App-CamelPKI
view release on metacpan or search on metacpan
lib/App/CamelPKI/Model/CA.pm view on Meta::CPAN
=over
=item I<db_dir>
The directory where the AC database and its cryptographic
material (certificates and keys) are to be installed.
=item I<keysize>
The size of keys used for the Key Ceremony.
=back
=cut
=head1 METHODS
=head2 new
Constuctor of the singleton called by Catalyst. Overloaded to use
L<App::CamelPKI::RestrictedClassMethod>, so that it cannot be called from
anywere, except from the application's initialization sequence.
=cut
sub new : Restricted { shift->SUPER::new(@_) }
=head2 set_brands($ca_brand, $cadb_brand)
Conveys authority to create instances of L<App::CamelPKI::CA> and
L<App::CamelPKI::CADB> to this class when the restricted class method
discipline is enabled (see L<App::CamelPKI::RestrictedClassMethod>). Called
by L<App::CamelPKI/setup> after restricting all the constructors in the
application . $ca_brand and $cadb_brand are the respective brands for
classes B<App::CamelPKI::CA> and B<App::CamelPKI::CADB>, as created by
L<App::CamelPKI::RestrictedClassMethod/grab>.
This class method is in turn restricted, so that only the application
initialization code may call it. By default (eg in tests),
B<App::CamelPKI::Model::CA> uses fake brands (see
L<App::CamelPKI::RestrictedClassMethod/fake_grab>).
=cut
{
my ($cabrand, $cadbbrand) =
map { App::CamelPKI::RestrictedClassMethod->fake_grab($_) }
qw(App::CamelPKI::CA App::CamelPKI::CADB);
sub set_brands : Restricted {
(undef, $cabrand, $cadbbrand) = @_;
}
sub _invoke_on_CA { $cabrand->invoke(@_) }
sub _invoke_on_CADB { $cadbbrand->invoke(@_) }
}
=head2 instance
Verify this CA has already undergone its Key Ceremony, or else throw an
exception; then create and returns an App::CamelPKI::CA instance which has
all privileges and represents the (unique) Operational CA installed on
this host.
Note that I<instance> is B<not> idempotent, and returns different
instances at each invocation. Were it not the case, constructors could
construct a covert channel using the shared instance, which is
mutable, and so a malicious controller could hide some information for
constructors that will later run in the same UNIX process.
=cut
sub instance {
my ($self) = @_;
my $ca = $self->_make_ca;
unless ($ca->is_operational) {
throw App::CamelPKI::Error::State(<<"MESSAGE");
The AC is not operational, please run
script/camel_pki_keyceremony.pl
MESSAGE
}
return $ca;
}
=head2 db_dir()
Returns the directory where are stored the App-PKI Certificate
Authority informations (certification chain, certificate, private
keys and AC database).
=cut
sub db_dir { shift->{db_dir} }
=head2 do_ceremony($privdir, $webserver)
Runs the B<Key Ceremony> for the Camel-PKI Certificate Authority. The
Operational CA and Root CA certificates are recorded in the private
directory configured with the I<db_dir> key (see L</CONFIGURATION>).
The Root CA certificate and key, and the administrator credentials are
written into $privdir, under the respective names C<ca0.key>,
C<ca0.crt>, C<admin.key> and C<admin.pem>. Last but not least, the Web
server certificate and key are installed in $webserver, an
L<App::CamelPKI::SysV::Apache> instance.
=cut
sub do_ceremony {
use File::Slurp;
use File::Spec::Functions qw(catfile);
use App::CamelPKI::CertTemplate::CA;
use App::CamelPKI::CertTemplate::PKI;
use Sys::Hostname ();
my ($self, $privdir, $webserver) = @_;
throw App::CamelPKI::Error::Internal("INCORRECT_ARGS")
unless (-d $privdir);
# REFACTORME: use a complete App::CamelPKI::CA instance for the
# Root CA
my $privKeyCA0 = App::CamelPKI::PrivateKey->genrsa($self->{keysize});
write_file(catfile($privdir, "ca0.key"),
$privKeyCA0->serialize(-format => "PEM"));
$privKeyCA0 = $privKeyCA0->as_crypt_openssl_ca_privatekey;
my $certCA0 = Crypt::OpenSSL::CA::X509->new
($privKeyCA0->get_public_key);
App::CamelPKI::CertTemplate::CA0->prepare_self_signed_certificate
($certCA0);
my $pemCA0 = $certCA0->sign($privKeyCA0,"sha256");
write_file(catfile($privdir, "ca0.crt"), $pemCA0);
write_file($self->_root_ca_cert_path, $pemCA0);
my $privKeyCA1 = App::CamelPKI::PrivateKey->genrsa($self->{keysize});
my $certCA1 = Crypt::OpenSSL::CA::X509->new
($privKeyCA1->as_crypt_openssl_ca_privatekey->get_public_key);
App::CamelPKI::CertTemplate::CA1->prepare_certificate($certCA0, $certCA1);
$certCA1->set_serial("0x2"); # RFC3280 § 4.1.2.2 forbids zero
my $pemCA1 = $certCA1->sign($privKeyCA0, "sha256");
my $CA0 = App::CamelPKI::Certificate->parse($pemCA0);
my $CA1 = App::CamelPKI::Certificate->parse($pemCA1);
my $ca = $self->_make_ca;
$ca->set_keys (-certificate => $CA1, -key => $privKeyCA1);
my $webserverkey = App::CamelPKI::PrivateKey->genrsa($self->{keysize});
my $web_dns = exists($self->{dns_webserver}) ?
$self->{dns_webserver} : "undef";
$ca->issue
("App::CamelPKI::CertTemplate::PKI1", $webserverkey->get_public_key,
dns => $web_dns);
my ($webservercert) = $ca->commit;
$webserver->set_keys
(-certificate => $webservercert,
-key => $webserverkey,
-certification_chain => [ $CA1, $CA0 ]);
my ($admincert, $adminkey) = $self->make_admin_credentials;
write_file(catfile($privdir, "admin.pem"), $admincert->serialize);
write_file(catfile($privdir, "admin.key"), $adminkey->serialize);
return $self;
}
=head2 make_admin_credentials
Regenerate an initial administrator certificate and private key, and
returns a pair ($cert, $key) which are respectively
L<App::CamelPKI::Certificate> and L<App::CamelPKI::PrivateKey> instances. Old
administrator certificates are revoked.
=cut
sub make_admin_credentials {
my ($self) = @_;
( run in 2.809 seconds using v1.01-cache-2.11-cpan-437f7b0c052 )