Roxen.git / server / etc / modules / CertDB.pmod

version» Context lines:

Roxen.git/server/etc/modules/CertDB.pmod:1:   /*    * $Id$    *    * Certificate Database API.    */      //! Certificate Database API      #ifdef SSL3_DEBUG - # define SSL3_WERR(X) report_debug("CertDB: %s\n", X) + # define SSL3_WERR(X ...) report_debug("CertDB: " + X)   #else - # define SSL3_WERR(X) + # define SSL3_WERR(X ...)   #endif         // Some convenience constants.   protected local constant Compound = Standards.ASN1.Types.Compound;   protected local constant Identifier = Standards.ASN1.Types.Identifier;   protected local constant Sequence = Standards.ASN1.Types.Sequence;      //!   array(mapping(string:int|string)) list_keys()
Roxen.git/server/etc/modules/CertDB.pmod:111:       if (!sizeof(pem_file)) return;       string raw_pem;    string pem_hash;       Stdio.Stat st = lfile_stat(pem_file);    if (st) {    // FIXME: Check if mtime hash changed before reading the file?    -  SSL3_WERR (sprintf ("Reading cert file %O", pem_file)); +  SSL3_WERR("Reading cert file %O\n", pem_file);    if( catch{ raw_pem = lopen(pem_file, "r")->read(); } )    { -  werror("Reading PEM file %O failed: %s\n", +  SSL3_WERR("Reading PEM file %O failed: %s\n",    pem_file, strerror(errno()));    } else {    pem_hash = Crypto.SHA256.hash(raw_pem);    if ((pem_info->hash == pem_hash) && !force) {    // No change. -  +  SSL3_WERR("PEM file not modified since last import.\n");    return;    }    }    }       if (!raw_pem) {    // Mark any old certs and keys as stale.    db->query("UPDATE certs "    " SET pem_id = NULL, "    " msg_no = NULL "
Roxen.git/server/etc/modules/CertDB.pmod:169:    ]);       string body = msg->body;       if (msg->headers["dek-info"] && pem_info->pass) {    mixed err = catch {    body = Standards.PEM.decrypt_body(msg->headers["dek-info"],    body, pem_info->pass);    };    if (err) { -  werror("Invalid decryption password for %O.\n", pem_file); +  SSL3_WERR("Invalid decryption password for %O.\n", pem_file);    }    }    -  +  SSL3_WERR("Got %s.\n", msg->pre); +     switch(msg->pre) {    case "CERTIFICATE":    case "X509 CERTIFICATE":    Standards.X509.TBSCertificate tbs =    Standards.X509.decode_certificate(body);    if (!tbs) continue;       entry->subject = tbs->subject->get_der();    entry->issuer = tbs->issuer->get_der();    entry->expires = tbs->not_after;
Roxen.git/server/etc/modules/CertDB.pmod:195:    entry->keyhash =    Crypto.SHA256.hash(tbs->public_key->pkc->    pkcs_public_key()->get_der());    certs += ({ entry });    break;       case "PRIVATE KEY":    case "RSA PRIVATE KEY":    case "DSA PRIVATE KEY":    case "ECDSA PRIVATE KEY": -  werror("CERTDB: Got %s.\n", msg->pre); +     Crypto.Sign.State private_key =    Standards.X509.parse_private_key(body);       entry->keyhash =    Crypto.SHA256.hash(private_key->    pkcs_public_key()->get_der());       Crypto.AES.CCM.State ccm = Crypto.AES.CCM();    // NB: Using the server salt as a straight encryption key    // is a BAD idea as CCM is a stream crypto.
Roxen.git/server/etc/modules/CertDB.pmod:218:    entry->data = ccm->crypt(body) + ccm->digest();       keys += ({ entry });    break;       case "CERTIFICATE REQUEST":    // Ignore CSRs for now.    break;       default: -  werror("Unsupported PEM message: %O\n", msg->pre); +  SSL3_WERR("Unsupported PEM message: %O\n", msg->pre);    break;    }    }    };    if (err) {    werror("Failed to handle PEM file:\n");    master()->handle_error(err);    }    -  werror("New keys: %d\n", sizeof(keys)); -  +     foreach(keys, mapping(string:string|int) key_info) {    tmp = db->typed_query("SELECT * "    " FROM cert_keys "    " WHERE keyhash = %s",    key_info->keyhash);    if (!sizeof(tmp)) {    db->query("INSERT INTO cert_keys "    " (pem_id, msg_no, keyhash, data) "    "VALUES (%d, %d, %s, %s)",    key_info->pem_id, key_info->msg_no,
Roxen.git/server/etc/modules/CertDB.pmod:347:    tmp = db->typed_query("UPDATE certs "    " SET parent = %d "    " WHERE issuer = %s "    " AND parent IS NULL "    " AND subject != issuer",    cert_info->id,    cert_info->subject);    } else if (tmp[0]->expires <= cert_info->expires) {    // NB: Keep more recent certificates unmodified (even if stale).    // NB: keyhash, subject and issuer are unmodified (cf above). +  SSL3_WERR("Updating cert #%d: %O\n", tmp[0]->id, cert_info);    db->query("UPDATE certs "    " SET pem_id = %d, "    " msg_no = %d, "    " expires = %d, "    " data = %s "    " WHERE id = %d",    cert_info->pem_id, cert_info->msg_no,    cert_info->expires, cert_info->data,    tmp[0]->id); -  +  } else { +  SSL3_WERR("Got certificate older than that in db: %d < %d\n", +  cert_info->expires, tmp[0]->expires);    }    }       // Mark any old certs and keys that are still update in progress as stale.    db->query("UPDATE certs "    " SET pem_id = NULL "    " WHERE pem_id = %d "    " AND msg_no IS NULL",    pem_id);    db->query("UPDATE cert_keys "
Roxen.git/server/etc/modules/CertDB.pmod:536:    key_id);    if (!sizeof(tmp)) return 0;       if (sizeof(tmp[0]->data) < Crypto.AES.CCM.digest_size()) return 0;    Crypto.AES.CCM.State ccm = Crypto.AES.CCM();    ccm->set_decrypt_key(Crypto.SHA256.hash(roxenp()->query("server_salt") +    "\0" + tmp[0]->key_hash));    string digest = tmp[0]->data[<Crypto.AES.CCM.digest_size()-1..];    string raw = ccm->crypt(tmp[0]->data[..<Crypto.AES.CCM.digest_size()]);    if (digest != ccm->digest()) { -  werror("Invalid key digest for key #%d. Has the server salt changed?\n", +  SSL3_WERR("Invalid key digest for key #%d. Has the server salt changed?\n",    key_id);    return 0;    }    Crypto.Sign.State private_key = Standards.X509.parse_private_key(raw);    raw = "";       array(string) certs = ({});    while (cert_id) {    tmp = db->typed_query("SELECT * "    " FROM certs "    " WHERE id = %d",    cert_id);    if (!sizeof(tmp)) break;    certs += ({ tmp[0]->data });    cert_id = tmp[0]->parent;    }    if (!sizeof(certs)) { -  werror("Missing certificate (#%d) for keypair %d.\n", cert_id, keypair_id); +  SSL3_WERR("Missing certificate (#%d) for keypair %d.\n", cert_id, keypair_id);    return 0;    }       return ({ private_key, certs });   }