From c64f2d2b15ea42ef4a99f74825c527b253626c72 Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Fri, 4 Sep 2015 07:33:43 +0000
Subject: [PATCH] Update CRL independently of root CA
---
 cert-updater/main.cpp | 47 +++++++++++++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 15 deletions(-)
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 5656a5f..2933ba3 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -155,6 +155,14 @@ int main(int argc, char *argv[])
 			else {
 				if (realmCAMaster == fqdn) {
 					printf("This server is the realm CA master\n"); fflush(stdout);
+
+					TQString realmname = m_defaultRealm.upper();
+					LDAPCredentials* credentials = new LDAPCredentials;
+					credentials->username = "";
+					credentials->password = "";
+					credentials->realm = realmname;
+					LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
 					if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
 						certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
 						if (certExpiry >= now) {
@@ -164,27 +172,13 @@ int main(int argc, char *argv[])
 						printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
 						LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
-						TQString realmname = m_defaultRealm.upper();
-						LDAPCredentials* credentials = new LDAPCredentials;
-						credentials->username = "";
-						credentials->password = "";
-						credentials->realm = realmname;
-						LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
-
 						// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
 						TQString errorstring;
 						if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
 							printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
 						}
-						// CRL
-						if (ldap_mgr->generatePKICRL(m_certconfig.caExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring) != 0) {
-							printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
-						}
-						ca_modified = true;
-
-						delete ldap_mgr;
 					}
 					// Set permissions
@@ -196,6 +190,28 @@ int main(int argc, char *argv[])
 					else {
 						printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
 					}
+
+					// Check CRL expiry
+					TQByteArray certificateContents;
+					if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL) == 0) {
+						certExpiry = LDAPManager::getCertificateExpiration(certificateContents);
+						if (certExpiry >= now) {
+							printf("CRL expires %s\n", certExpiry.toString().ascii()); fflush(stdout);
+						}
+						if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+							printf("Regenerating CRL...\n"); fflush(stdout);
+							LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
+
+							// Upload the new CRL to the LDAP server
+							if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring) != 0) {
+								printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
+							}
+
+							ca_modified = true;
+						}
+					}
+
+					delete ldap_mgr;
 				}
 				else {
 					printf("This server is a realm CA slave\n"); fflush(stdout);
@@ -270,8 +286,9 @@ int main(int argc, char *argv[])
 				}
 			}
-			if (ca_modified)
+			if (ca_modified) {
 				force_update = true;
+			}
 			// Kerberos
 			if (TQFile::exists(kdc_certfile)) {
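Review bot: The CRL branch in the third hunk calls `LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);` right after `printf("Regenerating CRL...\n")`, which regenerates the root CA certificate every time the CRL expires or `force_update` is set — the opposite of what the commit sets out to do, and a CA rotation would likely leave every certificate issued under the previous CA untrusted. That line looks copied from the certificate branch above; only the `generatePKICRL(...)` call belongs here, so drop it. `errorstring` is also used in this block, but the only declaration visible is the `TQString errorstring;` inside the certificate-regeneration `if` of the previous hunk, which is out of scope here unless an outer one exists earlier in main; declare `TQString errorstring;` next to `certificateContents`. When `getTDECertificate(...)` returns non-zero nothing is generated and nothing is logged, so a realm whose CRL was never published stays without one; at minimum add `else { printf("[WARNING] Unable to retrieve CRL from LDAP server!\n"); fflush(stdout); }` so the condition is visible in the log. main() starts before the first hunk and ends after the last.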