alexandru matei schrieb:
>
> The diff is attached
I modified it and attached the new script. We still must change listReqs
and listCerts too!
> A new question: If a client wants a server certificate but is unable to produce a
> (correct) PKCS#10 request, how can he obtain one? With a generic request he can
> submit such a request, but when the certificate is issued he can download only the
> certificate (not the associated private key). I understand there is a good reason
> for this (otherwise anybody could download it too, and a brute-force attack on the
> private-key passphrase would be possible). How could we overcome this limitation
> while preserving security? I thought that receiving the private key in an encrypted
> mail could be the answer... ?
Actually, an RA operator downloads the private key and then sends or
brings the key to the user (e.g. a webserver admin). If the webadmin has
a personal certificate, the operator should send it as an encrypted mail,
but enforcing that is not the job of the software: it is a matter of the
CA's policy. Note that in this model the key is exposed to the operator
and to whatever channel is used for delivery, so the policy has to cover both.
Michael
--
-------------------------------------------------------------------
Michael Bell Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email: [EMAIL PROTECTED]
Humboldt-University of Berlin Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax: +49 (0)30-2093 2959
10099 Berlin
Germany http://www.openca.org
## OpenCA - Command
## (c) 1998-2001 by Massimiliano Pala and OpenCA Group
##
## File Name: lists
## Brief: lists objects
## Description: lists requests and certificates
## Parameters: action (type of list)
## Refuse to run under any command name other than "lists"; the command
## dispatcher is expected to route only that command to this script.
unless ( $cmd =~ /lists/i ) {
    configError( "Wrong Command Usage ($cmd/lists)!" );
    exit 1;
}

## The list to render is chosen by the "action" CGI parameter.  Without
## it there is nothing sensible to show, so report the error and stop.
my $action = $query->param('action');
unless ( defined $action and length $action ) {
    configError("Command Error (Command Missing)");
    exit 1;
}
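## Variables Definition
my $getID_url = 'pki?cmd=viewCert;';

## Paging parameters come straight from the browser and are handed to
## $db->listItems() as a row offset and to buildRefs() as a row count.
## Only accept non-negative integers; anything else falls back to the
## defaults (offset 0, count looked up from the database further down)
## instead of being passed through to the database layer unchecked.
my $from = $query->param( 'viewFrom' );
$from = 0 unless ( defined $from and $from =~ /\A\d+\z/ );

my $matched = $query->param( 'rows' );
$matched = undef unless ( defined $matched and $matched =~ /\A\d+\z/ );

## Set the column titles
my ( $dbItem, $listType, @list, @cols, $newCMD );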
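## Differentiate the list parameters
##
## One entry per list this page can show:
##   [ pattern matched against "action",
##     DATATYPE used for the database lookup,
##     list title (HTML, first letters highlighted),
##     whether the serial column links to viewCert,
##     column titles ]
## The first matching entry wins, exactly like the if/elsif chain this
## replaces (note that "certsList" does not match "certsExpiredList").
my @list_kinds = (
    [ qr/^certsList/i, 'VALID_CERTIFICATE',
      '<FONT COLOR="#FF7000">V</FONT>alid <FONT COLOR="#FF7000">C</FONT>ertificates',
      1, [ "Serial", "Common Name", "Issued on", "E-Mail", "Role" ] ],
    [ qr/^certsExpiredList/i, 'EXPIRED_CERTIFICATE',
      '<FONT COLOR="#FF7000">E</FONT>xpired <FONT COLOR="#FF7000">C</FONT>ertificates',
      1, [ "Serial", "Common Name", "Issued on", "E-Mail", "Role" ] ],
    [ qr/^pendingReqs/i, 'PENDING_REQUEST',
      '<FONT COLOR="#FF7000">P</FONT>ending <FONT COLOR="#FF7000">R</FONT>equests',
      0, [ "Serial", "Requested By", "Requested on", "Requested Role" ] ],
    [ qr/^revokedList/i, 'REVOKED_CERTIFICATE',
      '<FONT COLOR="#FF7000">R</FONT>evoked <FONT COLOR="#FF7000">C</FONT>ertificates',
      1, [ "Serial", "Common Name", "Revoked On", "E-Mail", "Role" ] ],
    [ qr/^suspendedList/i, 'SUSPENDED_CERTIFICATE',
      '<FONT COLOR="#FF7000">S</FONT>uspended <FONT COLOR="#FF7000">C</FONT>ertificates',
      1, [ "Serial", "Common Name", "Suspended On", "E-Mail", "Role" ] ],
    [ qr/^pendingCrrs/i, 'PENDING_CRR',
      '<FONT COLOR="#FF7000">P</FONT>ending <FONT COLOR="#FF7000">R</FONT>equests',
      0, [ "Serial", "Requested By", "Requested on", "Affected Role" ] ],
);

my ( $kind ) = grep { $action =~ $_->[0] } @list_kinds;
if ( not $kind ) {
    ## Unknown list name: report it and stop.  Previously execution fell
    ## through here and continued into the database lookup below with
    ## $dataType unset; the other parameter checks in this script all
    ## exit after configError(), so do the same.
    configError("Requested List NOT available");
    exit 1;
}

## $dataType is a script-wide variable read by the list/loop code below.
$dataType = $kind->[1];
$listType = $kind->[2];
$newCMD   = $getID_url if $kind->[3];
push( @cols, @{ $kind->[4] } );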
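## Get required parameters ( return only the value string )
my $sheet    = getRequired( 'PendingList' );
my $maxItems = getRequired( "maxReturnedItems" );

## Get the base Page ( got in $page variable )
my $page   = $query->getFile( "$sheet" );
my $uptime = $tools->getDate();
if ( not $page ) {
    ## Without the template there is nothing to substitute into.  Stop
    ## here, as the other checks in this script do after configError(),
    ## instead of querying the database and printing an empty page.
    configError ( "Error loading Page $sheet" );
    exit 1;
}

## Without an explicit (validated) row count from the caller, ask the
## database how many objects of this type exist so the paging links
## cover the whole list.
$matched = $db->elements( DATATYPE=>$dataType ) if ( not $matched );

@list  = $db->listItems( DATATYPE=>$dataType, FROM=>$from, ITEMS=>$maxItems );
$table = $query->buildRefs( ELEMENTS=>$matched, ITEMS=>$maxItems );
$table .= $query->startTable( COLS=>[ @cols ],
                              WIDTH=>"100%",
                              TITLE_BGCOLOR=>"#DDCCFF" );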
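## Process all Files
##
## Every cell value built below is inserted into the page as raw HTML:
## the cells deliberately carry markup (<a>, <font>, <CENTER>), so
## addTableLine() cannot be escaping them.  The CN, e-mail, role and DN
## fields originate from certificate/revocation requests submitted by
## end users, so each value is HTML-escaped here before it is placed
## into markup, and URL-encoded before it is placed into a query string.
## CGI.pm is already loaded by this script, so its escape helpers are
## used rather than a hand-rolled substitution.
foreach $dbItem ( @list ) {
    ## Common Variables
    my ( $key, $ser_col, $op_col, $email, $email_col, $role_col );
    my ( $parsed, $head, $submit, $notBefore );
    my @vals;

    $parsed    = $dbItem->getParsed();
    $head      = $parsed->{HEADER};
    $key       = $dbItem->getSerial();
    $submit    = $parsed->{CN};
    $notBefore = ( $parsed->{NOTBEFORE} or $head->{NOTBEFORE}
                   or $parsed->{SUBMIT_DATE} );

    ## For revocation requests the "submitter" is whoever authenticated
    ## the request, not the CN stored in the object.
    if ( $dataType =~ /CRR/ ) {
        if ( $parsed->{SIGNATURE} ) {
            ## signature-based revocation
            if ( my $sig = libGetSignatureObject( OBJECT => $dbItem ) ) {
                if ( my $cert = libGetSignerCertificateDB( SIGNATURE => $sig ) ) {
                    $submit = $cert->getParsed()->{DN};
                } else {
                    $submit = "Cannot determine certificate from signature!";
                    print STDERR "Cannot determine certificate from signature (CRR: $key)\n";
                }
            } else {
                $submit = "Cannot build object from signature!";
                print STDERR "Cannot build object from signature (CRR: $key)\n";
            }
        } elsif ( $parsed->{REVOKE_CERTIFICATE_DN} ) {
            ## pin-based revocation (DN as supplied by the requester)
            $submit = $parsed->{REVOKE_CERTIFICATE_DN};
        } else {
            ## last chance by strong ssl-authentication
            $submit = $parsed->{HEADER}->{SSL_CERT_DN};
            print STDERR "submitter of CRR not determinable (CRR: $key)\n";
        }
    }

    ## Serial column: link text for everything, plus a query-string
    ## value when the object is a certificate.
    my $safe_key = CGI::escapeHTML( $key );
    if ( $dataType =~ /CERTIFICATE/i ) {
        $ser_col = "<a href=\"$newCMD&dataType=$dataType" .
                   "&key=" . CGI::escape( $key ) . "\">" . $safe_key . "</a>";
    } else {
        $ser_col = $safe_key;
    }

    ## NOTE(review): $op_col is built but never pushed into @vals, so the
    ## operator link is not shown in any of the lists; kept as-is.
    if ( (not $head->{OPERATOR}) or ($head->{OPERATOR} eq "n/a") ) {
        $op_col = "n/a";
    } else {
        my $tmpOp = $head->{OPERATOR};
        $op_col = "<a href=\"$self?cmd=searchCert&dataType=" .
                  "CERTIFICATE&key=" . CGI::escape( $tmpOp ) . "\">" .
                  CGI::escapeHTML( $tmpOp ) . "</a>";
    }

    ## Role column: for a CRR the role comes from the certificate being
    ## revoked, otherwise from the object's own header.
    if ( $dataType =~ /CRR/ ) {
        my $cert = $db->getItem( DATATYPE => "CERTIFICATE",
                                 KEY      => $parsed->{REVOKE_CERTIFICATE_SERIAL} );
        if ( $cert ) {
            $role_col = CGI::escapeHTML( $cert->getParsed()->{HEADER}->{ROLE} );
        } else {
            $role_col = "<font color=#ff0000>" .
                        "Cannot load the affected certificate!</font>";
        }
    } else {
        $role_col = CGI::escapeHTML( $head->{ROLE} );
    }

    my $submit_text = $submit    || "n/a";
    my $date_text   = $notBefore || "n/a";
    push( @vals, $ser_col );
    push( @vals, CGI::escapeHTML( $submit_text ) );
    push( @vals, CGI::escapeHTML( $date_text ) );

    if ( $dataType =~ /CERTIFICATE/ ) {
        if ( $parsed->{EMAIL} ) {
            $email = $parsed->{EMAIL};
            ## The address is user-supplied request data: escape it in
            ## both the mailto: attribute and the visible link text.
            my $safe_email = CGI::escapeHTML( $email );
            $email_col = "<a href=\"mailto:$safe_email\">$safe_email</a>";
        } else {
            $email_col = "<CENTER>---</CENTER>";
        }
        push( @vals, $email_col );
    }
    push( @vals, $role_col );

    $table .= $query->addTableLine( DATA => [ @vals ] );
}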
## Close the Table and append the copyright footer.
$table .= $query->endTable() . getCopyRight();

## Substitute the Variables in the $page.  Substitution order is kept
## exactly as before (uptime, table, list type).
my %subst = (
    '@UPTIME@'   => $uptime,
    '@TABLE@'    => $table,
    '@LISTTYPE@' => $listType,
);
foreach my $marker ( '@UPTIME@', '@TABLE@', '@LISTTYPE@' ) {
    $page = $query->subVar( $page, $marker, $subst{$marker} );
}

print "$page";
exit 0;