Extend PKCS certificate generation routines

This breaks the ABI
pull/1/head
Timothy Pearson 9 years ago
parent c6eab472be
commit 07d094fd32

@ -4108,6 +4108,7 @@ TQDateTime LDAPManager::getCertificateExpiration(TQByteArray certfileContents) {
KSSLCertificate* cert = NULL; KSSLCertificate* cert = NULL;
TQCString ssldata(certfileContents); TQCString ssldata(certfileContents);
if (certfileContents.size() > 0) {
ssldata[certfileContents.size()] = 0; ssldata[certfileContents.size()] = 0;
ssldata.replace("\n", ""); ssldata.replace("\n", "");
if (ssldata.contains("-----BEGIN CERTIFICATE-----")) { if (ssldata.contains("-----BEGIN CERTIFICATE-----")) {
@ -4128,6 +4129,7 @@ TQDateTime LDAPManager::getCertificateExpiration(TQByteArray certfileContents) {
delete cert; delete cert;
} }
} }
}
return ret; return ret;
} }
@ -4275,28 +4277,27 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
return 0; return 0;
} }
int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) { int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, int clientKeyBitLength, TQString autoLoginPIN, TQString *errstr) {
int ret; int ret;
ret = generateClientCertificatePrivateKey(privateKeyFile, errstr); ret = generateClientCertificatePrivateKey(privateKeyFile, clientKeyBitLength, errstr);
if (ret == 0) { if (ret == 0) {
ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, errstr); ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, autoLoginPIN, errstr);
} }
return ret; return ret;
} }
int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr) { int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, int clientKeyBitLength, TQString *errstr) {
TQString command; TQString command;
TQString subject; TQString subject;
TQString client_keyfile = privateKeyFile; TQString client_keyfile = privateKeyFile;
TQString client_reqfile = privateKeyFile + ".req"; TQString client_reqfile = privateKeyFile + ".req";
TQString client_cfgfile = privateKeyFile + ".cfg"; TQString client_cfgfile = privateKeyFile + ".cfg";
unsigned int client_key_bit_length = 2048;
// Create private key // Create private key
command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(client_key_bit_length); command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(clientKeyBitLength);
if (system(command) < 0) { if (system(command) < 0) {
if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
return -1; return -1;
@ -4323,7 +4324,7 @@ int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, TQ
return 0; return 0;
} }
int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) { int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString autoLoginPIN, TQString *errstr) {
TQString command; TQString command;
TQString subject; TQString subject;
@ -4339,7 +4340,7 @@ int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAP
signing_public_certfile = KERBEROS_PKI_PEM_FILE; signing_public_certfile = KERBEROS_PKI_PEM_FILE;
} }
if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, errstr) != 0) { if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, autoLoginPIN, errstr) != 0) {
return -1; return -1;
} }
@ -4405,7 +4406,7 @@ int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQStri
} }
// Set up OpenSSL environment // Set up OpenSSL environment
if (writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), OPENSSL_EXTENSIONS_FILE, signingPrivateKeyFile, signing_public_certfile, revocationDatabaseFile, errstr) != 0) { if (writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), OPENSSL_EXTENSIONS_FILE, signingPrivateKeyFile, signing_public_certfile, revocationDatabaseFile, TQString::null, errstr) != 0) {
return -1; return -1;
} }
command = TQString("rm -f %1").arg(revocationDatabaseFile); command = TQString("rm -f %1").arg(revocationDatabaseFile);
@ -4867,10 +4868,10 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
} }
int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) { int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) {
return writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE), TQString::null, TQString::null, TQString::null, errstr); return writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE), TQString::null, TQString::null, TQString::null, TQString::null, errstr);
} }
int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString *errstr) { int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString autoLoginPIN, TQString *errstr) {
TQString ca_public_crl_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl"; TQString ca_public_crl_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl";
TQString crl_url; TQString crl_url;
@ -5040,6 +5041,17 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n"; stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n";
stream << "principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq" << "\n"; stream << "principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq" << "\n";
stream << "\n"; stream << "\n";
if (autoLoginPIN != TQString::null) {
stream << "[tde_autopin_login_data]" << "\n";
stream << TQString("realm = EXP:0,GeneralString:%1").arg(autoLoginPIN) << "\n";
stream << "\n";
}
stream << "[pkinit_client_cert_alt_names]" << "\n";
stream << "otherName.1=1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name" << "\n";
if (autoLoginPIN != TQString::null) {
stream << "otherName.2=1.3.6.1.4.1.40364.1.2.1;SEQUENCE:tde_autopin_login_data" << "\n";
}
stream << "\n";
stream << "[pkinit_client_cert]" << "\n"; stream << "[pkinit_client_cert]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
@ -5047,7 +5059,7 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
stream << "subjectKeyIdentifier = hash" << "\n"; stream << "subjectKeyIdentifier = hash" << "\n";
stream << "authorityKeyIdentifier = keyid,issuer" << "\n"; stream << "authorityKeyIdentifier = keyid,issuer" << "\n";
stream << "issuerAltName = issuer:copy" << "\n"; stream << "issuerAltName = issuer:copy" << "\n";
stream << "subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name" << "\n"; stream << "subjectAltName = @pkinit_client_cert_alt_names" << "\n";
stream << "\n"; stream << "\n";
stream << "[https_cert]" << "\n"; stream << "[https_cert]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n";
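Review bot: autoLoginPIN is written verbatim into the generated OpenSSL configuration (the `[tde_autopin_login_data]` block and the `otherName.2` entry in the writeOpenSSLConfigurationFile hunk) with no check on its content, so a value containing a newline or section syntax would rewrite the configuration that the later signing step reads; a guard before the block such as `if (autoLoginPIN.contains('\n') || autoLoginPIN.contains('\r')) { if (errstr) *errstr = "autoLoginPIN contains invalid characters"; return -1; }` keeps it to a single config line. Because that entry becomes part of the certificate's subjectAltName, the PIN ends up in the public certificate file and is readable by anyone who obtains it; if the PIN is meant to stay secret the code needs a comment stating what protects it, and if it is not, a comment saying so stops the next maintainer from assuming otherwise. `autoLoginPIN != TQString::null` is a content comparison that is true for any non-empty string, so `!autoLoginPIN.isEmpty()` states the intent more plainly in both `if` lines. The `realm = EXP:0,GeneralString:%1` label inside `[tde_autopin_login_data]` looks copied from the principal block; as far as I recall OpenSSL ignores the field name inside a SEQUENCE section, but `pin = EXP:0,GeneralString:%1` would read correctly. writeOpenSSLConfigurationFile's body begins and ends outside the hunk.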

@ -554,9 +554,9 @@ class LDAPManager : public TQObject {
static int generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg); static int generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg);
static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid); static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid);
static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0); static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, int clientKeyBitLength=2048, TQString autoLoginPIN=TQString::null, TQString *errstr=0);
static int generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr=0); static int generateClientCertificatePrivateKey(TQString privateKeyFile, int clientKeyBitLength=2048, TQString *errstr=0);
static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0); static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString autoLoginPIN=TQString::null, TQString *errstr=0);
int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0); int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0);
@ -579,7 +579,7 @@ class LDAPManager : public TQObject {
static int writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole machineRole, TQString *errstr=0); static int writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole machineRole, TQString *errstr=0);
static int writeNSSwitchFile(TQString *errstr=0); static int writeNSSwitchFile(TQString *errstr=0);
static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr=0); static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr=0);
static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile=TQString::null, TQString caRootCertFile=TQString::null, TQString caRootDatabaseFile=TQString::null, TQString *errstr=0); static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile=TQString::null, TQString caRootCertFile=TQString::null, TQString caRootDatabaseFile=TQString::null, TQString autoLoginPIN=TQString::null, TQString *errstr=0);
static int writeClientCronFiles(TQString *errstr=0); static int writeClientCronFiles(TQString *errstr=0);
static int rehashClientPKCSCertificates(TQString *errstr=0); static int rehashClientPKCSCertificates(TQString *errstr=0);
static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0); static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0);
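Review bot: The new clientKeyBitLength and autoLoginPIN parameters carry no documentation in the header, and their effect is not obvious from the names: autoLoginPIN, when non-null, is emitted into the issued client certificate's subjectAltName, and clientKeyBitLength is handed straight to `openssl genrsa` with nothing in the visible part of generateClientCertificatePrivateKey rejecting small values. A comment above generateClientCertificatePair should state that clientKeyBitLength is the RSA modulus size passed to genrsa (default 2048) and that autoLoginPIN is embedded in the certificate's subjectAltName as otherName 1.3.6.1.4.1.40364.1.2.1 and is therefore visible to anyone holding the public certificate. Inserting the new defaulted parameters before `errstr` forces every existing positional caller that passed errstr to change; this appears to be caught at compile time, since TQString* converts to neither int nor TQString, but the commit message would benefit from saying so alongside "This breaks the ABI". The same ordering applies to the eight-argument writeOpenSSLConfigurationFile overload.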
