📄 certificateprovider.cpp
// NOTE(review): this listing starts inside a method body; its signature and any
// authorization check that precedes this point are not visible here.
    //verify classname
    if (className == PEGASUS_CLASSNAME_CERTIFICATE)
    {
        // process request
        handler.processing();

        Array<CIMObjectPath> instanceNames =
            _repository->enumerateInstanceNamesForClass(
                cimObjectPath.getNameSpace(),
                PEGASUS_CLASSNAME_CERTIFICATE);

        for (Uint32 i = 0, n = instanceNames.size(); i < n; i++)
        {
            String truststoreType;
            Array<CIMKeyBinding> kb;
            Uint16 certType = 0;

            //
            // The truststore type key property is deprecated. To retain
            // backward compatibility, if there were instances of an earlier
            // version in the repository that specify a truststore type
            // other than cimserver, those instances will be ignored.
            //
            kb = instanceNames[i].getKeyBindings();
            Uint32 count = kb.size();

            for (Uint32 j = 0; j < count; j++)
            {
                //
                // Retrieve the truststore type
                //
                PEG_TRACE_STRING ( TRC_CONTROLPROVIDER, Tracer::LEVEL4,
                    "Property name : " + kb[j].getName().getString());
                if ( kb[j].getName() == TRUSTSTORE_TYPE_PROPERTY )
                {
                    truststoreType = kb[j].getValue();
                    break;
                }
            }

            //
            // Deliver only object paths whose truststore type is the server
            // truststore; every other path is traced and dropped.
            //
            if ( truststoreType == PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER)
            {
                PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4,
                    "Delivering CIMObjectPath: " + instanceNames[i].toString());
                // deliver object path
                handler.deliver(instanceNames[i]);
            }
            else
            {
                PEG_TRACE_STRING(TRC_DISCARDED_DATA, Tracer::LEVEL3,
                    "Ignoring CIMObjectPath: " + instanceNames[i].toString());
            }
        }
        // complete request
        handler.complete();
    }
#ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION
    else if (className == PEGASUS_CLASSNAME_CRL)
    {
        // process request
        handler.processing();

        FileSystem::translateSlashes(_crlStore);

        // The CRL store must be an existing directory that this process can
        // write to; otherwise the request fails with CIM_ERR_FAILED below.
        if (FileSystem::isDirectory(_crlStore) && FileSystem::canWrite(_crlStore))
        {
            Array<String> crlFiles;
            if (FileSystem::getDirectoryContents(_crlStore, crlFiles))
            {
                Uint32 count = crlFiles.size();
                for (Uint32 i = 0; i < count; i++)
                {
                    String filename = crlFiles[i];
                    PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                        "Filename " + filename);

                    CIMObjectPath cimObjectPath;

                    //ATTN: Is this a two-way hash? If so, I don't need to read in the CRL just to determine the issuer name
                    // NOTE(review): the BIO_new() result is used without a NULL
                    // check.
                    BIO* inFile = BIO_new(BIO_s_file());
                    X509_CRL* xCrl = NULL;
                    char issuerName[1024];
                    char fullPathName[1024];

                    // NOTE(review): unbounded sprintf into a 1024-byte stack
                    // buffer. Nothing here limits the combined length of
                    // _crlStore and filename, so a long store path or file name
                    // writes past fullPathName. Build the path with a
                    // length-checked call (snprintf with a truncation check) or
                    // a String, and skip entries that do not fit.
                    sprintf(fullPathName, "%s/%s",
                        (const char*)_crlStore.getCString(),
                        (const char*)filename.getCString());

                    if (BIO_read_filename(inFile, fullPathName))
                    {
                        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                            "Successfully read filename");

                        if (PEM_read_bio_X509_CRL(inFile, &xCrl, NULL, NULL))
                        {
                            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                                "Successfully read CRL file");
                            // NOTE(review): the issuer string comes from the CRL
                            // file's contents and its length is not bounded
                            // before this copy into the 1024-byte issuerName.
                            // With a NULL buffer argument X509_NAME_oneline()
                            // returns a heap string that the caller must
                            // release with OPENSSL_free(); here the pointer is
                            // dropped, and a NULL return would be passed to
                            // "%s". Keep the returned pointer, check it, build
                            // the key value from it, then free it.
                            sprintf(issuerName, "%s",
                                X509_NAME_oneline(X509_CRL_get_issuer(xCrl), NULL, 0));

                            // build object path
                            Array<CIMKeyBinding> keys;
                            CIMKeyBinding key;
                            key.setName(ISSUER_NAME_PROPERTY.getString());
                            key.setValue(issuerName);
                            key.setType(CIMKeyBinding::STRING);
                            keys.append(key);

                            // set object path for instance
                            CIMObjectPath instanceName(cimObjectPath.getHost(),
                                cimObjectPath.getNameSpace(),
                                PEGASUS_CLASSNAME_CRL,
                                keys);

                            PEG_TRACE_STRING(TRC_CONTROLPROVIDER,Tracer::LEVEL4,
                                "Instance Name: " + instanceName.toString());

                            handler.deliver(instanceName);
                        }
                        // NOTE(review): a file that opens but does not parse as
                        // a PEM CRL is skipped without a trace message.
                    }
                    else
                    {
                        //error
                        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                            "Error reading CRL file");
                    }

                    // NOTE(review): only the BIO is released in this loop; no
                    // X509_CRL_free(xCrl) is visible, so each parsed CRL
                    // appears to leak.
                    BIO_free_all(inFile);
                } //end for

                // complete request
                handler.complete();
            }
            else
            {
                PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                    "Error: Could not read sslCRLStore directory.");
                MessageLoaderParms parms("ControlProviders.CertificateProvider.COULD_NOT_READ_DIRECTORY",
                    "Cannot read directory $0.", _crlStore);
                throw CIMException(CIM_ERR_FAILED, parms);
            }
        }
        else
        {
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                "Error: sslCRLStore is not a valid directory.");
            MessageLoaderParms parms("ControlProviders.CertificateProvider.INVALID_DIRECTORY",
                "Invalid directory $0.", _crlStore);
            throw CIMException(CIM_ERR_FAILED, parms);
        }
    }
#endif
    else
    {
        // Any other class name is rejected.
        throw CIMException(CIM_ERR_INVALID_CLASS, className.getString());
    }

    PEG_METHOD_EXIT();
}

/**
 * Not supported: always throws CIMException(CIM_ERR_NOT_SUPPORTED).
 * Use invokeMethod to create a certificate or CRL.
 */
void CertificateProvider::createInstance(
    const OperationContext & context,
    const CIMObjectPath & cimObjectPath,
    const CIMInstance & cimInstance,
    ObjectPathResponseHandler & handler)
{
    throw CIMException(CIM_ERR_NOT_SUPPORTED, "CertificateProvider::createInstance");
}

/**
 * Not supported: always throws CIMException(CIM_ERR_NOT_SUPPORTED).
 */
void CertificateProvider::modifyInstance(
    const OperationContext & context,
    const CIMObjectPath & cimObjectPath,
    const CIMInstance & cimInstance,
    const Boolean includeQualifiers,
    const CIMPropertyList & propertyList,
    ResponseHandler & handler)
{
    throw CIMException(CIM_ERR_NOT_SUPPORTED, "CertificateProvider::modifyInstance");
}

/**
 * Deletes the internal object denoted by the specified CIMObjectPath.
 *
 * The user name from the request's IdentityContainer must pass
 * _verifyAuthorization(); otherwise CIM_ERR_ACCESS_DENIED is thrown before
 * anything else is done. For PEGASUS_CLASSNAME_CERTIFICATE the key bindings
 * select the certificate either by issuer + subject or by issuer + serial
 * number; the issuer + subject path throws CIM_ERR_NOT_FOUND when no server
 * truststore instance matches. The rest of the method lies beyond the end of
 * this listing.
 */
void CertificateProvider::deleteInstance(
    const OperationContext & context,
    const CIMObjectPath & cimObjectPath,
    ResponseHandler & handler)
{
    PEG_METHOD_ENTER(TRC_CONTROLPROVIDER, "CertificateProvider::deleteInstance");

    //verify authorization
    const IdentityContainer container = context.get(IdentityContainer::NAME);
    if (!_verifyAuthorization(container.getUserName()))
    {
        MessageLoaderParms parms(
            "ControlProviders.CertificateProvider.MUST_BE_PRIVILEGED_USER",
            "Superuser authority is required to run this CIM operation.");
        throw CIMException(CIM_ERR_ACCESS_DENIED, parms);
    }

    CIMName className(cimObjectPath.getClassName());

    //verify classname
    if (className == PEGASUS_CLASSNAME_CERTIFICATE)
    {
        // process request
        handler.processing();

        //
        // Check if the subjectName is passed.
        //
        Array<CIMInstance> cimInstances;
        Array<CIMKeyBinding> keys;
        CIMKeyBinding key;
        String certIssuer;
        String certSubject;
        String certSerialNum;
        Boolean subjectSet = true;
        Boolean issuerSet = true;
        Boolean serialNumSet = true;

        keys = cimObjectPath.getKeyBindings();

        // Key 0 is expected to be the issuer name.
        if (keys.size() && String::equal(keys[0].getName().getString(),
                      ISSUER_NAME_PROPERTY.getString()))
        {
            certIssuer = keys[0].getValue();
        }
        else
        {
            issuerSet = false;
        }

        // NOTE(review): keys.size() only proves that at least one key binding
        // exists, yet keys[1] is read in this test and the next one. An object
        // path carrying a single key reaches an out-of-range index; the guard
        // should be keys.size() > 1. Confirm how Array::operator[] behaves
        // out of range (exception vs. unchecked read).
        if (keys.size() && String::equal(keys[1].getName().getString(),
                      SUBJECT_NAME_PROPERTY.getString()))
        {
            certSubject = keys[1].getValue();
        }
        else
        {
            subjectSet = false;
        }

        // Key 1 may instead be the serial number; same index, same guard.
        if (keys.size() && String::equal(keys[1].getName().getString(),
                      SERIAL_NUMBER_PROPERTY.getString()))
        {
            certSerialNum = keys[1].getValue();
        }
        else
        {
            serialNumSet = false;
        }

        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
            "issuerName :" + certIssuer);

        //
        // Check if the subject and issuer were specified.
        //
        if (subjectSet && issuerSet)
        {
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                "Subject and issuer specified.");
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                "subjectName :" + certSubject);

            Array<CIMInstance> certificateNamedInstances;

            //
            // get all the instances of class PG_SSLCertificate
            //
            certificateNamedInstances =
                _repository->enumerateInstancesForClass(
                    PEGASUS_NAMESPACENAME_CERTIFICATE,
                    PEGASUS_CLASSNAME_CERTIFICATE);

            //
            // Retrieve the instances for the specified subject & issuer
            //
            Uint32 num = certificateNamedInstances.size();

            for (Uint32 i = 0; i < num; i++)
            {
                String issuer;
                String subject;
                Uint16 truststoreType = 0;

                CIMInstance& certificateInstance =
                    certificateNamedInstances[i];

                PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4,
                    "Comparing instance : " +
                    certificateInstance.getPath().toString());

                //
                // Retrieve the truststore type
                //
                // NOTE(review): pos is passed to getProperty() without being
                // compared against PEG_NOT_FOUND, here and for the issuer and
                // subject lookups below. Confirm every stored instance is
                // guaranteed to carry these properties.
                Uint32 pos = certificateInstance.findProperty(
                    TRUSTSTORE_TYPE_PROPERTY);
                CIMProperty prop = certificateInstance.getProperty(pos);
                prop.getValue().get(truststoreType);

                //
                // Filter instances whose truststore type is
                // other than server truststore.
                //
                if ( truststoreType == PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER )
                {
                    //
                    // Check if issuer name and subject are specified
                    // and they match
                    //
                    Uint32 pos = certificateInstance.findProperty(
                        ISSUER_NAME_PROPERTY);
                    CIMProperty prop = certificateInstance.getProperty(pos);
                    prop.getValue().get(issuer);

                    pos = certificateInstance.findProperty(SUBJECT_NAME_PROPERTY);
                    prop = certificateInstance.getProperty(pos);
                    prop.getValue().get(subject);

                    if ( issuer == certIssuer && subject == certSubject)
                    {
                        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                            "Found a matching instance.");
                        cimInstances.append(certificateInstance);
                    }
                }
                else
                {
                    PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                        "Ignoring instance : " +
                        certificateInstance.getPath().toString());
                }
            }

            // Check if the certificate was found
            if (cimInstances.size() == 0)
            {
                // Certificate does not exist, throw exception
                PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                    "The certificate does not exist.");
                MessageLoaderParms parms(
                    "ControlProviders.CertificateProvider.CERT_DNE",
                    "The certificate does not exist.");
                throw CIMException(CIM_ERR_NOT_FOUND, parms);
            }
        }
        else if (issuerSet && serialNumSet)
        {
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3,
                "issuer and serial number specified.");
            // (listing ends here; the remainder of deleteInstance is not shown)