/* * Copyright (C) 2001 Christian Hohnstaedt. * * All rights reserved. * * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * - Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * - Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * - Neither the name of the author nor the names of its contributors may be * used to endorse or promote products derived from this software without * specific prior written permission. * * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
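*
 *
 * This program links to software with different licenses from:
 *
 * http://www.openssl.org which includes cryptographic software
 * written by Eric Young (eay@cryptsoft.com)"
 *
 * http://www.sleepycat.com
 *
 * http://www.trolltech.com
 *
 *
 * http://www.hohnstaedt.de/xca
 * email: christian@hohnstaedt.de
 *
 * $Id: MainWindowX509.cpp,v 1.72 2003/01/06 19:35:46 chris Exp $
 *
 */

#include "MainWindow.h"

/*
 * Open the "new certificate" dialog with nothing preselected.
 * Behaves exactly like newCert(pki_temp *) called with a NULL template.
 */
void MainWindow::newCert()
{
	newCert(static_cast<pki_temp *>(NULL));
}

/*
 * Open the "new certificate" dialog, optionally prefilled from a
 * template. The dialog is freed here on every path; the certificate
 * itself is built by newCert(NewX509 *) once the dialog is accepted.
 */
void MainWindow::newCert(pki_temp *templ)
{
	NewX509 *dlg = new NewX509(this, NULL, keys, reqs, certs, temps,
				   certImg, nsImg);
	if (templ)
		dlg->defineTemplate(templ);
	dlg->setCert();
	if (dlg->exec())
		newCert(dlg);
	delete dlg;
}

/*
 * Open the "new certificate" dialog, optionally prefilled from an
 * existing PKCS#10 request. Same lifecycle as the template variant.
 */
void MainWindow::newCert(pki_x509req *req)
{
	NewX509 *dlg = new NewX509(this, NULL, keys, reqs, certs, temps,
				   certImg, nsImg);
	if (req)
		dlg->defineRequest(req);
	dlg->setCert();
	if (dlg->exec())
		newCert(dlg);
	delete dlg;
}

/*
 * Build, extend and sign a certificate from an accepted NewX509 dialog.
 *
 * Steps, following the dialog pages:
 *   1. subject and key: a temporary request built from the name fields,
 *      or an existing PKCS#10 request from the database
 *   2. signer: a CA certificate from the database, or self signed
 *   3. validity period and the X.509v3 extensions
 *   4. subject / issuer alternative names, CRL distribution points
 *   5. Netscape extensions, then sign and store
 *
 * Errors are reported through Error(); an errorEx with an empty message
 * is thrown to leave silently after the user pressed "Abort".
 * The temporary request and the not yet stored certificate are freed on
 * every exit path; on success the certificate goes to insertCert().
 */
void MainWindow::newCert(NewX509 *dlg)
{
	pki_x509 *cert = NULL;
	pki_x509 *signcert = NULL;
	pki_x509req *req = NULL;
	pki_key *signkey = NULL, *clientkey = NULL;
	int serial = 42; // :-)
	bool tempReq = false;	// req was created here and is ours to free
	int i, x, days;
	string cont = "", subAltName = "", issAltName = "", constraints = "",
	       keyuse = "", keyuse1 = "", pathstr = "", certTypeStr = "";
	// OpenSSL extension keywords, indexed like the dialog list boxes.
	// String literals are read-only, hence const char *.
	static const char *const ekeyusage[] = {
		"serverAuth", "clientAuth", "codeSigning", "emailProtection",
		"timeStamping", "msCodeInd", "msCodeCom", "msCTLSign",
		"msSGC", "msEFS", "nsSGC"
	};
	static const char *const keyusage[] = {
		"digitalSignature", "nonRepudiation", "keyEncipherment",
		"dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
		"encipherOnly", "decipherOnly"
	};
	static const char *const certTypeList[] = {
		"client", "server", "email", "objsign", "sslCA", "emailCA",
		"objCA"
	};
	// Upper bounds for the list box loops: a dialog list with more
	// entries than the table must not index past the table.
	const int nEkeyusage = sizeof(ekeyusage) / sizeof(ekeyusage[0]);
	const int nKeyusage = sizeof(keyusage) / sizeof(keyusage[0]);
	const int nCertType = sizeof(certTypeList) / sizeof(certTypeList[0]);
	QListBoxItem *item;

	try {
		// Step 1 - Subject and key
		if (!dlg->fromReqCB->isChecked()) {
			clientkey = (pki_key *)keys->getSelectedPKI(
					dlg->keyList->currentText().latin1());
			if (!clientkey)
				throw errorEx("No key selected for the new certificate");
			string cn = dlg->commonName->text().latin1();
			string c = dlg->countryName->text().latin1();
			string l = dlg->localityName->text().latin1();
			string st = dlg->stateOrProvinceName->text().latin1();
			string o = dlg->organisationName->text().latin1();
			string ou = dlg->organisationalUnitName->text().latin1();
			string email = dlg->emailAddress->text().latin1();
			string desc = dlg->description->text().latin1();
			tempReq = true;
			req = new pki_x509req(clientkey, cn, c, l, st, o, ou,
					      email, desc, "");
		}
		else {
			// A PKCS#10 Request was selected
			req = (pki_x509req *)reqs->getSelectedPKI(
					dlg->reqList->currentText().latin1());
			// opensslError() reports the problem itself; nothing has
			// been allocated yet, so returning here leaks nothing.
			if (opensslError(req)) return;
			clientkey = req->getKey();
			if (!clientkey)
				throw errorEx("The selected request carries no key");
		}

		// Step 2 - select Signing
		if (dlg->foreignSignRB->isChecked()) {
			signcert = (pki_x509 *)certs->getSelectedPKI(
					dlg->certList->currentText().latin1());
			if (!signcert)
				throw errorEx("No signing certificate selected");
			signkey = signcert->getKey();
			// Same precondition extendCert() applies: signing needs
			// the issuer's private key, not just its public half.
			if (!signkey || signkey->isPubKey())
				throw errorEx("The private key of the signing certificate is not available");
		}
		else {
			// self signed: the subject key signs, the serial is
			// taken from the dialog
			signkey = clientkey;
			if (signkey->isPubKey())
				throw errorEx("A self signed certificate needs the private key");
			bool ok;
			serial = dlg->serialNr->text().toInt(&ok);
			// NOTE(review): a non-numeric entry falls back to 0,
			// although RFC 5280 requires a positive serial number
			if (!ok) serial = 0;
		}

		// Step 3 - Choose the Date and all the V3 extensions
		// Date handling: validRange selects the unit of validNumber
		// (0 = days, 1 = months of 30 days, 2 = years of 365 days)
		x = dlg->validNumber->text().toInt();
		days = dlg->validRange->currentItem();
		if (days == 1) x *= 30;
		if (days == 2) x *= 365;

		// increase serial here
		if (dlg->foreignSignRB->isChecked()) {
			serial = signcert->getIncCaSerial();
			// get own serial to avoid having the same; an
			// unparsable serial string no longer leaves sigser
			// uninitialized
			unsigned int sigser = 0;
			if (sscanf(signcert->getSerial().c_str(), "%x", &sigser) == 1
			    && static_cast<unsigned int>(serial) == sigser) {
				serial = signcert->getIncCaSerial(); // just take the next one
			}
			// TODO: only the signer's own serial is compared; the
			// counter is not checked against other certificates
			// already issued by this CA in the database
			certs->updatePKI(signcert); // not so pretty ....
			CERR("serial is: " << serial);
		}

		// initially create cert
		cert = new pki_x509(req->getDescription(), clientkey, req,
				    signcert, x, serial);
		if (!signcert) signcert = cert; // self signed: own issuer
		if (cert->resetTimes(signcert) > 0) {
			// the second button ("Abort") yields a non-zero result
			if (QMessageBox::information(this, tr(XCA_TITLE),
					tr("The validity times for the certificate need to get adjusted to not exceed those of the signer"),
					tr("Continue creation"), tr("Abort")))
				throw errorEx("");
		}

		// handle extensions
		// basic constraints
		if (dlg->bcCritical->isChecked())
			constraints = "critical,";
		constraints += "CA:";
		constraints += dlg->basicCA->currentText().latin1();
		pathstr = dlg->basicPath->text().latin1();
		if (pathstr.length() > 0) {
			constraints += ", pathlen:";
			constraints += pathstr;
		}
		cert->addV3ext(NID_basic_constraints, constraints);

		// Subject Key identifier
		if (dlg->subKey->isChecked()) {
			string subkey = "hash";
			cert->addV3ext(NID_subject_key_identifier, subkey);
			CERR(subkey);
		}

		// Authority Key identifier
		if (dlg->authKey->isChecked()) {
			string authkey = "keyid:always,issuer:always";
			cert->addV3ext(NID_authority_key_identifier, authkey);
			CERR(authkey);
		}

		// key usage
		for (i = 0; i < nKeyusage && (item = dlg->keyUsage->item(i)); i++) {
			if (item->selected())
				addStr(keyuse, keyusage[i]);
		}
		if (keyuse.length() > 0) {
			keyuse1 = keyuse;
			if (dlg->kuCritical->isChecked())
				keyuse1 = "critical, " + keyuse;
			cert->addV3ext(NID_key_usage, keyuse1);
			CERR("KeyUsage:" << keyuse1);
		}

		// extended key usage
		keyuse = "";
		keyuse1 = "";
		for (i = 0; i < nEkeyusage && (item = dlg->ekeyUsage->item(i)); i++) {
			if (item->selected())
				addStr(keyuse, ekeyusage[i]);
		}
		if (keyuse.length() > 0) {
			keyuse1 = keyuse;
			if (dlg->ekuCritical->isChecked())
				keyuse1 = "critical, " + keyuse;
			cert->addV3ext(NID_ext_key_usage, keyuse1);
			CERR("Extended Key Usage:" << keyuse1);
		}

		// STEP 4
		// Subject Alternative name
		cont = dlg->subAltName->text().latin1();
		if (dlg->subAltCp->isChecked()) {
			if (req->getDN(NID_pkcs9_emailAddress).length() == 0) {
				if (QMessageBox::information(this, tr(XCA_TITLE),
						tr("You requested to copy the subject E-Mail address but it is empty !"),
						tr("Continue creation"), tr("Abort")))
					throw errorEx("");
			}
			else {
				subAltName = "email:copy";
			}
		}
		if (cont.length() > 0)
			addStr(subAltName, cont.c_str());
		if (subAltName.length() > 0) {
			CERR("SubAltName:" << subAltName);
			cert->addV3ext(NID_subject_alt_name, subAltName);
		}

		// issuer alternative name
		cont = dlg->issAltName->text().latin1();
		if (dlg->issAltCp->isChecked()) {
			if (!signcert->hasSubAltName()) {
				if (QMessageBox::information(this, tr(XCA_TITLE),
						tr("You requested to copy the issuer alternative name but it is empty !"),
						tr("Continue creation"), tr("Abort")))
					throw errorEx("");
			}
			else {
				issAltName = "issuer:copy";
			}
		}
		if (cont.length() > 0)
			addStr(issAltName, cont.c_str());
		if (issAltName.length() > 0) {
			CERR("IssAltName:" << issAltName);
			cert->addV3ext(NID_issuer_alt_name, issAltName);
		}

		// CRL distribution points
		if (!dlg->crlDist->text().isEmpty()) {
			CERR("CRL dist. Point: " << dlg->crlDist->text().latin1());
			cert->addV3ext(NID_crl_distribution_points,
				       dlg->crlDist->text().latin1());
		}

		// Step 5
		// Nestcape extensions
		for (i = 0; i < nCertType && (item = dlg->nsCertType->item(i)); i++) {
			if (item->selected())
				addStr(certTypeStr, certTypeList[i]);
		}
		cert->addV3ext(NID_netscape_cert_type, certTypeStr);
		cert->addV3ext(NID_netscape_base_url,
			       dlg->nsBaseUrl->text().latin1());
		cert->addV3ext(NID_netscape_revocation_url,
			       dlg->nsRevocationUrl->text().latin1());
		cert->addV3ext(NID_netscape_ca_revocation_url,
			       dlg->nsCARevocationUrl->text().latin1());
		cert->addV3ext(NID_netscape_renewal_url,
			       dlg->nsRenewalUrl->text().latin1());
		cert->addV3ext(NID_netscape_ca_policy_url,
			       dlg->nsCaPolicyUrl->text().latin1());
		cert->addV3ext(NID_netscape_ssl_server_name,
			       dlg->nsSslServerName->text().latin1());
		cert->addV3ext(NID_netscape_comment,
			       dlg->nsComment->text().latin1());

		// and finally sign the request
		cert->sign(signkey);
		CERR("SIGNED");
		// The stored certificate was never freed after insertCert()
		// before either, so insertCert() is assumed to take it over:
		// drop our pointer first so the cleanup below cannot free it
		// a second time.
		{
			pki_x509 *done = cert;
			cert = NULL;
			insertCert(done);
		}
		CERR("inserted");
		CERR("Dialog deleted");
		keys->updateView();
	}
	catch (errorEx &err) {
		Error(err);
	}
	// Cleanup on every path: cert is non-NULL only when it was never
	// stored, req only when it was built here. The certificate may
	// still refer to the request, so it goes first.
	delete cert;
	if (tempReq)
		delete req;
}

/*
 * Append 'add' to the comma separated list in 'str'.
 * NULL or empty additions are ignored; the ", " separator is only
 * inserted when 'str' already holds something.
 */
void MainWindow::addStr(string &str, const char *add)
{
	if (!add || *add == '\0')
		return;
	if (str.length() > 0)
		str += ", ";
	str += add;
}

/*
 * Renew the selected certificate: copy it, give it a fresh serial from
 * its signer and a new validity period chosen in CertExtend_UI, sign it
 * with the signer's private key and store the copy.
 * Nothing happens if the dialog is cancelled, no certificate is
 * selected, or the signer or its private key is not in the database.
 * The dialog and an unstored copy are freed on every path.
 */
void MainWindow::extendCert()
{
	pki_x509 *oldcert = NULL, *signer = NULL, *newcert = NULL;
	pki_key *signkey = NULL;
	int serial, days, x;
	CertExtend_UI *dlg = NULL;
	try {
		dlg = new CertExtend_UI(this, NULL, true);
		dlg->image->setPixmap(*certImg);
		bool accepted = dlg->exec() != 0;
		// Read the two inputs while the dialog exists and free it
		// right away: one delete instead of one per exit path.
		x = dlg->validNumber->text().toInt();
		days = dlg->validRange->currentItem();
		delete dlg;
		dlg = NULL;
		// nothing else is allocated yet on these two early returns
		if (!accepted) return;

		oldcert = (pki_x509 *)certs->getSelectedPKI();
		if (!oldcert || !(signer = oldcert->getSigner()) ||
		    !(signkey = signer->getKey()) || signkey->isPubKey())
			return;
		newcert = new pki_x509(oldcert);
		serial = signer->getIncCaSerial();
		// get signers own serial to avoid having the same
		// NOTE(review): newCert() parses getSerial() with "%x" while
		// this uses atoi(); only one radix can match the string
		// actually returned -- verify against pki_x509::getSerial()
		if (serial == atoi(signer->getSerial().c_str())) {
			serial = signer->getIncCaSerial(); // just take the next one
		}
		certs->updatePKI(signer); // not so pretty ....
		CERR("serial is: " << serial);

		// Date handling: validRange selects the unit of validNumber
		// (0 = days, 1 = months of 30 days, 2 = years of 365 days)
		if (days == 1) x *= 30;
		if (days == 2) x *= 365;

		// change date and serial
		newcert->setSerial(serial);
		newcert->setDates(x); // now and now + x days
		if (newcert->resetTimes(signer) > 0) {
			// the second button ("Abort") yields a non-zero result
			if (QMessageBox::information(this, tr(XCA_TITLE),
					tr("The validity times for the certificate need to get adjusted to not exceed those of the signer"),
					tr("Continue creation"), tr("Abort")))
				throw errorEx("");
		}

		// and finally sign the request
		newcert->sign(signkey);
		CERR("SIGNED");
		// insertCert() is assumed to take the copy over (it was never
		// freed afterwards before either); clear our pointer first
		{
			pki_x509 *done = newcert;
			newcert = NULL;
			insertCert(done);
		}
		CERR("inserted");
	}
	catch (errorEx &err) {
		Error(err);
	}
	delete dlg;	// still alive only if an exception hit before it was freed
	delete newcert;	// NULL once handed to insertCert()
}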