
Add workflow to publish ca certs and crls, add sanity checks to crl publishing

Tools::PublishCRL now checks if the given serial matches realm and issuer.
Provides functionality requested by #240
oliwel committed Jan 28, 2015
1 parent 6f60f1b commit 7408f7c
Showing 6 changed files with 465 additions and 58 deletions.
12 changes: 11 additions & 1 deletion config/openxpki/config.d/realm/ca-one/publishing.yaml
Expand Up @@ -6,7 +6,10 @@ entity:

crl:
crl@: connector:publishing.connectors.cdp


cacert:
disk@: connector:publishing.connectors.cacert

connectors:
ldap-ext:
class: Connector::Proxy::Net::LDAP::Single
Expand Down Expand Up @@ -52,3 +55,10 @@ connectors:
file: "[% ARGS.0 %].crl"
content: "[% pem %]"


cacert:
class: Connector::Builtin::File::Path
LOCATION: /tmp/
file: "[% ARGS.0 %].pem"
content: "[% pem %]"

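Review bot: The new `cacert` connector writes CA certificates to `LOCATION: /tmp/`, a world-writable directory, so any local user can pre-create or replace `<alias>.pem` there and anything that consumes the published trust anchor from that path can be handed an attacker-chosen certificate. The sibling `cdp` connector's LOCATION is outside the visible hunk, so whether CRLs share this problem cannot be confirmed here. This is a sample realm config, so it may be deliberate, but the line deserves a warning: `# sample only: publish to a dedicated, operator-owned directory served by your CDP/AIA web root, never a shared tmp dir`. The `file: "[% ARGS.0 %].pem"` name is built from the CA alias supplied by the workflow's token list rather than by a user, so no traversal issue is apparent from the visible lines, though how Connector::Builtin::File::Path treats path separators in ARGS.0 is not shown.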
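--- a/config/openxpki/config.d/realm/ca-one/workflow/def/ca_publish.yaml
+++ b/config/openxpki/config.d/realm/ca-one/workflow/def/ca_publish.yaml
@@ -0,0 +1,115 @@
+head:
+prefix: capub
+label: I18N_OPENXPKI_WF_TYPE_CA_ISSUANCE
+description: I18N_OPENXPKI_WF_TYPE_CA_ISSUANCE_DESC
+
+
+state:
+CREATE_QUEUE:
+autorun: 1
+label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_CREATE_QUEUE_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_CREATE_QUEUE_DESC
+action:
+- create_ca_list > LOAD_NEXT_CA
+
+INITIAL:
+label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_INITIAL_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_INITIAL_DESC
+action:
+- initialize > CREATE_QUEUE
+
+PUBLISH_CACERT:
+autorun: 1
+label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CA_PUBLISH_CACERT_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CA_PUBLISH_CACERT_DESC
+action:
+- publish_cacert > PUBLISH_CRL
+
+LOAD_NEXT_CA:
+autorun: 1
+label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_LOAD_NEXT_CA_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_LOAD_NEXT_CA_DESC
+action:
+- get_next_ca > PUBLISH_CACERT ? !is_ca_list_empty
+- global_noop > SUCCESS ? is_ca_list_empty
+
+PUBLISH_CRL:
+autorun: 1
+label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_PUBLISH_CRL_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_PUBLISH_CRL_DESC
+action:
+- publish_crl > LOAD_NEXT_CA
+
+SUCCESS:
+label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_SUCCESS_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CRL_ISSUE_SUCCESS_DESC
+
+
+action:
+initialize:
+class: OpenXPKI::Server::Workflow::Activity::Noop
+label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_INIT_PUBLISH_CA_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_INIT_PUBLISH_CA_DESC
+
+create_ca_list:
+class: OpenXPKI::Server::Workflow::Activity::Tools::ListActiveToken
+label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CREATE_CA_LIST_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CREATE_CA_LIST_DESC
+param:
+group: ca-one-signer
+
+publish_cacert:
+class: OpenXPKI::Server::Workflow::Activity::Tools::PublishCA
+label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CA_PUBLISH_PUBLISH_CA_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CA_PUBLISH_PUBLISH_CA_DESC
+input:
+- ca_alias
+param:
+prefix: publishing.cacert
+
+publish_crl:
+class: OpenXPKI::Server::Workflow::Activity::Tools::PublishCRL
+label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CRL_ISSUANCE_PUBLISH_CRL_LABEL
+description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CRL_ISSUANCE_PUBLISH_CRL_DESC
+input:
+- ca_alias
+param:
+prefix: publishing.crl
+crl_serial: latest
+
+get_next_ca:
+class: OpenXPKI::Server::Workflow::Activity::Tools::WFArray
+param:
+array_name: token_alias_list
+context_key: ca_alias
+function: shift
+
+condition:
+is_ca_list_empty:
+class: OpenXPKI::Server::Workflow::Condition::WFArray
+param:
+array_name: token_alias_list
+condition: is_empty
+
+
+field:
+ca_alias:
+name: ca_alias
+type: text
+
+acl:
+Anonymous:
+creator: self
+
+CA Operator:
+creator: any
+
+RA Operator:
+creator: any
+
+System:
+creator: self
+
+User:
+creator: self
+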
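Review bot: The `acl` block lists `Anonymous` and `User` with `creator: self`; if, as in the other OpenXPKI workflow definitions, being listed under `acl` is what entitles a role to create the workflow, then an unauthenticated caller can start a run that republishes every active CA certificate and CRL to the configured connectors — at minimum a way to hammer the publication targets, and a broader exposure if a connector is not idempotent. Unless anonymous triggering is intended, drop the `Anonymous` and `User` entries and keep the workflow to the operator and system roles (`acl:` / `CA Operator: creator: any` / `System: creator: self`). Separately, the `head` label and most state labels are copied from the CRL issuance workflow (`I18N_OPENXPKI_WF_TYPE_CA_ISSUANCE`, the `..._STATE_CRL_ISSUE_..._LABEL` keys), so the UI will present this publishing workflow under the wrong name; dedicated `..._CA_PUBLISH_...` keys, as already used for `PUBLISH_CACERT`, would be consistent.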
6 changes: 4 additions & 2 deletions core/server/MANIFEST
Expand Up @@ -240,8 +240,6 @@ OpenXPKI/Server/Workflow/Activity/Noop.pm
OpenXPKI/Server/Workflow/Activity/Test.pm
OpenXPKI/Server/Workflow/Activity/WorkflowTest.pm

OpenXPKI/Server/Workflow/Activity/CertIssuance/PublishCertificate.pm

OpenXPKI/Server/Workflow/Activity/CertRenewal/FetchOrgCertData.pm

OpenXPKI/Server/Workflow/Activity/CSR/PersistRequest.pm
Expand All @@ -262,6 +260,8 @@ OpenXPKI/Server/Workflow/Activity/Tools/SetSource.pm
OpenXPKI/Server/Workflow/Activity/Tools/SetErrorCode.pm
OpenXPKI/Server/Workflow/Activity/Tools/Notify.pm

OpenXPKI/Server/Workflow/Activity/Tools/ListActiveToken.pm

OpenXPKI/Server/Workflow/Activity/Tools/GenerateKey.pm
OpenXPKI/Server/Workflow/Activity/Tools/GeneratePassword.pm
OpenXPKI/Server/Workflow/Activity/Tools/RetrieveCertificate.pm
Expand All @@ -270,6 +270,8 @@ OpenXPKI/Server/Workflow/Activity/Tools/ParseCertificate.pm
OpenXPKI/Server/Workflow/Activity/Tools/Pause.pm
OpenXPKI/Server/Workflow/Activity/Tools/PublishCertificate.pm
OpenXPKI/Server/Workflow/Activity/Tools/PublishCRL.pm
OpenXPKI/Server/Workflow/Activity/Tools/PublishCA.pm

OpenXPKI/Server/Workflow/Activity/Tools/RevokeCertificate.pm
OpenXPKI/Server/Workflow/Activity/Tools/TriggerCertificatePublish.pm

@@ -0,0 +1,88 @@
# OpenXPKI::Server::Workflow::Activity::Tools::ListActiveToken
# Copyright (c) 2015 by The OpenXPKI Project

package OpenXPKI::Server::Workflow::Activity::Tools::ListActiveToken;

use strict;
use base qw( OpenXPKI::Server::Workflow::Activity );

use OpenXPKI::Server::Context qw( CTX );
use OpenXPKI::Exception;
use OpenXPKI::Debug;
use Data::Dumper;
use OpenXPKI::Serialization::Simple;

use OpenXPKI::Server::Workflow::WFObject::WFArray;

sub execute {
##! 1: 'execute'
my $self = shift;
my $workflow = shift;
my $serializer = OpenXPKI::Serialization::Simple->new();
my $pki_realm = CTX('api')->get_pki_realm();
my $context = $workflow->context();

my $config = CTX('config');

my $token_alias_list = OpenXPKI::Server::Workflow::WFObject::WFArray->new({
workflow => $workflow,
context_key => 'token_alias_list',
});

my $token_list;
my $group_name;

# get group name from type
if ($self->param('token')) {
# Determine the name of the key group for cert signing
$group_name = $config->get(['crypto','type', $self->param('token') ]);
OpenXPKI::Exception->throw (
message => "I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_LIST_ACTIVE_TOKEN_NO_GROUP_FOUND_FOR_TYPE",
params => { TOKEN => $self->param('token') }
) unless ($group_name);

# explicit group name
} elsif ($self->param('group')) {
$group_name = $self->param('group');

# oops
} else {
OpenXPKI::Exception->throw (
message => "I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_LIST_ACTIVE_TOKEN_NO_GROUP_OR_TYPE_GIVEN",
);
}

my $token_list = CTX('api')->list_active_aliases( { GROUP => $group_name } );

if (!@{$token_list} && !$self->param('empty_ok')) {
OpenXPKI::Exception->throw (
message => "I18N_OPENXPKI_SERVER_WORKFLOW_ACTIVITY_LIST_ACTIVE_TOKEN_DID_NOT_FIND_ANY_TOKEN",
params => { GROUP => $group_name }
);
}

##! 32: "Active tokens found " . Dumper $token_list
foreach my $alias (@{$token_list}) {
$token_alias_list->push($alias->{ALIAS});
}

return 1;
}

1;

__END__
=head1 Name
OpenXPKI::Server::Workflow::Activity::Tools::ListActiveToken
=head1 Description
Load the alias names of all active tokens in the given token group (parameter
I<group>) or with the given token type (paramater I<token>).
The list of token names will be in the context with key token_alias_list as
array, sorted by notbefore data, most current first.
The class will throw an exception if no items are found unless the "empty_ok"
parameter is set to a true value.

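Review bot: `my $token_list;` is declared near the top of `execute` and then declared again with `my $token_list = CTX('api')->list_active_aliases( { GROUP => $group_name } );` in the same scope, so the second `my` shadows the first; the file has `use strict` but no `use warnings`, which is why the "masks earlier declaration" warning never surfaced. Drop the first declaration and add `use warnings;` directly under `use strict;`. `$serializer`, `$pki_realm` and `$context` are assigned but never read in the visible body, so the `OpenXPKI::Serialization::Simple` import is dead as well — remove them or say why they are kept. The POD states the list is "sorted by notbefore data, most current first", but nothing in this activity sorts, so that ordering is whatever `list_active_aliases` returns; either point the reader to that API or soften the claim, and fix the typo to "notbefore date". The POD also lacks the blank lines around `=head1` that perlpod requires, unless the rendering collapsed them.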