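#ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION
    _crlStore = ConfigManager::getHomedPath(
        configManager->getCurrentValue("crlStore"));
#else
    _crlStore = String::EMPTY;
#endif
    PEG_METHOD_EXIT();
}

/** Destructor. Nothing is owned by the provider itself; only traced. */
CertificateProvider::~CertificateProvider(void)
{
    PEG_METHOD_ENTER(TRC_CONTROLPROVIDER,
        "CertificateProvider::~CertificateProvider");
    PEG_METHOD_EXIT();
}

/**
    Delivers a single instance to the CIMOM.

    @param context        operation context; the IdentityContainer is used to
                          check that the caller is a privileged user
    @param cimObjectPath  path of the requested instance; only the
                          IssuerName / SerialNumber keys are accepted
    @param handler        response handler the instance is delivered to
    @throws CIMException  CIM_ERR_ACCESS_DENIED when the caller is not
                          privileged, CIM_ERR_INVALID_PARAMETER for an
                          unexpected key, CIM_ERR_INVALID_CLASS for a class
                          this provider does not serve; repository errors
                          propagate unchanged
*/
void CertificateProvider::getInstance(
    const OperationContext & context,
    const CIMObjectPath & cimObjectPath,
    const Boolean includeQualifiers,
    const Boolean includeClassOrigin,
    const CIMPropertyList & propertyList,
    InstanceResponseHandler & handler)
{
    PEG_METHOD_ENTER(TRC_CONTROLPROVIDER, "CertificateProvider::getInstance");

    // Verify authorization before anything else: truststore contents are only
    // readable by a privileged user.
    const IdentityContainer container = context.get(IdentityContainer::NAME);
    if (!_verifyAuthorization(container.getUserName()))
    {
        MessageLoaderParms parms(
            "ControlProviders.CertificateProvider.MUST_BE_PRIVILEGED_USER",
            "Superuser authority is required to run this CIM operation.");
        throw CIMException(CIM_ERR_ACCESS_DENIED, parms);
    }

    CIMName className(cimObjectPath.getClassName());

    if (className == PEGASUS_CLASSNAME_CERTIFICATE)
    {
        handler.processing();

        // Reject any key that is not part of the certificate key set before
        // the path reaches the repository.
        //ATTN: do we need to do this, or will the getInstance call handle it?
        Array<CIMKeyBinding> keyBindings = cimObjectPath.getKeyBindings();
        for (Uint32 i = 0; i < keyBindings.size(); i++)
        {
            String keyName = keyBindings[i].getName().getString();
            if (!String::equal(keyName, ISSUER_NAME_PROPERTY.getString()) &&
                !String::equal(keyName, SERIAL_NUMBER_PROPERTY.getString()))
            {
                throw CIMException(CIM_ERR_INVALID_PARAMETER, keyName);
            }
        }

        CIMInstance cimInstance = _repository->getInstance(
            cimObjectPath.getNameSpace(), cimObjectPath);

        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4,
            "Returning certificate COP " + cimInstance.getPath().toString());

        handler.deliver(cimInstance);
        handler.complete();
    }
#ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION
    else if (className == PEGASUS_CLASSNAME_CRL)
    {
        //ATTN: Fill in
        // NOTE(review): this branch is still a stub. It neither delivers an
        // instance nor calls handler.processing()/complete(), so a getInstance
        // on a CRL path returns without any response content.
    }
#endif
    else
    {
        throw CIMException(CIM_ERR_INVALID_CLASS, className.getString());
    }

    PEG_METHOD_EXIT();
}

/**
    Builds and returns a PG_SSLCertificateRevocationList instance from an
    X509_CRL object.

    @param xCrl       parsed CRL; callers only pass CRLs that
                      PEM_read_bio_X509_CRL accepted, so it is not NULL-checked
    @param host       host name placed in the instance's object path
    @param nameSpace  namespace placed in the instance's object path
    @return           instance keyed by the CRL issuer name, carrying the
                      last/next update dates and the revoked serial numbers
                      with their revocation dates
*/
inline CIMInstance _getCRLInstance(
    X509_CRL* xCrl,
    String host,
    CIMNamespaceName nameSpace)
{
    PEG_METHOD_ENTER(TRC_CONTROLPROVIDER, "CertificateProvider::_getCRLInstance");

    CIMInstance cimInstance(PEGASUS_CLASSNAME_CRL);

    // CA issuer name. Handing X509_NAME_oneline our own bounded buffer makes
    // it format (and, if necessary, truncate) in place. The earlier
    // X509_NAME_oneline(..., NULL, 0) form returned a heap string that was
    // never freed and was then copied into a fixed buffer with an unbounded
    // sprintf.
    char issuerName[1024];
    issuerName[0] = '\0';
    if (X509_NAME_oneline(X509_CRL_get_issuer(xCrl),
            issuerName, sizeof(issuerName)) == NULL)
    {
        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
            "Could not format CRL issuer name");
    }
    cimInstance.addProperty(
        CIMProperty(ISSUER_NAME_PROPERTY, CIMValue(String(issuerName))));

    // Validity dates
    CIMDateTime lastUpdate = getDateTime(X509_CRL_get_lastUpdate(xCrl));
    cimInstance.addProperty(
        CIMProperty(LAST_UPDATE_PROPERTY, CIMValue(lastUpdate)));

    CIMDateTime nextUpdate = getDateTime(X509_CRL_get_nextUpdate(xCrl));
    cimInstance.addProperty(
        CIMProperty(NEXT_UPDATE_PROPERTY, CIMValue(nextUpdate)));

    // Revoked certificate information. sk_X509_REVOKED_num() returns -1 for
    // a NULL stack (a CRL with no revoked entries), so the loop simply does
    // not run in that case.
    Array<String> revokedSerialNumbers;
    Array<CIMDateTime> revocationDates;

    STACK_OF(X509_REVOKED)* revoked = X509_CRL_get_REVOKED(xCrl);
    int numRevoked = sk_X509_REVOKED_num(revoked);
    for (int i = 0; i < numRevoked; i++)
    {
        X509_REVOKED* r = sk_X509_REVOKED_value(revoked, i);

        // NOTE(review): ASN1_INTEGER_get() returns -1 when the serial does
        // not fit in a long, so such serials are reported as "-1". A BIGNUM
        // based conversion would be needed to represent them faithfully.
        // The value is a signed long, so it is printed with %ld (the old %lu
        // reinterpreted the -1 sentinel as a huge unsigned number).
        long rawSerialNumber = ASN1_INTEGER_get(r->serialNumber);
        char serial[64];
        snprintf(serial, sizeof(serial), "%ld", rawSerialNumber);
        revokedSerialNumbers.append(String(serial));

        CIMDateTime revocationDate = getDateTime(r->revocationDate);
        revocationDates.append(revocationDate);
    }

    cimInstance.addProperty(
        CIMProperty(REVOKED_SERIAL_NUMBERS_PROPERTY,
            CIMValue(revokedSerialNumbers)));
    cimInstance.addProperty(
        CIMProperty(REVOCATION_DATES_PROPERTY, CIMValue(revocationDates)));

    // The issuer name is the only key of a CRL instance.
    Array<CIMKeyBinding> keys;
    CIMKeyBinding key;
    key.setName(ISSUER_NAME_PROPERTY.getString());
    key.setValue(issuerName);
    key.setType(CIMKeyBinding::STRING);
    keys.append(key);

    cimInstance.setPath(
        CIMObjectPath(host, nameSpace, PEGASUS_CLASSNAME_CRL, keys));

    PEG_METHOD_EXIT();
    return (cimInstance);
}

/**
    Delivers the complete collection of instances to the CIMOM.

    For PG_SSLCertificate the instances come from the repository; instances
    whose truststore type is not the server truststore are skipped, and an
    unset certificate type is reported as Unknown.  For
    PG_SSLCertificateRevocationList (when CRL verification is enabled) every
    file in the configured CRL store is parsed as a PEM CRL and delivered.

    @param context        operation context; the caller must be privileged
    @param cimObjectPath  namespace / class of the enumeration
    @param handler        response handler the instances are delivered to
    @throws CIMException  CIM_ERR_ACCESS_DENIED for an unprivileged caller,
                          CIM_ERR_INVALID_CLASS for an unsupported class,
                          CIM_ERR_FAILED when the CRL store cannot be used
*/
void CertificateProvider::enumerateInstances(
    const OperationContext & context,
    const CIMObjectPath & cimObjectPath,
    const Boolean includeQualifiers,
    const Boolean includeClassOrigin,
    const CIMPropertyList & propertyList,
    InstanceResponseHandler & handler)
{
    PEG_METHOD_ENTER(TRC_CONTROLPROVIDER,
        "CertificateProvider::enumerateInstances");

    // Verify authorization before touching the repository or the file system.
    const IdentityContainer container = context.get(IdentityContainer::NAME);
    if (!_verifyAuthorization(container.getUserName()))
    {
        MessageLoaderParms parms(
            "ControlProviders.CertificateProvider.MUST_BE_PRIVILEGED_USER",
            "Superuser authority is required to run this CIM operation.");
        throw CIMException(CIM_ERR_ACCESS_DENIED, parms);
    }

    CIMName className(cimObjectPath.getClassName());

    if (className == PEGASUS_CLASSNAME_CERTIFICATE)
    {
        handler.processing();

        Array<CIMInstance> cimInstances =
            _repository->enumerateInstancesForClass(
                cimObjectPath.getNameSpace(), PEGASUS_CLASSNAME_CERTIFICATE);

        for (Uint32 i = 0, n = cimInstances.size(); i < n; i++)
        {
            //
            // The truststore type key property is deprecated. To retain
            // backward compatibility, if there were instances of an earlier
            // version in the repository that specify a truststore type
            // other than cimserver, those instances will be ignored.
            // Also, if there are instances that do not specify a certificate
            // type, the type for such instances is set to unknown (1).
            //
            Uint32 truststorePos =
                cimInstances[i].findProperty(TRUSTSTORE_TYPE_PROPERTY);
            if (truststorePos == PEG_NOT_FOUND)
            {
                // Without the property the instance cannot be classified;
                // treat it like any other non-server truststore entry
                // instead of letting getProperty() throw on an invalid index.
                PEG_TRACE_STRING(TRC_DISCARDED_DATA, Tracer::LEVEL3,
                    "Ignoring CIMInstance without truststore type " +
                        cimInstances[i].getPath().toString());
                continue;
            }

            Uint16 truststoreType = 0;
            CIMProperty truststoreProp =
                cimInstances[i].getProperty(truststorePos);
            truststoreProp.getValue().get(truststoreType);

            if (truststoreType == PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER)
            {
                // CIMProperty shares its representation with the instance,
                // so setValue() below updates the instance being delivered.
                Uint32 certTypePos =
                    cimInstances[i].findProperty(CERTIFICATE_TYPE_PROPERTY);
                PEGASUS_ASSERT(certTypePos != PEG_NOT_FOUND);
                CIMProperty certTypeProp =
                    cimInstances[i].getProperty(certTypePos);
                if (certTypeProp.getValue().isNull())
                {
                    PEG_TRACE_STRING(TRC_DISCARDED_DATA, Tracer::LEVEL3,
                        "The instance does not have the certificate type set. "
                        "Setting it to Unknown.");
                    certTypeProp.setValue(CERT_TYPE_UNKNOWN);
                }

                PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4,
                    "Delivering CIMInstance " +
                        cimInstances[i].getPath().toString());
                handler.deliver(cimInstances[i]);
            }
            else
            {
                PEG_TRACE_STRING(TRC_DISCARDED_DATA, Tracer::LEVEL3,
                    "Ignoring CIMInstance " +
                        cimInstances[i].getPath().toString());
            }
        }

        handler.complete();
    }
#ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION
    else if (className == PEGASUS_CLASSNAME_CRL)
    {
        handler.processing();

        FileSystem::translateSlashes(_crlStore);

        if (FileSystem::isDirectory(_crlStore) &&
            FileSystem::canWrite(_crlStore))
        {
            Array<String> crlFiles;
            if (FileSystem::getDirectoryContents(_crlStore, crlFiles))
            {
                Uint32 count = crlFiles.size();
                for (Uint32 i = 0; i < count; i++)
                {
                    String filename = crlFiles[i];
                    PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4,
                        "Filename " + filename);

                    //ATTN: Is this a two-way hash? If so, I don't need to
                    // read in the CRL just to determine the issuer name

                    // Build the full path with a bounded write; a name that
                    // does not fit is skipped rather than opened truncated.
                    char fullPathName[1024];
                    int written = snprintf(fullPathName, sizeof(fullPathName),
                        "%s/%s",
                        (const char*)_crlStore.getCString(),
                        (const char*)filename.getCString());
                    if (written < 0 ||
                        (size_t)written >= sizeof(fullPathName))
                    {
                        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                            "Skipping CRL file with over-long path " +
                                filename);
                        continue;
                    }

                    BIO* inFile = BIO_new(BIO_s_file());
                    if (inFile == NULL)
                    {
                        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                            "Error allocating BIO for CRL file");
                        continue;
                    }

                    if (BIO_read_filename(inFile, fullPathName))
                    {
                        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4,
                            "Successfully read filename");

                        X509_CRL* xCrl = NULL;
                        if (PEM_read_bio_X509_CRL(inFile, &xCrl, NULL, NULL))
                        {
                            CIMInstance cimInstance = _getCRLInstance(xCrl,
                                cimObjectPath.getHost(),
                                cimObjectPath.getNameSpace());

                            PEG_TRACE_STRING(TRC_CONTROLPROVIDER,
                                Tracer::LEVEL4,
                                "Delivering CIMInstance: " +
                                    cimInstance.getPath().toString());

                            handler.deliver(cimInstance);
                        }
                        else
                        {
                            PEG_TRACE_STRING(TRC_CONTROLPROVIDER,
                                Tracer::LEVEL3, "Error parsing CRL file");
                        }

                        // PEM_read_bio_X509_CRL allocated the CRL; it was
                        // previously leaked once per file on every
                        // enumeration. X509_CRL_free() accepts NULL.
                        X509_CRL_free(xCrl);
                    }
                    else
                    {
                        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                            "Error reading CRL file");
                    }

                    BIO_free_all(inFile);
                } //end for

                handler.complete();
            }
            else
            {
                PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                    "Error: Could not read sslCRLStore directory.");
                MessageLoaderParms parms(
                    "ControlProviders.CertificateProvider.COULD_NOT_READ_DIRECTORY",
                    "Cannot read directory $0.", _crlStore);
                throw CIMException(CIM_ERR_FAILED, parms);
            }
        }
        else
        {
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                "Error: sslCRLStore is not a valid directory.");
            MessageLoaderParms parms(
                "ControlProviders.CertificateProvider.INVALID_DIRECTORY",
                "Invalid directory $0.", _crlStore);
            throw CIMException(CIM_ERR_FAILED, parms);
        }
    }
#endif
    else
    {
        throw CIMException(CIM_ERR_INVALID_CLASS, className.getString());
    }

    PEG_METHOD_EXIT();
}

/** Delivers the complete collection of instance names (CIMObjectPaths) to the CIMOM */
void CertificateProvider::enumerateInstanceNames(
    const OperationContext & context,
    const CIMObjectPath & cimObjectPath,
    ObjectPathResponseHandler & handler)
{
    PEG_METHOD_ENTER(TRC_CONTROLPROVIDER,
        "CertificateProvider::enumerateInstanceNames");

    //verify authorization
    const IdentityContainer container = context.get(IdentityContainer::NAME);
    if (!_verifyAuthorization(container.getUserName()))
    {
        MessageLoaderParms parms(
            "ControlProviders.CertificateProvider.MUST_BE_PRIVILEGED_USER",
            "Superuser authority is required to run this CIM operation.");
        throw CIMException(CIM_ERR_ACCESS_DENIED, parms);
    }

    CIMName className(cimObjectPath.getClassName());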