1package OpenXPKI::Server::Workflow::Condition::KeyParams;
2
3use strict;
4use warnings;
5use base qw( OpenXPKI::Server::Workflow::Condition );
6use Workflow::Exception qw( condition_error configuration_error );
7use OpenXPKI::Server::Context qw( CTX );
8use OpenXPKI::DateTime;
9use OpenXPKI::Debug;
10use Data::Dumper;
11use English;
12
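# Check the key algorithm and the key parameters against a ruleset.
#
# All inputs are read from the condition configuration via $self->param():
#   key_alg      - name of the key algorithm (mandatory)
#   key_params   - hashref holding the key parameters to validate (mandatory)
#   key_rules    - optional ruleset with the algorithm names on the first level
#   cert_profile - profile name, used to load the rules if key_rules is not set
#
# Returns 1 if the algorithm is allowed and validate_ruleset() reports no
# offending parameters. Calls configuration_error() if mandatory parameters
# are missing and condition_error() if the algorithm or a parameter is
# rejected.
sub _evaluate
{
    ##! 64: 'start'
    my ( $self, $wf ) = @_;

    my $key_alg = $self->param('key_alg');
    my $key_params = $self->param('key_params');
    my $cert_profile = $self->param('cert_profile');
    my $key_rules = $self->param('key_rules');

    if (!$key_alg || !$key_params || ref $key_params ne 'HASH') {
        configuration_error('Key algorithm and/or key parameter not found!');
    }

    ##! 16: "Alg: $key_alg"
    ##! 16: 'Params ' . Dumper $key_params

    if ($key_rules) {

        # for explicit key rules we expect the algorithms on the first level
        if (!$key_rules->{$key_alg}) {
            condition_error('Used key algorithm is not allowed');
        }
        $key_rules = $key_rules->{$key_alg};

    } else {

        if (!$cert_profile) {
            configuration_error('You must pass either the profile name or the key_rules directly');
        }

        # get the list of allowed algorithms from the config
        my $algs = CTX('api2')->get_key_algs( profile => $cert_profile, nohide => 1 );

        ##! 32: 'Alg expected ' . Dumper $algs

        # Compare as plain strings. The algorithm name is presumably taken
        # from the request (the documented mapping uses $csr_key_alg), so it
        # must not be interpolated into a pattern: a value holding regex
        # metacharacters could otherwise match an entry it is not equal to.
        if (!grep { $_ eq $key_alg } @{$algs}) {
            ##! 8: "KeyParam validation failed on algo $key_alg"
            CTX('log')->application()->debug("KeyParam validation failed on algo $key_alg");
            condition_error('Used key algorithm is not allowed');
        }

        $key_rules = CTX('api2')->get_key_params( profile => $cert_profile, alg => $key_alg, showall => 1 );

    }

    # The debug statement below used to reference an undeclared $params,
    # which cannot compile under strict once the debug filter turns the
    # line into code; the expected rules live in $key_rules.
    ##! 32: 'Params expected ' . Dumper $key_rules

    my $result = CTX('api2')->validate_ruleset(
        input => $key_params,
        ruleset => $key_rules,
    );

    # a non-empty result is treated as the list of offending parameter names
    if (@{$result}) {
        # one "name: value" entry per failed parameter, separated so that
        # multiple failures stay readable in the log and in the error
        my $err = join ', ',
            map { $_ . ': ' . ( $key_params->{$_} // '?' ) } @{$result};
        CTX('log')->application()->debug("KeyParam validation failed: $err");
        condition_error("Invalid key parameters used: $err");
    }

    ##! 1: 'Validation succeeded'
    CTX('log')->application()->debug("KeyParam validation succeeded");

    return 1;
}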
80
811;
82
83__END__
84
85=head1 NAME
86
87OpenXPKI::Server::Workflow::Condition::KeyParams
88
89=head1 Description
90
91Validate the given key parameters against the definitions read from
92the profile or from the key_rules parameter.
93
94=head1 Configuration
95
96  is_key_param_valid:
97      class: OpenXPKI::Server::Workflow::Condition::KeyParams
98      param:
99       _map_cert_profile: $cert_profile
100       _map_key_params: $csr_key_params
101       _map_key_alg: $csr_key_alg
102
103=head2 Arguments
104
105=over
106
107=item key_alg
108
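The algorithm of the key. If I<key_rules> is given, it must match a key
on the top level of the key_rules; otherwise it must be one of the
algorithms allowed for the certificate profile.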
111
112=item key_params
113
114The parameters of the key to validate as hashref.
115
116=item key_rules
117
Ruleset to validate against. If it is not given, the parameter
I<cert_profile> is mandatory and the rules are read from the profile
definition.
120
121=item cert_profile
122
123Name of the certificate profile, only used if I<key_rules> is not set.
124
125=back
126