fix: add pending code after apply cherry-pick

Reference:

#5626

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>

Author: vitormattos

lib/Handler/CertificateEngine/AEngineHandler.php

@@ -325,20 +325,14 @@ public function getUID(): string {
 		return str_replace(' ', '+', $this->UID);
 	}
 
-	public function expirity(): int {
-		$expirity = $this->appConfig->getValueInt(Application::APP_ID, 'expiry_in_days', 365);
-		if ($expirity < 0) {
-			return 365;
-		}
-		return $expirity;
-	}
-
-	public function isSetupOk(): bool {
-		return strlen($this->appConfig->getValueString(Application::APP_ID, 'authkey', '')) > 0;
+	public function getLeafExpiryInDays(): int {
+		$exp = $this->appConfig->getValueInt(Application::APP_ID, 'expiry_in_days', 365);
+		return $exp > 0 ? $exp : 365;
 	}
 
-	public function configureCheck(): array {
-		throw new \Exception('Necessary to implement configureCheck method');
+	public function getCaExpiryInDays(): int {
+		$exp = $this->appConfig->getValueInt(Application::APP_ID, 'ca_expiry_in_days', 3650); // 10 years
+		return $exp > 0 ? $exp : 3650;
 	}
 
 	private function getCertificatePolicy(): array {
@@ -354,6 +348,136 @@ private function getCertificatePolicy(): array {
 		return $return;
 	}
 
+	abstract protected function getConfigureCheckResourceName(): string;
+
+	abstract protected function getCertificateRegenerationTip(): string;
+
+	abstract protected function getEngineSpecificChecks(): array;
+
+	abstract protected function getSetupSuccessMessage(): string;
+
+	abstract protected function getSetupErrorMessage(): string;
+
+	abstract protected function getSetupErrorTip(): string;
+
+	public function configureCheck(): array {
+		$checks = $this->getEngineSpecificChecks();
+
+		if (!$this->isSetupOk()) {
+			return array_merge($checks, [
+				(new ConfigureCheckHelper())
+					->setErrorMessage($this->getSetupErrorMessage())
+					->setResource($this->getConfigureCheckResourceName())
+					->setTip($this->getSetupErrorTip())
+			]);
+		}
+
+		$checks[] = (new ConfigureCheckHelper())
+			->setSuccessMessage($this->getSetupSuccessMessage())
+			->setResource($this->getConfigureCheckResourceName());
+
+		$modernFeaturesCheck = $this->checkRootCertificateModernFeatures();
+		if ($modernFeaturesCheck) {
+			$checks[] = $modernFeaturesCheck;
+		}
+
+		return $checks;
+	}
+
+	protected function checkRootCertificateModernFeatures(): ?ConfigureCheckHelper {
+		$configPath = $this->getConfigPath();
+		$caCertPath = $configPath . DIRECTORY_SEPARATOR . 'ca.pem';
+
+		try {
+			$certContent = file_get_contents($caCertPath);
+			if (!$certContent) {
+				return (new ConfigureCheckHelper())
+					->setErrorMessage('Failed to read root certificate file')
+					->setResource($this->getConfigureCheckResourceName())
+					->setTip('Check file permissions and disk space');
+			}
+
+			$x509Resource = openssl_x509_read($certContent);
+			if (!$x509Resource) {
+				return (new ConfigureCheckHelper())
+					->setErrorMessage('Failed to parse root certificate')
+					->setResource($this->getConfigureCheckResourceName())
+					->setTip('Root certificate file may be corrupted or invalid');
+			}
+
+			$parsed = openssl_x509_parse($x509Resource);
+			if (!$parsed) {
+				return (new ConfigureCheckHelper())
+					->setErrorMessage('Failed to extract root certificate information')
+					->setResource($this->getConfigureCheckResourceName())
+					->setTip('Root certificate may be in an unsupported format');
+			}
+
+			$criticalIssues = [];
+			$minorIssues = [];
+
+			if (isset($parsed['serialNumber'])) {
+				$serialNumber = $parsed['serialNumber'];
+				$serialDecimal = hexdec($serialNumber);
+				if ($serialDecimal <= 1) {
+					$minorIssues[] = 'Serial number is simple (zero or one)';
+				}
+			} else {
+				$criticalIssues[] = 'Serial number is missing';
+			}
+
+			$missingExtensions = [];
+			if (!isset($parsed['extensions']['subjectKeyIdentifier'])) {
+				$missingExtensions[] = 'Subject Key Identifier (SKI)';
+			}
+
+			$isSelfSigned = (isset($parsed['issuer']) && isset($parsed['subject'])
+							&& $parsed['issuer'] === $parsed['subject']);
+
+			/**
+			 * @todo workarround for missing AKI at certificates generated by CFSSL.
+			 *
+			 * CFSSL does not add Authority Key Identifier (AKI) to self-signed root certificates.
+			 */
+			if (!$isSelfSigned && !isset($parsed['extensions']['authorityKeyIdentifier'])) {
+				$missingExtensions[] = 'Authority Key Identifier (AKI)';
+			}
+
+			if (!isset($parsed['extensions']['crlDistributionPoints'])) {
+				$missingExtensions[] = 'CRL Distribution Points';
+			}
+
+			if (!empty($missingExtensions)) {
+				$extensionsList = implode(', ', $missingExtensions);
+				$minorIssues[] = "Missing modern extensions: {$extensionsList}";
+			}
+
+			if (!empty($criticalIssues)) {
+				$issuesList = implode(', ', $criticalIssues);
+				return (new ConfigureCheckHelper())
+					->setErrorMessage("Root certificate has critical issues: {$issuesList}")
+					->setResource($this->getConfigureCheckResourceName())
+					->setTip($this->getCertificateRegenerationTip());
+			}
+
+			if (!empty($minorIssues)) {
+				$issuesList = implode(', ', $minorIssues);
+				return (new ConfigureCheckHelper())
+					->setInfoMessage("Root certificate could benefit from modern features: {$issuesList}")
+					->setResource($this->getConfigureCheckResourceName())
+					->setTip($this->getCertificateRegenerationTip() . ' (recommended but not required)');
+			}
+
+			return null;
+
+		} catch (\Exception $e) {
+			return (new ConfigureCheckHelper())
+				->setErrorMessage('Failed to analyze root certificate: ' . $e->getMessage())
+				->setResource($this->getConfigureCheckResourceName())
+				->setTip('Check if the root certificate file is valid');
+		}
+	}
+
 	public function toArray(): array {
 		$return = [
 			'configPath' => $this->getConfigPath(),

lib/Handler/CertificateEngine/CfsslHandler.php

@@ -109,24 +109,28 @@ public function isSetupOk(): bool {
 		return false;
 	}
 
-	public function configureCheck(): array {
-		$return = $this->checkBinaries();
-		$configPath = $this->getConfigPath();
-		if (is_dir($configPath)) {
-			return array_merge(
-				$return,
-				[(new ConfigureCheckHelper())
-					->setSuccessMessage('Root certificate config files found.')
-					->setResource('cfssl-configure')]
-			);
-		}
-		return array_merge(
-			$return,
-			[(new ConfigureCheckHelper())
-				->setErrorMessage('CFSSL (root certificate) not configured.')
-				->setResource('cfssl-configure')
-				->setTip('Run occ libresign:configure:cfssl --help')]
-		);
+	protected function getConfigureCheckResourceName(): string {
+		return 'cfssl-configure';
+	}
+
+	protected function getCertificateRegenerationTip(): string {
+		return 'Consider regenerating the root certificate with: occ libresign:configure:cfssl --cn="Your CA Name"';
+	}
+
+	protected function getEngineSpecificChecks(): array {
+		return $this->checkBinaries();
+	}
+
+	protected function getSetupSuccessMessage(): string {
+		return 'Root certificate config files found.';
+	}
+
+	protected function getSetupErrorMessage(): string {
+		return 'CFSSL (root certificate) not configured.';
+	}
+
+	protected function getSetupErrorTip(): string {
+		return 'Run occ libresign:configure:cfssl --help';
 	}
 
 	public function toArray(): array {
@@ -447,7 +451,6 @@ private function checkBinaries(): array {
 		return $return;
 	}
 
-	#[\Override]
 	public function generateCrlDer(array $revokedCertificates): string {
 		try {
 			$queryParams = [];

lib/Handler/CertificateEngine/NoneHandler.php

@@ -9,6 +9,30 @@
 namespace OCA\Libresign\Handler\CertificateEngine;
 
 class NoneHandler extends AEngineHandler implements IEngineHandler {
+	protected function getConfigureCheckResourceName(): string {
+		return 'none-configure';
+	}
+
+	protected function getCertificateRegenerationTip(): string {
+		return 'Switch to a proper certificate engine: occ libresign:configure:openssl or occ libresign:configure:cfssl';
+	}
+
+	protected function getEngineSpecificChecks(): array {
+		return [];
+	}
+
+	protected function getSetupSuccessMessage(): string {
+		return 'None handler is active (no certificates required).';
+	}
+
+	protected function getSetupErrorMessage(): string {
+		return 'None handler configuration error.';
+	}
+
+	protected function getSetupErrorTip(): string {
+		return 'Switch to a proper certificate engine: occ libresign:configure:openssl or occ libresign:configure:cfssl';
+	}
+
 	public function generateRootCert(
 		string $commonName,
 		array $names = [],
@@ -23,11 +47,6 @@ public function isSetupOk(): bool {
 		return true;
 	}
 
-	public function configureCheck(): array {
-		return [];
-	}
-
-	#[\Override]
 	public function generateCrlDer(array $revokedCertificates): string {
 		throw new \RuntimeException('CRL generation is not supported by None handler');
 	}

lib/Handler/CertificateEngine/OpenSslHandler.php

@@ -331,16 +331,28 @@ public function isSetupOk(): bool {
 		return $certificate && $privateKey;
 	}
 
-	public function configureCheck(): array {
-		if ($this->isSetupOk()) {
-			return [(new ConfigureCheckHelper())
-				->setSuccessMessage('Root certificate setup is working fine.')
-				->setResource('openssl-configure')];
-		}
-		return [(new ConfigureCheckHelper())
-			->setErrorMessage('OpenSSL (root certificate) not configured.')
-			->setResource('openssl-configure')
-			->setTip('Run occ libresign:configure:openssl --help')];
+	protected function getConfigureCheckResourceName(): string {
+		return 'openssl-configure';
+	}
+
+	protected function getCertificateRegenerationTip(): string {
+		return 'Consider regenerating the root certificate with: occ libresign:configure:openssl --cn="Your CA Name"';
+	}
+
+	protected function getEngineSpecificChecks(): array {
+		return [];
+	}
+
+	protected function getSetupSuccessMessage(): string {
+		return 'Root certificate setup is working fine.';
+	}
+
+	protected function getSetupErrorMessage(): string {
+		return 'OpenSSL (root certificate) not configured.';
+	}
+
+	protected function getSetupErrorTip(): string {
+		return 'Run occ libresign:configure:openssl --help';
 	}
 
 	#[\Override]