19118950120

Committed 05 Nov 2025 10:58PM UTC coverage: 39.847%. First build

Build # 19118950120

Build Type

Pull #5754

github

Committed by

web-flow

Commit Message

Merge adfafab73 into 681cce019

Pull Request Pull Request #5754: feat: preserve previous root cert

Run Details

86 of 120 new or added lines in 10 files covered. (71.67%)

4633 of 11627 relevant lines covered (39.85%)

3.06 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

45.58

/lib/Handler/CertificateEngine/AEngineHandler.php

<?php

declare(strict_types=1);
/**
 * SPDX-FileCopyrightText: 2020-2024 LibreCode coop and contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace OCA\Libresign\Handler\CertificateEngine;

use OCA\Libresign\AppInfo\Application;
use OCA\Libresign\Exception\EmptyCertificateException;
use OCA\Libresign\Exception\InvalidPasswordException;
use OCA\Libresign\Exception\LibresignException;
use OCA\Libresign\Helper\ConfigureCheckHelper;
use OCA\Libresign\Helper\MagicGetterSetterTrait;
use OCA\Libresign\Service\CaIdentifierService;
use OCA\Libresign\Service\CertificatePolicyService;
use OCP\Files\AppData\IAppDataFactory;
use OCP\Files\IAppData;
use OCP\Files\SimpleFS\ISimpleFolder;
use OCP\IAppConfig;
use OCP\IConfig;
use OCP\IDateTimeFormatter;
use OCP\ITempManager;
use OCP\IURLGenerator;
use OpenSSLAsymmetricKey;
use OpenSSLCertificate;
use ReflectionClass;

/**
 * @method IEngineHandler setPassword(string $password)
 * @method string getPassword()
 * @method IEngineHandler setCommonName(string $commonName)
 * @method string getCommonName()
 * @method IEngineHandler setHosts(array $hosts)
 * @method array getHosts()
 * @method IEngineHandler setFriendlyName(string $friendlyName)
 * @method string getFriendlyName()
 * @method IEngineHandler setCountry(string $country)
 * @method string getCountry()
 * @method IEngineHandler setState(string $state)
 * @method string getState()
 * @method IEngineHandler setLocality(string $locality)
 * @method string getLocality()
 * @method IEngineHandler setOrganization(string $organization)
 * @method string getOrganization()
 * @method IEngineHandler setOrganizationalUnit(array $organizationalUnit)
 * @method array getOrganizationalUnit()
 * @method IEngineHandler setUID(string $UID)
 * @method string getName()
 */
abstract class AEngineHandler implements IEngineHandler {
        use MagicGetterSetterTrait;
        use OrderCertificatesTrait;

        protected string $commonName = '';
        protected array $hosts = [];
        protected string $friendlyName = '';
        protected string $country = '';
        protected string $state = '';
        protected string $locality = '';
        protected string $organization = '';
        protected array $organizationalUnit = [];
        protected string $UID = '';
        protected string $password = '';
        protected string $configPath = '';
        protected string $engine = '';
        protected string $certificate = '';
        protected string $currentCaId = '';
        protected IAppData $appData;

        public function __construct(
                protected IConfig $config,
                protected IAppConfig $appConfig,
                protected IAppDataFactory $appDataFactory,
                protected IDateTimeFormatter $dateTimeFormatter,
                protected ITempManager $tempManager,
                protected CertificatePolicyService $certificatePolicyService,
                protected IURLGenerator $urlGenerator,
                protected CaIdentifierService $caIdentifierService,
        ) {
                $this->appData = $appDataFactory->get('libresign');
        }

        protected function exportToPkcs12(
                OpenSSLCertificate|string $certificate,
                OpenSSLAsymmetricKey|OpenSSLCertificate|string $privateKey,
                array $options = [],
        ): string {
                if (empty($certificate) || empty($privateKey)) {
                        throw new EmptyCertificateException();
                }
                $certContent = null;
                try {
                        openssl_pkcs12_export(
                                $certificate,
                                $certContent,
                                $privateKey,
                                $this->getPassword(),
                                $options,
                        );
                        if (!$certContent) {
                                throw new \Exception();
                        }
                } catch (\Throwable) {
                        throw new LibresignException('Error while creating certificate file', 500);
                }

                return $certContent;
        }

        #[\Override]
        public function updatePassword(string $certificate, string $currentPrivateKey, string $newPrivateKey): string {
                if (empty($certificate) || empty($currentPrivateKey) || empty($newPrivateKey)) {
                        throw new EmptyCertificateException();
                }
                $certContent = $this->opensslPkcs12Read($certificate, $currentPrivateKey);
                $this->setPassword($newPrivateKey);
                $certContent = self::exportToPkcs12($certContent['cert'], $certContent['pkey']);
                return $certContent;
        }

        #[\Override]
        public function readCertificate(string $certificate, string $privateKey): array {
                if (empty($certificate) || empty($privateKey)) {
                        throw new EmptyCertificateException();
                }
                $certContent = $this->opensslPkcs12Read($certificate, $privateKey);

                $return = $this->parseX509($certContent['cert']);
                if (isset($certContent['extracerts'])) {
                        foreach ($certContent['extracerts'] as $extraCert) {
                                $return['extracerts'][] = $this->parseX509($extraCert);
                        }
                        $return['extracerts'] = $this->orderCertificates($return['extracerts']);
                }
                return $return;
        }

        public function getCaId(): string {
                $caId = $this->caIdentifierService->getCaId();
                if (empty($caId)) {
                        $caId = $this->caIdentifierService->generateCaId($this->getName());
                }
                return $caId;
        }

        private function parseX509(string $x509): array {
                $parsed = openssl_x509_parse(openssl_x509_read($x509));

                $return = self::convertArrayToUtf8($parsed);

                foreach (['subject', 'issuer'] as $actor) {
                        foreach ($return[$actor] as $part => $value) {
                                if (is_string($value) && str_contains($value, ', ')) {
                                        $return[$actor][$part] = explode(', ', $value);
                                } else {
                                        $return[$actor][$part] = $value;
                                }
                        }
                }

                $return['valid_from'] = $this->dateTimeFormatter->formatDateTime($parsed['validFrom_time_t']);
                $return['valid_to'] = $this->dateTimeFormatter->formatDateTime($parsed['validTo_time_t']);
                return $return;
        }

        private static function convertArrayToUtf8($array) {
                foreach ($array as $key => $value) {
                        if (is_array($value)) {
                                $array[$key] = self::convertArrayToUtf8($value);
                        } elseif (is_string($value)) {
                                $array[$key] = mb_convert_encoding($value, 'UTF-8', 'UTF-8');
                        }
                }
                return $array;
        }

        public function opensslPkcs12Read(string &$certificate, string $privateKey): array {
                openssl_pkcs12_read($certificate, $certContent, $privateKey);
                if (!empty($certContent)) {
                        return $certContent;
                }
                /**
                 * Reference:
                 *
                 * https://github.com/php/php-src/issues/12128
                 * https://www.php.net/manual/en/function.openssl-pkcs12-read.php#128992
                 */
                $msg = openssl_error_string();
                if ($msg === 'error:0308010C:digital envelope routines::unsupported') {
                        $tempPassword = $this->tempManager->getTemporaryFile();
                        $tempEncriptedOriginal = $this->tempManager->getTemporaryFile();
                        $tempEncriptedRepacked = $this->tempManager->getTemporaryFile();
                        $tempDecrypted = $this->tempManager->getTemporaryFile();
                        file_put_contents($tempPassword, $privateKey);
                        file_put_contents($tempEncriptedOriginal, $certificate);
                        shell_exec(<<<REPACK_COMMAND
                                cat $tempPassword | openssl pkcs12 -legacy -in $tempEncriptedOriginal -nodes -out $tempDecrypted -passin stdin &&
                                cat $tempPassword | openssl pkcs12 -in $tempDecrypted -export -out $tempEncriptedRepacked -passout stdin
                                REPACK_COMMAND
                        );
                        $certificateRepacked = file_get_contents($tempEncriptedRepacked);
                        openssl_pkcs12_read($certificateRepacked, $certContent, $privateKey);
                        if (!empty($certContent)) {
                                $certificate = $certificateRepacked;
                                return $certContent;
                        }
                }
                throw new InvalidPasswordException();
        }

        /**
         * @param (int|string) $name
         *
         * @psalm-param array-key $name
         */
        public function translateToLong($name): string {
                return match ($name) {
                        'CN' => 'CommonName',
                        'C' => 'Country',
                        'ST' => 'State',
                        'L' => 'Locality',
                        'O' => 'Organization',
                        'OU' => 'OrganizationalUnit',
                        'UID' => 'UserIdentifier',
                        default => '',
                };
        }

        public function setEngine(string $engine): void {
                $this->appConfig->setValueString(Application::APP_ID, 'certificate_engine', $engine);
                $this->engine = $engine;
        }

        #[\Override]
        public function getEngine(): string {
                if ($this->engine) {
                        return $this->engine;
                }
                $this->engine = $this->appConfig->getValueString(Application::APP_ID, 'certificate_engine', 'openssl');
                return $this->engine;
        }

        #[\Override]
        public function populateInstance(array $rootCert): IEngineHandler {
                if (empty($rootCert)) {
                        $rootCert = $this->appConfig->getValueArray(Application::APP_ID, 'rootCert');
                }
                if (!$rootCert) {
                        return $this;
                }
                if (!empty($rootCert['names'])) {
                        foreach ($rootCert['names'] as $id => $customName) {
                                $longCustomName = $this->translateToLong($id);
                                // Prevent to save a property that don't exists
                                if (!property_exists($this, lcfirst($longCustomName))) {
                                        continue;
                                }
                                $this->{'set' . ucfirst($longCustomName)}($customName['value']);
                        }
                }
                if (!$this->getCommonName()) {
                        $this->setCommonName($rootCert['commonName']);
                }
                return $this;
        }

        #[\Override]
        public function getConfigPath(): string {
                if ($this->configPath) {
                        return $this->configPath;
                }

                $customConfigPath = $this->appConfig->getValueString(Application::APP_ID, 'config_path');
                if ($customConfigPath && is_dir($customConfigPath)) {
                        $this->configPath = $customConfigPath;
                        return $this->configPath;
                }

                $this->configPath = $this->initializePkiConfigPath();
                if (!empty($this->configPath)) {
                        $this->appConfig->setValueString(Application::APP_ID, 'config_path', $this->configPath);
                }
                return $this->configPath;
        }

        private function initializePkiConfigPath(): string {
                $caId = $this->getCaId();
                if (empty($caId)) {
                        return '';
                }
                $pkiDirName = $this->caIdentifierService->generatePkiDirectoryName($caId);
                $dataDir = $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data/');
                $instanceId = $this->config->getSystemValue('instanceid');
                $pkiPath = $dataDir . '/appdata_' . $instanceId . '/libresign/' . $pkiDirName;

                if (!is_dir($pkiPath)) {
                        $this->createDirectoryWithCorrectOwnership($pkiPath);
                }

                return $pkiPath;
        }

        private function createDirectoryWithCorrectOwnership(string $path): void {
                $ownerInfo = $this->getFilesOwnerInfo();
                $fullCommand = 'mkdir -p ' . escapeshellarg($path);

                if (posix_getuid() !== $ownerInfo['uid']) {
                        $fullCommand = 'runuser -u ' . $ownerInfo['name'] . ' -- ' . $fullCommand;
                }

                exec($fullCommand);
        }

        private function getFilesOwnerInfo(): array {
                $currentFile = realpath(__DIR__);
                $owner = fileowner($currentFile);
                if ($owner === false) {
                        throw new \RuntimeException('Unable to get file information');
                }
                $ownerInfo = posix_getpwuid($owner);
                if ($ownerInfo === false) {
                        throw new \RuntimeException('Unable to get file owner information');
                }

                return $ownerInfo;
        }

        /**
         * @todo check a best solution to don't use reflection
         */
        private function getInternalPathOfFolder(ISimpleFolder $node): string {
                $reflection = new \ReflectionClass($node);
                $reflectionProperty = $reflection->getProperty('folder');
                $folder = $reflectionProperty->getValue($node);
                $path = $folder->getInternalPath();
                return $path;
        }

        #[\Override]
        public function setConfigPath(string $configPath): IEngineHandler {
                if (!$configPath) {
                        $this->appConfig->deleteKey(Application::APP_ID, 'config_path');
                } else {
                        if (!is_dir($configPath)) {
                                mkdir(
                                        directory: $configPath,
                                        recursive: true,
                                );
                        }
                        $this->appConfig->setValueString(Application::APP_ID, 'config_path', $configPath);
                }
                $this->configPath = $configPath;
                return $this;
        }

        public function getName(): string {
                $reflect = new ReflectionClass($this);
                $className = $reflect->getShortName();
                $name = strtolower(substr($className, 0, -7));
                return $name;
        }

        protected function getNames(): array {
                $names = [
                        'C' => $this->getCountry(),
                        'ST' => $this->getState(),
                        'L' => $this->getLocality(),
                        'O' => $this->getOrganization(),
                        'OU' => $this->getOrganizationalUnit(),
                ];
                if ($uid = $this->getUID()) {
                        $names['UID'] = $uid;
                }
                $names = array_filter($names, fn ($v) => !empty($v));
                return $names;
        }

        public function getUID(): string {
                return str_replace(' ', '+', $this->UID);
        }

        #[\Override]
        public function getLeafExpiryInDays(): int {
                $exp = $this->appConfig->getValueInt(Application::APP_ID, 'expiry_in_days', 365);
                return $exp > 0 ? $exp : 365;
        }

        #[\Override]
        public function getCaExpiryInDays(): int {
                $exp = $this->appConfig->getValueInt(Application::APP_ID, 'ca_expiry_in_days', 3650); // 10 years
                return $exp > 0 ? $exp : 3650;
        }

        private function getCertificatePolicy(): array {
                $return = ['policySection' => []];
                $oid = $this->certificatePolicyService->getOid();
                $cps = $this->certificatePolicyService->getCps();
                if ($oid && $cps) {
                        $return['policySection'][] = [
                                'OID' => $oid,
                                'CPS' => $cps,
                        ];
                }
                return $return;
        }

        abstract protected function getConfigureCheckResourceName(): string;

        abstract protected function getCertificateRegenerationTip(): string;

        abstract protected function getEngineSpecificChecks(): array;

        abstract protected function getSetupSuccessMessage(): string;

        abstract protected function getSetupErrorMessage(): string;

        abstract protected function getSetupErrorTip(): string;

        #[\Override]
        public function configureCheck(): array {
                $checks = $this->getEngineSpecificChecks();

                if (!$this->isSetupOk()) {
                        return array_merge($checks, [
                                (new ConfigureCheckHelper())
                                        ->setErrorMessage($this->getSetupErrorMessage())
                                        ->setResource($this->getConfigureCheckResourceName())
                                        ->setTip($this->getSetupErrorTip())
                        ]);
                }

                $checks[] = (new ConfigureCheckHelper())
                        ->setSuccessMessage($this->getSetupSuccessMessage())
                        ->setResource($this->getConfigureCheckResourceName());

                $modernFeaturesCheck = $this->checkRootCertificateModernFeatures();
                if ($modernFeaturesCheck) {
                        $checks[] = $modernFeaturesCheck;
                }

                return $checks;
        }

        protected function checkRootCertificateModernFeatures(): ?ConfigureCheckHelper {
                $configPath = $this->getConfigPath();
                $caCertPath = $configPath . DIRECTORY_SEPARATOR . 'ca.pem';

                try {
                        $certContent = file_get_contents($caCertPath);
                        if (!$certContent) {
                                return (new ConfigureCheckHelper())
                                        ->setErrorMessage('Failed to read root certificate file')
                                        ->setResource($this->getConfigureCheckResourceName())
                                        ->setTip('Check file permissions and disk space');
                        }

                        $x509Resource = openssl_x509_read($certContent);
                        if (!$x509Resource) {
                                return (new ConfigureCheckHelper())
                                        ->setErrorMessage('Failed to parse root certificate')
                                        ->setResource($this->getConfigureCheckResourceName())
                                        ->setTip('Root certificate file may be corrupted or invalid');
                        }

                        $parsed = openssl_x509_parse($x509Resource);
                        if (!$parsed) {
                                return (new ConfigureCheckHelper())
                                        ->setErrorMessage('Failed to extract root certificate information')
                                        ->setResource($this->getConfigureCheckResourceName())
                                        ->setTip('Root certificate may be in an unsupported format');
                        }

                        $criticalIssues = [];
                        $minorIssues = [];

                        if (isset($parsed['serialNumber'])) {
                                $serialNumber = $parsed['serialNumber'];
                                $serialDecimal = hexdec($serialNumber);
                                if ($serialDecimal <= 1) {
                                        $minorIssues[] = 'Serial number is simple (zero or one)';
                                }
                        } else {
                                $criticalIssues[] = 'Serial number is missing';
                        }

                        $missingExtensions = [];
                        if (!isset($parsed['extensions']['subjectKeyIdentifier'])) {
                                $missingExtensions[] = 'Subject Key Identifier (SKI)';
                        }

                        $isSelfSigned = (isset($parsed['issuer']) && isset($parsed['subject'])
                                                        && $parsed['issuer'] === $parsed['subject']);

                        /**
                         * @todo workarround for missing AKI at certificates generated by CFSSL.
                         *
                         * CFSSL does not add Authority Key Identifier (AKI) to self-signed root certificates.
                         */
                        if (!$isSelfSigned && !isset($parsed['extensions']['authorityKeyIdentifier'])) {
                                $missingExtensions[] = 'Authority Key Identifier (AKI)';
                        }

                        if (!isset($parsed['extensions']['crlDistributionPoints'])) {
                                $missingExtensions[] = 'CRL Distribution Points';
                        }

                        if (!empty($missingExtensions)) {
                                $extensionsList = implode(', ', $missingExtensions);
                                $minorIssues[] = "Missing modern extensions: {$extensionsList}";
                        }

                        $hasLibresignCaUuid = $this->validateLibresignCaUuidInCertificate($parsed);
                        if (!$hasLibresignCaUuid) {
                                $minorIssues[] = 'LibreSign CA UUID not found in Organizational Unit';
                        }

                        if (!empty($criticalIssues)) {
                                $issuesList = implode(', ', $criticalIssues);
                                return (new ConfigureCheckHelper())
                                        ->setErrorMessage("Root certificate has critical issues: {$issuesList}")
                                        ->setResource($this->getConfigureCheckResourceName())
                                        ->setTip($this->getCertificateRegenerationTip());
                        }

                        if (!empty($minorIssues)) {
                                $issuesList = implode(', ', $minorIssues);
                                return (new ConfigureCheckHelper())
                                        ->setInfoMessage("Root certificate could benefit from modern features: {$issuesList}")
                                        ->setResource($this->getConfigureCheckResourceName())
                                        ->setTip($this->getCertificateRegenerationTip() . ' (recommended but not required)');
                        }

                        return null;

                } catch (\Exception $e) {
                        return (new ConfigureCheckHelper())
                                ->setErrorMessage('Failed to analyze root certificate: ' . $e->getMessage())
                                ->setResource($this->getConfigureCheckResourceName())
                                ->setTip('Check if the root certificate file is valid');
                }
        }

        private function validateLibresignCaUuidInCertificate(array $parsed): bool {
                if (!isset($parsed['subject']['OU'])) {
                        return false;
                }

                $instanceId = $this->getLibreSignInstanceId();
                if (empty($instanceId)) {
                        return false;
                }

                $organizationalUnits = $parsed['subject']['OU'];

                if (is_string($organizationalUnits)) {
                        if (str_contains($organizationalUnits, ', ')) {
                                $organizationalUnits = explode(', ', $organizationalUnits);
                        } else {
                                $organizationalUnits = [$organizationalUnits];
                        }
                }

                foreach ($organizationalUnits as $ou) {
                        $ou = trim($ou);
                        if ($this->caIdentifierService->isValidCaId($ou, $instanceId)) {
                                return true;
                        }
                }

                return false;
        }

        private function getLibreSignInstanceId(): string {
                $instanceId = $this->appConfig->getValueString(Application::APP_ID, 'instance_id', '');
                if (strlen($instanceId) === 10) {
                        return $instanceId;
                }
                return '';
        }

        #[\Override]
        public function toArray(): array {
                $return = [
                        'configPath' => $this->getConfigPath(),
                        'generated' => $this->isSetupOk(),
                        'rootCert' => [
                                'commonName' => $this->getCommonName(),
                                'names' => [],
                        ],
                ];
                $return = array_merge(
                        $return,
                        $this->getCertificatePolicy(),
                );
                $names = $this->getNames();
                foreach ($names as $name => $value) {
                        $return['rootCert']['names'][] = [
                                'id' => $name,
                                'value' => $value,
                        ];
                }
                return $return;
        }

        protected function getCrlDistributionUrl(): string {
                return $this->urlGenerator->linkToRouteAbsolute('libresign.crl.getRevocationList');
        }
}

1	<?php
2
3	declare(strict_types=1);
4	/**
5	* SPDX-FileCopyrightText: 2020-2024 LibreCode coop and contributors
6	* SPDX-License-Identifier: AGPL-3.0-or-later
7	*/
8
9	namespace OCA\Libresign\Handler\CertificateEngine;
10
11	use OCA\Libresign\AppInfo\Application;
12	use OCA\Libresign\Exception\EmptyCertificateException;
13	use OCA\Libresign\Exception\InvalidPasswordException;
14	use OCA\Libresign\Exception\LibresignException;
15	use OCA\Libresign\Helper\ConfigureCheckHelper;
16	use OCA\Libresign\Helper\MagicGetterSetterTrait;
17	use OCA\Libresign\Service\CaIdentifierService;
18	use OCA\Libresign\Service\CertificatePolicyService;
19	use OCP\Files\AppData\IAppDataFactory;
20	use OCP\Files\IAppData;
21	use OCP\Files\SimpleFS\ISimpleFolder;
22	use OCP\IAppConfig;
23	use OCP\IConfig;
24	use OCP\IDateTimeFormatter;
25	use OCP\ITempManager;
26	use OCP\IURLGenerator;
27	use OpenSSLAsymmetricKey;
28	use OpenSSLCertificate;
29	use ReflectionClass;
30
31	/**
32	* @method IEngineHandler setPassword(string $password)
33	* @method string getPassword()
34	* @method IEngineHandler setCommonName(string $commonName)
35	* @method string getCommonName()
36	* @method IEngineHandler setHosts(array $hosts)
37	* @method array getHosts()
38	* @method IEngineHandler setFriendlyName(string $friendlyName)
39	* @method string getFriendlyName()
40	* @method IEngineHandler setCountry(string $country)
41	* @method string getCountry()
42	* @method IEngineHandler setState(string $state)
43	* @method string getState()
44	* @method IEngineHandler setLocality(string $locality)
45	* @method string getLocality()
46	* @method IEngineHandler setOrganization(string $organization)
47	* @method string getOrganization()
48	* @method IEngineHandler setOrganizationalUnit(array $organizationalUnit)
49	* @method array getOrganizationalUnit()
50	* @method IEngineHandler setUID(string $UID)
51	* @method string getName()
52	*/
53	abstract class AEngineHandler implements IEngineHandler {
54	use MagicGetterSetterTrait;
55	use OrderCertificatesTrait;
56
57	protected string $commonName = '';
58	protected array $hosts = [];
59	protected string $friendlyName = '';
60	protected string $country = '';
61	protected string $state = '';
62	protected string $locality = '';
63	protected string $organization = '';
64	protected array $organizationalUnit = [];
65	protected string $UID = '';
66	protected string $password = '';
67	protected string $configPath = '';
68	protected string $engine = '';
69	protected string $certificate = '';
70	protected string $currentCaId = '';
71	protected IAppData $appData;
72
73	public function __construct(
74	protected IConfig $config,
75	protected IAppConfig $appConfig,
76	protected IAppDataFactory $appDataFactory,
77	protected IDateTimeFormatter $dateTimeFormatter,
78	protected ITempManager $tempManager,
79	protected CertificatePolicyService $certificatePolicyService,
80	protected IURLGenerator $urlGenerator,
81	protected CaIdentifierService $caIdentifierService,
82	) {
83	$this->appData = $appDataFactory->get('libresign');	64✔
84	}
85
86	protected function exportToPkcs12(
87	OpenSSLCertificate\|string $certificate,
88	OpenSSLAsymmetricKey\|OpenSSLCertificate\|string $privateKey,
89	array $options = [],
90	): string {
91	if (empty($certificate) \|\| empty($privateKey)) {	7✔
92	throw new EmptyCertificateException();	×
93	}
94	$certContent = null;	7✔
95	try {
96	openssl_pkcs12_export(	7✔
97	$certificate,	7✔
98	$certContent,	7✔
99	$privateKey,	7✔
100	$this->getPassword(),	7✔
101	$options,	7✔
102	);	7✔
103	if (!$certContent) {	7✔
104	throw new \Exception();	7✔
105	}
106	} catch (\Throwable) {	×
107	throw new LibresignException('Error while creating certificate file', 500);	×
108	}
109
110	return $certContent;	7✔
111	}
112
113	#[\Override]
114	public function updatePassword(string $certificate, string $currentPrivateKey, string $newPrivateKey): string {
115	if (empty($certificate) \|\| empty($currentPrivateKey) \|\| empty($newPrivateKey)) {	×
116	throw new EmptyCertificateException();	×
117	}
118	$certContent = $this->opensslPkcs12Read($certificate, $currentPrivateKey);	×
119	$this->setPassword($newPrivateKey);	×
120	$certContent = self::exportToPkcs12($certContent['cert'], $certContent['pkey']);	×
121	return $certContent;	×
122	}
123
124	#[\Override]
125	public function readCertificate(string $certificate, string $privateKey): array {
126	if (empty($certificate) \|\| empty($privateKey)) {	9✔
127	throw new EmptyCertificateException();	1✔
128	}
129	$certContent = $this->opensslPkcs12Read($certificate, $privateKey);	8✔
130
131	$return = $this->parseX509($certContent['cert']);	6✔
132	if (isset($certContent['extracerts'])) {	6✔
133	foreach ($certContent['extracerts'] as $extraCert) {	6✔
134	$return['extracerts'][] = $this->parseX509($extraCert);	6✔
135	}
136	$return['extracerts'] = $this->orderCertificates($return['extracerts']);	6✔
137	}
138	return $return;	6✔
139	}
140
141	public function getCaId(): string {
142	$caId = $this->caIdentifierService->getCaId();	9✔
143	if (empty($caId)) {	9✔
144	$caId = $this->caIdentifierService->generateCaId($this->getName());	3✔
145	}
146	return $caId;	9✔
147	}
148
149	private function parseX509(string $x509): array {
150	$parsed = openssl_x509_parse(openssl_x509_read($x509));	6✔
151
152	$return = self::convertArrayToUtf8($parsed);	6✔
153
154	foreach (['subject', 'issuer'] as $actor) {	6✔
155	foreach ($return[$actor] as $part => $value) {	6✔
156	if (is_string($value) && str_contains($value, ', ')) {	6✔
157	$return[$actor][$part] = explode(', ', $value);	×
158	} else {
159	$return[$actor][$part] = $value;	6✔
160	}
161	}
162	}
163
164	$return['valid_from'] = $this->dateTimeFormatter->formatDateTime($parsed['validFrom_time_t']);	6✔
165	$return['valid_to'] = $this->dateTimeFormatter->formatDateTime($parsed['validTo_time_t']);	6✔
166	return $return;	6✔
167	}
168
169	private static function convertArrayToUtf8($array) {
170	foreach ($array as $key => $value) {	6✔
171	if (is_array($value)) {	6✔
172	$array[$key] = self::convertArrayToUtf8($value);	6✔
173	} elseif (is_string($value)) {	6✔
174	$array[$key] = mb_convert_encoding($value, 'UTF-8', 'UTF-8');	6✔
175	}
176	}
177	return $array;	6✔
178	}
179
180	public function opensslPkcs12Read(string &$certificate, string $privateKey): array {
181	openssl_pkcs12_read($certificate, $certContent, $privateKey);	8✔
182	if (!empty($certContent)) {	8✔
183	return $certContent;	6✔
184	}
185	/**
186	* Reference:
187	*
188	* https://github.com/php/php-src/issues/12128
189	* https://www.php.net/manual/en/function.openssl-pkcs12-read.php#128992
190	*/
191	$msg = openssl_error_string();	2✔
192	if ($msg === 'error:0308010C:digital envelope routines::unsupported') {	2✔
193	$tempPassword = $this->tempManager->getTemporaryFile();	×
194	$tempEncriptedOriginal = $this->tempManager->getTemporaryFile();	×
195	$tempEncriptedRepacked = $this->tempManager->getTemporaryFile();	×
196	$tempDecrypted = $this->tempManager->getTemporaryFile();	×
197	file_put_contents($tempPassword, $privateKey);	×
198	file_put_contents($tempEncriptedOriginal, $certificate);	×
199	shell_exec(<<<REPACK_COMMAND	×
200	cat $tempPassword \| openssl pkcs12 -legacy -in $tempEncriptedOriginal -nodes -out $tempDecrypted -passin stdin &&	×
201	cat $tempPassword \| openssl pkcs12 -in $tempDecrypted -export -out $tempEncriptedRepacked -passout stdin	×
202	REPACK_COMMAND	×
203	);	×
204	$certificateRepacked = file_get_contents($tempEncriptedRepacked);	×
205	openssl_pkcs12_read($certificateRepacked, $certContent, $privateKey);	×
206	if (!empty($certContent)) {	×
207	$certificate = $certificateRepacked;	×
208	return $certContent;	×
209	}
210	}
211	throw new InvalidPasswordException();	2✔
212	}
213
214	/**
215	* @param (int\|string) $name
216	*
217	* @psalm-param array-key $name
218	*/
219	public function translateToLong($name): string {
220	return match ($name) {	3✔
221	'CN' => 'CommonName',	×
222	'C' => 'Country',	3✔
223	'ST' => 'State',	×
224	'L' => 'Locality',	×
225	'O' => 'Organization',	3✔
226	'OU' => 'OrganizationalUnit',	2✔
227	'UID' => 'UserIdentifier',	×
228	default => '',	3✔
229	};	3✔
230	}
231
232	public function setEngine(string $engine): void {
233	$this->appConfig->setValueString(Application::APP_ID, 'certificate_engine', $engine);	×
234	$this->engine = $engine;	×
235	}
236
237	#[\Override]
238	public function getEngine(): string {
239	if ($this->engine) {	×
240	return $this->engine;	×
241	}
242	$this->engine = $this->appConfig->getValueString(Application::APP_ID, 'certificate_engine', 'openssl');	×
243	return $this->engine;	×
244	}
245
246	#[\Override]
247	public function populateInstance(array $rootCert): IEngineHandler {
248	if (empty($rootCert)) {	9✔
249	$rootCert = $this->appConfig->getValueArray(Application::APP_ID, 'rootCert');	9✔
250	}
251	if (!$rootCert) {	9✔
252	return $this;	9✔
253	}
254	if (!empty($rootCert['names'])) {	×
255	foreach ($rootCert['names'] as $id => $customName) {	×
256	$longCustomName = $this->translateToLong($id);	×
257	// Prevent to save a property that don't exists
258	if (!property_exists($this, lcfirst($longCustomName))) {	×
259	continue;	×
260	}
261	$this->{'set' . ucfirst($longCustomName)}($customName['value']);	×
262	}
263	}
264	if (!$this->getCommonName()) {	×
265	$this->setCommonName($rootCert['commonName']);	×
266	}
267	return $this;	×
268	}
269
270	#[\Override]
271	public function getConfigPath(): string {
272	if ($this->configPath) {	16✔
273	return $this->configPath;	15✔
274	}
275
276	$customConfigPath = $this->appConfig->getValueString(Application::APP_ID, 'config_path');	16✔
277	if ($customConfigPath && is_dir($customConfigPath)) {	16✔
278	$this->configPath = $customConfigPath;	8✔
279	return $this->configPath;	8✔
280	}
281
282	$this->configPath = $this->initializePkiConfigPath();	9✔
283	if (!empty($this->configPath)) {	9✔
284	$this->appConfig->setValueString(Application::APP_ID, 'config_path', $this->configPath);	9✔
285	}
286	return $this->configPath;	9✔
287	}
288
289	private function initializePkiConfigPath(): string {
290	$caId = $this->getCaId();	9✔
291	if (empty($caId)) {	9✔
NEW 292	return '';	×
293	}
294	$pkiDirName = $this->caIdentifierService->generatePkiDirectoryName($caId);	9✔
295	$dataDir = $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data/');	9✔
296	$instanceId = $this->config->getSystemValue('instanceid');	9✔
297	$pkiPath = $dataDir . '/appdata_' . $instanceId . '/libresign/' . $pkiDirName;	9✔
298
299	if (!is_dir($pkiPath)) {	9✔
300	$this->createDirectoryWithCorrectOwnership($pkiPath);	9✔
301	}
302
303	return $pkiPath;	9✔
304	}
305
306	private function createDirectoryWithCorrectOwnership(string $path): void {
307	$ownerInfo = $this->getFilesOwnerInfo();	9✔
308	$fullCommand = 'mkdir -p ' . escapeshellarg($path);	9✔
309
310	if (posix_getuid() !== $ownerInfo['uid']) {	9✔
NEW 311	$fullCommand = 'runuser -u ' . $ownerInfo['name'] . ' -- ' . $fullCommand;	×
312	}
313
314	exec($fullCommand);	9✔
315	}
316
317	private function getFilesOwnerInfo(): array {
318	$currentFile = realpath(__DIR__);	9✔
319	$owner = fileowner($currentFile);	9✔
320	if ($owner === false) {	9✔
NEW 321	throw new \RuntimeException('Unable to get file information');	×
322	}
323	$ownerInfo = posix_getpwuid($owner);	9✔
324	if ($ownerInfo === false) {	9✔
NEW 325	throw new \RuntimeException('Unable to get file owner information');	×
326	}
327
328	return $ownerInfo;	9✔
329	}
330
331	/**
332	* @todo check a best solution to don't use reflection
333	*/
334	private function getInternalPathOfFolder(ISimpleFolder $node): string {
335	$reflection = new \ReflectionClass($node);	×
336	$reflectionProperty = $reflection->getProperty('folder');	×
337	$folder = $reflectionProperty->getValue($node);	×
338	$path = $folder->getInternalPath();	×
339	return $path;	×
340	}
341
342	#[\Override]
343	public function setConfigPath(string $configPath): IEngineHandler {
344	if (!$configPath) {	×
345	$this->appConfig->deleteKey(Application::APP_ID, 'config_path');	×
346	} else {
347	if (!is_dir($configPath)) {	×
348	mkdir(	×
349	directory: $configPath,	×
350	recursive: true,	×
351	);	×
352	}
353	$this->appConfig->setValueString(Application::APP_ID, 'config_path', $configPath);	×
354	}
355	$this->configPath = $configPath;	×
356	return $this;	×
357	}
358
359	public function getName(): string {
360	$reflect = new ReflectionClass($this);	3✔
361	$className = $reflect->getShortName();	3✔
362	$name = strtolower(substr($className, 0, -7));	3✔
363	return $name;	3✔
364	}
365
366	protected function getNames(): array {
367	$names = [	15✔
368	'C' => $this->getCountry(),	15✔
369	'ST' => $this->getState(),	15✔
370	'L' => $this->getLocality(),	15✔
371	'O' => $this->getOrganization(),	15✔
372	'OU' => $this->getOrganizationalUnit(),	15✔
373	];	15✔
374	if ($uid = $this->getUID()) {	15✔
375	$names['UID'] = $uid;	×
376	}
377	$names = array_filter($names, fn ($v) => !empty($v));	15✔
378	return $names;	15✔
379	}
380
381	public function getUID(): string {
382	return str_replace(' ', '+', $this->UID);	15✔
383	}
384
385	#[\Override]
386	public function getLeafExpiryInDays(): int {
387	$exp = $this->appConfig->getValueInt(Application::APP_ID, 'expiry_in_days', 365);	7✔
388	return $exp > 0 ? $exp : 365;	7✔
389	}
390
391	#[\Override]
392	public function getCaExpiryInDays(): int {
393	$exp = $this->appConfig->getValueInt(Application::APP_ID, 'ca_expiry_in_days', 3650); // 10 years	14✔
394	return $exp > 0 ? $exp : 3650;	14✔
395	}
396
397	private function getCertificatePolicy(): array {
398	$return = ['policySection' => []];	1✔
399	$oid = $this->certificatePolicyService->getOid();	1✔
400	$cps = $this->certificatePolicyService->getCps();	1✔
401	if ($oid && $cps) {	1✔
402	$return['policySection'][] = [	×
403	'OID' => $oid,	×
404	'CPS' => $cps,	×
405	];	×
406	}
407	return $return;	1✔
408	}
409
410	abstract protected function getConfigureCheckResourceName(): string;
411
412	abstract protected function getCertificateRegenerationTip(): string;
413
414	abstract protected function getEngineSpecificChecks(): array;
415
416	abstract protected function getSetupSuccessMessage(): string;
417
418	abstract protected function getSetupErrorMessage(): string;
419
420	abstract protected function getSetupErrorTip(): string;
421
422	#[\Override]
423	public function configureCheck(): array {
424	$checks = $this->getEngineSpecificChecks();	1✔
425
426	if (!$this->isSetupOk()) {	1✔
427	return array_merge($checks, [	1✔
428	(new ConfigureCheckHelper())	1✔
429	->setErrorMessage($this->getSetupErrorMessage())	1✔
430	->setResource($this->getConfigureCheckResourceName())	1✔
431	->setTip($this->getSetupErrorTip())	1✔
432	]);	1✔
433	}
434
435	$checks[] = (new ConfigureCheckHelper())	×
436	->setSuccessMessage($this->getSetupSuccessMessage())	×
437	->setResource($this->getConfigureCheckResourceName());	×
438
439	$modernFeaturesCheck = $this->checkRootCertificateModernFeatures();	×
440	if ($modernFeaturesCheck) {	×
441	$checks[] = $modernFeaturesCheck;	×
442	}
443
444	return $checks;	×
445	}
446
447	protected function checkRootCertificateModernFeatures(): ?ConfigureCheckHelper {
448	$configPath = $this->getConfigPath();	×
449	$caCertPath = $configPath . DIRECTORY_SEPARATOR . 'ca.pem';	×
450
451	try {
452	$certContent = file_get_contents($caCertPath);	×
453	if (!$certContent) {	×
454	return (new ConfigureCheckHelper())	×
455	->setErrorMessage('Failed to read root certificate file')	×
456	->setResource($this->getConfigureCheckResourceName())	×
457	->setTip('Check file permissions and disk space');	×
458	}
459
460	$x509Resource = openssl_x509_read($certContent);	×
461	if (!$x509Resource) {	×
462	return (new ConfigureCheckHelper())	×
463	->setErrorMessage('Failed to parse root certificate')	×
464	->setResource($this->getConfigureCheckResourceName())	×
465	->setTip('Root certificate file may be corrupted or invalid');	×
466	}
467
468	$parsed = openssl_x509_parse($x509Resource);	×
469	if (!$parsed) {	×
470	return (new ConfigureCheckHelper())	×
471	->setErrorMessage('Failed to extract root certificate information')	×
472	->setResource($this->getConfigureCheckResourceName())	×
473	->setTip('Root certificate may be in an unsupported format');	×
474	}
475
476	$criticalIssues = [];	×
477	$minorIssues = [];	×
478
479	if (isset($parsed['serialNumber'])) {	×
480	$serialNumber = $parsed['serialNumber'];	×
481	$serialDecimal = hexdec($serialNumber);	×
482	if ($serialDecimal <= 1) {	×
483	$minorIssues[] = 'Serial number is simple (zero or one)';	×
484	}
485	} else {
486	$criticalIssues[] = 'Serial number is missing';	×
487	}
488
489	$missingExtensions = [];	×
490	if (!isset($parsed['extensions']['subjectKeyIdentifier'])) {	×
491	$missingExtensions[] = 'Subject Key Identifier (SKI)';	×
492	}
493
494	$isSelfSigned = (isset($parsed['issuer']) && isset($parsed['subject'])	×
495	&& $parsed['issuer'] === $parsed['subject']);	×
496
497	/**
498	* @todo workarround for missing AKI at certificates generated by CFSSL.
499	*
500	* CFSSL does not add Authority Key Identifier (AKI) to self-signed root certificates.
501	*/
502	if (!$isSelfSigned && !isset($parsed['extensions']['authorityKeyIdentifier'])) {	×
503	$missingExtensions[] = 'Authority Key Identifier (AKI)';	×
504	}
505
506	if (!isset($parsed['extensions']['crlDistributionPoints'])) {	×
507	$missingExtensions[] = 'CRL Distribution Points';	×
508	}
509
510	if (!empty($missingExtensions)) {	×
511	$extensionsList = implode(', ', $missingExtensions);	×
512	$minorIssues[] = "Missing modern extensions: {$extensionsList}";	×
513	}
514
515	$hasLibresignCaUuid = $this->validateLibresignCaUuidInCertificate($parsed);	×
516	if (!$hasLibresignCaUuid) {	×
517	$minorIssues[] = 'LibreSign CA UUID not found in Organizational Unit';	×
518	}
519
520	if (!empty($criticalIssues)) {	×
521	$issuesList = implode(', ', $criticalIssues);	×
522	return (new ConfigureCheckHelper())	×
523	->setErrorMessage("Root certificate has critical issues: {$issuesList}")	×
524	->setResource($this->getConfigureCheckResourceName())	×
525	->setTip($this->getCertificateRegenerationTip());	×
526	}
527
528	if (!empty($minorIssues)) {	×
529	$issuesList = implode(', ', $minorIssues);	×
530	return (new ConfigureCheckHelper())	×
531	->setInfoMessage("Root certificate could benefit from modern features: {$issuesList}")	×
532	->setResource($this->getConfigureCheckResourceName())	×
533	->setTip($this->getCertificateRegenerationTip() . ' (recommended but not required)');	×
534	}
535
536	return null;	×
537
538	} catch (\Exception $e) {	×
539	return (new ConfigureCheckHelper())	×
540	->setErrorMessage('Failed to analyze root certificate: ' . $e->getMessage())	×
541	->setResource($this->getConfigureCheckResourceName())	×
542	->setTip('Check if the root certificate file is valid');	×
543	}
544	}
545
546	private function validateLibresignCaUuidInCertificate(array $parsed): bool {
547	if (!isset($parsed['subject']['OU'])) {	×
548	return false;	×
549	}
550
551	$instanceId = $this->getLibreSignInstanceId();	×
552	if (empty($instanceId)) {	×
553	return false;	×
554	}
555
556	$organizationalUnits = $parsed['subject']['OU'];	×
557
558	if (is_string($organizationalUnits)) {	×
559	if (str_contains($organizationalUnits, ', ')) {	×
560	$organizationalUnits = explode(', ', $organizationalUnits);	×
561	} else {
562	$organizationalUnits = [$organizationalUnits];	×
563	}
564	}
565
566	foreach ($organizationalUnits as $ou) {	×
NEW 567	$ou = trim($ou);	×
NEW 568	if ($this->caIdentifierService->isValidCaId($ou, $instanceId)) {	×
569	return true;	×
570	}
571	}
572
573	return false;	×
574	}
575
576	private function getLibreSignInstanceId(): string {
577	$instanceId = $this->appConfig->getValueString(Application::APP_ID, 'instance_id', '');	×
578	if (strlen($instanceId) === 10) {	×
579	return $instanceId;	×
580	}
581	return '';	×
582	}
583
584	#[\Override]
585	public function toArray(): array {
586	$return = [	1✔
587	'configPath' => $this->getConfigPath(),	1✔
588	'generated' => $this->isSetupOk(),	1✔
589	'rootCert' => [	1✔
590	'commonName' => $this->getCommonName(),	1✔
591	'names' => [],	1✔
592	],	1✔
593	];	1✔
594	$return = array_merge(	1✔
595	$return,	1✔
596	$this->getCertificatePolicy(),	1✔
597	);	1✔
598	$names = $this->getNames();	1✔
599	foreach ($names as $name => $value) {	1✔
600	$return['rootCert']['names'][] = [	×
601	'id' => $name,	×
602	'value' => $value,	×
603	];	×
604	}
605	return $return;	1✔
606	}
607
608	protected function getCrlDistributionUrl(): string {
609	return $this->urlGenerator->linkToRouteAbsolute('libresign.crl.getRevocationList');	14✔
610	}
611	}

LibreSign / libresign / 19118950120

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous