From bc95fa92b04a4e372e9e0615def79b6458e5f673 Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Mon, 31 Aug 2015 23:18:14 +0000
Subject: Properly set CRL URL and fix up a few other glitches

---
 src/libtdeldap.cpp | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

(limited to 'src/libtdeldap.cpp')

diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 5be4ce6..66a1397 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -3859,10 +3859,10 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
 TQString common_name = TQString::null;
 if (realmcfg.kdc != "") {
- common_name = TQString("/CN=%1").arg(common_name);
+ common_name = TQString("/CN=%1").arg(realmcfg.kdc);
 }
- subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
+ subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
 command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject);
 if (system(command) < 0) {
 printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
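Review bot: The rebuilt `+ subject = ...` line still interpolates the `certinfo.*` fields and now `realmcfg.kdc` unescaped into a string that is handed to `system()`, so a value containing `"`, `$`, backticks or `;` escapes the quoted `-subj` argument into the shell, and a `/` or `=` inside any field silently corrupts the DN. These values come from configuration rather than the network, so the exposure may be acceptable, but escaping each `.arg()` input (or replacing `system()` with fork/exec and an argv vector) would close it. Separately, `if (system(command) < 0)` on the following line only detects a failure to spawn the shell; a non-zero exit from `openssl req` comes back as a positive status, so the check should be `if (system(command) != 0)` (or inspect `WEXITSTATUS`). The enclosing function starts and ends outside this hunk.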
@@ -3910,10 +3910,10 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
 TQString common_name = TQString::null;
 if (realmcfg.kdc != "") {
- common_name = TQString("/CN=%1").arg(common_name);
+ common_name = TQString("/CN=%1").arg(realmcfg.kdc);
 }
- subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
+ subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
 command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject);
 if (system(command) < 0) {
 printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
@@ -4201,6 +4201,12 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 }
 int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) {
+ TQString crl_url = realmcfg.certificate_revocation_list_url;
+ if (crl_url == "") {
+ // Use a default to preserve certificate validity
+ // crl_url = TQString("http://%1/%2.crl").arg(realmcfg.name).arg(realmcfg.kdc);
+ }
+
 TQDir tde_cert_dir(TDE_CERTIFICATE_DIR);
 if (!tde_cert_dir.exists()) {
 TQString command = TQString("mkdir -p %1").arg(TDE_CERTIFICATE_DIR);
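Review bot: The `-`/`+ subject = ...` lines of generatePublicLDAPCertificate are now byte-for-byte the same as the ones in generatePublicKerberosCertificate, and both the CN and the stray `/` had to be fixed in two places in this one commit; a single private helper such as `static TQString buildCertSubject(const LDAPCertConfig &certinfo, const LDAPRealmConfig &realmcfg)` called from both functions would keep the two DN templates from drifting apart again. The same caveat about unescaped configuration values reaching `system()` through `-subj` applies to this copy. The enclosing function starts and ends outside this hunk.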
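Review bot: With the fallback on the commented-out `// crl_url = ...` line disabled, an empty `certificate_revocation_list_url` leaves `crl_url` empty and the rest of writeOpenSSLConfigurationFile goes on to write `crlDistributionPoints = URI:` with no value into every certificate section, which openssl will most likely reject as a null value when the extension is applied, or, if it is accepted, produce a CRL distribution point nobody can fetch. Either restore a real default, or set `*errstr` and return an error when `crl_url == ""`, or have the later sections emit the `crlDistributionPoints` line only when `crl_url` is non-empty. Note also that the old code wrapped the configured value in `http://%1/crl.pem`, so a deployment that stored a bare hostname in this field now gets a scheme-less `URI:`; a comment such as `// certificate_revocation_list_url must be a complete URL (scheme, host, path)` next to the assignment would make the new contract visible. The body of writeOpenSSLConfigurationFile continues outside this hunk.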
@@ -4299,7 +4305,7 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
 stream << "string_mask = utf8only" << "\n";
 stream << "\n";
 stream << "[v3_ca]" << "\n";
- stream << "subjectKeyIdentifier=hash" << "\n";
+ stream << "subjectKeyIdentifier = hash" << "\n";
 stream << "authorityKeyIdentifier=keyid:always,issuer:always" << "\n";
 stream << "basicConstraints = CA:true" << "\n";
 stream << "keyUsage = critical, cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature" << "\n";
@@ -4307,19 +4313,19 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
 stream << "[usr_cert]" << "\n";
 stream << "basicConstraints=CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 stream << "\n";
 stream << "[usr_cert_ke]" << "\n";
 stream << "basicConstraints=CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 stream << "\n";
 stream << "[proxy_cert]" << "\n";
 stream << "basicConstraints=CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 // stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo" << "\n";
 stream << "\n";
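Review bot: The identical `stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";` line is now emitted in every certificate section of this hunk and the following ones, so the directive is formatted nine separate times; building it once above the sections, `TQString crl_dp = TQString("crlDistributionPoints = URI:%1").arg(crl_url);`, and writing `stream << crl_dp << "\n";` in each section would remove the duplication and give a single place to guard the empty-URL case. Also, openssl splits the value of `crlDistributionPoints` on commas into a list of GENERAL_NAMEs and, I believe, expands `$name` references in config values, so a `crl_url` containing `,` or `$` is mangled silently; either reject such URLs when `crl_url` is set or note the restriction in a comment beside it. The enclosing function starts and ends outside this hunk.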
@@ -4337,7 +4343,7 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
 stream << "[pkinit_client_cert]" << "\n";
 stream << "basicConstraints=CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 stream << "authorityKeyIdentifier=keyid,issuer" << "\n";
 stream << "issuerAltName=issuer:copy" << "\n";
@@ -4346,14 +4352,14 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
 stream << "[https_cert]" << "\n";
 stream << "basicConstraints=CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 // stream << "extendedKeyUsage = https-server XXX" << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 stream << "\n";
 stream << "[pkinit_kdc_cert]" << "\n";
 stream << "basicConstraints=CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 stream << "authorityKeyIdentifier=keyid,issuer" << "\n";
@@ -4375,20 +4381,20 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
 stream << "[proxy10_cert]" << "\n";
 stream << "basicConstraints=CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 // stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo" << "\n";
 stream << "\n";
 stream << "[usr_cert_ds]" << "\n";
 stream << "basicConstraints=CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, digitalSignature" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 stream << "\n";
 stream << "[ocsp_cert]" << "\n";
 stream << "basicConstraints=CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 // stream << "ocsp-nocheck and kp-OCSPSigning" << "\n";
 stream << "extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9" << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
-- 
cgit v1.2.1