-
Notifications
You must be signed in to change notification settings - Fork 101
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add workflow to publish ca certs and crls, add sanity checks to crl p…
…ublishing Tools::PublishCRL now checks if the given serial matches realm and issuer. Provides functionality requested by #240
- Loading branch information
Showing
6 changed files
with
465 additions
and
58 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
115 changes: 115 additions & 0 deletions
115
config/openxpki/config.d/realm/ca-one/workflow/def/ca_publish.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,115 @@ | ||
head: | ||
prefix: capub | ||
label: I18N_OPENXPKI_WF_TYPE_CA_ISSUANCE | ||
description: I18N_OPENXPKI_WF_TYPE_CA_ISSUANCE_DESC | ||
|
||
|
||
state: | ||
CREATE_QUEUE: | ||
autorun: 1 | ||
label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_CREATE_QUEUE_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_CREATE_QUEUE_DESC | ||
action: | ||
- create_ca_list > LOAD_NEXT_CA | ||
|
||
INITIAL: | ||
label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_INITIAL_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_INITIAL_DESC | ||
action: | ||
- initialize > CREATE_QUEUE | ||
|
||
PUBLISH_CACERT: | ||
autorun: 1 | ||
label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CA_PUBLISH_CACERT_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CA_PUBLISH_CACERT_DESC | ||
action: | ||
- publish_cacert > PUBLISH_CRL | ||
|
||
LOAD_NEXT_CA: | ||
autorun: 1 | ||
label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_LOAD_NEXT_CA_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_LOAD_NEXT_CA_DESC | ||
action: | ||
- get_next_ca > PUBLISH_CACERT ? !is_ca_list_empty | ||
- global_noop > SUCCESS ? is_ca_list_empty | ||
|
||
PUBLISH_CRL: | ||
autorun: 1 | ||
label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_PUBLISH_CRL_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_PUBLISH_CRL_DESC | ||
action: | ||
- publish_crl > LOAD_NEXT_CA | ||
|
||
SUCCESS: | ||
label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_SUCCESS_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_SUCCESS_DESC | ||
|
||
|
||
action: | ||
initialize: | ||
class: OpenXPKI::Server::Workflow::Activity::Noop | ||
label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_INIT_PUBLISH_CA_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_INIT_PUBLISH_CA_DESC | ||
|
||
create_ca_list: | ||
class: OpenXPKI::Server::Workflow::Activity::Tools::ListActiveToken | ||
label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CREATE_CA_LIST_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CREATE_CA_LIST_DESC | ||
param: | ||
group: ca-one-signer | ||
|
||
publish_cacert: | ||
class: OpenXPKI::Server::Workflow::Activity::Tools::PublishCA | ||
label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CA_PUBLISH_PUBLISH_CA_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CA_PUBLISH_PUBLISH_CA_DESC | ||
input: | ||
- ca_alias | ||
param: | ||
prefix: publishing.cacert | ||
|
||
publish_crl: | ||
class: OpenXPKI::Server::Workflow::Activity::Tools::PublishCRL | ||
label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CRL_ISSUANCE_PUBLISH_CRL_LABEL | ||
description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CRL_ISSUANCE_PUBLISH_CRL_DESC | ||
input: | ||
- ca_alias | ||
param: | ||
prefix: publishing.crl | ||
crl_serial: latest | ||
|
||
get_next_ca: | ||
class: OpenXPKI::Server::Workflow::Activity::Tools::WFArray | ||
param: | ||
array_name: token_alias_list | ||
context_key: ca_alias | ||
function: shift | ||
|
||
condition: | ||
is_ca_list_empty: | ||
class: OpenXPKI::Server::Workflow::Condition::WFArray | ||
param: | ||
array_name: token_alias_list | ||
condition: is_empty | ||
|
||
|
||
field: | ||
ca_alias: | ||
name: ca_alias | ||
type: text | ||
|
||
acl: | ||
Anonymous: | ||
creator: self | ||
|
||
CA Operator: | ||
creator: any | ||
|
||
RA Operator: | ||
creator: any | ||
|
||
System: | ||
creator: self | ||
|
||
User: | ||
creator: self | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
88 changes: 88 additions & 0 deletions
88
core/server/OpenXPKI/Server/Workflow/Activity/Tools/ListActiveToken.pm
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
# OpenXPKI::Server::Workflow::Activity::Tools::ListActiveToken | ||
# Copyright (c) 2015 by The OpenXPKI Project | ||
|
||
package OpenXPKI::Server::Workflow::Activity::Tools::ListActiveToken; | ||
|
||
use strict; | ||
use base qw( OpenXPKI::Server::Workflow::Activity ); | ||
|
||
use OpenXPKI::Server::Context qw( CTX ); | ||
use OpenXPKI::Exception; | ||
use OpenXPKI::Debug; | ||
use Data::Dumper; | ||
use OpenXPKI::Serialization::Simple; | ||
|
||
use OpenXPKI::Server::Workflow::WFObject::WFArray; | ||
|
||
sub execute { | ||
##! 1: 'execute' | ||
my $self = shift; | ||
my $workflow = shift; | ||
my $serializer = OpenXPKI::Serialization::Simple->new(); | ||
my $pki_realm = CTX('api')->get_pki_realm(); | ||
my $context = $workflow->context(); | ||
|
||
my $config = CTX('config'); | ||
|
||
my $token_alias_list = OpenXPKI::Server::Workflow::WFObject::WFArray->new({ | ||
workflow => $workflow, | ||
context_key => 'token_alias_list', | ||
}); | ||
|
||
my $token_list; | ||
my $group_name; | ||
|
||
# get group name from type | ||
if ($self->param('token')) { | ||
# Determine the name of the key group for cert signing | ||
$group_name = $config->get(['crypto','type', $self->param('token') ]); | ||
OpenXPKI::Exception->throw ( | ||
message => "I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_LIST_ACTIVE_TOKEN_NO_GROUP_FOUND_FOR_TYPE", | ||
params => { TOKEN => $self->param('token') } | ||
) unless ($group_name); | ||
|
||
# explicit group name | ||
} elsif ($self->param('group')) { | ||
$group_name = $self->param('group'); | ||
|
||
# oops | ||
} else { | ||
OpenXPKI::Exception->throw ( | ||
message => "I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_LIST_ACTIVE_TOKEN_NO_GROUP_OR_TYPE_GIVEN", | ||
); | ||
} | ||
|
||
my $token_list = CTX('api')->list_active_aliases( { GROUP => $group_name } ); | ||
|
||
if (!@{$token_list} && !$self->param('empty_ok')) { | ||
OpenXPKI::Exception->throw ( | ||
message => "I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_LIST_ACTIVE_TOKEN_DID_NOT_FIND_ANY_TOKEN", | ||
params => { GROUP => $group_name } | ||
); | ||
} | ||
|
||
##! 32: "Active tokens found " . Dumper $token_list | ||
foreach my $alias (@{$token_list}) { | ||
$token_alias_list->push($alias->{ALIAS}); | ||
} | ||
|
||
return 1; | ||
} | ||
|
||
1; | ||
|
||
__END__ | ||
=head1 Name | ||
OpenXPKI::Server::Workflow::Activity::Tools::ListActiveToken | ||
=head1 Description | ||
Load the alias names of all active tokens in the given token group (parameter | ||
I<group>) or with the given token type (paramater I<token>). | ||
The list of token names will be in the context with key token_alias_list as | ||
array, sorted by notbefore data, most current first. | ||
The class will throw an exception if no items are found unless the "empty_ok" | ||
parameter is set to a true value. |
Oops, something went wrong.