Add additional CRL manipulation methods

src/libtdeldap.cpp

@@ -75,6 +75,11 @@
 #define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
 #define CRON_UPDATE_NSS_COMMAND "/usr/sbin/nss_updatedb ldap"
 
+// FIXME
+// This assumes Debian!
+#define SYSTEM_CA_STORE_CERT_LOCATION "/usr/local/share/ca-certificates/"
+#define SYSTEM_CA_STORE_REGENERATE_COMMAND "update-ca-certificates"
+
 // FIXME
 // This assumes Debian!
 #define CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_OPENLDAP_RELOAD_COMMAND "/etc/init.d/slapd force-reload"
@@ -3887,6 +3892,63 @@ int LDAPManager::writePrimaryRealmCertificateUpdateCronFile(TQString *errstr) {
 	return 0;
 }
 
+int LDAPManager::installCACertificateInHostCAStore(TQString *errstr) {
+	TQString command;
+
+	if (!TQDir(SYSTEM_CA_STORE_CERT_LOCATION "ldap-trinity").exists()) {
+		command = TQString("ln -s %1 %2").arg(KERBEROS_PKI_PUBLICDIR).arg(SYSTEM_CA_STORE_CERT_LOCATION "ldap-trinity");
+		if (system(command) < 0) {
+			if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
+			return -1;
+		}
+
+		if (system(SYSTEM_CA_STORE_REGENERATE_COMMAND) < 0) {
+			if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(SYSTEM_CA_STORE_REGENERATE_COMMAND);
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
+int LDAPManager::retrieveAndInstallCaCrl(LDAPManager* manager, TQString *errstr) {
+	int retcode = 0;
+	LDAPManager* ldap_mgr = manager;
+	KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+	LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false);
+
+	if (!ldap_mgr) {
+		// Get default settings
+		TQString defaultRealm = systemconfig->readEntry("DefaultRealm");
+		if (defaultRealm == "") {
+			delete systemconfig;
+			return 0;
+		}
+
+		// Bind anonymously to LDAP
+		LDAPCredentials* credentials = new LDAPCredentials;
+		credentials->username = "";
+		credentials->password = "";
+		credentials->realm = defaultRealm.upper();
+		credentials->use_tls = true;
+		ldap_mgr = new LDAPManager(defaultRealm.upper(), TQString("ldaps://%1").arg(realms[defaultRealm].admin_server).ascii(), credentials);
+	}
+
+	// Get and install the CA root CRL from LDAP
+	mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+	mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+	if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", KERBEROS_PKI_PUBLICDIR + realms[ldap_mgr->realm()].admin_server + ".ldap.crl", errstr) != 0) {
+		retcode = -1;
+	}
+
+	if (!manager) {
+		delete ldap_mgr;
+	}
+	delete systemconfig;
+
+	return retcode;
+}
+
 LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
 	LDAPRealmConfigList realms;
 
@@ -3917,7 +3979,6 @@ LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool di
 				realmcfg.pkinit_require_krbtgt_otherName = config->readBoolEntry("pkinit_require_krbtgt_otherName");
 				realmcfg.win2k_pkinit = config->readBoolEntry("win2k_pkinit");
 				realmcfg.win2k_pkinit_require_binding = config->readBoolEntry("win2k_pkinit_require_binding");
-				realmcfg.certificate_revocation_list_url = config->readBoolEntry("certificate_revocation_list_url");
 				// Add realm to list
 				realms.insert(realmName, realmcfg);
 			}
@@ -3949,7 +4010,6 @@ int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* co
 		config->writeEntry("pkinit_require_krbtgt_otherName", realmcfg.pkinit_require_krbtgt_otherName);
 		config->writeEntry("win2k_pkinit", realmcfg.win2k_pkinit);
 		config->writeEntry("win2k_pkinit_require_binding", realmcfg.win2k_pkinit_require_binding);
-		config->writeEntry("certificate_revocation_list_url", realmcfg.certificate_revocation_list_url);
 	}
 
 	// Delete any realms that do not exist in the realms database
@@ -3971,18 +4031,28 @@ int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* co
 TQDateTime LDAPManager::getCertificateExpiration(TQByteArray certfileContents) {
 	TQDateTime ret;
 
+	KSSLCertificate* cert = NULL;
 	TQCString ssldata(certfileContents);
 	ssldata[certfileContents.size()] = 0;
+	ssldata.replace("\n", "");
+	if (ssldata.contains("-----BEGIN CERTIFICATE-----")) {
 		ssldata.replace("-----BEGIN CERTIFICATE-----", "");
 		ssldata.replace("-----END CERTIFICATE-----", "");
+		cert = KSSLCertificate::fromString(ssldata);
+		if (cert) {
+			ret = cert->getQDTNotAfter();
+			delete cert;
+		}
+	}
+	else if (ssldata.contains("-----BEGIN X509 CRL-----")) {
 		ssldata.replace("-----BEGIN X509 CRL-----", "");
 		ssldata.replace("-----END X509 CRL-----", "");
-	ssldata.replace("\n", "");
+		cert = KSSLCertificate::crlFromString(ssldata);
-	KSSLCertificate* cert = KSSLCertificate::fromString(ssldata);
 		if (cert) {
-		ret = cert->getQDTNotAfter();
+			ret = cert->getQDTNextUpdate();
 			delete cert;
 		}
+	}
 
 	return ret;
 }
@@ -4133,7 +4203,7 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
 int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) {
 	int ret;
 
-	ret = generateClientCertificatePrivateKey(user, realmcfg, privateKeyFile, errstr);
+	ret = generateClientCertificatePrivateKey(privateKeyFile, errstr);
 	if (ret == 0) {
 		ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, errstr);
 	}
@@ -4141,7 +4211,7 @@ int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user
 	return ret;
 }
 
-int LDAPManager::generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString privateKeyFile, TQString *errstr) {
+int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr) {
 	TQString command;
 	TQString subject;
 
@@ -4150,10 +4220,6 @@ int LDAPManager::generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPReal
 	TQString client_cfgfile = privateKeyFile + ".cfg";
 	unsigned int client_key_bit_length = 2048;
 
-	if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, errstr) != 0) {
-		return -1;
-	}
-
 	// Create private key
 	command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(client_key_bit_length);
 	if (system(command) < 0) {
@@ -4213,7 +4279,7 @@ int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAP
 		if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
 		return -1;
 	}
-	command = TQString("openssl x509 -req -days %1 -in %2 -CAkey %3 -CA %4 -out %5 -extfile %6 -extensions pkinit_client_cert -CAcreateserial").arg(expirydays).arg(client_reqfile).arg(signingPrivateKeyFile).arg(signing_public_certfile).arg(client_certfile).arg(OPENSSL_EXTENSIONS_FILE);
+	command = TQString("openssl x509 -req -days %1 -in %2 -CAkey %3 -CA %4 -out %5 -extfile %6 -extensions pkinit_client_cert -CAcreateserial").arg(expirydays).arg(client_reqfile).arg(signingPrivateKeyFile).arg(signing_public_certfile).arg(client_certfile).arg(client_cfgfile);
 	if (system(command) < 0) {
 		if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
 		return -1;
@@ -4246,15 +4312,15 @@ int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAP
 	return 0;
 }
 
-int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr) {
+int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr) {
 	int retcode;
 	TQString command;
 
 	LDAPUserInfoList userList = this->users(&retcode, errstr);
 	if (retcode == 0) {
 		// Generate base CRL
-		TQString crl_certfile = KERBEROS_PKI_CRL_FILE ".new";
+		TQString crl_certfile = crlFile;
-		TQString revoked_certfile = KERBEROS_PKI_CRL_FILE ".rev";
+		TQString revoked_certfile = crlFile + ".rev";
 
 		// The public certificate location varies based on the machine role
 		// Prefer the bonded realm's certificate if available
@@ -4351,6 +4417,12 @@ int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQStri
 				return -1;
 			}
 		}
+		if (fileExists(revocationDatabaseFile.ascii())) {
+			if (unlink(revocationDatabaseFile.ascii()) < 0) {
+				if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(revocationDatabaseFile);
+				return -1;
+			}
+		}
 	}
 
 	return retcode;
@@ -4619,11 +4691,10 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
 }
 
 int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString *errstr) {
-	TQString crl_url = realmcfg.certificate_revocation_list_url;
+	TQString ca_public_crl_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl";
-	if (crl_url == "") {
+	TQString crl_url;
-		// Use a default to preserve certificate validity
+	
-		// crl_url = TQString("http://%1/%2.crl").arg(realmcfg.name).arg(realmcfg.kdc);
+	crl_url = TQString("URI:file://%1,URI:file://%2").arg(KERBEROS_PKI_CRL_FILE).arg(ca_public_crl_certfile);
-	}
 
 	if (caRootKeyFile == "") {
 		caRootKeyFile = KERBEROS_PKI_PEMKEY_FILE;
@@ -4760,19 +4831,19 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
 		stream << "[usr_cert]" << "\n";
 		stream << "basicConstraints = CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
+		stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "\n";
 		stream << "[usr_cert_ke]" << "\n";
 		stream << "basicConstraints = CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
+		stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "\n";
 		stream << "[proxy_cert]" << "\n";
 		stream << "basicConstraints = CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
+		stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo" << "\n";
 		stream << "\n";
@@ -4792,7 +4863,7 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
 		stream << "[pkinit_client_cert]" << "\n";
 		stream << "basicConstraints = CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
+		stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "authorityKeyIdentifier = keyid,issuer" << "\n";
 		stream << "issuerAltName=issuer:copy" << "\n";
@@ -4801,14 +4872,14 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
 		stream << "[https_cert]" << "\n";
 		stream << "basicConstraints = CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
+		stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 		// stream << "extendedKeyUsage = https-server XXX" << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "\n";
 		stream << "[pkinit_kdc_cert]" << "\n";
 		stream << "basicConstraints = CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
+		stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 		stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "authorityKeyIdentifier = keyid,issuer" << "\n";
@@ -4830,20 +4901,20 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
 		stream << "[proxy10_cert]" << "\n";
 		stream << "basicConstraints = CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
+		stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo" << "\n";
 		stream << "\n";
 		stream << "[usr_cert_ds]" << "\n";
 		stream << "basicConstraints = CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature" << "\n";
-		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
+		stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "\n";
 		stream << "[ocsp_cert]" << "\n";
 		stream << "basicConstraints = CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
+		stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 		// stream << "ocsp-nocheck and kp-OCSPSigning" << "\n";
 		stream << "extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9" << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";

src/libtdeldap.h

@@ -538,6 +538,8 @@ class LDAPManager : public TQObject {
 		int setPasswordForUser(LDAPUserInfo user, TQString *errstr);
 
 		static int writePrimaryRealmCertificateUpdateCronFile(TQString *errstr=0);
+		static int installCACertificateInHostCAStore(TQString *errstr=0);
+		static int retrieveAndInstallCaCrl(LDAPManager* manager=0, TQString *errstr=0);
 		static TQString getMachineFQDN();
 		static int writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr=0);
 		static LDAPRealmConfigList fetchAndReadTDERealmList(TQString *defaultRealm=0);
@@ -550,10 +552,10 @@ class LDAPManager : public TQObject {
 		static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid);
 
 		static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0);
-		static int generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString privateKeyFile, TQString *errstr=0);
+		static int generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr=0);
 		static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0);
 
-		int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0);
+		int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0);
 
 		static TQString ldapdnForRealm(TQString realm);
 		static TQString openssldcForRealm(TQString realm);