[Fedora-directory-commits] windowsautoenroll/proxy proxy.cpp, 1.2, 1.3 registry.cpp, 1.1, 1.2 service.cpp, 1.1, 1.2 submit.cpp, 1.2, 1.3 util.cpp, 1.1, 1.2

Steven W Parkinson (sparkins) fedora-directory-commits at redhat.com
Thu Mar 29 23:55:53 UTC 2007


Author: sparkins

Update of /cvs/dirsec/windowsautoenroll/proxy
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11713

Modified Files:
	proxy.cpp registry.cpp service.cpp submit.cpp util.cpp 
Log Message:
Add Licence. Improve logging. Detect Bad PKCS10 request earlier. Enable failover.



Index: proxy.cpp
===================================================================
RCS file: /cvs/dirsec/windowsautoenroll/proxy/proxy.cpp,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- proxy.cpp	13 Mar 2007 01:36:10 -0000	1.2
+++ proxy.cpp	29 Mar 2007 23:55:51 -0000	1.3
@@ -1,4 +1,38 @@
 /** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 2 of the License.
+ * 
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ * 
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception. 
+ * 
+ * 
+ * Copyright (C) 2006 Red Hat, Inc.
+ * All rights reserved.
  * END COPYRIGHT BLOCK */
 
 
@@ -173,17 +207,25 @@
 		//_asm int 3;
 
 
+		pctbDispositionMessage->cb = 0;
 
 		debugt(LOG_D_FUNC,"Request2()");
 		if (pctbRequest->cb >7) {
+			int q = pctbRequest->cb - 7;
 			debugt(LOG_D_DETAIL,"---- Request2(flags=%hx, authority=%ws, requestid=%hd, attributes=%ws,"
-				" serial=%ws request[0..6]=%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+				" serial=%ws request[0..6]=%02x:%02x:%02x:%02x:%02x:%02x:%02x "
+				" request[%d..%d]=%02x:%02x:%02x:%02x:%02x:%02x:%02x" ,
 				dwFlags, pwszAuthority, pdwRequestId, pwszAttributes,
 				pwszSerialNumber,
 				pctbRequest->pb[0],	pctbRequest->pb[1],
 				pctbRequest->pb[2],	pctbRequest->pb[3],
 				pctbRequest->pb[4],	pctbRequest->pb[5],
-				pctbRequest->pb[6]
+				pctbRequest->pb[6],
+				q, q+6,
+				pctbRequest->pb[q+0],	pctbRequest->pb[q+1],
+				pctbRequest->pb[q+2],	pctbRequest->pb[q+3],
+				pctbRequest->pb[q+4],	pctbRequest->pb[q+5],
+				pctbRequest->pb[q+6]
 				);
 		}
 		IServerSecurity *iss = NULL;
@@ -228,19 +270,26 @@
 			username,
 			caps );
 
+		*pdwDisposition = CR_DISP_ERROR;
+
 		configvars *vars = reg->getvars();
 
+		context cx(vars);
+
 		requestinfo req;
 		/* Pull apart PKCS#10, putting pieces into request object */
-		req.parseRequest(pctbRequest);
-
+		r = req.parseRequest(pctbRequest);
+		if (!SUCCEEDED(r)) {
+			debugt(LOG_REQ,"failed to parse PKCS#10 - error: %lx",r);
+			goto loser;
+		}
+		{
 		/* Pull apart attribute strings into request object */
 		req.parseAttributes(pwszAttributes);
 
 		/* Figure out which type of cert the requestor wants */
 		req.determineCertificateTemplate();
-
-		context cx(vars);
+		
 		cx.request = &req;
 
 		/* if a profile map exists, convert the windows cert template
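Review bot: The bare `{` opened right after the new `goto loser` check carries no comment, yet it exists to scope the declarations that follow (`candidatecas`, `cert`, `certchain`) so that the goto does not jump over their initialisers; a reader will take it for a stray brace and remove it, which would break the build. Suggest `{ /* scoped block: the goto loser above must not jump past the initialisers below */` on that line. The matching `}` and the `loser:` label are in a later hunk, and the Request2 body begins before this one.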
@@ -253,7 +302,6 @@
 		// Copies pieces of the of the request into http name/value pairs
 		req.populateRequestForTemplate(csprofile);
 
-
 		
 		vector<cainfo*> candidatecas = cx.makeCandidateCAList();
 		if (candidatecas.size() == 0)  {
@@ -267,13 +315,16 @@
 		}		
 
 
-		*pdwDisposition = CR_DISP_ERROR;
+
 
 		string cert, certchain;
 
 		for (unsigned int j=0; j<respondingcas.size(); j++) {
 			cx.selectedca = respondingcas[j];
-			debug("Request:   submitting to CA");
+			debug("Request:   submitting to CA (%d/%d): %s:%d",
+						(j+1), respondingcas.size(),
+						cx.selectedca->host, cx.selectedca->port);
+
 			r = cx.submitRequestToCA(cert, certchain);
 			debug("submitRequestToCA returned %lx",r);
 
@@ -281,23 +332,27 @@
 				GetSystemTimeAsFileTime(&cx.selectedca->last_success);
 			} else {
 				GetSystemTimeAsFileTime(&cx.selectedca->last_failure);
-			}
-
-			size_t errors_size = cx.errors.size();
-			if (errors_size>0) {
-				string e = cx.errors[0];
-				if (errors_size > 1) {
-					for (unsigned int k=1; k < errors_size; k++) {
-						e = " >> "+ cx.errors[k];
-					}
-				}
-				
 				debugt(LOG_GENERAL, "%s error was encountered while "
 					"submitting the certificate request to CA "
-					"%s:%d. \nFull error details: %s",
+					"%s:%d. ",
 					cx.fatalerror ? "A fatal" : "A nonfatal",
-					cx.selectedca->host, cx.selectedca->port,
-					e.c_str());
+					cx.selectedca->host, cx.selectedca->port
+					);
+
+
+
+				size_t errors_size = cx.errors.size();
+				if (errors_size>0) {
+					string e = cx.errors[0];
+					if (errors_size > 1) {
+						for (unsigned int k=1; k < errors_size; k++) {
+							e = " >> "+ cx.errors[k];
+						}
+					}
+
+
+					debugt(LOG_GENERAL, "Full error details: %s", e.c_str());
+				}
 			}
 
 			/* If we got a certificate, break */
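Review bot: The concatenation on `e = " >> "+ cx.errors[k];` assigns instead of appending, so whenever more than one error was collected the "Full error details" line shows only the last one and `cx.errors[0]` is lost; it should read `e += " >> " + cx.errors[k];`. With that fix the `if (errors_size > 1)` guard is redundant, since a loop starting at k=1 simply does nothing when there is one entry. It is also not visible here that `cx.errors` is cleared between iterations over respondingcas, so if submitRequestToCA appends to it, a later CA's log line would repeat the earlier CA's errors — worth confirming in submit.cpp. The enclosing for-loop and the Request2 body extend beyond this hunk.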
@@ -323,6 +378,7 @@
 			}
 		}
 
+
 		if (r == 0) {  // success
 
 			decodeToBlob(cert.c_str(), pctbEncodedCert);
@@ -361,7 +417,8 @@
 #endif
 
 		}
-
+		}
+loser:
 		return S_OK;
 	}
 
@@ -938,7 +995,7 @@
 	 * SubjectAltName extension in the request, which means I have to
 	 * figure out the DC GUID through other means. sigh.
 	 */
-void requestinfo::parseRequest(const CERTTRANSBLOB *p10)
+HRESULT  requestinfo::parseRequest(const CERTTRANSBLOB *p10)
 {
 	CERT_REQUEST_INFO *b;
 	DWORD b_size = 0;
@@ -947,6 +1004,13 @@
 
 	this->PKCS10Request = encode_base64(p10->cb, p10->pb);
 
+//#define DUMPREQUESTTOFILE
+#ifdef DUMPREQUESTTOFILE
+	debugt(LOG_D_FUNC,"parseRequest: writing %d bytes",p10->cb);
+	FILE *fp = fopen("c:\\dc_p10.der","wb");
+	fwrite(p10->pb,1,p10->cb,fp);
+	fclose(fp);
+#endif
 	// Pull apart the PKCS#10 cert request.
 	if (! CryptDecodeObjectEx(
 		X509_ASN_ENCODING,
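Review bot: The `DUMPREQUESTTOFILE` block passes the result of `fopen("c:\\dc_p10.der","wb")` straight to `fwrite` and `fclose`, so a failed open (permissions, missing drive) dereferences NULL in the request path of the service; guard it with `if (fp) { fwrite(p10->pb,1,p10->cb,fp); fclose(fp); }`. It is compiled out by default, but a debug switch that can crash the service when turned on should still be safe, and since the path is fixed every request overwrites the previous dump, so only the last one survives. parseRequest's body continues before and after this hunk.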
@@ -960,7 +1024,7 @@
 		) )
 	{
 		debugt(LOG_D_DETAIL,"failed to parse PKCS#10 - error: %lx:",GetLastError());
-		return;
+		return GetLastError();
 	}
 
 	/* For each attribute: */
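Review bot: The new `return GetLastError();` is evaluated after the `debugt(...)` call on the line above, so the value it returns may already have been overwritten by whatever that logging call does, and the caller checks the result with `SUCCEEDED()`, which treats any Win32 error code that is not already in HRESULT form (small positive values) as success, so a malformed request could still be processed. Capture the error once and convert it: `DWORD err = GetLastError();` then `debugt(LOG_D_DETAIL,"failed to parse PKCS#10 - error: %lx:",err);` and `return HRESULT_FROM_WIN32(err);`. HRESULT_FROM_WIN32 leaves codes that are already HRESULTs (the CRYPT_E_ASN1_* family commonly returned by CryptDecodeObjectEx) unchanged. parseRequest continues outside this hunk.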
@@ -1031,6 +1095,7 @@
 		}
 	}
 	debugt(LOG_D_FUNC,"parseRequest (returning)");
+	return 0;
 }
 
 
@@ -1074,6 +1139,7 @@
 			cas.push_back(config->all_cas[i]);
 		}
 	}
+	debugt(LOG_D_FUNC,"findRespondingCAs - found %d CA's", cas.size());
 	debugt(LOG_D_FUNC,"findRespondingCAs (returning)");
 	return cas;
 
@@ -1084,12 +1150,14 @@
 	debugt(LOG_D_FUNC,"makeCandidateCAList");
 	// make a list of all the CAs which can service the request
 	vector<cainfo*> cas;
+	debugt(LOG_D_FUNC,"makeCandidateCAList - looking at %d CA's", config->all_cas.size());
 	for (unsigned int i=0;i <config->all_cas.size(); i++) {
 		if ( config->all_cas[i]->canService(request->windowsCertTemplateName))
 		{
 			cas.push_back(config->all_cas[i]);
 		}
 	}
+	debugt(LOG_D_FUNC,"makeCandidateCAList - found %d CA's", cas.size());
 	debugt(LOG_D_FUNC,"makeCandidateCAList (returning)");
 	return cas;
 }


Index: registry.cpp
===================================================================
RCS file: /cvs/dirsec/windowsautoenroll/proxy/registry.cpp,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- registry.cpp	13 Mar 2007 01:36:10 -0000	1.1
+++ registry.cpp	29 Mar 2007 23:55:51 -0000	1.2
@@ -1,3 +1,41 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 2 of the License.
+ * 
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ * 
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception. 
+ * 
+ * 
+ * Copyright (C) 2006 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+
+
 #define _WIN32_DCOM
 #include <windows.h> 
 #include <winhttp.h>
@@ -213,8 +251,6 @@
 			v->all_cas.push_back(ca);
 
 			RegCloseKey(cainfokey);
-
-			break;  // just take the first one for now
         }
 		
 	}


Index: service.cpp
===================================================================
RCS file: /cvs/dirsec/windowsautoenroll/proxy/service.cpp,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- service.cpp	13 Mar 2007 01:36:10 -0000	1.1
+++ service.cpp	29 Mar 2007 23:55:51 -0000	1.2
@@ -1,4 +1,38 @@
 /** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 2 of the License.
+ * 
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ * 
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception. 
+ * 
+ * 
+ * Copyright (C) 2006 Red Hat, Inc.
+ * All rights reserved.
  * END COPYRIGHT BLOCK */
 
 


Index: submit.cpp
===================================================================
RCS file: /cvs/dirsec/windowsautoenroll/proxy/submit.cpp,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- submit.cpp	13 Mar 2007 01:36:10 -0000	1.2
+++ submit.cpp	29 Mar 2007 23:55:51 -0000	1.3
@@ -1,4 +1,38 @@
 /** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 2 of the License.
+ * 
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ * 
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception. 
+ * 
+ * 
+ * Copyright (C) 2006 Red Hat, Inc.
+ * All rights reserved.
  * END COPYRIGHT BLOCK */
 
 #define _WIN32_DCOM
@@ -25,6 +59,7 @@
 #include <iostream>
 #include <iterator>
 #include <sstream>
+#include <strstream>
 #include <string>
 #include <vector>
 
@@ -511,6 +546,11 @@
 
 		if (!bResults) {
 			r = GetLastError();
+			
+			strstream ss;
+			ss << r << '\0';
+			string s = ss.str();
+			errors.push_back( string("WinHTTP reported: ") + s );
 			r = (r &0xffff) | 0x8C060000;
 			goto loser;
 		}
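Review bot: The new error string is built with the deprecated `strstream`, whose `str()` freezes the buffer and leaks it unless `ss.freeze(false)` is called afterwards, and it needs the manual `'\0'` terminator to be safe. `<sstream>` is already included a few lines up, so `ostringstream ss; ss << r; errors.push_back("WinHTTP reported: " + ss.str());` produces the same text without the leak, and the added `#include <strstream>` can then be dropped. The surrounding function begins and ends outside this hunk.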


Index: util.cpp
===================================================================
RCS file: /cvs/dirsec/windowsautoenroll/proxy/util.cpp,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- util.cpp	13 Mar 2007 01:36:10 -0000	1.1
+++ util.cpp	29 Mar 2007 23:55:51 -0000	1.2
@@ -1,3 +1,41 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 2 of the License.
+ * 
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ * 
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception. 
+ * 
+ * 
+ * Copyright (C) 2006 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK */
+
+
 /* printcertnames() will print out, to the console, a list of all certificate names
    which are available in the MY certificate store, so you can figure out which to use
    for client-auth. This isn't useful any more, since:



