Add CRL support

pull/1/head
Timothy Pearson 9 years ago
parent 3ca881c599
commit c14f2f4613

@ -1,5 +1,5 @@
/***************************************************************************
* Copyright (C) 2013 by Timothy Pearson *
* Copyright (C) 2013 - 2015 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
@ -48,7 +48,12 @@
static const char description[] =
I18N_NOOP("TDE utility for updating realm certificates");
static const char version[] = "v0.0.1";
static const char version[] = "v0.0.2";
static TDECmdLineOptions options[] = {
{ "immediate", I18N_NOOP("Force immediate update"), 0 },
TDECmdLineLastOption
};
bool received_sighup = false;
@ -78,8 +83,8 @@ int get_certificate_from_server(TQString certificateName, TQString certificateFi
credentials->username = "";
credentials->password = "";
credentials->realm = realmcfg.name.upper();
credentials->use_tls = false;
LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldap://%1").arg(realmcfg.admin_server).ascii(), credentials);
credentials->use_tls = true;
LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldaps://%1").arg(realmcfg.admin_server).ascii(), credentials);
// Add the domain-wide computer local admin group to local sudoers
ldap_mgr->writeSudoersConfFile(&errorstring);
@ -125,15 +130,18 @@ int main(int argc, char *argv[])
// Initialize TDE application libraries
TDEAboutData aboutData( "tdeldapcertupdater", I18N_NOOP("Realm Certificate Updater"),
version, description, TDEAboutData::License_GPL,
"(c) 2013, Timothy Pearson");
"(c) 2013 - 2015, Timothy Pearson");
aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
TDECmdLineArgs::init( argc, argv, &aboutData );
TDECmdLineArgs::addCmdLineOptions(options);
TDEApplication::disableAutoDcopRegistration();
TDEApplication app(false, false);
TDEStartupInfo::appStarted();
bool immediate = TDECmdLineArgs::parsedArgs()->isSet("immediate");
//======================================================================================================================================================
//
// Updater code follows
@ -155,6 +163,7 @@ int main(int argc, char *argv[])
for (it = realms.begin(); it != realms.end(); ++it) {
LDAPRealmConfig realmcfg = it.data();
TQString certificateFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";
TQString crlFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl";
TQDateTime certExpiry;
TQDateTime soon = now.addDays(7); // Keep in sync with src/ldapcontroller.cpp
@ -164,7 +173,7 @@ int main(int argc, char *argv[])
if (certExpiry >= now) {
printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
allDownloadsOK = false;
}
@ -180,7 +189,30 @@ int main(int argc, char *argv[])
allDownloadsOK = false;
}
}
if (TQFile::exists(crlFileName)) {
certExpiry = LDAPManager::getCertificateExpiration(crlFileName);
if (certExpiry >= now) {
printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
allDownloadsOK = false;
}
}
if (certExpiry < earliestCertExpiry) {
earliestCertExpiry = certExpiry;
}
}
else {
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
allDownloadsOK = false;
}
}
}
immediate = false;
earliestCertExpiry = earliestCertExpiry.addDays(-7); // Keep in sync with now.addDays above (use negative of value given above)
int secondsToExpiry = now.secsTo(earliestCertExpiry);
@ -204,6 +236,7 @@ int main(int argc, char *argv[])
}
unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
delete systemconfig;
//======================================================================================================================================================
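Review bot: In the CRL branch (the `if (TQFile::exists(crlFileName))` block of the `@ -180,7 +189,30 @@` hunk), the CRL's validity is read with `LDAPManager::getCertificateExpiration(crlFileName)`, a certificate helper, and then judged against the same seven-day `soon` window as the root certificate; unless that helper also understands a CRL's nextUpdate, it may hand back an invalid TQDateTime, which compares as earlier than `now`, triggers a refetch on every pass and drags `earliestCertExpiry` (and so `secondsToExpiry`) below zero. Even with a correct parse, CRLs are commonly issued with a nextUpdate much shorter than a certificate's lifetime, so a CRL valid for under seven days would be refetched and become the "earliest expiry" on every loop; whether the sleep logic after `secondsToExpiry` copes with a negative value is not visible here. I would add a guard before the comparisons, `if (!certExpiry.isValid()) { printf("[WARN] Unable to determine validity of CRL %s\n", crlFileName.ascii()); fflush(stdout); }`, and a comment on `crlFileName` noting that the 7-day window is shared with certificates and may be too coarse for CRLs. Note also that when the refetch fails the stale CRL stays in place with only `allDownloadsOK = false` recorded, so revocation data silently ages out; whether consumers of the file treat an expired CRL as a hard failure cannot be told from this hunk. The enclosing main() starts before the first hunk and continues past the last one.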

@ -276,6 +276,14 @@ void LDAPConfig::save() {
if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_clientRealmConfig.defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
}
if (ldap_mgr->installCACertificateInHostCAStore(&errorstring) != 0) {
KMessageBox::sorry(this, i18n("<qt><b>Unable to install root CA certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Install Root CA"));
}
// Get and install the CA root CRL from LDAP
if (ldap_mgr->retrieveAndInstallCaCrl(ldap_mgr, &errorstring) != 0) {
KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root CRL for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain CRL"));
}
delete ldap_mgr;
delete credentials;
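Review bot: The new `retrieveAndInstallCaCrl` call runs unconditionally, so a CRL is fetched and installed even when the `getTDECertificate` or `installCACertificateInHostCAStore` call just above has reported failure; a CRL whose issuing CA is not in the host store cannot be verified, and the user has already been shown an error for the CA at that point. I would record the install result and make the CRL step conditional: `bool caInstalled = (ldap_mgr->installCACertificateInHostCAStore(&errorstring) == 0);`, `if (!caInstalled) {` for the existing dialog, and `if (caInstalled && ldap_mgr->retrieveAndInstallCaCrl(ldap_mgr, &errorstring) != 0) {` for the CRL. Passing `ldap_mgr` as an argument to its own member function is also unusual; if the parameter exists for another caller, a one-line comment saying why `this` is not used would help the next reader. Each failure here only raises a dialog and save() carries on, so a realm can end up configured with no revocation data; whether the caller treats that as fatal is not visible. save() starts before this hunk and continues after it.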
