From 757f88553563584cc73c6c34fdbf593d9ce01dc9 Mon Sep 17 00:00:00 2001 From: Vitor Mattos Date: Wed, 1 Jan 2025 14:33:56 -0300 Subject: [PATCH] feat: Make possible customize default expirity Signed-off-by: Vitor Mattos --- .../CertificateEngine/AEngineHandler.php | 8 +++ .../CertificateEngine/CfsslHandler.php | 9 ++-- .../CertificateEngine/IEngineHandler.php | 2 + .../CertificateEngine/OpenSslHandler.php | 2 +- lib/Handler/CfsslServerHandler.php | 51 +++++++++++++++---- src/views/Settings/ExpirationRules.vue | 30 ++++++++++- 6 files changed, 85 insertions(+), 17 deletions(-) diff --git a/lib/Handler/CertificateEngine/AEngineHandler.php b/lib/Handler/CertificateEngine/AEngineHandler.php index b4894e7e09..804fa760b2 100644 --- a/lib/Handler/CertificateEngine/AEngineHandler.php +++ b/lib/Handler/CertificateEngine/AEngineHandler.php @@ -288,6 +288,14 @@ protected function getNames(): array { return $names; } + public function expirity(): int { + $expirity = $this->appConfig->getAppValueInt('expiry_in_days', 365); + if ($expirity < 0) { + return 365; + } + return $expirity; + } + public function isSetupOk(): bool { return $this->appConfig->getAppValue('authkey') ? true : false; } diff --git a/lib/Handler/CertificateEngine/CfsslHandler.php b/lib/Handler/CertificateEngine/CfsslHandler.php index 7b70667d27..fa2c8d0122 100644 --- a/lib/Handler/CertificateEngine/CfsslHandler.php +++ b/lib/Handler/CertificateEngine/CfsslHandler.php @@ -36,17 +36,20 @@ class CfsslHandler extends AEngineHandler implements IEngineHandler { protected $client; protected $cfsslUri; private string $binary = ''; + private CfsslServerHandler $cfsslServerHandler; public function __construct( protected IConfig $config, protected IAppConfig $appConfig, private SystemConfig $systemConfig, - private CfsslServerHandler $cfsslServerHandler, protected IAppDataFactory $appDataFactory, protected IDateTimeFormatter $dateTimeFormatter, protected ITempManager $tempManager, ) { parent::__construct($config, $appConfig, $appDataFactory, $dateTimeFormatter, $tempManager); + $this->cfsslServerHandler = new CfsslServerHandler( + $this->getConfigPath(), + ); } public function generateRootCert( @@ -55,12 +58,11 @@ public function generateRootCert( ): string { $key = bin2hex(random_bytes(16)); - $configPath = $this->getConfigPath(); $this->cfsslServerHandler->createConfigServer( $commonName, $names, $key, - $configPath + $this->expirity() ); $this->genkey(); @@ -235,6 +237,7 @@ private function wakeUp(): void { if (!$configPath) { throw new LibresignException('CFSSL not configured.'); } + $this->cfsslServerHandler->updateExpirity($this->expirity()); $cmd = 'nohup ' . $binary . ' serve -address=127.0.0.1 ' . '-ca-key ' . $configPath . DIRECTORY_SEPARATOR . 'ca-key.pem ' . '-ca ' . $configPath . DIRECTORY_SEPARATOR . 'ca.pem ' . diff --git a/lib/Handler/CertificateEngine/IEngineHandler.php b/lib/Handler/CertificateEngine/IEngineHandler.php index 1433a0c57a..df7336c97f 100644 --- a/lib/Handler/CertificateEngine/IEngineHandler.php +++ b/lib/Handler/CertificateEngine/IEngineHandler.php @@ -43,6 +43,8 @@ public function isSetupOk(): bool; public function setConfigPath(string $configPath): void; + public function expirity(): int; + public function configureCheck(): array; public function toArray(): array; diff --git a/lib/Handler/CertificateEngine/OpenSslHandler.php b/lib/Handler/CertificateEngine/OpenSslHandler.php index e445c6cbe1..3686a71885 100644 --- a/lib/Handler/CertificateEngine/OpenSslHandler.php +++ b/lib/Handler/CertificateEngine/OpenSslHandler.php @@ -82,7 +82,7 @@ public function generateCertificate(): string { # certificatePolicies = CPS: http://url/with/policy/informations.pdf CONFIG); $csr = openssl_csr_new($this->getCsrNames(), $privateKey); - $x509 = openssl_csr_sign($csr, $rootCertificate, $rootPrivateKey, 365, [ + $x509 = openssl_csr_sign($csr, $rootCertificate, $rootPrivateKey, $this->expirity(), [ 'config' => $temporaryFile, // This will set "basicConstraints" to CA:FALSE, the default is CA:TRUE // The signer certificate is not a Certificate Authority diff --git a/lib/Handler/CfsslServerHandler.php b/lib/Handler/CfsslServerHandler.php index 525254a0ba..873bed97b7 100644 --- a/lib/Handler/CfsslServerHandler.php +++ b/lib/Handler/CfsslServerHandler.php @@ -11,26 +11,32 @@ use OCA\Libresign\Exception\LibresignException; class CfsslServerHandler { + private string $csrServerFile; + private string $configServerFile; + private string $configServerFileHash; + public function __construct(string $configPath) { + $this->csrServerFile = $configPath . DIRECTORY_SEPARATOR . 'csr_server.json'; + $this->configServerFile = $configPath . DIRECTORY_SEPARATOR . 'config_server.json'; + $this->configServerFileHash = $configPath . DIRECTORY_SEPARATOR . 'hashes.sha256'; + } + public function createConfigServer( string $commonName, array $names, string $key, - string $configPath, + int $expirity, ): void { $this->putCsrServer( $commonName, $names, - $configPath ); - $this->putConfigServer($key, $configPath); + $this->saveNewConfig($key, $expirity); } private function putCsrServer( string $commonName, array $names, - string $configPath, ): void { - $filename = $configPath . DIRECTORY_SEPARATOR . 'csr_server.json'; $content = [ 'CN' => $commonName, 'key' => [ @@ -41,7 +47,7 @@ private function putCsrServer( foreach ($names as $id => $name) { $content['names'][0][$id] = $name['value']; } - $response = file_put_contents($filename, json_encode($content)); + $response = file_put_contents($this->csrServerFile, json_encode($content)); if ($response === false) { throw new LibresignException( "Error while writing CSR server file.\n" . @@ -51,14 +57,13 @@ private function putCsrServer( } } - private function putConfigServer(string $key, string $configPath): void { - $filename = $configPath . DIRECTORY_SEPARATOR . 'config_server.json'; - $content = [ + private function saveNewConfig(string $key, int $expirity): void { + $config = [ 'signing' => [ 'profiles' => [ 'CA' => [ 'auth_key' => 'key1', - 'expiry' => '8760h', + 'expiry' => ($expirity * 24) . 'h', 'usages' => [ 'signing', 'digital signature', @@ -77,10 +82,34 @@ private function putConfigServer(string $key, string $configPath): void { ], ], ]; + $this->saveConfig($config); + } - $response = file_put_contents($filename, json_encode($content)); + private function saveConfig(array $config): void { + $jsonConfig = json_encode($config); + $response = file_put_contents($this->configServerFile, $jsonConfig); if ($response === false) { throw new LibresignException('Error while writing config server file!', 500); } + $hash = hash('sha256', $jsonConfig) . ' config_server.json'; + file_put_contents($this->configServerFileHash, $hash); + } + + public function updateExpirity(int $expirity): void { + if (file_exists($this->configServerFileHash)) { + $hashes = file_get_contents($this->configServerFileHash); + preg_match('/(?\w*) +config_server.json/', $hashes, $matches); + $savedHash = $matches['hash']; + } else { + $savedHash = ''; + } + $jsonConfig = file_get_contents($this->configServerFile); + $currentHash = hash('sha256', $jsonConfig); + if ($currentHash === $savedHash) { + return; + } + $config = json_decode($jsonConfig, true); + $config['signing']['profiles']['CA']['expiry'] = ($expirity * 24) . 'h'; + $this->saveConfig($config); } } diff --git a/src/views/Settings/ExpirationRules.vue b/src/views/Settings/ExpirationRules.vue index f0da38bc5d..22db8d757b 100644 --- a/src/views/Settings/ExpirationRules.vue +++ b/src/views/Settings/ExpirationRules.vue @@ -12,7 +12,7 @@ @update:checked="saveMaximumValidity"> {{ t('libresign', 'Maximum validity') }} -