certificateprovider.cpp

Pegasus is an open-source implementationof the DMTF CIM and WBEM standards. It is designed to be por

//%2006////////////////////////////////////////////////////////////////////////
//
// Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
// Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
// Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
// IBM Corp.; EMC Corporation, The Open Group.
// Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
// IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
// Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
// EMC Corporation; VERITAS Software Corporation; The Open Group.
// Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
// EMC Corporation; Symantec Corporation; The Open Group.
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to
// deal in the Software without restriction, including without limitation the
// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
// sell copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
// 
// THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
// ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
// "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
// LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
// PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
// ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
//==============================================================================
//
//%////////////////////////////////////////////////////////////////////////////

#include "CertificateProvider.h"

#define OPENSSL_NO_KRB5 1
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/rand.h>

#include <Pegasus/Common/Config.h>
#include <Pegasus/Common/PegasusVersion.h>

#include <cctype>
#include <iostream>

#include <Pegasus/Common/Constants.h>
#include <Pegasus/Common/OperationContext.h>
#include <Pegasus/Common/Logger.h>
#include <Pegasus/Common/Tracer.h>
#include <Pegasus/Common/System.h>
#include <Pegasus/Common/FileSystem.h>
#include <Pegasus/Common/XmlReader.h>
#include <Pegasus/Common/XmlWriter.h>
#include <Pegasus/Common/XmlParser.h>

#ifdef PEGASUS_OS_OS400
#include <qycmutilu2.H>
#include "OS400ConvertChar.h"
#endif

#include <stdlib.h>

PEGASUS_USING_STD;
PEGASUS_NAMESPACE_BEGIN

//PG_SSLCertificate property names
static const CIMName ISSUER_NAME_PROPERTY           = "IssuerName";
static const CIMName SERIAL_NUMBER_PROPERTY         = "SerialNumber";
static const CIMName SUBJECT_NAME_PROPERTY          = "SubjectName";
static const CIMName USER_NAME_PROPERTY             = "RegisteredUserName";
static const CIMName TRUSTSTORE_TYPE_PROPERTY       = "TruststoreType";
static const CIMName FILE_NAME_PROPERTY             = "TruststorePath";
static const CIMName NOT_BEFORE_PROPERTY            = "NotBefore";
static const CIMName NOT_AFTER_PROPERTY             = "NotAfter";
static const CIMName CERTIFICATE_TYPE_PROPERTY      = "CertificateType";

//PG_SSLCertificateRevocationList property names
//also has IssuerName
static const CIMName LAST_UPDATE_PROPERTY           = "LastUpdate";
static const CIMName NEXT_UPDATE_PROPERTY           = "NextUpdate";
static const CIMName REVOKED_SERIAL_NUMBERS_PROPERTY    = "RevokedSerialNumbers";
static const CIMName REVOCATION_DATES_PROPERTY      = "RevocationDates";

//method names for PG_SSLCertificate
static const CIMName METHOD_ADD_CERTIFICATE         = "addCertificate";
static const CIMName PARAMETER_CERT_CONTENTS        = "certificateContents";
static const CIMName PARAMETER_USERNAME             = "userName";
static const CIMName PARAMETER_TYPE                 = "certificateType";

static const String TYPE_AUTHORITY                  = "a";
static const String TYPE_AUTHORITY_END_ENTITY       = "e";
static const String TYPE_SELF_SIGNED_IDENTITY       = "s";

static const Uint16 CERT_TYPE_UNKNOWN                    = 0;

//method names for PG_SSLCertificateRevocationList
static const CIMName METHOD_ADD_CRL                 = "addCertificateRevocationList";
static const CIMName PARAMETER_CRL_CONTENTS         = "CRLContents";

//truststore and crlstore directory mutexes
static Mutex _trustStoreMutex;
static Mutex _crlStoreMutex;

typedef struct Timestamp 
{
    char year[4];
    char month[2];
    char day[2];
    char hour[2];
    char minutes[2];
    char seconds[2];
    char dot;
    char microSeconds[6];
    char plusOrMinus;
    char utcOffset[3];
    char padding[3];
} Timestamp_t;

/** Convert ASN1_UTCTIME to CIMDateTime
 */
inline CIMDateTime getDateTime(const ASN1_UTCTIME *utcTime)
{
    struct tm time;
    int offset;
    Timestamp_t timeStamp;
    char tempString[80];
    char plusOrMinus = '+';
    unsigned char* utcTimeData = utcTime->data;

    memset(&time, '\0', sizeof(time));

#define g2(p) ( ( (p)[0] - '0' ) * 10 + (p)[1] - '0' )

    if (utcTime->type == V_ASN1_GENERALIZEDTIME)
    {
        time.tm_year = g2(utcTimeData) * 100;
        utcTimeData += 2;  // Remaining data is equivalent to ASN1_UTCTIME type
        time.tm_year += g2(utcTimeData);
    }
    else
    {
        time.tm_year = g2(utcTimeData);
        if (time.tm_year < 50)
        {
            time.tm_year += 2000;
        }
        else
        {
            time.tm_year += 1900;
        }
    }

    time.tm_mon = g2(utcTimeData + 2) - 1;
    time.tm_mday = g2(utcTimeData + 4);
    time.tm_hour = g2(utcTimeData + 6);
    time.tm_min = g2(utcTimeData + 8);
    time.tm_sec = g2(utcTimeData + 10);

    if (utcTimeData[12] == 'Z')
    {
        offset = 0;
    }
    else
    {
        offset = g2(utcTimeData + 13) * 60 + g2(utcTimeData + 15);
        if (utcTimeData[12] == '-')
        {
            plusOrMinus = '-';
        }
    }
#undef g2

    memset((void *)&timeStamp, 0, sizeof(Timestamp_t));

    // Format the date.
    sprintf((char *) &timeStamp,"%04d%02d%02d%02d%02d%02d.%06d%04d",
            time.tm_year,
            time.tm_mon + 1,  
            time.tm_mday,
            time.tm_hour,
            time.tm_min,
            time.tm_sec,
            0,
            offset);

    timeStamp.plusOrMinus = plusOrMinus;

    CIMDateTime dateTime;

    dateTime.clear();
    strcpy(tempString, (char *)&timeStamp);
    dateTime.set(tempString);

    return (dateTime);
}

/**
 * The issuer name should be in the format /type0=value0/type1=value1/type2=...
 * where characters may be escaped by \
 */
inline X509_NAME *getIssuerName(char *issuer, long chtype)
{
	PEG_METHOD_ENTER(TRC_CONTROLPROVIDER, "CertificateProvider::getIssuerName");

	//allocate buffers for type-value pairs
    size_t buflen = strlen(issuer)+1; 
    char *buf = (char*) malloc(buflen);
    size_t maxPairs = buflen / 2 + 1; 
    char **types = (char**) malloc(maxPairs * sizeof (char *));  //types
    char **values = (char**) malloc(maxPairs * sizeof (char *)); //values

    if (!buf || !types || !values)
    {
        return NULL;
    }

    char *sp = issuer, *bp = buf;
	int count = 0;

    while (*sp)
    {
        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, "CertificateProvider::getIssuerName WHILE");

		if (*sp != '/') 
		{
			break;
		}
		sp++;

        types[count] = bp;
        while (*sp)
        {
            if (*sp == '\\')
            {
                if (*++sp)
                {
                    *bp++ = *sp++;
                }

            } else if (*sp == '=')
            {
                sp++;
                *bp++ = '\0';
                break;
            } else
            {
                *bp++ = *sp++;
            }
        }

        values[count] = bp;
        while (*sp)
        {
            if (*sp == '\\')
            {
                if (*++sp)
                {
                    *bp++ = *sp++;
                }
            }
            else if (*sp == '/')
            {
                break;
            }
            else
            {
                *bp++ = *sp++;
            }
        }
        *bp++ = '\0';
        count++;
    }


    PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, "CertificateProvider::getIssuerName  WHILE EXIT");

	//create the issuername object and add each type/value pair
	X509_NAME* issuerNameNew = X509_NAME_new();
	int nid;

    for (int i = 0; i < count; i++)
    {
		nid = OBJ_txt2nid(types[i]);

		//if we don't recognize the name element or there is no corresponding value, continue to the next one
		if (nid == NID_undef || !*values[i]) 
		{
            continue;
        }

        if (!X509_NAME_add_entry_by_NID(issuerNameNew, nid, chtype, (unsigned char*)values[i], -1, -1, 0))
		{
			X509_NAME_free(issuerNameNew);
			issuerNameNew = NULL;
			break;
		}
    }

    free(types);
    free(values);
    free(buf);

    PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, "Got issuerName successfully");
	PEG_METHOD_EXIT();

    return issuerNameNew;
}

/** Determines whether the user has sufficient access to perform a certificate operation.
  */
Boolean CertificateProvider::_verifyAuthorization(const String& userName)
{
    PEG_METHOD_ENTER(TRC_CONTROLPROVIDER, "CertificateProvider::_verifyAuthorization");

    if (_enableAuthentication) 
    {
#if !defined(PEGASUS_OS_OS400)
        if (!System::isPrivilegedUser(userName)) 
#else
        CString user = userName.getCString();
        const char * tmp = (const char *)user;
        AtoE((char *)tmp);
        if (!ycmCheckUserSecurityAuthorities(tmp))
#endif
        {
            PEG_METHOD_EXIT();
            return false;
        }
    }

    PEG_METHOD_EXIT();
    return true;
}

/** Constructor
 */
CertificateProvider::CertificateProvider(CIMRepository* repository,
                                         SSLContextManager* sslContextMgr) :
_repository(repository),
_sslContextMgr(sslContextMgr)
{
    PEG_METHOD_ENTER(TRC_CONTROLPROVIDER, "CertificateProvider::CertificateProvider");

    ConfigManager* configManager = ConfigManager::getInstance();

    //get config properties
    _enableAuthentication = ConfigManager::parseBooleanValue(
        configManager->getCurrentValue("enableAuthentication"));

    _sslTrustStore = ConfigManager::getHomedPath(configManager->getCurrentValue("sslTrustStore"));