Branch: master

efb81441 2015-09-03 00:03:15 Timothy Pearson 
Add CRL generation
M src/libtdeldap.cpp
M src/libtdeldap.h
 
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 6e965fb..8f6ad0c 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -2945,7 +2945,7 @@
 	// Create symbolic link to secondary LDAP configuration file
 	if (fileExists(LDAP_SECONDARY_FILE)) {
 		if (unlink(LDAP_SECONDARY_FILE) < 0) {
-			if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(LDAP_SECONDARY_FILE);
+			if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(LDAP_SECONDARY_FILE);
 			return -1;
 		}
 	}
@@ -2958,7 +2958,7 @@
 	// Create symbolic link to tertiary LDAP configuration file
 	if (fileExists(LDAP_TERTIARY_FILE)) {
 		if (unlink(LDAP_TERTIARY_FILE) < 0) {
-			if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(LDAP_TERTIARY_FILE);
+			if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(LDAP_TERTIARY_FILE);
 			return -1;
 		}
 	}
@@ -3643,15 +3643,15 @@
 	return -1;
 }
 
-int LDAPManager::getTDECertificate(TQString certificateName, TQFile *fileHandle, TQString *errstr) {
+int LDAPManager::getTDECertificate(TQString certificateName, TQByteArray *certificate, TQString *errstr) {
 	int retcode;
 	int returncode;
 	LDAPTDEBuiltinsInfo builtininfo;
 
 	TQString dn = TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc);
 
-	if (!fileHandle) {
-		if (errstr) *errstr = i18n("Invalid file handle passed by host application");
+	if (!certificate) {
+		if (errstr) *errstr = i18n("Invalid certificate handle passed by host application");
 		return -1;
 	}
 
@@ -3685,9 +3685,7 @@
 					TQString ldap_field = attr;
 					i=0;
 					if (ldap_field == certificateName) {
-						TQByteArray ba;
-						ba.duplicate(vals[i]->bv_val, vals[i]->bv_len);
-						fileHandle->writeBlock(ba);
+						certificate->duplicate(vals[i]->bv_val, vals[i]->bv_len);
 						returncode = 0;
 					}
 					ldap_value_free_len(vals);
@@ -3711,6 +3709,23 @@
 	}
 
 	return -1;
+}
+
+int LDAPManager::getTDECertificate(TQString certificateName, TQFile *fileHandle, TQString *errstr) {
+	int returncode;
+
+	if (!fileHandle) {
+		if (errstr) *errstr = i18n("Invalid file handle passed by host application");
+		return -1;
+	}
+
+	TQByteArray ba;
+	returncode = getTDECertificate(certificateName, &ba, errstr);
+	if (returncode == 0) {
+		fileHandle->writeBlock(ba);
+	}
+
+	return returncode;
 }
 
 int LDAPManager::getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr) {
@@ -3916,6 +3931,25 @@
 	return 0;
 }
 
+TQDateTime LDAPManager::getCertificateExpiration(TQByteArray certfileContents) {
+	TQDateTime ret;
+
+	TQCString ssldata(certfileContents);
+	ssldata[certfileContents.size()] = 0;
+	ssldata.replace("-----BEGIN CERTIFICATE-----", "");
+	ssldata.replace("-----END CERTIFICATE-----", "");
+	ssldata.replace("-----BEGIN X509 CRL-----", "");
+	ssldata.replace("-----END X509 CRL-----", "");
+	ssldata.replace("\n", "");
+	KSSLCertificate* cert = KSSLCertificate::fromString(ssldata);
+	if (cert) {
+		ret = cert->getQDTNotAfter();
+		delete cert;
+	}
+
+	return ret;
+}
+
 TQDateTime LDAPManager::getCertificateExpiration(TQString certfile) {
 	TQDateTime ret;
 
@@ -3924,16 +3958,7 @@
 		TQByteArray ba = file.readAll();
 		file.close();
 
-		TQCString ssldata(ba);
-		ssldata[ba.size()] = 0;
-		ssldata.replace("-----BEGIN CERTIFICATE-----", "");
-		ssldata.replace("-----END CERTIFICATE-----", "");
-		ssldata.replace("\n", "");
-		KSSLCertificate* cert = KSSLCertificate::fromString(ssldata);
-		if (cert) {
-			ret = cert->getQDTNotAfter();
-			delete cert;
-		}
+		ret = getCertificateExpiration(ba);
 	}
 
 	return ret;
@@ -4088,7 +4113,7 @@
 	TQString client_cfgfile = privateKeyFile + ".cfg";
 	unsigned int client_key_bit_length = 2048;
 
-	if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, errstr) != 0) {
+	if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, errstr) != 0) {
 		return -1;
 	}
 
@@ -4101,18 +4126,18 @@
 
 	// Secure keyfile
 	if (chmod(client_keyfile.ascii(), S_IRUSR|S_IWUSR) < 0) {
-		if (errstr) *errstr = TQString("Unable to change permissions of \"%s\"").arg(client_keyfile);
+		if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(client_keyfile);
 		return -1;
 	}
 	if (chown(client_keyfile.ascii(), 0, 0) < 0) {
-		if (errstr) *errstr = TQString("Unable to change owner of \"%s\"").arg(client_keyfile);
+		if (errstr) *errstr = TQString("Unable to change owner of \"%1\"").arg(client_keyfile);
 		return -1;
 	}
 
 	// Clean up
 	if (fileExists(client_cfgfile.ascii())) {
 		if (unlink(client_cfgfile.ascii()) < 0) {
-			if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(client_keyfile);
+			if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(client_cfgfile);
 			return -1;
 		}
 	}
@@ -4136,7 +4161,7 @@
 		signing_public_certfile = KERBEROS_PKI_PEM_FILE;
 	}
 
-	if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, errstr) != 0) {
+	if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, errstr) != 0) {
 		return -1;
 	}
 
@@ -4159,29 +4184,139 @@
 
 	// Secure certificate
 	if (chmod(client_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
-		if (errstr) *errstr = TQString("Unable to change permissions of \"%s\"").arg(client_certfile);
+		if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(client_certfile);
 		return -1;
 	}
 	if (chown(client_certfile.ascii(), 0, 0) < 0) {
-		if (errstr) *errstr = TQString("Unable to change owner of \"%s\"").arg(client_certfile);
+		if (errstr) *errstr = TQString("Unable to change owner of \"%1\"").arg(client_certfile);
 		return -1;
 	}
 
 	// Clean up
 	if (fileExists(client_cfgfile.ascii())) {
 		if (unlink(client_cfgfile.ascii()) < 0) {
-			if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(client_certfile);
+			if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(client_cfgfile);
 			return -1;
 		}
 	}
 	if (fileExists(client_reqfile.ascii())) {
 		if (unlink(client_reqfile.ascii()) < 0) {
-			if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(client_reqfile);
+			if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(client_reqfile);
 			return -1;
 		}
 	}
 
 	return 0;
+}
+
+int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr) {
+	int retcode;
+	TQString command;
+
+	LDAPUserInfoList userList = this->users(&retcode, errstr);
+	if (retcode == 0) {
+		// Generate base CRL
+		TQString crl_certfile = KERBEROS_PKI_CRL_FILE ".new";
+		TQString revoked_certfile = KERBEROS_PKI_CRL_FILE ".rev";
+
+		// The public certificate location varies based on the machine role
+		// Prefer the bonded realm's certificate if available
+		TQString signing_public_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";
+		if (!TQFile(signing_public_certfile).exists()) {
+			signing_public_certfile = KERBEROS_PKI_PEM_FILE;
+		}
+
+		// Set up OpenSSL environment
+		if (writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), OPENSSL_EXTENSIONS_FILE, signingPrivateKeyFile, signing_public_certfile, revocationDatabaseFile, errstr) != 0) {
+			return -1;
+		}
+		command = TQString("rm -f %1").arg(revocationDatabaseFile);
+		if (system(command) < 0) {
+			if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
+			return -1;
+		}
+		command = TQString("touch %1").arg(revocationDatabaseFile);
+		if (system(command) < 0) {
+			if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
+			return -1;
+		}
+
+		command = TQString("openssl ca -days %1 -crldays %2 -crlhours 0 -gencrl -out %3 -config %4").arg(expirydays).arg(expirydays).arg(crl_certfile).arg(OPENSSL_EXTENSIONS_FILE);
+		if (system(command) < 0) {
+			if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
+			return -1;
+		}
+
+		LDAPUserInfoList::Iterator it;
+		for (it = userList.begin(); it != userList.end(); ++it) {
+			LDAPUserInfo user = *it;
+
+			PKICertificateEntryList::Iterator it;
+			for (it = user.pkiCertificates.begin(); it != user.pkiCertificates.end(); ++it) {
+				PKICertificateEntry certificateData = *it;
+
+				TQCString ssldata(certificateData.second);
+				ssldata[certificateData.second.size()] = 0;
+				ssldata.replace("-----BEGIN CERTIFICATE-----", "");
+				ssldata.replace("-----END CERTIFICATE-----", "");
+				ssldata.replace("\n", "");
+				KSSLCertificate* cert = KSSLCertificate::fromString(ssldata);
+				if (cert) {
+					bool expired = false;
+					if (TQDate::currentDate().daysTo(cert->getQDTNotAfter().date()) < 0) {
+						expired = true;
+					}
 ** Diff limit reached (max: 250 lines) **