
Check-in [1156ad25]

Comment: Added a 'cert' subcommand to manage certificate groups, and added a certificate table to the global db. Minor code formatting change.
SHA1:1156ad25dbb67cefd5c8c5bb244edb3e620ad551
User & Date: jan 2011-03-30 15:40:51
Context
2011-03-30
18:49
Use the new certificate bundle management for https connections, and deactivate the old environment variable code. Added support for specifying certificate/key bundle to clone/push/pull/sync commands. check-in: 1a1aa98a user: jan tags: jan-clientcert
15:40
Added a 'cert' subcommand to manage certificate groups, and added a certificate table to the global db. Minor code formatting change. check-in: 1156ad25 user: jan tags: jan-clientcert
10:53
Minor code formatting changes in http_ssl.c. check-in: 662c8351 user: drh tags: jan-clientcert
Changes

Changes to src/http_ssl.c.

356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
...
377
378
379
380
381
382
383
384























































































































































































385
}

/*
** Get SSL authentication file reference from environment variable. If set,
** then store varaible in global config. If environment variable was not set,
** attempt to get variable from global config.
**/
char *ssl_get_and_set_file_ref(const char *envvar, const char *dbvar)
{
  char *zVar;
  char *zTmp;

  zTmp = mprintf("%s:%s", dbvar, g.urlName);

  zVar = getenv(envvar);
  if( zVar ){
................................................................................
  }else{
    zVar = db_get(zTmp, NULL);
  }
  free(zTmp);

  return zVar;
}
























































































































































































#endif /* FOSSIL_ENABLE_SSL */







|
<







 








>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

356
357
358
359
360
361
362
363

364
365
366
367
368
369
370
...
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
}

/*
** Get SSL authentication file reference from environment variable. If set,
** then store varaible in global config. If environment variable was not set,
** attempt to get variable from global config.
**/
char *ssl_get_and_set_file_ref(const char *envvar, const char *dbvar){

  char *zVar;
  char *zTmp;

  zTmp = mprintf("%s:%s", dbvar, g.urlName);

  zVar = getenv(envvar);
  if( zVar ){
................................................................................
  }else{
    zVar = db_get(zTmp, NULL);
  }
  free(zTmp);

  return zVar;
}

/*
** COMMAND: cert
**
** Usage: %fossil cert SUBCOMMAND ...
**
** Manage/group PKI keys/certificates to be able to use client
** certificates and register CA certificates for SSL verifications.
**
**    %fossil cert add NAME ?--key KEYFILE? ?--cert CERTFILE?
**           ?--cafile CAFILE? ?--capath CAPATH?
**
**        Create a certificate group NAME with the associated
**        certificates/keys. If a client certificate is specified but no
**        key, it is assumed that the key is located in the client
**        certificate file. The file format must be PEM.
**
**    %fossil cert list
**
**        List all credential groups, their values and their URL
**        associations.
**
**    %fossil cert disassociate URL
**
**        Disassociate URL from any credential group(s).
**
**    %fossil cert delete NAME
**
**        Remove the credential group NAME and all it's associated URL
**        associations.
*/
void cert_cmd(void){
  int n;
  const char *zCmd = "list";
  if( g.argc>=3 ){
    zCmd = g.argv[2];
  }
  n = strlen(zCmd);
  if( strncmp(zCmd, "add", n)==0 ){
    const char *zContainer;
    const char *zCKey;
    const char *zCCert;
    const char *zCAFile;
    const char *zCAPath;
    if( g.argc<5 ){
      usage("add NAME ?--key CLIENTKEY? ?--cert CLIENTCERT? ?--cafile CAFILE? "
          "?--capath CAPATH?");
    }
    zContainer = g.argv[3];
    zCKey = find_option("key",0,1);
    zCCert = find_option("cert",0,1);
    zCAFile = find_option("cafile",0,1);
    zCAPath = find_option("capath",0,1);

    /* If a client certificate was specified, but a key was not, assume the
     * key is stored in the same file as the certificate.
     */
    if( !zCKey && zCCert ){
      zCKey = zCCert;
    }

    db_open_config(0);
    db_swap_connections();
    if( db_exists(
        "SELECT 1 FROM certs"
        " WHERE name='%s'",
        zContainer)!=0 ){
      fossil_fatal("certificate group \"%s\" already exists", zContainer);
    }
    db_begin_transaction();
    if( zCKey ){
      db_multi_exec("INSERT INTO certs (name,type,filepath) "
          "VALUES(%Q,'ckey',%Q)",
          zContainer, zCKey);
    }
    if( zCCert ){
      db_multi_exec("INSERT INTO certs (name,type,filepath) "
          "VALUES(%Q,'ccert',%Q)",
          zContainer, zCCert);
    }
    if( zCAFile ){
      db_multi_exec("INSERT INTO certs (name,type,filepath) "
          "VALUES(%Q,'cafile',%Q)",
          zContainer, zCAFile);
    }
    if( zCAPath ){
      db_multi_exec("INSERT INTO certs (name,type,filepath) "
          "VALUES(%Q,'capath',%Q)",
          zContainer, zCAPath);
    }
    db_end_transaction(0);
    db_swap_connections();
  }else if(strncmp(zCmd, "list", n)==0){
    Stmt q;
    char *grp = NULL;

    db_open_config(0);
    db_swap_connections();

    db_prepare(&q, "SELECT name,type,filepath FROM certs"
                   " WHERE type NOT IN ('server')"
                   " ORDER BY name,type");
    while( db_step(&q)==SQLITE_ROW ){
      const char *zCont = db_column_text(&q, 0);
      const char *zType = db_column_text(&q, 1);
      const char *zFilePath = db_column_text(&q, 2);
      if( fossil_strcmp(zCont, grp)!=0 ){
        free(grp);
        grp = strdup(zCont);
        puts(zCont);
      }
      printf("\t%s=%s\n", zType, zFilePath);
    }
    db_finalize(&q);

    /* List the URL associations. */
    db_prepare(&q, "SELECT name FROM global_config"
                   " WHERE name LIKE 'certgroup:%%' AND value=%Q"
                   " ORDER BY name", grp);
    free(grp);

    while( db_step(&q)==SQLITE_ROW ){
      const char *zName = db_column_text(&q, 0);
      static int first = 1;
      if( first ) {
        puts("\tAssociations");
        first = 0;
      }
      printf("\t\t%s\n", zName+10);
    }

    db_swap_connections();
  }else if(strncmp(zCmd, "disassociate", n)==0){
    const char *zURL;
    if( g.argc<4 ){
      usage("disassociate URL");
    }
    zURL = g.argv[3];

    db_open_config(0);
    db_swap_connections();
    db_begin_transaction();

    db_multi_exec("DELETE FROM global_config WHERE name='certgroup:%s'",
        zURL);
    if( db_changes() == 0 ){
      fossil_warning("No certificate group associated with URL \"%s\".",
          zURL);
    }else{
      printf("%s disassociated from its certificate group.\n", zURL);
    }
    db_end_transaction(0);
    db_swap_connections();

  }else if(strncmp(zCmd, "delete", n)==0){
    const char *zContainer;
    if( g.argc<4 ){
      usage("delete NAME");
    }
    zContainer = g.argv[3];

    db_open_config(0);
    db_swap_connections();
    db_begin_transaction();
    db_multi_exec("DELETE FROM certs WHERE name=%Q", zContainer);
    if( db_changes() == 0 ){
      fossil_warning("No certificate group named \"%s\" found",
          zContainer);
    }else{
      printf("%d entries removed\n", db_changes());
    }
    db_multi_exec("DELETE FROM global_config WHERE name LIKE 'certgroup:%%'"
        " AND value=%Q", zContainer);
    if( db_changes() > 0 ){
      printf("%d associations removed\n", db_changes());
    }
    db_end_transaction(0);
    db_swap_connections();
  }else{
    fossil_panic("cert subcommand should be one of: "
                 "add list disassociate delete");
  }
}

#endif /* FOSSIL_ENABLE_SSL */
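Review bot: In the new cert_cmd, the `add` branch builds the db_exists() query with `%s` on the user-supplied NAME (`" WHERE name='%s'", zContainer`) while every other statement in the function quotes its arguments with `%Q`; a name containing a single quote breaks or alters that query, so it should read `" WHERE name=%Q", zContainer`. The `disassociate` branch has the same inconsistency with the URL argument in `"DELETE FROM global_config WHERE name='certgroup:%s'"`, which should use the escaping form `'certgroup:%q'`. Separately, the `list` branch only looks up URL associations for whatever name was last left in `grp`, and when the certs table is empty `grp` is NULL so the `value=%Q` filter never matches; selecting `name,value FROM global_config WHERE name LIKE 'certgroup:%%' ORDER BY value,name` and printing the group next to each `zName+10` would list every association as the usage text promises. The `static int first` inside the loop also keeps its state across calls, which is harmless for a one-shot command but reads oddly next to the local `grp`.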

Changes to src/schema.c.

27
28
29
30
31
32
33







34
35
36
37
38
39
40
@ -- This file contains the schema for the database that is kept in the
@ -- ~/.fossil file and that stores information about the users setup.
@ --
@ CREATE TABLE global_config(
@   name TEXT PRIMARY KEY,
@   value TEXT
@ );







;

#if INTERFACE
/*
** The content tables have a content version number which rarely
** changes.  The aux tables have an arbitrary version number (typically
** a date) which can change frequently.  When the content schema changes,







>
>
>
>
>
>
>







27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
@ -- This file contains the schema for the database that is kept in the
@ -- ~/.fossil file and that stores information about the users setup.
@ --
@ CREATE TABLE global_config(
@   name TEXT PRIMARY KEY,
@   value TEXT
@ );
@ CREATE TABLE certs(
@   name TEXT NOT NULL,
@   type TEXT NOT NULL,
@   filepath TEXT NOT NULL,
@   PRIMARY KEY(name, type),
@   UNIQUE(name, type)
@ );
;

#if INTERFACE
/*
** The content tables have a content version number which rarely
** changes.  The aux tables have an arbitrary version number (typically
** a date) which can change frequently.  When the content schema changes,
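Review bot: `UNIQUE(name, type)` on the new certs table duplicates `PRIMARY KEY(name, type)`: in SQLite a composite primary key on an ordinary table is already enforced through an automatic unique index, so the extra clause only creates a second identical index and can be dropped. Since this text is the creation schema for the global configuration database, a ~/.fossil created before this change presumably has no certs table unless an upgrade step exists elsewhere in the commit; worth confirming that the cert subcommand tolerates that case rather than failing on the missing table.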