Add CRL support

cert-updater/main.cpp

@@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2013 by Timothy Pearson                                 *
+ *   Copyright (C) 2013 - 2015 by Timothy Pearson                          *
  *   kb9vqf@pearsoncomputing.net                                           *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -48,7 +48,12 @@
 static const char description[] =
 	I18N_NOOP("TDE utility for updating realm certificates");
 
-static const char version[] = "v0.0.1";
+static const char version[] = "v0.0.2";
+
+static TDECmdLineOptions options[] = {
+	{ "immediate", I18N_NOOP("Force immediate update"), 0 },
+	TDECmdLineLastOption
+};
 
 bool received_sighup = false;
 
@@ -78,8 +83,8 @@ int get_certificate_from_server(TQString certificateName, TQString certificateFi
 	credentials->username = "";
 	credentials->password = "";
 	credentials->realm = realmcfg.name.upper();
-	credentials->use_tls = false;
+	credentials->use_tls = true;
-	LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldap://%1").arg(realmcfg.admin_server).ascii(), credentials);
+	LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldaps://%1").arg(realmcfg.admin_server).ascii(), credentials);
 
 	// Add the domain-wide computer local admin group to local sudoers
 	ldap_mgr->writeSudoersConfFile(&errorstring);
@@ -125,15 +130,18 @@ int main(int argc, char *argv[])
 	// Initialize TDE application libraries
 	TDEAboutData aboutData( "tdeldapcertupdater", I18N_NOOP("Realm Certificate Updater"),
 		version, description, TDEAboutData::License_GPL,
-		"(c) 2013, Timothy Pearson");
+		"(c) 2013 - 2015, Timothy Pearson");
 		aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
 	TDECmdLineArgs::init( argc, argv, &aboutData );
+	TDECmdLineArgs::addCmdLineOptions(options);
 	TDEApplication::disableAutoDcopRegistration();
 
 	TDEApplication app(false, false);
 
 	TDEStartupInfo::appStarted();
 
+	bool immediate = TDECmdLineArgs::parsedArgs()->isSet("immediate");
+
 	//======================================================================================================================================================
 	//
 	// Updater code follows
@@ -155,6 +163,7 @@ int main(int argc, char *argv[])
 		for (it = realms.begin(); it != realms.end(); ++it) {
 			LDAPRealmConfig realmcfg = it.data();
 			TQString certificateFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";
+			TQString crlFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl";
 
 			TQDateTime certExpiry;
 			TQDateTime soon = now.addDays(7);		// Keep in sync with src/ldapcontroller.cpp
@@ -164,7 +173,7 @@ int main(int argc, char *argv[])
 				if (certExpiry >= now) {
 					printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 				}
-				if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+				if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
 					if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
 						allDownloadsOK = false;
 					}
@@ -180,7 +189,30 @@ int main(int argc, char *argv[])
 					allDownloadsOK = false;
 				}
 			}
+
+			if (TQFile::exists(crlFileName)) {
+				certExpiry = LDAPManager::getCertificateExpiration(crlFileName);
+				if (certExpiry >= now) {
+					printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+				}
+				if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+					if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+						allDownloadsOK = false;
+					}
+				}
+				if (certExpiry < earliestCertExpiry) {
+					earliestCertExpiry = certExpiry;
+				}
+			}
+			else {
+				mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+				mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+				if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+					allDownloadsOK = false;
+				}
+			}
 		}
+		immediate = false;
 
 		earliestCertExpiry = earliestCertExpiry.addDays(-7);	// Keep in sync with now.addDays above (use negative of value given above)
 		int secondsToExpiry = now.secsTo(earliestCertExpiry);
@@ -204,6 +236,7 @@ int main(int argc, char *argv[])
 	}
 
 	unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+	delete systemconfig;
 
 	//======================================================================================================================================================
 

src/ldapbonding.cpp

@@ -276,6 +276,14 @@ void LDAPConfig::save() {
 			if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_clientRealmConfig.defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
 				KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
 			}
+			if (ldap_mgr->installCACertificateInHostCAStore(&errorstring) != 0) {
+				KMessageBox::sorry(this, i18n("<qt><b>Unable to install root CA certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Install Root CA"));
+			}
+
+			// Get and install the CA root CRL from LDAP
+			if (ldap_mgr->retrieveAndInstallCaCrl(ldap_mgr, &errorstring) != 0) {
+				KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root CRL for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain CRL"));
+			}
 	
 			delete ldap_mgr;
 			delete credentials;