertReq(const Asn1OctetString & transactionID, NewpkiProfileDatasCert & Cert);

	/*! \brief This function deletes a certificate request.
	 * \param CertReqId [IN] The certificate request's internal UID.
	 * \return true on success, false on failure.
	 *
	 * No operator certificate is taken: the caller is trusted to have
	 * authorised the deletion.
	 */
	bool DeleteCertReq(unsigned long CertReqId);

	/*! \brief This function suspends a certificate.
	 * \param UserCert [IN] The certificate of the operator requesting the operation.
	 * \param id [IN] The certificate's internal UID.
	 * \param serial [OUT] The serial of the certificate.
	 * \param ca_name [OUT] The name of the CA that generated the certificate.
	 * \param ldap_uid [OUT] The LDAP uid of the associated profile.
	 * \return true on success, false on failure.
	 */
	bool SuspendCertificate(const PKI_CERT & UserCert, unsigned long id, unsigned long & serial, mString & ca_name, mString & ldap_uid);

	/*! \brief This function unsuspends a certificate.
	 * \param id [IN] The certificate's internal UID.
	 * \return true on success, false on failure.
	 *
	 * Unlike SuspendCertificate no operator certificate is taken, so no
	 * per-call access check is possible here; the caller must authorise the
	 * operation before calling.
	 */
	bool UnsuspendCertificate(unsigned long id);

	/*! \brief This function inserts a CA response for a pending request.
	 * \param ca_name [IN] The name of the CA sending the response.
	 * \param transactionID [IN] The transaction ID of the response.
	 * \param resp [IN] The response.
	 * \return true on success, false on failure.
	 */
	bool InsertResponse(const mString & ca_name, const Asn1OctetString & transactionID, const NewpkiResponse & resp);

	/*! \brief This function generates a new certificate request for a profile.
	 * \param UserCert [IN] The certificate of the operator requesting the operation.
	 * \param Request [IN] The request.
	 * \param Csr [OUT] The CSR.
	 * \param ldap_uid [OUT] The LDAP UID.
	 * \param CertReqId [OUT] The request's internal UID.
	 * \return true on success, false on failure.
	 */
	bool RequestCertificate(const PKI_CERT &UserCert, const RequestCert & Request, PKI_CSR & Csr, mString & ldap_uid, unsigned long & CertReqId);

	/*! \brief This function changes the DN of a profile.
	 * \param UserCert [IN] The certificate of the operator requesting the operation.
	 * \param id [IN] The profile's internal UID.
	 * \param dn [IN] The new DN.
	 * \return true on success, false on failure.
	 */
	bool ChangeProfileDN(const PKI_CERT & UserCert, unsigned long id, const X509_NAME * dn);

	/*! \brief This function changes the owner of a profile.
	 * \param UserCert [IN] The certificate of the operator requesting the operation.
	 * \param id [IN] The profile's internal UID.
	 * \param group_id [IN] The new group id.
	 * \return true on success, false on failure.
	 */
	bool ChangeProfileOwner(const PKI_CERT & UserCert, unsigned long id, unsigned long group_id);

	/*! \brief This function changes the LDAP UID of a profile.
	 * \param UserCert [IN] The certificate of the operator requesting the operation.
	 * \param id [IN] The profile's internal UID.
	 * \param uid [IN] The new UID.
	 * \return true on success, false on failure.
	 */
	bool ChangeProfileUID(const PKI_CERT & UserCert, unsigned long id, const mString & uid);

private:
	/*! \brief Checks that UserCert may access profile ProfileId.
	 * \param UserCert [IN] The operator's certificate.
	 * \param ProfileId [IN] The profile's internal UID.
	 * \param sql [IN/OUT] The SQL handle used for the lookup (presumably).
	 * \return true when access is granted, false otherwise.
	 */
	bool GetProfileAccessCheck(const PKI_CERT &UserCert, unsigned long ProfileId, SQL & sql);

	/*! \brief Checks that UserCert may access certificate entry CertId.
	 * \param UserCert [IN] The operator's certificate.
	 * \param CertId [IN] The certificate entry's internal UID.
	 * \param sql [IN/OUT] The SQL handle used for the lookup (presumably).
	 * \return true when access is granted, false otherwise.
	 */
	bool GetCertificateAccessCheck(const PKI_CERT &UserCert, unsigned long CertId, SQL & sql);

	/*! \brief Processes one certificate response coming from a CA.
	 * \param cert_response [IN] The CA's response.
	 * \param ca_name [IN] The name of the responding CA.
	 * \param Crl [OUT] The CRL carried by the response, if any (presumably).
	 * \param LogMessage [OUT] The log message type to emit.
	 * \param LogStatus [OUT] The log status to emit.
	 * \param Status [OUT] The new status of the certificate entry.
	 * \param strError [OUT] The error text, when the CA rejected the request.
	 * \param ProfileDn [IN] The DN of the profile the request belongs to.
	 * \param strPrivDatas [OUT] The private datas to store (priv_datas column).
	 * \param x509 [OUT] The issued certificate (x509 column).
	 * \param p7b [OUT] The certificate chain (p7b column).
	 * \param serial [OUT] The serial of the issued certificate.
	 * \param CertificateMail [OUT] The mail carrying the certificate.
	 * \param PasswordMail [OUT] The mail carrying the PKCS12 password.
	 * \param SendCertificate [OUT] Whether CertificateMail must be sent.
	 * \param SendPkcs12Pwd [OUT] Whether PasswordMail must be sent.
	 * \param GenPkcs12Pwd [OUT] Whether a PKCS12 password was generated.
	 * \return true on success, false on failure.
	 *
	 * The [OUT] parameters are inferred from the non-const references; which
	 * of them are written on every path is not visible here.
	 */
	bool InsertResponseCert(const NewpkiCertResponse & cert_response, const mString & ca_name, PKI_CRL & Crl, LOG_MESSAGE_TYPE & LogMessage, LOG_MESSAGE_STATUS & LogStatus, int & Status, mString & strError, const HashTable_Dn & ProfileDn, mString & strPrivDatas, mString & x509, mString & p7b, unsigned long & serial, MailInfo & CertificateMail, MailInfo & PasswordMail, bool & SendCertificate, bool & SendPkcs12Pwd, bool & GenPkcs12Pwd);

	/*! \brief Generates a PKCS12 password.
	 * \param strP12Password [OUT] The generated password; m_MinPasswdLen is the
	 *        configured minimum length (SetMinPasswdLen).
	 *
	 * NOTE(review): the password protects the user's private key, so the
	 * generator must draw from a cryptographically secure RNG (e.g. OpenSSL's
	 * RAND_bytes) — the implementation lives in RaStore.cpp, verify there.
	 */
	void GeneratePassword(mString & strP12Password);

	/*! \brief Applies a CRL to the stored certificates of a CA.
	 * \param ca_name [IN] The name of the CA that issued the CRL.
	 * \param Crl [IN] The CRL.
	 * \return true on success, false on failure.
	 *
	 * Presumably runs RASTORE_UPDATE_FROM_CRL; its trailing `(%s)` is a
	 * caller-built WHERE fragment, so the serial list must be built from the
	 * CRL's numeric serials only.
	 */
	bool UpdateFromCRL(const mString & ca_name, const PKI_CRL & Crl);

	/*! \brief Decides whether an operator may act on a profile.
	 * \param UserCert [IN] The operator's certificate.
	 * \param owner_serial [IN] The owner serial stored with the profile.
	 * \param owner_type [IN] OWNER_TYPE_USER or OWNER_TYPE_GROUP.
	 * \return true when access is granted, false otherwise.
	 */
	bool CanUserAccessProfile(const PKI_CERT & UserCert, unsigned long owner_serial, unsigned long owner_type);

	/*! \brief Converts one row of a certs query into a certificate entry.
	 * \param sql [IN] The query result.
	 * \param Cert [OUT] The certificate entry.
	 * \param index [IN] The row index to convert.
	 * \return true on success, false on failure.
	 */
	bool Sql2Cert(SQL * sql, NewpkiProfileDatasCert & Cert, int index);

	/*! \brief Loads every certificate entry of a profile.
	 * \param ProfileId [IN] The profile's internal UID.
	 * \param Certs [OUT] The certificate entries (RASTORE_GET_CERTS, presumably).
	 * \return true on success, false on failure.
	 */
	bool GetCerts(unsigned long ProfileId, mVector & Certs);

// NOTE: a #define inside a class body is still a file-scope preprocessor
// definition — every macro below is visible to every file including this
// header, not just to RaStore.
#define OWNER_TYPE_USER 1 //!< The owner of the profile is a user
#define OWNER_TYPE_GROUP 2 //!< The owner of the profile is a group

#define RASTORE_PROFILES_TABLE "profiles"
#define RASTORE_CERTS_TABLE "certs"

// The RASTORE_* statements below are printf-style SQL templates, not
// parameterised statements: each '%s' is spliced into the statement text by
// the caller, so every string value (dn_hash, dn, ldap_uid, datas, signature,
// ca_name, transaction IDs, ...) must be SQL-escaped by the caller before it
// is formatted in — nothing in this header does it. Two templates take a
// whole SQL fragment rather than a value: RASTORE_GET_PROFILES (the `%s`
// after FROM) and RASTORE_UPDATE_FROM_CRL (the `(%s)` in the WHERE); they
// must only be fed fragments built from trusted input.
#define RASTORE_CREATE_1 "create table "RASTORE_PROFILES_TABLE" (profile_id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, owner_type INT UNSIGNED NOT NULL, owner_serial INT UNSIGNED NOT NULL, dn_hash VARCHAR(41) NOT NULL, dn LONGBLOB NOT NULL, ldap_uid LONGBLOB NOT NULL, state INT UNSIGNED NOT NULL, datas LONGBLOB NOT NULL, signature LONGBLOB NOT NULL, INDEX (profile_id), INDEX (dn_hash));"
#define RASTORE_CREATE_2 "create table "RASTORE_CERTS_TABLE" (id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, profile_id INT UNSIGNED NOT NULL, ca_name BLOB NOT NULL, pkcs10 LONGBLOB NOT NULL, priv_datas LONGBLOB NOT NULL, status INT UNSIGNED NOT NULL, type INT UNSIGNED NOT NULL, flags LONGBLOB NOT NULL, admin_mail BLOB NOT NULL, error LONGBLOB NOT NULL, serial INT UNSIGNED NOT NULL, x509 LONGBLOB NOT NULL, p7b LONGBLOB NOT NULL, INDEX (profile_id));"
#define RASTORE_INSERT_PROFILE "INSERT INTO "RASTORE_PROFILES_TABLE" (owner_type, owner_serial, dn_hash, dn, ldap_uid, state, datas, signature) VALUES ('%d', '%ld', '%s', '%s', '%s', '%d', '%s', '%s');"
#define RASTORE_GET_PROFILES "SELECT profile_id, state, datas, signature FROM "RASTORE_PROFILES_TABLE" %s ORDER BY profile_id DESC LIMIT %ld,%ld;"
#define RASTORE_GET_PROFILES_CTRL "SELECT datas, signature FROM "RASTORE_PROFILES_TABLE";"
#define RASTORE_SEARCH_PROFILE "SELECT profile_id FROM "RASTORE_PROFILES_TABLE" WHERE profile_id='%ld';"
#define RASTORE_SEARCH_PROFILE_DN "SELECT profile_id FROM "RASTORE_PROFILES_TABLE" WHERE dn_hash='%s';"
#define RASTORE_UPDATE_PROFILE_STATE "UPDATE "RASTORE_PROFILES_TABLE" SET state='%d' WHERE profile_id='%ld';"
#define RASTORE_DELETE_PROFILE "DELETE FROM "RASTORE_PROFILES_TABLE" WHERE profile_id='%ld';"
#define RASTORE_GET_ALL_PROFILES "SELECT profile_id, datas FROM "RASTORE_PROFILES_TABLE" LIMIT %ld,%ld;"
#define RASTORE_GET_PROFILE "SELECT * FROM "RASTORE_PROFILES_TABLE" WHERE profile_id='%ld';"
#define RASTORE_GET_KNOWN_RDNS "SELECT ldap_uid FROM "RASTORE_PROFILES_TABLE" WHERE ldap_uid!='';"
#define RASTORE_SET_UID "UPDATE "RASTORE_PROFILES_TABLE" SET ldap_uid='%s', datas='%s', signature='%s' WHERE profile_id='%ld';"
#define RASTORE_SET_OWNER "UPDATE "RASTORE_PROFILES_TABLE" SET owner_type='%d', owner_serial='%ld', datas='%s', signature='%s' WHERE profile_id='%ld';"
#define RASTORE_SET_DN "UPDATE "RASTORE_PROFILES_TABLE" SET dn_hash='%s', dn='%s', datas='%s', signature='%s' WHERE profile_id='%ld';"
#define RASTORE_INSERT_CERT "INSERT INTO "RASTORE_CERTS_TABLE" (profile_id, ca_name, pkcs10, priv_datas, type, status, flags, admin_mail, error, serial, x509, p7b) VALUES ('%ld', '%s', '%s', '%s', '%d', '%d', '%s', '%s', '', 0, '', '');"
#define RASTORE_GET_CERTS "SELECT * FROM "RASTORE_CERTS_TABLE" WHERE profile_id=%ld ORDER BY id DESC;"
#define RASTORE_SUSPEND_CERT "UPDATE "RASTORE_CERTS_TABLE" SET status=%d WHERE id='%ld';"
#define RASTORE_GET_CERT "SELECT * FROM "RASTORE_CERTS_TABLE" WHERE id=%ld;"
#define RASTORE_DELETE_CERT "DELETE FROM "RASTORE_CERTS_TABLE" WHERE id='%ld';"
// REQUESTER_TABLE, REQUESTER_PRIV_ATTR and REQUESTER_TID are not defined in
// this header; they are expected from one of the included headers.
#define RASTORE_GET_CERT_BY_TID "SELECT "RASTORE_CERTS_TABLE".*, "RASTORE_PROFILES_TABLE".datas FROM "RASTORE_CERTS_TABLE", "REQUESTER_TABLE", "RASTORE_PROFILES_TABLE" WHERE "REQUESTER_TABLE"."REQUESTER_PRIV_ATTR" = "RASTORE_CERTS_TABLE".id AND "RASTORE_PROFILES_TABLE".profile_id = "RASTORE_CERTS_TABLE".profile_id AND "REQUESTER_TABLE"."REQUESTER_TID"='%s';"
#define RASTORE_SET_CERT_RESP "UPDATE "RASTORE_CERTS_TABLE" SET pkcs10='', status='%d', x509='%s', p7b='%s', error='%s', priv_datas='%s', serial='%ld' WHERE id='%ld';"
#define RASTORE_GET_CERT_4_REV "SELECT "RASTORE_CERTS_TABLE".x509, "RASTORE_CERTS_TABLE".ca_name, "RASTORE_CERTS_TABLE".status, "RASTORE_PROFILES_TABLE".owner_type, "RASTORE_PROFILES_TABLE".owner_serial, "RASTORE_PROFILES_TABLE".datas FROM "RASTORE_PROFILES_TABLE", "RASTORE_CERTS_TABLE" WHERE "RASTORE_CERTS_TABLE".id ='%ld' AND "RASTORE_PROFILES_TABLE".profile_id = "RASTORE_CERTS_TABLE".profile_id;"
#define RASTORE_DELETE_PKCS12 "UPDATE "RASTORE_CERTS_TABLE" SET priv_datas='' WHERE id='%ld';"
#define RASTORE_UPDATE_FROM_CRL "UPDATE "RASTORE_CERTS_TABLE" SET pkcs10='', priv_datas='', x509='', p7b='', status='%d', serial='0' WHERE ca_name='%s' AND status!='%d' AND (%s);"
#define RASTORE_GET_CERT_OWNER "SELECT "RASTORE_CERTS_TABLE".*, "RASTORE_PROFILES_TABLE".owner_type, "RASTORE_PROFILES_TABLE".owner_serial FROM "RASTORE_PROFILES_TABLE", "RASTORE_CERTS_TABLE" WHERE "RASTORE_CERTS_TABLE".id ='%ld' AND "RASTORE_PROFILES_TABLE".profile_id = "RASTORE_CERTS_TABLE".profile_id;"

// NEWPKI_PROFILE_sign: signs the NewpkiProfile x with pkey, writing the
// algorithm identifier and the signature into sig. The digest is fixed to
// SHA-1 (EVP_sha1()). NOTE(review): SHA-1 is a weak digest for signatures;
// moving to a stronger one must be coordinated with the signatures already
// stored in the `signature` column, which NEWPKI_PROFILE_verify checks with
// the sigAlg saved alongside them. The `(char *)x` C-style cast is kept as
// the OpenSSL ASN1_item_* API expects.
#define NEWPKI_PROFILE_sign(x,sig,pkey) \
	ASN1_item_sign(NewpkiProfile::get_ASN1_ITEM(), sig.get_sigAlg(), NULL, sig.get_signature(), (char *)x, pkey, EVP_sha1())
// NEWPKI_PROFILE_verify: verifies sig over the NewpkiProfile x with pkey,
// using the algorithm identifier stored in sig.
#define NEWPKI_PROFILE_verify(x,sig,pkey) \
	ASN1_item_verify(NewpkiProfile::get_ASN1_ITEM(), sig.get_sigAlg(), sig.get_signature(),(char *)x, pkey)

	/*! \brief Inserts a certificate request entry (RASTORE_INSERT_CERT, presumably).
	 * \param CaName [IN] The CA the request is addressed to.
	 * \param ProfileId [IN] The profile's internal UID.
	 * \param Type [IN] The request type (type column).
	 * \param pkcs10 [IN] The CSR.
	 * \param PrivDatas [IN] The private datas to store with the request.
	 * \param flags [IN] The request flags.
	 * \param admin_mail [IN] The administrator mail address.
	 * \param CertReqId [OUT] The new entry's internal UID.
	 * \return true on success, false on failure.
	 */
	bool InsertCertReq(const mString & CaName, unsigned long ProfileId, int Type, const PKI_CSR & pkcs10, const RaStorePrivdatas & PrivDatas, const ASN1_BIT_STRING * flags, const mString & admin_mail, unsigned long & CertReqId);

	/*! \brief Looks a profile up by DN hash (RASTORE_SEARCH_PROFILE_DN, presumably).
	 * \param dn_hash [IN] The DN hash.
	 * \param exists [OUT] Whether a profile with that hash exists.
	 * \param ProfileId [OUT] Its internal UID when it exists.
	 * \return true on success, false on failure.
	 */
	bool ProfileExists(const mString & dn_hash, bool & exists, unsigned long & ProfileId);

	/*! \brief Checks that a group id is one of the configured groups (m_groups).
	 * \param group_id [IN] The group id.
	 * \return true when the id is valid, false otherwise.
	 */
	bool IsValidGroupId(unsigned long group_id);

	/*! \brief Signs a profile (NEWPKI_PROFILE_sign, presumably).
	 * \param Profile [IN] The profile to sign.
	 * \param pem_signature [OUT] The PEM-encoded signature (signature column).
	 * \return true on success, false on failure.
	 */
	bool SignProfile(const NewpkiProfile & Profile, mString & pem_signature);

	unsigned long m_MinPasswdLen;              //!< Minimum PKCS12 password length, set by SetMinPasswdLen.
	ReadersWriter ConfAccessLock;              //!< Readers/writer lock; presumably guards the configuration set by SetGroups / SetAclValidator / SetMinPasswdLen.
	mVector m_groups;                          //!< The groups info, set by SetGroups.
	const X509_ACL_Validator * m_AclValidator; //!< Non-owning, set by SetAclValidator; nothing here takes ownership.
};

#endif