certificateprovider.cpp

Pegasus is an open-source implementationof the DMTF CIM and WBEM standards. It is designed to be por

            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, 
                "serial number :" + certSerialNum);

            CIMObjectPath tmpPath = cimObjectPath;

            try
            {
                Array<CIMKeyBinding> keys;

                //
                // The truststore type key property is deprecated. To retain
                // backward compatibility, add the truststore type property
                // to the key bindings and set it to cimserver truststore.
                //
                CIMKeyBinding kb (TRUSTSTORE_TYPE_PROPERTY, 
                    PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER);
                keys.append (kb);

                keys = cimObjectPath.getKeyBindings();
                
                keys.append (kb);
 
                tmpPath.setKeyBindings(keys);

                cimInstances.append(_repository->getInstance(
                   cimObjectPath.getNameSpace(), tmpPath));

            } 
            catch (Exception& ex)
            {
                PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, 
                   "The certificate does not exist. " + tmpPath.toString() );
                MessageLoaderParms parms(
                    "ControlProviders.CertificateProvider.CERT_DNE",
                    "The certificate does not exist.");
                throw CIMException(CIM_ERR_NOT_FOUND, parms);
            }
        }
        else
        {
            throw CIMException(CIM_ERR_INVALID_PARAMETER, 
                cimObjectPath.toString());
        }

        // Check if there were certificates to be deleted.
        if (cimInstances.size() > 0)
        {
            // Delete the certificates
            _removeCert(cimInstances);
        }

        // complete request
        handler.complete();

    } 
#ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION
    else if (className == PEGASUS_CLASSNAME_CRL)
    {
        Array<CIMKeyBinding> keys;
        CIMKeyBinding key;
        String issuerName;

        keys = cimObjectPath.getKeyBindings();
        if (keys.size() && String::equal(keys[0].getName().getString(), ISSUER_NAME_PROPERTY.getString()))
        {
            issuerName = keys[0].getValue();
        }

        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, "CRL COP" + cimObjectPath.toString());
        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, "Issuer Name " + issuerName);

        //ATTN: it would nice to be able to do this by getting the hash directly from the issuerName
        //unfortunately, there does not seem to be an easy way to achieve this
        //the closest I can get is to add the individual DN components using X509_NAME_add_entry_by_NID
        //which involves a lot of tedious parsing.
        //look in the do_subject method of apps.h for how this is done
        //X509_NAME* name = X509_name_new();

        char issuerChar[1024];
        sprintf(issuerChar, "%s", (const char*) issuerName.getCString());

        X509_NAME* name = getIssuerName(issuerChar, MBSTRING_ASC);

        AutoMutex lock(_crlStoreMutex);

        String crlFileName = _getCRLFileName(_crlStore, X509_NAME_hash(name));
        if (FileSystem::exists(crlFileName)) 
        {
            if (FileSystem::removeFile(crlFileName)) 
            {
                PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, "Successfully deleted CRL file " + crlFileName);

                //
                // reload the CRL store to refresh the cache
                //
                _sslContextMgr->reloadCRLStore();

                Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,
                            "The CRL from issuer $0 has been deleted.",
                            issuerName);

            } else
            {
                PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, "Could not delete file.");
                 MessageLoaderParms parms("ControlProviders.CertificateProvider.DELETE_FAILED",
                                          "Could not delete file $0.", FileSystem::extractFileName(crlFileName));
                 throw CIMException(CIM_ERR_FAILED, parms);
            }
        } else
        {
             PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, "File does not exist.");
             MessageLoaderParms parms("ControlProviders.CertificateProvider.FILE_DNE",
                                      "File does not exist $0.", FileSystem::extractFileName(crlFileName));
             throw CIMException(CIM_ERR_NOT_FOUND, parms);
        }
   
        X509_NAME_free(name);

    } 
#endif
    else
    {
        throw CIMException(CIM_ERR_INVALID_CLASS, className.getString());
    }

    PEG_METHOD_EXIT();
}


void CertificateProvider::_removeCert (Array<CIMInstance> cimInstances)
{
    Uint32 num = cimInstances.size();
    Tracer::trace(TRC_CONTROLPROVIDER, Tracer::LEVEL4, 
        "Number of certificate instances to be removed : %d " , num);


    for ( Uint32 i = 0; i < num ; i++)
    {
        String issuerName;
        String userName;
        String certificateFileName;
        String serialNumber;
        CIMProperty cimProperty;

        CIMInstance& certificateInstance = cimInstances[i];

        //certificate file name
        cimProperty = certificateInstance.getProperty(
                         certificateInstance.findProperty(FILE_NAME_PROPERTY));
        cimProperty.getValue().get(certificateFileName);

        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, 
           "Certificate file name " + certificateFileName);

        //issuer name
        cimProperty = certificateInstance.getProperty(
                         certificateInstance.findProperty(ISSUER_NAME_PROPERTY));
        cimProperty.getValue().get(issuerName);

        //user name
        cimProperty = certificateInstance.getProperty(
                         certificateInstance.findProperty(USER_NAME_PROPERTY));
        cimProperty.getValue().get(userName);

        //serial number
        cimProperty = certificateInstance.getProperty(
                      certificateInstance.findProperty(SERIAL_NUMBER_PROPERTY));
        cimProperty.getValue().get(serialNumber);

        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, 
           "Issuer name " + issuerName);
        
        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, 
           "serial number " + serialNumber);

        if (userName == String::EMPTY)
        {
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, 
               "The certificate does not have a username associated with it");
        }
        else
        {
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, 
                "User name " + userName);
        }

        AutoMutex lock(_trustStoreMutex);

        if (!FileSystem::exists(certificateFileName)) 
        {
             //
             // In rare cases a certificate may have been
             // manually removed from the truststore, but the repositoty
             // entry still exists. Delete the Repository instance so that
             // the certificate can be re-added again if required.
             //
             // This is also valid for end-entity certificates as they
             // would not exist in the truststore.
             //

             PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, 
                "WARNING: Certificate file does not exist," 
                 "remove entry from repository anyway.");
        }
        else if (!FileSystem::removeFile(certificateFileName)) 
        {
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, 
                 "Could not delete file.");
            MessageLoaderParms parms(
                "ControlProviders.CertificateProvider.DELETE_FAILED",
                 "Could not delete file $0.", certificateFileName);
            throw CIMException(CIM_ERR_FAILED, parms);
        }

        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, 
          "Successfully deleted certificate file " + certificateFileName);
                
        Array<CIMKeyBinding> kbArray;
        CIMKeyBinding        kb;

        kb.setName(ISSUER_NAME_PROPERTY);
        kb.setValue(issuerName);
        kb.setType(CIMKeyBinding::STRING);
        kbArray.append(kb);

        kb.setName(SERIAL_NUMBER_PROPERTY);
        kb.setValue(serialNumber);
        kb.setType(CIMKeyBinding::STRING);
        kbArray.append(kb);

        //
        // The truststore type key property is deprecated. To retain
        // backward compatibility, add the truststore type property
        // to the key bindings and set it to cimserver truststore.
        // 
        CIMKeyBinding key (TRUSTSTORE_TYPE_PROPERTY, PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER);
        kbArray.append (key);

        CIMObjectPath reference(
            String::EMPTY, PEGASUS_NAMESPACENAME_CERTIFICATE,
            PEGASUS_CLASSNAME_CERTIFICATE, kbArray);

        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, 
          "keys are: " + reference.toString());

        // Delete from repository.
        _repository->deleteInstance(
            PEGASUS_NAMESPACENAME_CERTIFICATE,
            reference);

        if (userName == String::EMPTY)
        {
            Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, 
               Logger::TRACE,
              "The certificate without an associated user" 
              "name from issuer $0 "
              "has been deleted from the truststore.",
               issuerName);
        }
        else
        {
            Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,
               "The certificate registered to $0 from issuer $1 "
               "has been deleted from the truststore.",
               userName,
               issuerName);
        }
    }

    //
    // Request SSLContextManager to delete the certificate from the cache
    //
    try
    {
        _sslContextMgr->reloadTrustStore();
    }
    catch (SSLException& ex)
    {
        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, 
           "Trust store reload failed, " + ex.getMessage());

        MessageLoaderParms parms(
            "ControlProviders.CertificateProvider.TRUSTSTORE_RELOAD_FAILED",
            "Trust store reload failed, certificate deletion will" 
            " not be effective until cimserver restart.");
                throw CIMException(CIM_ERR_FAILED, parms);
    }
}

/** Returns the CRL filename associated with the hashvalue that represents the issuer name.  
 *  There is only one CRL per issuer so the file name will always end in .r0
 */ 
String CertificateProvider::_getCRLFileName(String crlStore, unsigned long hashVal)
{
    PEG_METHOD_ENTER(TRC_CONTROLPROVIDER, "CertificateProvider::_getCRLFileName");

    Uint32 index = 0;

    //The files are looked up by the CA issuer name hash value. 
    //Since only one CRL should exist for a given CA, the extension .r0 is appended to the CA hash
    char hashBuffer[32];
    sprintf(hashBuffer, "%08lx", hashVal);

    String hashString = "";
    for (int j = 0; j < 32; j++)
    {
        if (hashBuffer[j] != '\0')
        {
            hashString.append(hashBuffer[j]);
        } else
        {
            break; // end of hash string
        }
    }

    char filename[1024];
    sprintf(filename, "%s/%s.r0", 
            (const char*)crlStore.getCString(),
            (const char*)hashString.getCString());

    PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL4, "Searching for files like " + hashString + "in " + crlStore);

    FileSystem::translateSlashes(crlStore); 
    if (FileSystem::isDirectory(crlStore) && FileSystem::canWrite(crlStore))
    {
        if (FileSystem::exists(filename)) 
        {
            //overwrite
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, "CRL already exists, overwriting");

        } else
        {
            //create
            PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, "CRL does not exist, creating");
        }
    } else
    {
        PEG_TRACE_STRING(TRC_CONTROLPROVIDER, Tracer::LEVEL3, "Cannot add CRL to CRL store : CRL directory DNE or does not have write privileges");
        MessageLoaderParms parms("ControlProviders.CertificateProvider.INVALID_DIRECTORY",
                                 "Invalid directory $0.", crlStore);
        throw CIMException(CIM_ERR_FAILED, parms);
    }

    PEG_METHOD_EXIT();

    return (String(filename));
}

/** Returns the new certificate filename for the hashvalue that represents the subject name.
 */