Dear OpenCA Developers,

I have added the possibility of sending another verification mail from the RA interface.

By default, a new CSR for which the email is not verified yet is not displayed at all (TEMPNEW in the database). Some time ago, I sent a patch which makes "unverified" requests visible in the CA interface. That patch is included in the one attached to this mail. Now I can access such CSRs, and I can edit them and eventually sign them. But if the user had a typo in the email address and I correct it, I might want to have that one verified (it is PENDING now). So I have added a command that allows the verification mail to be sent again.

Other use cases are:

- Sending mail is impossible due to server misconfiguration; after fixing that, the operator wants to send out the verification mails again for the requests that have been entered into the database in the meantime.
- After an upgrade from earlier versions of OpenCA, which did not yet support email verification, all archived requests have an unverified email address. When renewing them, it should be possible to send out the verification message from the (upgraded) CA.
- When adding a new email address or changing the email contact when a CSR is renewed, one should be able to verify the new contact again.

Please have a look at my patch and consider adding this feature to future releases of OpenCA.

Best regards,
Martin
diff -ruN openca-base-1.5.1.orig/src/common/etc/rbac/acl.xml openca-base-1.5.1/src/common/etc/rbac/acl.xml --- openca-base-1.5.1.orig/src/common/etc/rbac/acl.xml 2012-04-05 02:17:54.000000000 +0200 +++ openca-base-1.5.1/src/common/etc/rbac/acl.xml 2014-04-02 14:29:06.665621429 +0200 @@ -494,6 +494,12 @@ <owner>.*</owner> </permission> <permission> + <module>(0|@ra_module_id@|@batch_module_id@)</module> + <role>.*</role> + <operation>send verify message</operation> + <owner>.*</owner> + </permission> + <permission> <module>@node_module_id@</module> <role>.*</role> <operation>database update</operation> diff -ruN openca-base-1.5.1.orig/src/common/etc/rbac/cmds/Makefile openca-base-1.5.1/src/common/etc/rbac/cmds/Makefile --- openca-base-1.5.1.orig/src/common/etc/rbac/cmds/Makefile 2012-04-05 02:17:54.000000000 +0200 +++ openca-base-1.5.1/src/common/etc/rbac/cmds/Makefile 2014-04-02 14:42:15.368889823 +0200 @@ -133,6 +133,7 @@ send_cert_key_pkcs8.xml \ send_email_cert.xml \ sendcert.xml \ + sendVerifyMessage.xml \ serverInfo.xml \ setLanguage.xml \ setPasswd.xml \ diff -ruN openca-base-1.5.1.orig/src/common/etc/rbac/cmds/sendVerifyMessage.xml openca-base-1.5.1/src/common/etc/rbac/cmds/sendVerifyMessage.xml --- openca-base-1.5.1.orig/src/common/etc/rbac/cmds/sendVerifyMessage.xml 1970-01-01 01:00:00.000000000 +0100 +++ openca-base-1.5.1/src/common/etc/rbac/cmds/sendVerifyMessage.xml 2014-04-02 14:25:50.769824593 +0200 @@ -0,0 +1,10 @@ +<openca> + <command_config> + <command> + <name>sendVerifyMessage</name> + <operation>send verify message</operation> + <owner_method>CSR_SERIAL</owner_method> + <owner_argument>key</owner_argument> + </command> + </command_config> +</openca> diff -ruN openca-base-1.5.1.orig/src/common/lib/cmds/listCSR openca-base-1.5.1/src/common/lib/cmds/listCSR --- openca-base-1.5.1.orig/src/common/lib/cmds/listCSR 2010-12-13 21:06:06.000000000 +0100 +++ openca-base-1.5.1/src/common/lib/cmds/listCSR 2014-04-02 16:19:51.197714948 +0200 
@@ -47,6 +47,14 @@ $item_list->{HEAD}->[$colNum++] = gettext ("Submitted On"); $item_list->{HEAD}->[$colNum++] = gettext ("Role"); $item_list->{HEAD}->[$colNum++] = gettext ("LOA"); + } elsif( $dataType eq "TEMPNEW_REQUEST" ) { + $name = "New Certificate Signing Requests"; + $item_list->{HEAD}->[$colNum++] = gettext ("Sel");; + $item_list->{HEAD}->[$colNum++] = gettext ("Serial"); + $item_list->{HEAD}->[$colNum++] = gettext ("Submit Name"); + $item_list->{HEAD}->[$colNum++] = gettext ("Submitted On"); + $item_list->{HEAD}->[$colNum++] = gettext ("Role"); + $item_list->{HEAD}->[$colNum++] = gettext ("LOA"); } elsif ( $dataType eq "RENEW_REQUEST" ) { $name = "Renewed Certificate Signing Requests"; $item_list->{HEAD}->[$colNum++] = gettext ("Sel");; diff -ruN openca-base-1.5.1.orig/src/common/lib/cmds/Makefile openca-base-1.5.1/src/common/lib/cmds/Makefile --- openca-base-1.5.1.orig/src/common/lib/cmds/Makefile 2012-04-05 02:17:55.000000000 +0200 +++ openca-base-1.5.1/src/common/lib/cmds/Makefile 2014-04-02 14:41:14.839718948 +0200 @@ -130,6 +130,7 @@ send_cert_key_pkcs8 \ send_email_cert \ sendcert \ + sendVerifyMessage \ serverInfo \ setLanguage \ setPasswd \ diff -ruN openca-base-1.5.1.orig/src/common/lib/cmds/sendVerifyMessage openca-base-1.5.1/src/common/lib/cmds/sendVerifyMessage --- openca-base-1.5.1.orig/src/common/lib/cmds/sendVerifyMessage 1970-01-01 01:00:00.000000000 +0100 +++ openca-base-1.5.1/src/common/lib/cmds/sendVerifyMessage 2014-04-02 16:05:32.025218984 +0200 
@@ -0,0 +1,111 @@ +## OpenCA - Command +## (c) 1998-2001 by Massimiliano Pala and OpenCA Group +## (c) Copyright 2002-2004 The OpenCA Project +## +## File Name: sendVerifyMessage +## Brief: send verify message +## Description: Manually trigger sending the verify message to user +## Version: $Revision: 1.9 $ +## Parameters: dataType, key + + +use strict; + +sub cmdSendVerifyMessage { + + our ($db, $query, $errno, $errval, $self); + + my ( $info_list, $hidden_list, $cmd_panel); + + my $verifyEmailAddress = getRequired('verifyEmailAddress'); + my $reqStatus = undef; + + my $dataType = $query->param('dataType' ); + my $key = $query->param('key'); + + configError( gettext ("Error, needed dB key!") ) if ( not $key ); + + if ( $dataType eq "PENDING_REQUEST" ) { + $reqStatus = gettext("Waiting for Approval"); + } elsif ( $dataType eq "NEW_REQUEST" ) { + $reqStatus = gettext("New Request Waiting for Approval"); + } elsif ( $dataType eq "RENEW_REQUEST" ) { + $reqStatus = gettext("Renewal Request Waiting for Approval"); + } elsif ( $dataType eq "DELETED_REQUEST" ) { + $reqStatus = gettext("Deleted Request"); + } elsif ( $dataType eq "SIGNED_REQUEST" ) { + $reqStatus = gettext("Signed Request Waiting for Additional Signature"); + } elsif ( $dataType eq "APPROVED_REQUEST" ) { + $reqStatus = gettext("Approved Request"); + } elsif ( $dataType eq "ARCHIVED_REQUEST" ) { + $reqStatus = gettext("Archived Request"); + } elsif ( $dataType eq "REQUEST" ) { + ## try to determine the datatype + if ($db->getItem ( DATATYPE => "ARCHIVED_REQUEST", KEY => $key )) { + $dataType = "ARCHIVED_REQUEST"; + $reqStatus = gettext ("Archived Request"); + } elsif ($db->getItem ( DATATYPE => "APPROVED_REQUEST", KEY => $key )) { + $dataType = "APPROVED_REQUEST"; + $reqStatus = gettext("Approved Request"); + } elsif ($db->getItem ( DATATYPE => "SIGNED_REQUEST", KEY => $key )) { + $dataType = "SIGNED_REQUEST"; + $reqStatus = gettext("Signed Request Waiting for Additional Signature"); + } elsif ($db->getItem 
( DATATYPE => "DELETED_REQUEST", KEY => $key )) { + $dataType = "DELETED_REQUEST"; + $reqStatus = gettext("Deleted Request"); + } elsif ($db->getItem ( DATATYPE => "RENEW_REQUEST", KEY => $key )) { + $dataType = "RENEW_REQUEST"; + $reqStatus = gettext("Renewal Request Waiting for Approval"); + } elsif ($db->getItem ( DATATYPE => "NEW_REQUEST", KEY => $key )) { + $dataType = "NEW_REQUEST"; + $reqStatus = gettext("New Request Waiting for Approval"); + } elsif ($db->getItem ( DATATYPE => "PENDING_REQUEST", KEY => $key )) { + $dataType = "PENDING_REQUEST"; + $reqStatus = gettext("Waiting for Approval"); + } else { + configError ( gettext("Cannot determine status of this request!")); + } + } else { + configError ( i18nGettext ("Invalid dataType (__DATATYPE__)!", "__DATATYPE__", $dataType)); + } + + my $req = $db->getItem( DATATYPE=>$dataType, KEY=>$key ); + + configError ( i18nGettext ("Request __KEY__ not present in DB or the status of the request was changed!", + "__KEY__", $key) ) if ( not $req ); + + + ## Send out the Email verification Email + if( $verifyEmailAddress =~ /Y/i ) { + libSendEmailVerifyMessage( $key ); + }; + + + return libSendReply ( + "NAME" => i18nGettext ("Email verificattion"), + "EXPLANATION" => i18nGettext ("Verification mail for CSR __CSR_SERIAL__ sent.", + "__CSR_SERIAL__", $req->getSerial()), + "TIMESTAMP" => 0, + ); + $info_list->{HEAD}->[0] = gettext ("Success"); + + $hidden_list->{"cmd"} = "getStaticPage"; + $hidden_list->{"name"} = "homePage"; + + $cmd_panel->[0] = '<input type=submit value="'.gettext ("Continue").'">'; + + + return libSendReply ( + "NAME" => i18nGettext ("Email verification"), + "EXPLANATION" => i18nGettext ( + "Verification mail for CSR __CSR_SERIAL__ sent.", + "__CSR_SERIAL__", $req->getSerial()), + "TIMESTAMP" => 0, + "INFO_LIST" => $info_list, + "HIDDEN_LIST" => $hidden_list, + "CMD_PANEL" => $cmd_panel, + "MENU" => 1, + ); +} + +1; diff -ruN openca-base-1.5.1.orig/src/common/lib/cmds/viewCSR 
openca-base-1.5.1/src/common/lib/cmds/viewCSR --- openca-base-1.5.1.orig/src/common/lib/cmds/viewCSR 2013-08-03 16:56:00.000000000 +0200 +++ openca-base-1.5.1/src/common/lib/cmds/viewCSR 2014-04-02 16:19:51.197714948 +0200 @@ -70,6 +70,8 @@ $reqStatus = gettext("Waiting for Approval"); } elsif ( $dataType eq "NEW_REQUEST" ) { $reqStatus = gettext("New Request Waiting for Approval"); + } elsif ( $dataType eq "TEMPNEW_REQUEST" ) { + $reqStatus = gettext("New Unverified Request Waiting for Approval"); } elsif ( $dataType eq "RENEW_REQUEST" ) { $reqStatus = gettext("Renewal Request Waiting for Approval"); } elsif ( $dataType eq "DELETED_REQUEST" ) { @@ -100,6 +102,9 @@ } elsif ($db->getItem ( DATATYPE => "NEW_REQUEST", KEY => $key )) { $dataType = "NEW_REQUEST"; $reqStatus = gettext("New Request Waiting for Approval"); + } elsif ($db->getItem ( DATATYPE => "TEMPNEW_REQUEST", KEY => $key )) { + $dataType = "TEMPNEW_REQUEST"; + $reqStatus = gettext("New Unverified Request Waiting for Approval"); } elsif ($db->getItem ( DATATYPE => "PENDING_REQUEST", KEY => $key )) { $dataType = "PENDING_REQUEST"; $reqStatus = gettext("Waiting for Approval"); @@ -419,7 +424,7 @@ my $use_cert_serial = getRequired ('SET_CERTIFICATE_SERIAL_IN_DN'); if ( ($use_cert_serial !~ /^(Y|YES|ON)$/i) and ($use_request_serial !~ /^(Y|YES|ON)$/i) and - ($dataType =~ /^(NEW|PENDING|SIGNED|APPROVED)_REQUEST$/i) ) { + ($dataType =~ /^(TEMPNEW|NEW|PENDING|SIGNED|APPROVED)_REQUEST$/i) ) { my @list = $db->searchItems( DATATYPE=>"VALID_CERTIFICATE", DN=>$cert_subject); if( $#list > -1 ) { @@ -597,7 +602,7 @@ ## edit CSR if ( $allow->{EDIT} and - ($dataType =~ /(NEW|PENDING|RENEW)/i)) { + ($dataType =~ /(TEMPNEW|NEW|PENDING|RENEW)/i)) { $cmd_list->{BODY}->[$cmd_pos]->[0] = gettext("Edit the request"); $cmd_list->{BODY}->[$cmd_pos]->[1] = '<input type="submit" value="'. gettext("Edit Request"). 
@@ -608,7 +613,7 @@ ## generate key for header csr if ( $allow->{GENERATE_KEY} and ($parsed_req->{HEADER}->{TYPE} =~ /HEADER/i) and - ($dataType =~ /NEW|PENDING/i) + ($dataType =~ /TEMPNEW|NEW|PENDING/i) ) { $cmd_list->{BODY}->[$cmd_pos]->[0] = gettext("Generate private key"); $cmd_list->{BODY}->[$cmd_pos]->[1] = '<input type="button" value="'. @@ -619,14 +624,28 @@ $cmd_pos++; } + ## re-send verification mail + if ( $allow->{SEND_VERIFY_MAIL} and + ($dataType =~ /NEW|PENDING|RENEW/i) + ) { + $cmd_list->{BODY}->[$cmd_pos]->[0] = gettext("Send Verification Mail"); + $cmd_list->{BODY}->[$cmd_pos]->[1] = '<input type="button" value="'. + gettext("Send Verification Mail"). + '" onClick="cmd.value='."'sendVerifyMessage';if (confirm ('". + gettext("Do you want to send another verification mail?"). + "')) {this.form.submit();}\">"; + $cmd_pos++; + } + + ## verify PIN if ( ( $allow->{APPROVE} and ($parsed_req->{HEADER}->{TYPE} !~ /HEADER/i) and - ($dataType =~ /(NEW|PENDING|RENEW|SIGNED)/i) + ($dataType =~ /(TEMPNEW|NEW|PENDING|RENEW|SIGNED)/i) ) or ( $allow->{APPROVE_WITHOUT_SIGNING} and ($parsed_req->{HEADER}->{TYPE} !~ /HEADER/i) and - ($dataType =~ /(NEW|PENDING|RENEW)/i) + ($dataType =~ /(TEMPNEW|NEW|PENDING|RENEW)/i) ) or ( $allow->{RENEW} and ($dataType =~ /(ARCHIVED|DELETED)/i) @@ -644,7 +663,7 @@ ## approve CSR if ( $allow->{APPROVE} and ($parsed_req->{HEADER}->{TYPE} !~ /HEADER/i) and - ($dataType =~ /(NEW|PENDING|RENEW|SIGNED)/i) + ($dataType =~ /(TEMPNEW|NEW|PENDING|RENEW|SIGNED)/i) ) { $cmd_list->{BODY}->[$cmd_pos]->[0] = gettext("Approve and sign the request"); $cmd_list->{BODY}->[$cmd_pos]->[1] = '<input type="button" value="'. 
@@ -657,7 +676,7 @@ ## approve CSR without signing if ( $allow->{APPROVE_WITHOUT_SIGNING} and ($parsed_req->{HEADER}->{TYPE} !~ /HEADER/i) and - ($dataType =~ /(NEW|PENDING|RENEW)/i) + ($dataType =~ /(TEMPNEW|NEW|PENDING|RENEW)/i) ) { $cmd_list->{BODY}->[$cmd_pos]->[0] = gettext("Approve Request without Signing"); $cmd_list->{BODY}->[$cmd_pos]->[1] = '<input type="button" value="'. @@ -670,7 +689,7 @@ ## issue certificate if ( ( $allow->{ISSUE_CERT} and - ($dataType =~ /(NEW|PENDING|RENEW|SIGNED|APPROVED)/i) + ($dataType =~ /(TEMPNEW|NEW|PENDING|RENEW|SIGNED|APPROVED)/i) ) or ( $allow->{ISSUE_CERT_NEW} and ($dataType =~ /NEW/i) @@ -697,7 +716,7 @@ ## delete pending or approved CSR if ( ( $allow->{DELETE} and - ($dataType =~ /(NEW|PENDING|RENEW|SIGNED|APPROVED)/i) + ($dataType =~ /(TEMPNEW|NEW|PENDING|RENEW|SIGNED|APPROVED)/i) ) or ( $allow->{DELETE_NEW} and ($dataType =~ /NEW/i) diff -ruN openca-base-1.5.1.orig/src/web-interfaces/ca/ca-menu.xml openca-base-1.5.1/src/web-interfaces/ca/ca-menu.xml --- openca-base-1.5.1.orig/src/web-interfaces/ca/ca-menu.xml 2013-10-17 00:15:23.000000000 +0200 +++ openca-base-1.5.1/src/web-interfaces/ca/ca-menu.xml 2014-04-02 16:19:51.201715029 +0200 @@ -35,6 +35,7 @@ <menu name="CA Operations" img=""> <submenu name="Certification Requests" img=""> <item name="New" img="" lnk="?cmd=listCSR;dataType=NEW_REQUEST" /> + <item name="Unverified" img="" lnk="?cmd=listCSR;dataType=TEMPNEW_REQUEST" /> <item name="Pending" img="" lnk="?cmd=listCSR;dataType=PENDING_REQUEST" /> <item /> <item name="Signing Required" img="" lnk="?cmd=listCSR;dataType=SIGNED_REQUEST"/> diff -ruN openca-base-1.5.1.orig/src/web-interfaces/ca/ca-menu.xml.in openca-base-1.5.1/src/web-interfaces/ca/ca-menu.xml.in --- openca-base-1.5.1.orig/src/web-interfaces/ca/ca-menu.xml.in 2012-04-05 02:17:55.000000000 +0200 +++ openca-base-1.5.1/src/web-interfaces/ca/ca-menu.xml.in 2014-04-02 16:19:51.201715029 +0200 
@@ -35,6 +35,7 @@ <menu name="CA Operations" img=""> <submenu name="Certification Requests" img=""> <item name="New" img="" lnk="?cmd=listCSR;dataType=NEW_REQUEST" /> + <item name="Unverified" img="" lnk="?cmd=listCSR;dataType=TEMPNEW_REQUEST" /> <item name="Pending" img="" lnk="?cmd=listCSR;dataType=PENDING_REQUEST" /> <item /> <item name="Signing Required" img="" lnk="?cmd=listCSR;dataType=SIGNED_REQUEST"/> diff -ruN openca-base-1.5.1.orig/src/web-interfaces/ra/ra.conf.in openca-base-1.5.1/src/web-interfaces/ra/ra.conf.in --- openca-base-1.5.1.orig/src/web-interfaces/ra/ra.conf.in 2012-04-08 02:14:50.000000000 +0200 +++ openca-base-1.5.1/src/web-interfaces/ra/ra.conf.in 2014-04-02 14:33:33.890797592 +0200 @@ -31,10 +31,17 @@ ## "Y" or "1". EnableLogin "N" +## This is used to generate secure tokens for email verification +## purposes +webSecret "@default_web_password@" + ## Allows for automatic Email verification - Usually not used in the ## CA interface (if enabled verify that the CA can send Email messages) verifyEmailAddress "Y" +## Body of the default email for email address verification +verifyemailfile "@lib_prefix@/mails/__LANGUAGE__/verifyMail.msg" + ## The Page body is included to generate the HomePage for the server ## to support internationalization, we look for the file with the ## suffix for the supported language (eg., if the filename is
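Review bot: the new `send verify message` permission in acl.xml is granted to `<role>.*</role>` and `<owner>.*</owner>` for the RA and batch modules, which is broader than the use case in the mail (an RA operator re-sending a mail after correcting an address). Because the command makes the server send mail to whatever address is stored in the request, consider limiting `<role>` to the operator roles that are also allowed to edit the request instead of `.*`, so that a role that can only view requests cannot trigger outbound mail.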
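Review bot: in the listCSR hunk the new `TEMPNEW_REQUEST` branch sets `$name = "New Certificate Signing Requests"`, the same page title the `NEW_REQUEST` branch uses, so the list of unverified requests is indistinguishable from the list of new ones. Use a title that matches the new "Unverified" menu entry and the status string added to viewCSR, e.g. `$name = "New Unverified Certificate Signing Requests";`. The doubled `;;` after `gettext ("Sel")` is copied from the neighbouring branches and is harmless, but worth dropping while the line is being touched.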
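Review bot: the new sendVerifyMessage command rejects exactly the request type the feature exists for. Its `if`/`elsif` chain has no `TEMPNEW_REQUEST` case and the `REQUEST` auto-detection never probes `TEMPNEW_REQUEST`, so `dataType=TEMPNEW_REQUEST` falls through to `configError ( i18nGettext ("Invalid dataType (__DATATYPE__)!", ...))`, while the button added to viewCSR is shown whenever `$dataType =~ /NEW|PENDING|RENEW/i`, which `TEMPNEW_REQUEST` matches; the operator therefore gets a button that always fails on unverified requests. Add `} elsif ( $dataType eq "TEMPNEW_REQUEST" ) { $reqStatus = gettext("New Unverified Request Waiting for Approval");` plus the matching `getItem` probe, as the viewCSR hunks already do. Two further problems in the same file: the first `return libSendReply ( "NAME" => i18nGettext ("Email verificattion"), ...)` returns before `$info_list`, `$hidden_list` and `$cmd_panel` are built, so the second, complete `libSendReply` call with `"MENU" => 1` is dead code and the live reply carries the "verificattion" typo; delete the first `return`. And the reply text "Verification mail for CSR __CSR_SERIAL__ sent." is emitted unconditionally: when `verifyEmailAddress` is not Y the `libSendEmailVerifyMessage( $key )` call is skipped, and its return value is never checked, so a skipped or failed send is reported as success. Either fail early with `configError` when `$verifyEmailAddress !~ /Y/i`, or report the outcome of the call.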
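Review bot: in the viewCSR hunk that adds the "Send Verification Mail" button, the guard `$allow->{SEND_VERIFY_MAIL}` is read but nothing in this patch assigns it. The other keys tested here (`$allow->{EDIT}`, `$allow->{GENERATE_KEY}`, `$allow->{APPROVE}`) are populated earlier in viewCSR from the RBAC permission checks, and the new `send verify message` operation needs the same wiring, otherwise the button is never rendered. The `onClick` string follows the pattern of the surrounding buttons, so no concern there.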
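Review bot: the `TEMPNEW` insertions in the viewCSR hunks for edit (`-597`), generate key (`-608`), verify PIN (`-619`), approve (`-644`), approve without signing (`-657`), issue (`-670`) and delete (`-697`) are no-ops: those patterns are unanchored, so `/(NEW|PENDING|RENEW)/i` already matches `TEMPNEW_REQUEST` through the substring `NEW`, and so do the untouched `/NEW/i` patterns in the `ISSUE_CERT_NEW` and `DELETE_NEW` branches. Only the anchored pattern at `-419`, `^(TEMPNEW|NEW|PENDING|SIGNED|APPROVED)_REQUEST$`, genuinely needs the change. The consequence deserves a sentence in the change description: once TEMPNEW requests are listable, every role holding `APPROVE`, `ISSUE_CERT` or `ISSUE_CERT_NEW` can sign a request whose email address was never verified, so email verification becomes a step the operator may bypass rather than a hard gate. If that is not intended, the approve/issue regexes should be anchored and exclude `TEMPNEW_REQUEST`.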
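Review bot: `webSecret "@default_web_password@"` in ra.conf.in derives the secret that, per its own comment, "is used to generate secure tokens for email verification" from the installation's default web password rather than from a dedicated random value. Whoever knows that configure-time default (and default passwords are frequently left unchanged) can in principle compute the tokens and have an arbitrary address accepted as verified, which undermines the very check this patch makes operators rely on. Introduce a separate configure variable for `webSecret`, generate it randomly at install time, and state in the comment that it must be unique per deployment. The added `verifyemailfile "@lib_prefix@/mails/__LANGUAGE__/verifyMail.msg"` line is fine, assuming the `__LANGUAGE__` placeholder is expanded the same way as for the other mail templates.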
_______________________________________________ OpenCA-Devel mailing list OpenCA-Devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openca-devel