The initializePkiConfigPath method was using a variable named
'instanceId' from getSystemValue('instanceid') which could be confused
with LibreSign's instance_id. Changed to 'systemInstanceId' for clarity
and consistency with getConfigPathByParams method.
This ensures the PKI directories are created in the correct appdata path
using Nextcloud's system instance ID, while the directory name itself
contains LibreSign's CA identifier with its own instance ID.
Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
The CA ID (libresign-ca-id:...) in OrganizationalUnit should only be
filtered out when the certificate is not generated (isSetupOk() returns
false). When the certificate is successfully generated, the CA ID must
be preserved in the API response.
This ensures:
- Generated certificates: CA ID is visible (expected behavior)
- Failed/not generated: CA ID is filtered to prevent stale data in form
Integration tests validated:
- features/account/signature.feature:2 (OpenSSL)
- features/account/signature.feature:23 (CFSSL)
- features/admin/certificate_openssl.feature:2
- features/admin/certificate_openssl.feature:35
Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Filter configPath from API response when certificate is not generated to prevent
form pre-population with outdated generation numbers that cause validation errors.
Filter CA ID (libresign-ca-id:*) from OrganizationalUnit field to prevent users
from submitting stale generation values that conflict with certificate validation.
Refactor toArray() method by extracting logic into dedicated methods:
- getConfigPathForApi(): Returns empty string for non-generated certificates
- removeCaIdFromOrganizationalUnit(): Filters CA IDs from OU arrays
Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Add setEngine() method to IEngineHandler interface and implement
in AEngineHandler to automatically configure identify methods based
on certificate engine selection.
When engine is 'none', only account identification is enabled since
no certificate infrastructure is available for other methods.
Related to #5145
Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
- Return early without throwing exception if ca.pem doesn't exist
- Return early if certificate file is empty
- Only validate when a proper root certificate is actually configured
- Fixes Pkcs7HandlerTest and Pkcs12HandlerTest that run without CA setup
Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
- Return early if configPath is empty (test environments without CA)
- Still throw exception if CA path exists but certificate is missing/empty
- Prevents validation errors in unit tests without breaking production validation
- Fixes Pkcs7HandlerTest and Pkcs12HandlerTest failures
Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
- Add validateRootCertificate() method to check certificate health
- Verify certificate is not revoked via CRL
- Verify certificate has not expired
- Check if renewal is needed based on remaining validity
- Calculate renewal timing: remaining_days <= leaf_expiry_days
- Log warnings when renewal is recommended
- Throw LibresignException with clear messages on critical issues
Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
