From c14f2f4613cc75a6dd5ec0d1eebff9c855e40c46 Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Thu, 3 Sep 2015 15:09:38 -0500
Subject: [PATCH] Add CRL support
---
 cert-updater/main.cpp | 45 +++++++++++++++++++++++++++++++++++++------
 src/ldapbonding.cpp | 8 ++++++++
 2 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 8c96f2e..78ad0dc 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -1,5 +1,5 @@
 /***************************************************************************
- * Copyright (C) 2013 by Timothy Pearson *
+ * Copyright (C) 2013 - 2015 by Timothy Pearson *
 * kb9vqf@pearsoncomputing.net * * * * This program is free software; you can redistribute it and/or modify *
@@ -48,7 +48,12 @@ static const char description[] = I18N_NOOP("TDE utility for updating realm certificates");
-static const char version[] = "v0.0.1";
+static const char version[] = "v0.0.2";
+
+static TDECmdLineOptions options[] = {
+ { "immediate", I18N_NOOP("Force immediate update"), 0 },
+ TDECmdLineLastOption
+};
 bool received_sighup = false;
@@ -78,8 +83,8 @@ int get_certificate_from_server(TQString certificateName, TQString certificateFi
 credentials->username = "";
 credentials->password = "";
 credentials->realm = realmcfg.name.upper();
- credentials->use_tls = false;
- LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldap://%1").arg(realmcfg.admin_server).ascii(), credentials);
+ credentials->use_tls = true;
+ LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldaps://%1").arg(realmcfg.admin_server).ascii(), credentials);
 // Add the domain-wide computer local admin group to local sudoers
 ldap_mgr->writeSudoersConfFile(&errorstring);
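Review bot: `credentials->use_tls = true;` is now set together with an `ldaps://` URL on the next line, and if LDAPManager interprets use_tls as a StartTLS request on top of the already TLS-wrapped ldaps session, the bind will fail against servers that reject TLS-on-TLS; confirm which of the two LDAPManager implements and keep only one. Worth a comment here as well: the trust anchor for this TLS connection is the very root certificate the function fetches, so the first run and the expired-certificate branch in main() depend on how LDAPManager verifies the peer when the local copy is missing or stale — something like `// ldaps:// is verified against the currently installed realm CA; bootstrap and post-expiry renewal depend on LDAPManager's verification policy — confirm` would save the next reader that investigation. The body of get_certificate_from_server continues outside the hunk.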
@@ -125,15 +130,18 @@ int main(int argc, char *argv[])
 // Initialize TDE application libraries
 TDEAboutData aboutData( "tdeldapcertupdater", I18N_NOOP("Realm Certificate Updater"), version, description, TDEAboutData::License_GPL,
- "(c) 2013, Timothy Pearson");
+ "(c) 2013 - 2015, Timothy Pearson");
 aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
 TDECmdLineArgs::init( argc, argv, &aboutData );
+ TDECmdLineArgs::addCmdLineOptions(options);
 TDEApplication::disableAutoDcopRegistration();
 TDEApplication app(false, false);
 TDEStartupInfo::appStarted();
+ bool immediate = TDECmdLineArgs::parsedArgs()->isSet("immediate");
+
 //====================================================================================================================================================== // // Updater code follows
@@ -155,6 +163,7 @@ int main(int argc, char *argv[])
 for (it = realms.begin(); it != realms.end(); ++it) {
 LDAPRealmConfig realmcfg = it.data();
 TQString certificateFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";
+ TQString crlFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl";
 TQDateTime certExpiry;
 TQDateTime soon = now.addDays(7); // Keep in sync with src/ldapcontroller.cpp
@@ -164,7 +173,7 @@ int main(int argc, char *argv[])
 if (certExpiry >= now) {
 printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 }
- if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
 if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
 allDownloadsOK = false;
 }
@@ -180,7 +189,30 @@ int main(int argc, char *argv[])
 allDownloadsOK = false;
 }
 }
+
+ if (TQFile::exists(crlFileName)) {
+ certExpiry = LDAPManager::getCertificateExpiration(crlFileName);
+ if (certExpiry >= now) {
+ printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+ }
+ if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ allDownloadsOK = false;
+ }
+ }
+ if (certExpiry < earliestCertExpiry) {
+ earliestCertExpiry = certExpiry;
+ }
+ }
+ else {
+ mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ allDownloadsOK = false;
+ }
+ }
 }
+ immediate = false;
 earliestCertExpiry = earliestCertExpiry.addDays(-7); // Keep in sync with now.addDays above (use negative of value given above)
 int secondsToExpiry = now.secsTo(earliestCertExpiry);
@@ -204,6 +236,7 @@ int main(int argc, char *argv[])
 }
 unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+ delete systemconfig;
 //======================================================================================================================================================
diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp
index 85e1061..bf20050 100644
--- a/src/ldapbonding.cpp
+++ b/src/ldapbonding.cpp
@@ -276,6 +276,14 @@ void LDAPConfig::save() {
 if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_clientRealmConfig.defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
 KMessageBox::sorry(this, i18n("Unable to obtain root certificate for realm %1!
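Review bot: `certExpiry = LDAPManager::getCertificateExpiration(crlFileName);` feeds a CRL file to a helper named for certificate expiry; a CRL carries a nextUpdate field rather than a notAfter, so unless that helper already parses CRLs (not visible here) it is likely to hand back an invalid TQDateTime, which the comparisons below would treat as already expired and which `if (certExpiry < earliestCertExpiry)` can then copy into earliestCertExpiry, making `now.secsTo(earliestCertExpiry)` and the sleep interval derived from it unreliable. A guard such as `if (certExpiry.isValid() && (certExpiry < earliestCertExpiry)) {` together with a `[WARNING]` printf for the invalid case keeps a parse failure from silently changing the schedule while still forcing a re-download. The two mkdir calls in the else branch ignore their return values, so a failed directory creation only surfaces later as a download error; checking them (or at least logging errno) would make the failure attributable. main() begins and ends outside the hunk.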

Details: %2").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
 }
+ if (ldap_mgr->installCACertificateInHostCAStore(&errorstring) != 0) {
+ KMessageBox::sorry(this, i18n("Unable to install root CA certificate for realm %1!

Details: %2").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Install Root CA"));
+ }
+
+ // Get and install the CA root CRL from LDAP
+ if (ldap_mgr->retrieveAndInstallCaCrl(ldap_mgr, &errorstring) != 0) {
+ KMessageBox::sorry(this, i18n("Unable to obtain root CRL for realm %1!

Details: %2").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain CRL"));
+ }
 delete ldap_mgr;
 delete credentials;
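Review bot: `ldap_mgr->retrieveAndInstallCaCrl(ldap_mgr, &errorstring)` passes the manager to its own member function, which reads like a leftover from a static helper; if the method can use `this`, `ldap_mgr->retrieveAndInstallCaCrl(&errorstring)` is the clearer call, and if the parameter is genuinely a different manager a comment naming which one belongs here would help. The three steps also run unconditionally in sequence, so installCACertificateInHostCAStore is attempted even after getTDECertificate reported failure — presumably it then installs whatever file already exists on disk; if that is not intended, the two added calls belong inside the success path of the first check rather than after it. LDAPConfig::save() begins and ends outside the hunk.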