Add additional CRL manipulation methods

Timothy Pearson 9 years ago
parent 0fce8b42b6
commit 521c4ed590

@ -75,6 +75,11 @@
#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
#define CRON_UPDATE_NSS_COMMAND "/usr/sbin/nss_updatedb ldap"
// FIXME
// This assumes Debian!
#define SYSTEM_CA_STORE_CERT_LOCATION "/usr/local/share/ca-certificates/"
#define SYSTEM_CA_STORE_REGENERATE_COMMAND "update-ca-certificates"
// FIXME
// This assumes Debian!
#define CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_OPENLDAP_RELOAD_COMMAND "/etc/init.d/slapd force-reload"
@ -3887,6 +3892,63 @@ int LDAPManager::writePrimaryRealmCertificateUpdateCronFile(TQString *errstr) {
return 0;
}
int LDAPManager::installCACertificateInHostCAStore(TQString *errstr) {
TQString command;
if (!TQDir(SYSTEM_CA_STORE_CERT_LOCATION "ldap-trinity").exists()) {
command = TQString("ln -s %1 %2").arg(KERBEROS_PKI_PUBLICDIR).arg(SYSTEM_CA_STORE_CERT_LOCATION "ldap-trinity");
if (system(command) < 0) {
if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
return -1;
}
if (system(SYSTEM_CA_STORE_REGENERATE_COMMAND) < 0) {
if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(SYSTEM_CA_STORE_REGENERATE_COMMAND);
return -1;
}
}
return 0;
}
int LDAPManager::retrieveAndInstallCaCrl(LDAPManager* manager, TQString *errstr) {
int retcode = 0;
LDAPManager* ldap_mgr = manager;
KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false);
if (!ldap_mgr) {
// Get default settings
TQString defaultRealm = systemconfig->readEntry("DefaultRealm");
if (defaultRealm == "") {
delete systemconfig;
return 0;
}
// Bind anonymously to LDAP
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = defaultRealm.upper();
credentials->use_tls = true;
ldap_mgr = new LDAPManager(defaultRealm.upper(), TQString("ldaps://%1").arg(realms[defaultRealm].admin_server).ascii(), credentials);
}
// Get and install the CA root CRL from LDAP
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", KERBEROS_PKI_PUBLICDIR + realms[ldap_mgr->realm()].admin_server + ".ldap.crl", errstr) != 0) {
retcode = -1;
}
if (!manager) {
delete ldap_mgr;
}
delete systemconfig;
return retcode;
}
LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
LDAPRealmConfigList realms;
@ -3917,7 +3979,6 @@ LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool di
realmcfg.pkinit_require_krbtgt_otherName = config->readBoolEntry("pkinit_require_krbtgt_otherName");
realmcfg.win2k_pkinit = config->readBoolEntry("win2k_pkinit");
realmcfg.win2k_pkinit_require_binding = config->readBoolEntry("win2k_pkinit_require_binding");
realmcfg.certificate_revocation_list_url = config->readBoolEntry("certificate_revocation_list_url");
// Add realm to list
realms.insert(realmName, realmcfg);
}
@ -3949,7 +4010,6 @@ int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* co
config->writeEntry("pkinit_require_krbtgt_otherName", realmcfg.pkinit_require_krbtgt_otherName);
config->writeEntry("win2k_pkinit", realmcfg.win2k_pkinit);
config->writeEntry("win2k_pkinit_require_binding", realmcfg.win2k_pkinit_require_binding);
config->writeEntry("certificate_revocation_list_url", realmcfg.certificate_revocation_list_url);
}
// Delete any realms that do not exist in the realms database
@ -3971,17 +4031,27 @@ int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* co
TQDateTime LDAPManager::getCertificateExpiration(TQByteArray certfileContents) {
TQDateTime ret;
KSSLCertificate* cert = NULL;
TQCString ssldata(certfileContents);
ssldata[certfileContents.size()] = 0;
ssldata.replace("-----BEGIN CERTIFICATE-----", "");
ssldata.replace("-----END CERTIFICATE-----", "");
ssldata.replace("-----BEGIN X509 CRL-----", "");
ssldata.replace("-----END X509 CRL-----", "");
ssldata.replace("\n", "");
KSSLCertificate* cert = KSSLCertificate::fromString(ssldata);
if (cert) {
ret = cert->getQDTNotAfter();
delete cert;
if (ssldata.contains("-----BEGIN CERTIFICATE-----")) {
ssldata.replace("-----BEGIN CERTIFICATE-----", "");
ssldata.replace("-----END CERTIFICATE-----", "");
cert = KSSLCertificate::fromString(ssldata);
if (cert) {
ret = cert->getQDTNotAfter();
delete cert;
}
}
else if (ssldata.contains("-----BEGIN X509 CRL-----")) {
ssldata.replace("-----BEGIN X509 CRL-----", "");
ssldata.replace("-----END X509 CRL-----", "");
cert = KSSLCertificate::crlFromString(ssldata);
if (cert) {
ret = cert->getQDTNextUpdate();
delete cert;
}
}
return ret;
@ -4133,7 +4203,7 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) {
int ret;
ret = generateClientCertificatePrivateKey(user, realmcfg, privateKeyFile, errstr);
ret = generateClientCertificatePrivateKey(privateKeyFile, errstr);
if (ret == 0) {
ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, errstr);
}
@ -4141,7 +4211,7 @@ int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user
return ret;
}
int LDAPManager::generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString privateKeyFile, TQString *errstr) {
int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr) {
TQString command;
TQString subject;
@ -4150,10 +4220,6 @@ int LDAPManager::generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPReal
TQString client_cfgfile = privateKeyFile + ".cfg";
unsigned int client_key_bit_length = 2048;
if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, errstr) != 0) {
return -1;
}
// Create private key
command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(client_key_bit_length);
if (system(command) < 0) {
@ -4213,7 +4279,7 @@ int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAP
if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
return -1;
}
command = TQString("openssl x509 -req -days %1 -in %2 -CAkey %3 -CA %4 -out %5 -extfile %6 -extensions pkinit_client_cert -CAcreateserial").arg(expirydays).arg(client_reqfile).arg(signingPrivateKeyFile).arg(signing_public_certfile).arg(client_certfile).arg(OPENSSL_EXTENSIONS_FILE);
command = TQString("openssl x509 -req -days %1 -in %2 -CAkey %3 -CA %4 -out %5 -extfile %6 -extensions pkinit_client_cert -CAcreateserial").arg(expirydays).arg(client_reqfile).arg(signingPrivateKeyFile).arg(signing_public_certfile).arg(client_certfile).arg(client_cfgfile);
if (system(command) < 0) {
if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
return -1;
@ -4246,15 +4312,15 @@ int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAP
return 0;
}
int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr) {
int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr) {
int retcode;
TQString command;
LDAPUserInfoList userList = this->users(&retcode, errstr);
if (retcode == 0) {
// Generate base CRL
TQString crl_certfile = KERBEROS_PKI_CRL_FILE ".new";
TQString revoked_certfile = KERBEROS_PKI_CRL_FILE ".rev";
TQString crl_certfile = crlFile;
TQString revoked_certfile = crlFile + ".rev";
// The public certificate location varies based on the machine role
// Prefer the bonded realm's certificate if available
@ -4351,6 +4417,12 @@ int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQStri
return -1;
}
}
if (fileExists(revocationDatabaseFile.ascii())) {
if (unlink(revocationDatabaseFile.ascii()) < 0) {
if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(revocationDatabaseFile);
return -1;
}
}
}
return retcode;
@ -4619,11 +4691,10 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
}
int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString *errstr) {
TQString crl_url = realmcfg.certificate_revocation_list_url;
if (crl_url == "") {
// Use a default to preserve certificate validity
// crl_url = TQString("http://%1/%2.crl").arg(realmcfg.name).arg(realmcfg.kdc);
}
TQString ca_public_crl_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl";
TQString crl_url;
crl_url = TQString("URI:file://%1,URI:file://%2").arg(KERBEROS_PKI_CRL_FILE).arg(ca_public_crl_certfile);
if (caRootKeyFile == "") {
caRootKeyFile = KERBEROS_PKI_PEMKEY_FILE;
@ -4760,19 +4831,19 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
stream << "[usr_cert]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[usr_cert_ke]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[proxy_cert]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo" << "\n";
stream << "\n";
@ -4792,7 +4863,7 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
stream << "[pkinit_client_cert]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "authorityKeyIdentifier = keyid,issuer" << "\n";
stream << "issuerAltName=issuer:copy" << "\n";
@ -4801,14 +4872,14 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
stream << "[https_cert]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
// stream << "extendedKeyUsage = https-server XXX" << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[pkinit_kdc_cert]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "authorityKeyIdentifier = keyid,issuer" << "\n";
@ -4830,20 +4901,20 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
stream << "[proxy10_cert]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo" << "\n";
stream << "\n";
stream << "[usr_cert_ds]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[ocsp_cert]" << "\n";
stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
// stream << "ocsp-nocheck and kp-OCSPSigning" << "\n";
stream << "extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9" << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
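Review bot: In installCACertificateInHostCAStore (hunk @3887) the `system(command) < 0` checks on the `ln -s` and `update-ca-certificates` calls only detect a failure to spawn the shell, not a non-zero exit status, so a failed symlink or store rebuild still returns 0 and the caller believes the realm CA is now trusted by the host. Compare against the wait status instead, `if (system(command) != 0) {` on both calls; the same pattern is visible in the context lines of generateClientCertificatePublicCertificate. The error text also uses `%s`, which TQString::arg() does not substitute, so it should read `TQString("Execution of \"%1\" failed").arg(command)`. Since the symlink points at the whole KERBEROS_PKI_PUBLICDIR directory, presumably every `.crt` found there (not just the realm root certificate) becomes a system-wide trust anchor once update-ca-certificates follows the link; a comment stating that assumption about the directory's contents, or linking only the root CA file, would make the trust boundary explicit.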

@ -538,6 +538,8 @@ class LDAPManager : public TQObject {
int setPasswordForUser(LDAPUserInfo user, TQString *errstr);
static int writePrimaryRealmCertificateUpdateCronFile(TQString *errstr=0);
static int installCACertificateInHostCAStore(TQString *errstr=0);
static int retrieveAndInstallCaCrl(LDAPManager* manager=0, TQString *errstr=0);
static TQString getMachineFQDN();
static int writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr=0);
static LDAPRealmConfigList fetchAndReadTDERealmList(TQString *defaultRealm=0);
@ -550,10 +552,10 @@ class LDAPManager : public TQObject {
static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid);
static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0);
static int generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString privateKeyFile, TQString *errstr=0);
static int generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr=0);
static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0);
int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0);
int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0);
static TQString ldapdnForRealm(TQString realm);
static TQString openssldcForRealm(TQString realm);
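Review bot: The new declaration of retrieveAndInstallCaCrl and the widened generatePKICRL carry no comment describing the contract they establish, and it is not obvious from the names: the cpp hunk shows that retrieveAndInstallCaCrl, when manager is 0, binds anonymously over ldaps to the default realm's admin server, writes the publicRootCertificateRevocationList attribute to KERBEROS_PKI_PUBLICDIR/<admin_server>.ldap.crl, returns 0 if no DefaultRealm is configured, and returns -1 only when the fetch fails. A short comment above the declaration stating that, plus one on generatePKICRL noting that crlFile is the output path, that a `<crlFile>.rev` temporary is written beside it, and that revocationDatabaseFile is unlinked on success, would document the behaviour callers now depend on. The removed parameters of generateClientCertificatePrivateKey and the inserted crlFile parameter of generatePKICRL also change the signatures for any caller outside this diff, which the commit message does not mention.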
