Merge pull request #5731 from LibreSign/feat/add-multiple-ou

feat: add multiple ou

Author: vitormattos

lib/Command/Configure/Cfssl.php

@@ -28,8 +28,8 @@ protected function configure(): void {
 			->addOption(
 				name: 'ou',
 				shortcut: null,
-				mode: InputOption::VALUE_REQUIRED,
-				description: 'Organization unit'
+				mode: InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY,
+				description: 'Organization unit (can be specified multiple times)'
 			)
 			->addOption(
 				name: 'o',

lib/Command/Configure/OpenSsl.php

@@ -28,8 +28,8 @@ protected function configure(): void {
 			->addOption(
 				name: 'ou',
 				shortcut: null,
-				mode: InputOption::VALUE_REQUIRED,
-				description: 'Organization unit'
+				mode: InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY,
+				description: 'Organization unit (can be specified multiple times)'
 			)
 			->addOption(
 				name: 'o',

lib/Controller/AdminController.php

@@ -69,7 +69,7 @@ public function __construct(
 	/**
 	 * Generate certificate using CFSSL engine
 	 *
-	 * @param array{commonName: string, names: array<string, array{value:string}>} $rootCert fields of root certificate
+	 * @param array{commonName: string, names: array<string, array{value:string|array<string>}>} $rootCert fields of root certificate
 	 * @param string $cfsslUri URI of CFSSL API
 	 * @param string $configPath Path of config files of CFSSL
 	 * @return DataResponse<Http::STATUS_OK, array{data: LibresignEngineHandler}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, array{message: string}, array{}>
@@ -106,7 +106,7 @@ public function generateCertificateCfssl(
 	/**
 	 * Generate certificate using OpenSSL engine
 	 *
-	 * @param array{commonName: string, names: array<string, array{value:string}>} $rootCert fields of root certificate
+	 * @param array{commonName: string, names: array<string, array{value:string|array<string>}>} $rootCert fields of root certificate
 	 * @param string $configPath Path of config files of CFSSL
 	 * @return DataResponse<Http::STATUS_OK, array{data: LibresignEngineHandler}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, array{message: string}, array{}>
 	 *
@@ -145,7 +145,12 @@ private function generateCertificate(
 		if (isset($rootCert['names'])) {
 			$this->validateService->validateNames($rootCert['names']);
 			foreach ($rootCert['names'] as $item) {
-				$names[$item['id']]['value'] = trim((string)$item['value']);
+				if (is_array($item['value'])) {
+					$trimmedValues = array_map('trim', $item['value']);
+					$names[$item['id']]['value'] = array_filter($trimmedValues, fn ($val) => $val !== '');
+				} else {
+					$names[$item['id']]['value'] = trim((string)$item['value']);
+				}
 			}
 		}
 		$this->validateService->validate('CN', $rootCert['commonName']);

lib/Handler/CertificateEngine/AEngineHandler.php

@@ -44,8 +44,8 @@
  * @method string getLocality()
  * @method IEngineHandler setOrganization(string $organization)
  * @method string getOrganization()
- * @method IEngineHandler setOrganizationalUnit(string $organizationalUnit)
- * @method string getOrganizationalUnit()
+ * @method IEngineHandler setOrganizationalUnit(array $organizationalUnit)
+ * @method array getOrganizationalUnit()
  * @method IEngineHandler setUID(string $UID)
  * @method string getName()
  */
@@ -60,7 +60,7 @@ abstract class AEngineHandler implements IEngineHandler {
 	protected string $state = '';
 	protected string $locality = '';
 	protected string $organization = '';
-	protected string $organizationalUnit = '';
+	protected array $organizationalUnit = [];
 	protected string $UID = '';
 	protected string $password = '';
 	protected string $configPath = '';
@@ -140,6 +140,16 @@ private function parseX509(string $x509): array {
 
 		$return = self::convertArrayToUtf8($parsed);
 
+		foreach (['subject', 'issuer'] as $actor) {
+			foreach ($return[$actor] as $part => $value) {
+				if (is_string($value) && str_contains($value, ', ')) {
+					$return[$actor][$part] = explode(', ', $value);
+				} else {
+					$return[$actor][$part] = $value;
+				}
+			}
+		}
+
 		$return['valid_from'] = $this->dateTimeFormatter->formatDateTime($parsed['validFrom_time_t']);
 		$return['valid_to'] = $this->dateTimeFormatter->formatDateTime($parsed['validTo_time_t']);
 		return $return;
@@ -464,6 +474,11 @@ protected function checkRootCertificateModernFeatures(): ?ConfigureCheckHelper {
 				$minorIssues[] = "Missing modern extensions: {$extensionsList}";
 			}
 
+			$hasLibresignCaUuid = $this->validateLibresignCaUuidInCertificate($parsed);
+			if (!$hasLibresignCaUuid) {
+				$minorIssues[] = 'LibreSign CA UUID not found in Organizational Unit';
+			}
+
 			if (!empty($criticalIssues)) {
 				$issuesList = implode(', ', $criticalIssues);
 				return (new ConfigureCheckHelper())
@@ -490,6 +505,45 @@ protected function checkRootCertificateModernFeatures(): ?ConfigureCheckHelper {
 		}
 	}
 
+	private function validateLibresignCaUuidInCertificate(array $parsed): bool {
+		if (!isset($parsed['subject']['OU'])) {
+			return false;
+		}
+
+		$instanceId = $this->getInstanceId();
+		if (empty($instanceId)) {
+			return false;
+		}
+
+		$organizationalUnits = $parsed['subject']['OU'];
+
+		if (is_string($organizationalUnits)) {
+			if (str_contains($organizationalUnits, ', ')) {
+				$organizationalUnits = explode(', ', $organizationalUnits);
+			} else {
+				$organizationalUnits = [$organizationalUnits];
+			}
+		}
+
+		$expectedCaUuid = 'libresign-ca-id:' . $instanceId;
+
+		foreach ($organizationalUnits as $ou) {
+			if (trim($ou) === $expectedCaUuid) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	private function getInstanceId(): string {
+		$instanceId = $this->appConfig->getValueString(Application::APP_ID, 'instance_id', '');
+		if (strlen($instanceId) === 10) {
+			return $instanceId;
+		}
+		return '';
+	}
+
 	#[\Override]
 	public function toArray(): array {
 		$return = [

lib/Handler/CertificateEngine/CfsslHandler.php

@@ -177,6 +177,11 @@ private function newCert(): array {
 		];
 
 		$names = $this->getNames();
+		foreach ($names as $key => $value) {
+			if (!empty($value) && is_array($value)) {
+				$names[$key] = implode(', ', $value);
+			}
+		}
 		if (!empty($names)) {
 			$json['json']['request']['names'][] = $names;
 		}

lib/Handler/CertificateEngine/IEngineHandler.php

@@ -25,8 +25,8 @@
  * @method string getLocality()
  * @method IEngineHandler setOrganization(string $organization)
  * @method string getOrganization()
- * @method IEngineHandler setOrganizationalUnit(string $organizationalUnit)
- * @method string getOrganizationalUnit()
+ * @method IEngineHandler setOrganizationalUnit(array $organizationalUnit)
+ * @method array getOrganizationalUnit()
  * @method IEngineHandler setUID(string $UID)
  * @method string getUID()
  * @method string getName()

lib/Handler/CertificateEngine/OpenSslHandler.php

@@ -316,9 +316,17 @@ private function getCsrNames(): array {
 				$distinguishedNames['UID'] = $value;
 				continue;
 			}
+
 			$longName = $this->translateToLong($name);
 			$longName = lcfirst($longName) . 'Name';
-			$distinguishedNames[$longName] = $value;
+
+			if (is_array($value)) {
+				if (!empty($value)) {
+					$distinguishedNames[$longName] = implode(', ', $value);
+				}
+			} else {
+				$distinguishedNames[$longName] = $value;
+			}
 		}
 		if ($this->getCommonName()) {
 			$distinguishedNames['commonName'] = $this->getCommonName();
@@ -493,6 +501,4 @@ private function createCrlConfig(array $revokedCertificates): string {
 
 		return $configFile;
 	}
-
-
 }

lib/Handler/CfsslServerHandler.php

@@ -83,7 +83,7 @@ private function putCsrServer(
 			$content['crl_url'] = $crlUrl;
 		}
 		foreach ($names as $id => $name) {
-			$content['names'][0][$id] = $name['value'];
+			$content['names'][0][$id] = is_array($name['value']) ? implode(', ', $name['value']) : $name['value'];
 		}
 		($this->getConfigPath)();
 		$response = file_put_contents($this->csrServerFile, json_encode($content));

lib/Handler/SignEngine/Pkcs12Handler.php

@@ -168,7 +168,7 @@ private function extractCertificateChain(string $signature): array {
 					'label' => $this->l10n->t('Signature is valid.'),
 				];
 				if (!$isLibreSignRootCA) {
-					$isLibreSignRootCA = $this->isLibreSignRootCA($pemCertificate);
+					$isLibreSignRootCA = $this->isLibreSignRootCA($pemCertificate, $parsed);
 				}
 				$parsed['isLibreSignRootCA'] = $isLibreSignRootCA;
 				$chain[$index] = $parsed;
@@ -183,14 +183,35 @@ private function extractCertificateChain(string $signature): array {
 		return $chain;
 	}
 
-	private function isLibreSignRootCA(string $certificate): bool {
+	private function isLibreSignRootCA(string $certificate, array $parsed): bool {
 		$rootCertificatePem = $this->getRootCertificatePem();
 		if (empty($rootCertificatePem)) {
 			return false;
 		}
+
 		$rootFingerprint = openssl_x509_fingerprint($rootCertificatePem, 'sha256');
 		$fingerprint = openssl_x509_fingerprint($certificate, 'sha256');
-		return $rootFingerprint === $fingerprint;
+		if ($rootFingerprint === $fingerprint) {
+			return true;
+		}
+
+		return $this->hasLibreSignCaId($parsed);
+	}
+
+	private function hasLibreSignCaId(array $parsed): bool {
+		$instanceId = $this->appConfig->getValueString(Application::APP_ID, 'instance_id', '');
+		if (strlen($instanceId) !== 10 || !isset($parsed['subject']['OU'])) {
+			return false;
+		}
+
+		$expectedCaUuid = 'libresign-ca-id:' . $instanceId;
+		$organizationalUnits = $parsed['subject']['OU'];
+
+		if (is_string($organizationalUnits)) {
+			return str_contains($organizationalUnits, $expectedCaUuid);
+		}
+
+		return in_array($expectedCaUuid, array_map('trim', $organizationalUnits));
 	}
 
 	private function getRootCertificatePem(): string {

lib/Migration/Version13000Date20251031165700.php

@@ -46,6 +46,8 @@ public function changeSchema(IOutput $output, Closure $schemaClosure, array $opt
 			}
 		}
 
+		$this->convertRootCertOuStringToArray();
+
 		if ($schema->hasTable('libresign_crl')) {
 			$crlTable = $schema->getTable('libresign_crl');
 			if (!$crlTable->hasColumn('engine')) {
@@ -54,4 +56,18 @@ public function changeSchema(IOutput $output, Closure $schemaClosure, array $opt
 		}
 		return $schema;
 	}
+
+	private function convertRootCertOuStringToArray(): void {
+		$rootCert = $this->appConfig->getValueArray(Application::APP_ID, 'rootCert');
+		if (!$rootCert || !isset($rootCert['names']['OU']['value'])) {
+			return;
+		}
+
+		$ouValue = $rootCert['names']['OU']['value'];
+
+		if (is_string($ouValue)) {
+			$rootCert['names']['OU']['value'] = [$ouValue];
+			$this->appConfig->setValueArray(Application::APP_ID, 'rootCert', $rootCert);
+		}
+	}
 }