-rw-r--r-- | src/libtdeldap.cpp | 139 | ||||
-rw-r--r-- | src/libtdeldap.h | 6 |
2 files changed, 109 insertions, 36 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 950d653..156c372 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -77,6 +77,11 @@
 // FIXME
 // This assumes Debian!
+#define SYSTEM_CA_STORE_CERT_LOCATION "/usr/local/share/ca-certificates/"
+#define SYSTEM_CA_STORE_REGENERATE_COMMAND "update-ca-certificates"
+
+// FIXME
+// This assumes Debian!
 #define CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_OPENLDAP_RELOAD_COMMAND "/etc/init.d/slapd force-reload"
 int requested_ldap_version = LDAP_VERSION3;
@@ -3887,6 +3892,63 @@ int LDAPManager::writePrimaryRealmCertificateUpdateCronFile(TQString *errstr) { return 0; } +int LDAPManager::installCACertificateInHostCAStore(TQString *errstr) { + TQString command; + + if (!TQDir(SYSTEM_CA_STORE_CERT_LOCATION "ldap-trinity").exists()) { + command = TQString("ln -s %1 %2").arg(KERBEROS_PKI_PUBLICDIR).arg(SYSTEM_CA_STORE_CERT_LOCATION "ldap-trinity"); + if (system(command) < 0) { + if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); + return -1; + } + + if (system(SYSTEM_CA_STORE_REGENERATE_COMMAND) < 0) { + if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(SYSTEM_CA_STORE_REGENERATE_COMMAND); + return -1; + } + } + + return 0; +} + +int LDAPManager::retrieveAndInstallCaCrl(LDAPManager* manager, TQString *errstr) { + int retcode = 0; + LDAPManager* ldap_mgr = manager; + KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); + LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false); + + if (!ldap_mgr) { + // Get default settings + TQString defaultRealm = systemconfig->readEntry("DefaultRealm"); + if (defaultRealm == "") { + delete systemconfig; + return 0; + } + + // Bind anonymously to LDAP + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = defaultRealm.upper(); + credentials->use_tls = true; + ldap_mgr = new LDAPManager(defaultRealm.upper(), TQString("ldaps://%1").arg(realms[defaultRealm].admin_server).ascii(), credentials); + } + + // Get and install the CA root CRL from LDAP + mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", KERBEROS_PKI_PUBLICDIR + realms[ldap_mgr->realm()].admin_server + ".ldap.crl", errstr) != 0) { + retcode = 
-1; + } + + if (!manager) { + delete ldap_mgr; + } + delete systemconfig; + + return retcode; +} + LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) { LDAPRealmConfigList realms; @@ -3917,7 +3979,6 @@ LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool di realmcfg.pkinit_require_krbtgt_otherName = config->readBoolEntry("pkinit_require_krbtgt_otherName"); realmcfg.win2k_pkinit = config->readBoolEntry("win2k_pkinit"); realmcfg.win2k_pkinit_require_binding = config->readBoolEntry("win2k_pkinit_require_binding"); - realmcfg.certificate_revocation_list_url = config->readBoolEntry("certificate_revocation_list_url"); // Add realm to list realms.insert(realmName, realmcfg); } @@ -3949,7 +4010,6 @@ int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* co config->writeEntry("pkinit_require_krbtgt_otherName", realmcfg.pkinit_require_krbtgt_otherName); config->writeEntry("win2k_pkinit", realmcfg.win2k_pkinit); config->writeEntry("win2k_pkinit_require_binding", realmcfg.win2k_pkinit_require_binding); - config->writeEntry("certificate_revocation_list_url", realmcfg.certificate_revocation_list_url); } // Delete any realms that do not exist in the realms database 
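Review bot: In installCACertificateInHostCAStore both `system()` calls are checked only with `< 0`, which catches a failed fork/exec but not a non-zero exit status, so a failing `ln -s` or `update-ca-certificates` still returns 0 and the caller believes the CA was installed; use `if (system(command) != 0) {` for both. The two error messages use `%s` with `TQString::arg()`, which substitutes `%1`, so the command text never appears — `TQString("Execution of \"%1\" failed").arg(command)`. A comment above the `ln -s` line should state the consequence of the call: with a Debian-style `update-ca-certificates`, every `.crt` file that later lands in KERBEROS_PKI_PUBLICDIR becomes a system-trusted CA through this symlink. In retrieveAndInstallCaCrl the realm list is indexed by `realms[defaultRealm]` in one place and by `realms[ldap_mgr->realm()]` (built from `defaultRealm.upper()`) in another; if LDAPRealmConfigList is a TQMap, a key miss silently inserts an empty entry and the URL degrades to `ldaps://` with no host, so a `realms.contains()` check before use would make that failure explicit.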
@@ -3971,17 +4031,27 @@ int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* co TQDateTime LDAPManager::getCertificateExpiration(TQByteArray certfileContents) { TQDateTime ret; + KSSLCertificate* cert = NULL; TQCString ssldata(certfileContents); ssldata[certfileContents.size()] = 0; - ssldata.replace("-----BEGIN CERTIFICATE-----", ""); - ssldata.replace("-----END CERTIFICATE-----", ""); - ssldata.replace("-----BEGIN X509 CRL-----", ""); - ssldata.replace("-----END X509 CRL-----", ""); ssldata.replace("\n", ""); - KSSLCertificate* cert = KSSLCertificate::fromString(ssldata); - if (cert) { - ret = cert->getQDTNotAfter(); - delete cert; + if (ssldata.contains("-----BEGIN CERTIFICATE-----")) { + ssldata.replace("-----BEGIN CERTIFICATE-----", ""); + ssldata.replace("-----END CERTIFICATE-----", ""); + cert = KSSLCertificate::fromString(ssldata); + if (cert) { + ret = cert->getQDTNotAfter(); + delete cert; + } + } + else if (ssldata.contains("-----BEGIN X509 CRL-----")) { + ssldata.replace("-----BEGIN X509 CRL-----", ""); + ssldata.replace("-----END X509 CRL-----", ""); + cert = KSSLCertificate::crlFromString(ssldata); + if (cert) { + ret = cert->getQDTNextUpdate(); + delete cert; + } } return ret; @@ -4133,7 +4203,7 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) { int ret; - ret = generateClientCertificatePrivateKey(user, realmcfg, privateKeyFile, errstr); + ret = generateClientCertificatePrivateKey(privateKeyFile, errstr); if (ret == 0) { ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, errstr); } 
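Review bot: getCertificateExpiration now returns `ret` untouched when the input carries neither the CERTIFICATE nor the X509 CRL PEM marker, or when `fromString`/`crlFromString` returns NULL, so callers receive an invalid TQDateTime with no distinction between "no expiry" and "unparseable input"; that contract should be documented above the function, e.g. `// Returns an invalid TQDateTime if the data is neither a PEM certificate nor a PEM CRL, or cannot be parsed; callers must check isValid().` The CRL branch reports `getQDTNextUpdate()` rather than a not-after date, which the function name no longer conveys; a one-line comment on the `else if` stating that the CRL's nextUpdate is treated as its expiry would help the next reader. `cert` is declared at the top and reused by both branches although each branch deletes it immediately; declaring it inside each branch would keep its lifetime local.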
@@ -4141,7 +4211,7 @@ int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user return ret; } -int LDAPManager::generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString privateKeyFile, TQString *errstr) { +int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr) { TQString command; TQString subject; @@ -4150,10 +4220,6 @@ int LDAPManager::generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPReal TQString client_cfgfile = privateKeyFile + ".cfg"; unsigned int client_key_bit_length = 2048; - if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, errstr) != 0) { - return -1; - } - // Create private key command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(client_key_bit_length); if (system(command) < 0) { @@ -4213,7 +4279,7 @@ int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAP if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } - command = TQString("openssl x509 -req -days %1 -in %2 -CAkey %3 -CA %4 -out %5 -extfile %6 -extensions pkinit_client_cert -CAcreateserial").arg(expirydays).arg(client_reqfile).arg(signingPrivateKeyFile).arg(signing_public_certfile).arg(client_certfile).arg(OPENSSL_EXTENSIONS_FILE); + command = TQString("openssl x509 -req -days %1 -in %2 -CAkey %3 -CA %4 -out %5 -extfile %6 -extensions pkinit_client_cert -CAcreateserial").arg(expirydays).arg(client_reqfile).arg(signingPrivateKeyFile).arg(signing_public_certfile).arg(client_certfile).arg(client_cfgfile); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; 
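Review bot: In the `@@ -4213` hunk the signing command now passes `client_cfgfile` as `-extfile`, but the call that wrote that file — `writeOpenSSLConfigurationFile(...)` in generateClientCertificatePrivateKey — is removed in the `@@ -4150` hunk; unless generateClientCertificatePublicCertificate writes `privateKeyFile + ".cfg"` itself somewhere outside this hunk, openssl will fail on a missing extensions file, and because the exit status is only tested with `< 0` that failure would not be reported. If the file is written elsewhere, a comment on the `-extfile` line naming where would make the dependency visible. In the `@@ -4141`/`@@ -4150` hunks, `TQString subject;` and `client_cfgfile` in generateClientCertificatePrivateKey appear to be left unused after removing the config write; the body of that function continues outside the hunk, so confirm before dropping them.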
@@ -4246,15 +4312,15 @@ int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAP return 0; } -int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr) { +int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr) { int retcode; TQString command; LDAPUserInfoList userList = this->users(&retcode, errstr); if (retcode == 0) { // Generate base CRL - TQString crl_certfile = KERBEROS_PKI_CRL_FILE ".new"; - TQString revoked_certfile = KERBEROS_PKI_CRL_FILE ".rev"; + TQString crl_certfile = crlFile; + TQString revoked_certfile = crlFile + ".rev"; // The public certificate location varies based on the machine role // Prefer the bonded realm's certificate if available @@ -4351,6 +4417,12 @@ int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQStri return -1; } } + if (fileExists(revocationDatabaseFile.ascii())) { + if (unlink(revocationDatabaseFile.ascii()) < 0) { + if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(revocationDatabaseFile); + return -1; + } + } } return retcode; 
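Review bot: `fileExists()` followed by `unlink()` in the `@@ -4351` hunk is a check-then-act pair; `unlink()` already reports a missing file through `ENOENT`, so `if (unlink(revocationDatabaseFile.ascii()) < 0 && errno != ENOENT) {` removes both the race and the extra stat. Deleting the revocation database right after generating the CRL deserves a why-comment — presumably it is a scratch index rebuilt from `this->users()` on every run, but that is not visible here. In the first hunk `crl_certfile` is now the final `crlFile` instead of the former `KERBEROS_PKI_CRL_FILE ".new"` staging name; if the rest of generatePKICRL (outside this hunk) previously renamed the staged file into place, the CRL is no longer replaced atomically and a concurrent verifier can observe a partially written file. The enclosing function starts and ends outside the hunk.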
@@ -4619,11 +4691,10 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin } int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString *errstr) { - TQString crl_url = realmcfg.certificate_revocation_list_url; - if (crl_url == "") { - // Use a default to preserve certificate validity - // crl_url = TQString("http://%1/%2.crl").arg(realmcfg.name).arg(realmcfg.kdc); - } + TQString ca_public_crl_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl"; + TQString crl_url; + + crl_url = TQString("URI:file://%1,URI:file://%2").arg(KERBEROS_PKI_CRL_FILE).arg(ca_public_crl_certfile); if (caRootKeyFile == "") { caRootKeyFile = KERBEROS_PKI_PEMKEY_FILE; 
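Review bot: `crl_url` now bakes two `URI:file://` paths into the crlDistributionPoints of every certificate profile written by this configuration, and the configurable `certificate_revocation_list_url` it replaces is removed elsewhere in this commit; a `file://` distribution point is only resolvable on a host that has those exact paths, so relying parties on other machines cannot fetch the CRL and, depending on their policy, will either skip revocation checking or reject the certificate. A comment above the assignment should state the assumption, e.g. `// CRL distribution points are local file URIs: revocation checking only works on hosts where retrieveAndInstallCaCrl has placed the CRL at these paths.` The declaration and assignment can also be folded into `TQString crl_url = TQString("URI:file://%1,URI:file://%2").arg(KERBEROS_PKI_CRL_FILE).arg(ca_public_crl_certfile);`. The body of writeOpenSSLConfigurationFile continues outside the hunk.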
@@ -4760,19 +4831,19 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse stream << "[usr_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; - stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n"; + stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "\n"; stream << "[usr_cert_ke]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, keyEncipherment" << "\n"; - stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n"; + stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "\n"; stream << "[proxy_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; - stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n"; + stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; // stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo" << "\n"; stream << "\n"; @@ -4792,7 +4863,7 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse stream << "[pkinit_client_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; - stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n"; + stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "authorityKeyIdentifier = keyid,issuer" << "\n"; stream << "issuerAltName=issuer:copy" << "\n"; 
@@ -4801,14 +4872,14 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse stream << "[https_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; - stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n"; + stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; // stream << "extendedKeyUsage = https-server XXX" << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "\n"; stream << "[pkinit_kdc_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; - stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n"; + stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "authorityKeyIdentifier = keyid,issuer" << "\n"; 
@@ -4830,20 +4901,20 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse stream << "[proxy10_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; - stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n"; + stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; // stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo" << "\n"; stream << "\n"; stream << "[usr_cert_ds]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature" << "\n"; - stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n"; + stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "\n"; stream << "[ocsp_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; - stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n"; + stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; // stream << "ocsp-nocheck and kp-OCSPSigning" << "\n"; stream << "extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9" << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; diff --git a/src/libtdeldap.h b/src/libtdeldap.h index 0d08e59..c14a437 100644 --- a/src/libtdeldap.h +++ b/src/libtdeldap.h 
@@ -538,6 +538,8 @@ class LDAPManager : public TQObject { int setPasswordForUser(LDAPUserInfo user, TQString *errstr); static int writePrimaryRealmCertificateUpdateCronFile(TQString *errstr=0); + static int installCACertificateInHostCAStore(TQString *errstr=0); + static int retrieveAndInstallCaCrl(LDAPManager* manager=0, TQString *errstr=0); static TQString getMachineFQDN(); static int writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr=0); static LDAPRealmConfigList fetchAndReadTDERealmList(TQString *defaultRealm=0); @@ -550,10 +552,10 @@ class LDAPManager : public TQObject { static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid); static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0); - static int generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString privateKeyFile, TQString *errstr=0); + static int generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr=0); static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0); - int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0); + int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0); static TQString ldapdnForRealm(TQString realm); static TQString openssldcForRealm(TQString realm); |