Finalize merge of new Crypt::X509 structured SAN method

Make new method avail under old accessor Keep old serialization format for scalar values Set minimum version for module
openxpki · May 7, 2020 · 46ab522 · 46ab522
1 parent 450802b
commit 46ab522
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 58 deletions.
diff --git a/core/server/Makefile.PL b/core/server/Makefile.PL
@@ -334,7 +334,7 @@ WriteMakefile(
         'CryptX' =>             => '0.1.2',        
         'Crypt::Cipher::AES'               => 0,           # replacement to support keysize > 128
         'Crypt::PKCS10'                 => '2.000',
-        'Crypt::X509'                   => 0,
+        'Crypt::X509'                   => '0.53',
         'Data::Password'                => '1.07',
         'Data::Serializer'              => '0.44',
         'Data::UUID'                    => 0,           # for OpenXPKI::Template::Plugin::Utils and CPAN

diff --git a/core/server/OpenXPKI/Client/UI/Certificate.pm b/core/server/OpenXPKI/Client/UI/Certificate.pm
@@ -12,6 +12,7 @@ use URI::Escape;
 use DateTime;
 use Digest::SHA qw(sha1_base64);
 use OpenXPKI::i18n qw( i18nGettext );
+use OpenXPKI::Serialization::Simple;
 
 
 has __default_grid_head => (
@@ -1278,12 +1279,18 @@ sub action_search {
     # Add san search to attributes
     if (my $val = $self->param('san')) {
         $input->{'san'} = $val;
+        # The serialization format was extended in v3.5 from a simple join
+        # to use OXI::Serialize - currently this is used only for dirName
+        # search needs to be fixed to find dirName items, see #755
+        # if the san type was given by the user, strip it
+        my $type = '%';
+        if ($val =~ m{\A(\w+):(.*)}) {
+            $type = $1;
+            $val = $2;
+        }
         $val =~ s{\*}{%}g;
         $val =~ s{\?}{_}g;
-        # SAN type is prefixed with a ":", do not expand query if a
-        # user already added the prefix
-        $val = "%:$val" unless ($val =~ m{\A\w+:});
-        $attr->{subject_alt_name} = { -like => $val };
+        $attr->{subject_alt_name} = { -like => "$type:$val" };
     }
 
     if ($attr) {

diff --git a/core/server/OpenXPKI/Crypt/X509.pm b/core/server/OpenXPKI/Crypt/X509.pm
@@ -10,7 +10,7 @@ use Digest::SHA qw(sha1_base64 sha1_hex);
 use OpenXPKI::DateTime;
 use MIME::Base64;
 use Moose;
-use Crypt::X509;
+use Crypt::X509 0.53;
 
 has data => (
     is => 'ro',
@@ -97,15 +97,6 @@ has subject_hash => (
     }
 );
 
-has subject_alt_name => (
-    is => 'ro',
-    init_arg => undef,
-    isa => 'ArrayRef',
-    reader => 'get_subject_alt_name',
-    lazy => 1,
-    builder => '_build_san'
-);
-
 =head2
 
 Returns a pointer to a list of SANs. Each SAN is represented as a pointer to a list
@@ -121,13 +112,13 @@ Example return value:
 
 =cut
 
-has structured_subject_alt_name => (
-	is => 'ro',
-	init_arg => undef,
-	isa => 'ArrayRef',
-	reader => 'get_structured_subject_alt_name',
-	lazy => 1,
-	builder => '_build_structured_san'
+has subject_alt_name => (
+    is => 'ro',
+    init_arg => undef,
+    isa => 'ArrayRef',
+    reader => 'get_subject_alt_name',
+    lazy => 1,
+    builder => '_build_san'
 );
 
 has issuer => (
@@ -275,38 +266,6 @@ sub _build_san {
         registeredID => 'RID',
     };
 
-    my @san_list;
-
-    # List where eacht item is a string with "type=value"
-    my $san_names = $self->_cert->SubjectAltName();
-
-    # Walk all san lines
-    foreach my $san (@$san_names) {
-        my ($type, $value) = $san =~ m{\A(\w+)=(.+)\z};
-        my $san_type = $san_map->{$type};
-        next unless($san_type);
-        push @san_list, [ $san_type, $value ];
-    }
-
-    return \@san_list;
-}
-
-sub _build_structured_san {
-
-    my $self = shift;
-
-    my $san_map = {
-        otherName => 'otherName',
-        rfc822Name => 'email',
-        dNSName => 'DNS',
-        x400Address => '', # not supported by openssl
-        directoryName => 'dirName',
-        ediPartyName => '', # not supported by openssl
-        uniformResourceIdentifier => 'URI',
-        iPAddress  => 'IP',
-        registeredID => 'RID',
-    };
-
     my @san_list;
     my $san_exts = $self->_cert->DecodedSubjectAltNames();
 

diff --git a/core/server/OpenXPKI/Server/NICE.pm b/core/server/OpenXPKI/Server/NICE.pm
@@ -176,17 +176,18 @@ sub __persistCertificateInformation {
         },
     );
 
-
-    my @structured_subject_alt_names = @{$x509->get_structured_subject_alt_name()};
+    my @structured_subject_alt_names = @{$x509->get_subject_alt_name()};
     ##! 32: 'sans (structured): ' . Dumper \@structured_subject_alt_names
     for my $san (@structured_subject_alt_names) {
+        # keep the old format for scalars as we need this to search in SAN
+        my $val = ((ref $san->[1]) ? $serializer->serialize($san) : join(":", @$san));
         CTX('dbi')->insert(
             into => 'certificate_attributes',
             values => {
                 attribute_key        => AUTO_ID,
                 identifier           => $identifier,
                 attribute_contentkey => 'subject_alt_name',
-                attribute_value      => $serializer->serialize($san),
+                attribute_value      => $val,
             },
         );
     }

diff --git a/core/server/t/25_crypto/36_object_x509.t b/core/server/t/25_crypto/36_object_x509.t
@@ -27,7 +27,7 @@ ok(1, 'certificate parsed');
 
 is($x509->pem, $example_certificate, 'certificate has not been mangled in any way');
 is($x509->get_subject, 'CN=Example certificate', 'subject is as expected');
-is_deeply($x509->get_structured_subject_alt_name,
+is_deeply($x509->get_subject_alt_name,
     [
         [ 
             'dirName',