Use tdeldap library PKI certificate generation methods

cert-updater/main.cpp

@@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2012 by Timothy Pearson                                 *
+ *   Copyright (C) 2012 - 2015 by Timothy Pearson                          *
  *   kb9vqf@pearsoncomputing.net                                           *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -73,7 +73,7 @@ int main(int argc, char *argv[])
 {
 	TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"),
 		version, description, TDEAboutData::License_GPL,
-		"(c) 2012-2013, Timothy Pearson");
+		"(c) 2012-2015, Timothy Pearson");
 		aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
 	TDECmdLineArgs::init( argc, argv, &aboutData );
 	TDECmdLineArgs::addCmdLineOptions(options);
@@ -160,7 +160,7 @@ int main(int argc, char *argv[])
 				}
 				if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
 					printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
-					LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+					LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
 				
 					TQString realmname = m_defaultRealm.upper();
 					LDAPCredentials* credentials = new LDAPCredentials;

confskel/Makefile.am

@@ -14,6 +14,3 @@ ldapldifskel_DATA = openldap/ldif/*
 
 saslskeldir = $(confskeldir)/sasl
 saslskel_DATA = sasl/*
-
-sslskeldir = $(confskeldir)/openssl
-sslskel_DATA = openssl/*

confskel/openssl/pki_extensions

@@ -1,61 +0,0 @@
-[ kdc_cert ]
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
-
-#Pkinit EKU
-extendedKeyUsage = 1.3.6.1.5.2.3.5
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# Copy subject details
-
-issuerAltName=issuer:copy
-
-# Add id-pkinit-san (pkinit subjectAlternativeName)
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-
-[kdc_princ_name]
-realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
-principal_name = EXP:1, SEQUENCE:kdc_principal_seq
-
-[kdc_principal_seq]
-name_type = EXP:0, INTEGER:1
-name_string = EXP:1, SEQUENCE:kdc_principals
-
-[kdc_principals]
-princ1 = GeneralString:krbtgt
-princ2 = GeneralString:@@@REALM_UCNAME@@@
-
-[ client_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-basicConstraints=CA:FALSE
-
-keyUsage = digitalSignature, keyEncipherment, keyAgreement
-
-extendedKeyUsage =  1.3.6.1.5.2.3.4
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
-
-
-# Copy subject details
-
-issuerAltName=issuer:copy
-
-[princ_name]
-realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
-principal_name = EXP:1, SEQUENCE:principal_seq
-
-[principal_seq]
-name_type = EXP:0, INTEGER:1
-name_string = EXP:1, SEQUENCE:principals
-
-[principals]
-princ1 = GeneralString:@@@KDCSERVER@@@

src/ldapcontroller.cpp

@@ -590,7 +590,7 @@ void LDAPController::btncaSetMaster() {
 			return;
 		}
 
-		LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+		LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
 	
 		// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
 		if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
@@ -604,7 +604,7 @@ void LDAPController::btncaSetMaster() {
 }
 
 void LDAPController::btncaRegenerate() {
-	LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+	LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
 
 	TQString realmname = m_defaultRealm.upper();
 	LDAPCredentials* credentials = new LDAPCredentials;
@@ -1591,7 +1591,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
 	chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
 	chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
 
-	LDAPManager::generatePublicKerberosCACertificate(certinfo);
+	LDAPManager::generatePublicKerberosCACertificate(certinfo, m_realmconfig[m_defaultRealm]);
 
 	// KDC certificate
 	TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
@@ -1807,7 +1807,7 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
 	replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
 
 	// OpenSSL
-	replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
+	LDAPManager::writeOpenSSLConfigurationFile(realmconfig);
 
 	// FIXME
 	// This assumes Debian!