|
|
|
|
/***************************************************************************
|
|
|
|
|
* Copyright (C) 2012 - 2015 by Timothy Pearson *
|
|
|
|
|
* kb9vqf@pearsoncomputing.net *
|
|
|
|
|
* *
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify *
|
|
|
|
|
* it under the terms of the GNU General Public License as published by *
|
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or *
|
|
|
|
|
* (at your option) any later version. *
|
|
|
|
|
* *
|
|
|
|
|
* This program is distributed in the hope that it will be useful, *
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
|
|
|
|
* GNU General Public License for more details. *
|
|
|
|
|
* *
|
|
|
|
|
* You should have received a copy of the GNU General Public License *
|
|
|
|
|
* along with this program; if not, write to the *
|
|
|
|
|
* Free Software Foundation, Inc., *
|
|
|
|
|
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
|
|
|
|
|
***************************************************************************/
|
|
|
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#include <netdb.h>
|
|
|
|
|
#include <pwd.h>
|
|
|
|
|
|
|
|
|
|
#include <tdeapplication.h>
|
|
|
|
|
#include <tdestartupinfo.h>
|
|
|
|
|
#include <tdecmdlineargs.h>
|
|
|
|
|
#include <tdeaboutdata.h>
|
|
|
|
|
|
|
|
|
|
#include <ksimpleconfig.h>
|
|
|
|
|
|
|
|
|
|
#include <tqdatetime.h>
|
|
|
|
|
#include <tqfile.h>
|
|
|
|
|
|
|
|
|
|
#include <libtdeldap.h>
|
|
|
|
|
|
|
|
|
|
#ifndef KDE_CONFDIR
|
|
|
|
|
#define KDE_CONFDIR "/etc/trinity"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
static const char description[] =
|
|
|
|
|
I18N_NOOP("TDE utility for updating realm certificates");
|
|
|
|
|
|
|
|
|
|
static const char version[] = "v0.0.1";
|
|
|
|
|
|
|
|
|
|
static const TDECmdLineOptions options[] =
|
|
|
|
|
{
|
|
|
|
|
{ "force", I18N_NOOP("Force certificate update"), 0 },
|
|
|
|
|
TDECmdLineLastOption // End of options.
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
void chown_safe(const char * file, uid_t user, gid_t group) {
|
|
|
|
|
if (chown(file, user, group) < 0) {
|
|
|
|
|
printf("[ERROR] Chown call to '%s' for %d:%d failed!\n\r", file, user, group);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
|
|
|
|
|
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
|
|
|
|
|
TQFile cafile(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
if (cafile.open(IO_ReadOnly)) {
|
|
|
|
|
TQByteArray cafiledata = cafile.readAll();
|
|
|
|
|
if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", errstr) != 0) {
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int main(int argc, char *argv[])
|
|
|
|
|
{
|
|
|
|
|
TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"),
|
|
|
|
|
version, description, TDEAboutData::License_GPL,
|
|
|
|
|
"(c) 2012-2015, Timothy Pearson");
|
|
|
|
|
aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
|
|
|
|
|
TDECmdLineArgs::init( argc, argv, &aboutData );
|
|
|
|
|
TDECmdLineArgs::addCmdLineOptions(options);
|
|
|
|
|
TDEApplication::disableAutoDcopRegistration();
|
|
|
|
|
|
|
|
|
|
TDEApplication app(false, false);
|
|
|
|
|
|
|
|
|
|
TDEStartupInfo::appStarted();
|
|
|
|
|
|
|
|
|
|
TDECmdLineArgs *args = TDECmdLineArgs::parsedArgs();
|
|
|
|
|
|
|
|
|
|
bool force_update = false;
|
|
|
|
|
if (args->isSet("force")) {
|
|
|
|
|
force_update = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool ca_modified = false;
|
|
|
|
|
|
|
|
|
|
//======================================================================================================================================================
|
|
|
|
|
//
|
|
|
|
|
// Updater code follows
|
|
|
|
|
//
|
|
|
|
|
//======================================================================================================================================================
|
|
|
|
|
|
|
|
|
|
// FIXME
|
|
|
|
|
// This assumes Debian!
|
|
|
|
|
TQString m_ldapUserName = "openldap";
|
|
|
|
|
TQString m_ldapGroupName = "openldap";
|
|
|
|
|
|
|
|
|
|
KSimpleConfig* m_systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
|
|
|
|
|
LDAPRealmConfigList m_realmconfig = LDAPManager::readTDERealmList(m_systemconfig, false);
|
|
|
|
|
// Load cert config
|
|
|
|
|
m_systemconfig->setGroup("Certificates");
|
|
|
|
|
LDAPCertConfig m_certconfig;
|
|
|
|
|
m_certconfig.countryName = m_systemconfig->readEntry("countryName");
|
|
|
|
|
m_certconfig.stateOrProvinceName = m_systemconfig->readEntry("stateOrProvinceName");
|
|
|
|
|
m_certconfig.localityName = m_systemconfig->readEntry("localityName");
|
|
|
|
|
m_certconfig.organizationName = m_systemconfig->readEntry("organizationName");
|
|
|
|
|
m_certconfig.orgUnitName = m_systemconfig->readEntry("orgUnitName");
|
|
|
|
|
m_certconfig.commonName = m_systemconfig->readEntry("commonName");
|
|
|
|
|
m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
|
|
|
|
|
// Load other defaults
|
|
|
|
|
m_systemconfig->setGroup(NULL);
|
|
|
|
|
TQString m_defaultRealm = m_systemconfig->readEntry("DefaultRealm");
|
|
|
|
|
|
|
|
|
|
TQDateTime certExpiry;
|
|
|
|
|
TQDateTime now = TQDateTime::currentDateTime();
|
|
|
|
|
TQDateTime soon = now.addDays(7); // Keep in sync with src/ldapcontroller.cpp
|
|
|
|
|
|
|
|
|
|
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
|
|
|
|
|
kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].name.lower());
|
|
|
|
|
TQString ldap_certfile = LDAP_CERT_FILE;
|
|
|
|
|
ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].name.lower());
|
|
|
|
|
|
|
|
|
|
// Certificate Authority
|
|
|
|
|
TQString fqdn = LDAPManager::getMachineFQDN();
|
|
|
|
|
TQString defaultRealm = m_systemconfig->readEntry("DefaultRealm");
|
|
|
|
|
|
|
|
|
|
// Connect to LDAP
|
|
|
|
|
TQString realmname = defaultRealm.upper();
|
|
|
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
|
|
|
credentials->username = "";
|
|
|
|
|
credentials->password = "";
|
|
|
|
|
credentials->realm = realmname;
|
|
|
|
|
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
|
|
|
|
|
TQString errorstring;
|
|
|
|
|
|
|
|
|
|
TQString basedn = ldap_mgr->basedn();
|
|
|
|
|
|
|
|
|
|
// Get certificate settings from LDAP
|
|
|
|
|
TQString realmCAMaster = ldap_mgr->getRealmCAMaster(&errorstring);
|
|
|
|
|
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
delete credentials;
|
|
|
|
|
|
|
|
|
|
if (realmCAMaster == "") {
|
|
|
|
|
printf("[WARNING] Unable to determine the realm CA master! CA will not be updated\n"); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
if (realmCAMaster == fqdn) {
|
|
|
|
|
printf("This server is the realm CA master\n"); fflush(stdout);
|
|
|
|
|
|
|
|
|
|
TQString realmname = m_defaultRealm.upper();
|
|
|
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
|
|
|
credentials->username = "";
|
|
|
|
|
credentials->password = "";
|
|
|
|
|
credentials->realm = realmname;
|
|
|
|
|
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
|
|
|
|
|
|
|
|
|
|
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
|
|
|
|
|
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
if (certExpiry >= now) {
|
|
|
|
|
printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
|
|
|
|
|
printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
|
|
|
|
|
LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
|
|
|
|
|
|
|
|
|
|
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
|
|
|
|
|
TQString errorstring;
|
|
|
|
|
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ca_modified = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set permissions
|
|
|
|
|
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
|
|
|
|
|
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check CRL expiry
|
|
|
|
|
TQByteArray certificateContents;
|
|
|
|
|
if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL) == 0) {
|
|
|
|
|
certExpiry = LDAPManager::getCertificateExpiration(certificateContents);
|
|
|
|
|
if (certExpiry >= now) {
|
|
|
|
|
printf("CRL expires %s\n", certExpiry.toString().ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
|
|
|
|
|
printf("Regenerating CRL...\n"); fflush(stdout);
|
|
|
|
|
LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
|
|
|
|
|
|
|
|
|
|
// Upload the new CRL to the LDAP server
|
|
|
|
|
if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ca_modified = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
printf("This server is a realm CA slave\n"); fflush(stdout);
|
|
|
|
|
|
|
|
|
|
// Connect to LDAP
|
|
|
|
|
TQString realmname = defaultRealm.upper();
|
|
|
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
|
|
|
credentials->username = "cn=admin," + basedn;
|
|
|
|
|
m_systemconfig->setGroup("Replication");
|
|
|
|
|
credentials->password = m_systemconfig->readEntry("Password");
|
|
|
|
|
m_systemconfig->setGroup(NULL);
|
|
|
|
|
credentials->realm = realmname;
|
|
|
|
|
LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials);
|
|
|
|
|
TQString errorstring;
|
|
|
|
|
|
|
|
|
|
if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
delete credentials;
|
|
|
|
|
|
|
|
|
|
TQByteArray originalPemKeyFile;
|
|
|
|
|
TQByteArray originalPemFile;
|
|
|
|
|
TQByteArray newPemKeyFile;
|
|
|
|
|
TQByteArray newPemFile;
|
|
|
|
|
|
|
|
|
|
TQFile* cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE);
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
originalPemKeyFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
originalPemFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp");
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
newPemKeyFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp");
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
newPemFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
|
|
|
|
|
if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) {
|
|
|
|
|
unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
|
|
|
|
|
unlink(KERBEROS_PKI_PEM_FILE ".tmp");
|
|
|
|
|
printf("Certificates have not changed since last update\n");
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
unlink(KERBEROS_PKI_PEMKEY_FILE);
|
|
|
|
|
unlink(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE);
|
|
|
|
|
rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
force_update = true;
|
|
|
|
|
printf("Certificates have changed, forcing certificate regeneration\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set permissions
|
|
|
|
|
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
|
|
|
|
|
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ca_modified) {
|
|
|
|
|
force_update = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Kerberos
|
|
|
|
|
if (TQFile::exists(kdc_certfile)) {
|
|
|
|
|
certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile);
|
|
|
|
|
if (certExpiry >= now) {
|
|
|
|
|
printf("Certificate %s expires %s\n", kdc_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
|
|
|
|
|
printf("Regenerating certificate %s...\n", kdc_certfile.ascii()); fflush(stdout);
|
|
|
|
|
LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
printf("[WARNING] Certificate file %s not found!\n", kdc_certfile.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// LDAP
|
|
|
|
|
if (TQFile::exists(ldap_certfile)) {
|
|
|
|
|
certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile);
|
|
|
|
|
if (certExpiry >= now) {
|
|
|
|
|
printf("Certificate %s expires %s\n", ldap_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
|
|
|
|
|
printf("Regenerating certificate %s...\n", ldap_certfile.ascii()); fflush(stdout);
|
|
|
|
|
uid_t slapd_uid = 0;
|
|
|
|
|
gid_t slapd_gid = 0;
|
|
|
|
|
|
|
|
|
|
// Get LDAP user uid/gid
|
|
|
|
|
struct passwd *pwd;
|
|
|
|
|
pwd = getpwnam(m_ldapUserName.local8Bit());
|
|
|
|
|
slapd_uid = pwd->pw_uid;
|
|
|
|
|
slapd_gid = pwd->pw_gid;
|
|
|
|
|
|
|
|
|
|
LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], slapd_uid, slapd_gid);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
printf("[WARNING] Certificate file %s not found!\n", ldap_certfile.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete m_systemconfig;
|
|
|
|
|
|
|
|
|
|
//======================================================================================================================================================
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
