4c1d13f8f8
security updates: various commands that change or create account passwords now disallow the user name, display name or email from being contained in it. this will force users to not use public information inside the password, hardening password security a little. the root user name is now changeable and required to be changed on initial login. this harden security a little by giving host admins the option to not have a well known user name attached to a high privileged account. users can no longer re-use the old password and/or user name when required to change. however, this does not actually implement full password history because the user can then later change the password back to the old password after the required change. the host can longer block by ip addresses and the auto block threshold setting has been removed. something like this is best left up to firewalls, routers, switches or any other networking infrastructure. in the future i can consider adding event triggering that run certain admin defined external or internal commands when the host detects certain event thresholds. minor changes/bug fixes: all commands that change or create user names now no longer accept user names that looks like an mail address. this works out better for clients when differentiating logging in via user name or email address. the recover_acct command now also have cancel on blank text options making it more consistent with all other commands that take text input. resetting the root user's account password via command line now also unlocks it if locked. the -help and -about command line options no longer display the default password. a new -default_pw option was added for this purpose. the -status -addr or -stop command line options require super user privileges to run properly depending on how the host is installed. an error message like "permission denied" was addded on failure to make this requirement clear to the end user. fs_copy and fs_move now does implicit skip on error instead of stop on error. the IDLE frame type id now carry an integer return code that can be interpreted by clients to determine the result of the command that was sent to the host. house keeping: all documentation was updated to reflect the changes made in this commit. the module tester example is no longer relevant to this project so it was deleted.
268 lines
7.4 KiB
C++
268 lines
7.4 KiB
C++
#include "certs.h"
|
|
|
|
// This file is part of MRCI.
|
|
|
|
// MRCI is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
|
|
// MRCI is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with MRCI under the LICENSE.md file. If not, see
|
|
// <http://www.gnu.org/licenses/>.
|
|
|
|
ListCerts::ListCerts(QObject *parent) : TableViewer(parent)
|
|
{
|
|
setParams(TABLE_CERT_DATA, false);
|
|
addTableColumn(TABLE_CERT_DATA, COLUMN_COMMON_NAME);
|
|
}
|
|
|
|
CertInfo::CertInfo(QObject *parent) : CmdObject(parent) {}
|
|
AddCert::AddCert(QObject *parent) : CmdObject(parent) {}
|
|
RemoveCert::RemoveCert(QObject *parent) : CmdObject(parent) {}
|
|
|
|
QString ListCerts::cmdName() {return "ls_certs";}
|
|
QString CertInfo::cmdName() {return "cert_info";}
|
|
QString AddCert::cmdName() {return "add_cert";}
|
|
QString RemoveCert::cmdName() {return "rm_cert";}
|
|
|
|
void CertInfo::procIn(const QByteArray &binIn, quint8 dType)
|
|
{
|
|
if (dType == TEXT)
|
|
{
|
|
auto args = parseArgs(binIn, 2);
|
|
auto coName = getParam("-name", args);
|
|
|
|
retCode = INVALID_PARAMS;
|
|
|
|
if (coName.isEmpty())
|
|
{
|
|
errTxt("err: The common name argument (-name) was not found or is empty.\n");
|
|
}
|
|
else if (!validCommonName(coName))
|
|
{
|
|
errTxt("err: Invalid common name. it must be less than 200 chars long and contain no spaces.\n");
|
|
}
|
|
else if (!certExists(coName))
|
|
{
|
|
errTxt("err: A cert with common name: '" + coName + "' does not exists.\n");
|
|
}
|
|
else
|
|
{
|
|
retCode = NO_ERRORS;
|
|
|
|
QString txt;
|
|
QTextStream txtOut(&txt);
|
|
|
|
Query db(this);
|
|
|
|
db.setType(Query::PULL, TABLE_CERT_DATA);
|
|
db.addColumn(COLUMN_CERT);
|
|
db.addCondition(COLUMN_COMMON_NAME, coName);
|
|
db.exec();
|
|
|
|
auto cert = toSSLCert(db.getData(COLUMN_CERT).toByteArray());
|
|
|
|
txtOut << "Self Signed: " << boolStr(cert.isSelfSigned()) << endl;
|
|
txtOut << "Black Listed: " << boolStr(cert.isBlacklisted()) << endl;
|
|
txtOut << "Effective Date: " << cert.effectiveDate().toString("MM/dd/yy") << endl;
|
|
txtOut << "Expiry Date: " << cert.expiryDate().toString("MM/dd/yy") << endl;
|
|
|
|
mainTxt(txt);
|
|
}
|
|
}
|
|
}
|
|
|
|
void AddCert::run()
|
|
{
|
|
Query db(this);
|
|
|
|
db.setType(qType, TABLE_CERT_DATA);
|
|
db.addColumn(COLUMN_COMMON_NAME, coName);
|
|
db.addColumn(COLUMN_CERT, certBa);
|
|
db.addColumn(COLUMN_PRIV_KEY, privBa);
|
|
db.exec();
|
|
|
|
flags &= ~MORE_INPUT;
|
|
}
|
|
|
|
void AddCert::ask()
|
|
{
|
|
flags |= MORE_INPUT;
|
|
|
|
mainTxt("Common name: '" + coName + "' already exists. do you want to replace it? (y/n): ");
|
|
}
|
|
|
|
void AddCert::procIn(const QByteArray &binIn, quint8 dType)
|
|
{
|
|
if ((dType == TEXT) && (flags & MORE_INPUT))
|
|
{
|
|
auto ans = fromTEXT(binIn);
|
|
|
|
if (noCaseMatch("n", ans))
|
|
{
|
|
retCode = ABORTED;
|
|
flags &= ~MORE_INPUT;
|
|
}
|
|
else if (noCaseMatch("y", ans))
|
|
{
|
|
run();
|
|
}
|
|
else
|
|
{
|
|
ask();
|
|
}
|
|
}
|
|
else if (dType == TEXT)
|
|
{
|
|
auto args = parseArgs(binIn, 7);
|
|
auto cert = getParam("-cert", args);
|
|
auto priv = getParam("-priv", args);
|
|
auto force = argExists("-force", args);
|
|
|
|
coName = getParam("-name", args);
|
|
retCode = INVALID_PARAMS;
|
|
|
|
QFile certFile(cert, this);
|
|
QFile privFile(priv, this);
|
|
|
|
if (coName.isEmpty())
|
|
{
|
|
errTxt("err: The common name (-name) argument was not found or empty.\n");
|
|
}
|
|
else if (cert.isEmpty())
|
|
{
|
|
errTxt("err: The cert file path (-cert) argument was not found or empty.\n");
|
|
}
|
|
else if (priv.isEmpty())
|
|
{
|
|
errTxt("err: The priv key file path (-priv) argument was not found or empty.\n");
|
|
}
|
|
else if (!certFile.exists())
|
|
{
|
|
errTxt("err: The given cert file: '" + cert + "' does not exists or is not a file.\n");
|
|
}
|
|
else if (!privFile.exists())
|
|
{
|
|
errTxt("err: The given priv key file: '" + priv + "' does not exists or is not a file.\n");
|
|
}
|
|
else if (!validCommonName(coName))
|
|
{
|
|
errTxt("err: The common name must be less than or equal to 136 chars long and contain no spaces.\n");
|
|
}
|
|
else if (!certFile.open(QFile::ReadOnly))
|
|
{
|
|
errTxt("err: Unable to open the cert file: '" + cert + "' for reading. reason: " + certFile.errorString() + "\n");
|
|
}
|
|
else if (!privFile.open(QFile::ReadOnly))
|
|
{
|
|
errTxt("err: Unable to open the priv key: '" + priv + "' for reading. reason: " + privFile.errorString() + "\n");
|
|
}
|
|
else if (toSSLCert(&certFile).isNull())
|
|
{
|
|
errTxt("err: The given cert file is not compatible.\n");
|
|
}
|
|
else if (toSSLKey(&privFile).isNull())
|
|
{
|
|
errTxt("err: The given private key is not compatible.\n");
|
|
}
|
|
else
|
|
{
|
|
retCode = NO_ERRORS;
|
|
certBa = certFile.readAll();
|
|
privBa = privFile.readAll();
|
|
|
|
if (certExists(coName))
|
|
{
|
|
qType = Query::UPDATE;
|
|
|
|
if (force) run();
|
|
else ask();
|
|
}
|
|
else
|
|
{
|
|
qType = Query::PUSH;
|
|
|
|
run();
|
|
}
|
|
}
|
|
|
|
certFile.close();
|
|
privFile.close();
|
|
}
|
|
}
|
|
|
|
void RemoveCert::run()
|
|
{
|
|
Query db(this);
|
|
|
|
db.setType(Query::DEL, TABLE_CERT_DATA);
|
|
db.addCondition(COLUMN_COMMON_NAME, coName);
|
|
db.exec();
|
|
|
|
flags &= ~MORE_INPUT;
|
|
}
|
|
|
|
void RemoveCert::ask()
|
|
{
|
|
flags |= MORE_INPUT;
|
|
|
|
mainTxt("Are you sure you want to remove the cert for common name: " + coName + "? (y/n): ");
|
|
}
|
|
|
|
void RemoveCert::procIn(const QByteArray &binIn, quint8 dType)
|
|
{
|
|
if ((dType == TEXT) && (flags & MORE_INPUT))
|
|
{
|
|
QString ans = fromTEXT(binIn);
|
|
|
|
if (noCaseMatch("n", ans))
|
|
{
|
|
retCode = ABORTED;
|
|
flags &= ~MORE_INPUT;
|
|
}
|
|
else if (noCaseMatch("y", ans))
|
|
{
|
|
run();
|
|
}
|
|
else
|
|
{
|
|
ask();
|
|
}
|
|
}
|
|
else if (dType == TEXT)
|
|
{
|
|
auto args = parseArgs(binIn, -1);
|
|
auto name = getParam("-name", args);
|
|
auto force = argExists("-force", args);
|
|
|
|
retCode = INVALID_PARAMS;
|
|
|
|
if (name.isEmpty())
|
|
{
|
|
errTxt("err: Common name (-name) argument not found or is empty.\n");
|
|
}
|
|
else if (!validCommonName(name))
|
|
{
|
|
errTxt("err: Invalid common name.\n");
|
|
}
|
|
else if (!certExists(name))
|
|
{
|
|
errTxt("err: The given common name '" + name + "' does not exists.\n");
|
|
}
|
|
else
|
|
{
|
|
retCode = NO_ERRORS;
|
|
coName = name;
|
|
|
|
if (force) run();
|
|
else ask();
|
|
}
|
|
}
|
|
}
|