d21c8923 | 2015-09-03 00:03:36 | Timothy Pearson |
Add CRL support |
||
M cert-updater/main.cpp M confskel/openldap/ldif/olcDatabase.ldif M confskel/openldap/ldif/tde-core.ldif M src/ldapcontroller.cpp M src/ldapcontroller.h M src/ldapcontrollerconfigbase.ui |
||
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp index 0dc3a27..3466eaf 100644 --- a/cert-updater/main.cpp +++ b/cert-updater/main.cpp @@ -90,6 +90,8 @@ force_update = true; } + bool ca_modified = false; + //====================================================================================================================================================== // // Updater code follows @@ -174,6 +176,13 @@ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) { printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout); } + + // CRL + if (ldap_mgr->generatePKICRL(m_certconfig.caExpiryDays, m_realmconfig[m_defaultRealm], &errorstring) != 0) { + printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout); + } + + ca_modified = true; delete ldap_mgr; } @@ -261,6 +270,9 @@ } } + if (ca_modified) + force_update = true; + // Kerberos if (TQFile::exists(kdc_certfile)) { certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile); diff --git a/confskel/openldap/ldif/olcDatabase.ldif b/confskel/openldap/ldif/olcDatabase.ldif index 12ee550..29b107d 100644 --- a/confskel/openldap/ldif/olcDatabase.ldif +++ b/confskel/openldap/ldif/olcDatabase.ldif @@ -4,7 +4,7 @@ olcDatabase: {@@@LDIFSCHEMANUMBER@@@}hdb olcDbDirectory: /var/lib/ldap olcSuffix: @@@REALM_DCNAME@@@ -olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,privateRootCertificateKey +olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,privateRootCertificateKey,pkiCertificate by group/groupOfNames/member.exact="cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@" write by dn.base="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@" by sockurl.regex="^ldapi:///$" write diff --git a/confskel/openldap/ldif/tde-core.ldif b/confskel/openldap/ldif/tde-core.ldif index 8a72c00..d2647c6 100644 --- a/confskel/openldap/ldif/tde-core.ldif +++ b/confskel/openldap/ldif/tde-core.ldif @@ -26,10 +26,13 @@ olcAttributeTypes: {18} ( 1.3.6.1.4.1.40364.1.1.19 NAME 'builtinStandardUserGroup' DESC 'Built-in standard user group distinguished name' SUP name ) # Used for storing certificate management settings olcAttributeTypes: {19} ( 1.3.6.1.4.1.40364.1.1.20 NAME 'publicRootCertificateOriginServer' DESC 'Certificate authority root certificate origin server' SUP name ) +# Used for storing PKI user certificates and certificate status +olcAttributeTypes: {20} ( 1.3.6.1.4.1.40364.1.1.21 NAME 'pkiCertificate' DESC 'User PKI certificate and status encoded with text mode TQDataStream TQPair<uint32_t, TQByteArray>' SUP name ) +olcAttributeTypes: {21} ( 1.3.6.1.4.1.40364.1.1.22 NAME 'publicRootCertificateRevocationList' DESC 'Certificate authority root certificate revocation list' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE ) olcObjectClasses: {0} ( 1.3.6.1.4.1.40364.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) ) -olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount ) -olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateOriginServer ) ) +olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ pkiCertificate ) ) +olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateRevocationList $ publicRootCertificateOriginServer ) ) olcObjectClasses: {3} ( 1.3.6.1.4.1.40364.1.2.4 NAME 'tdeBuiltinStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ builtinRealmAdminAccount $ builtinRealmAdminGroup $ builtinMachineAdminGroup $ builtinStandardUserGroup ) ) structuralObjectClass: olcSchemaConfig creatorsName: cn=config diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index 092fe71..ceb4c52 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -130,6 +130,8 @@ connect(m_base->ldapExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportKey())); connect(m_base->ldapExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportCert())); + connect(m_base->crlRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncrlRegenerate())); + connect(m_base->btnChangeLDAPRootPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeLDAPRootPassword())); connect(m_base->btnChangeRealmAdminPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeRealmAdminPassword())); @@ -145,6 +147,7 @@ connect(m_base->multiMasterReplicationMappings, TQT_SIGNAL(executed(TQListViewItem*)), this, TQT_SLOT(modifySelectedMultiMasterReplication())); connect(m_base->advancedCaCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCertExpiryChanged())); + connect(m_base->advancedCaCrlExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCrlCertExpiryChanged())); connect(m_base->advancedKerberosCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(kerberosCertExpiryChanged())); connect(m_base->advancedLdapCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(ldapCertExpiryChanged())); @@ -384,6 +387,7 @@ // Load cert config m_systemconfig->setGroup("Certificates"); m_certconfig.caExpiryDays = m_systemconfig->readNumEntry("caExpiryDays", KERBEROS_PKI_PEMKEY_EXPIRY_DAYS); + m_certconfig.caCrlExpiryDays = m_systemconfig->readNumEntry("caCrlExpiryDays", KERBEROS_PKI_CRL_EXPIRY_DAYS); m_certconfig.kerberosExpiryDays = m_systemconfig->readNumEntry("kerberosExpiryDays", KERBEROS_PKI_KRB_EXPIRY_DAYS); m_certconfig.ldapExpiryDays = m_systemconfig->readNumEntry("ldapExpiryDays", KERBEROS_PKI_LDAP_EXPIRY_DAYS); m_certconfig.countryName = m_systemconfig->readEntry("countryName"); @@ -470,6 +474,7 @@ } m_base->advancedCaCertExpiry->setValue(m_certconfig.caExpiryDays); + m_base->advancedCaCrlExpiry->setValue(m_certconfig.caCrlExpiryDays); m_base->advancedKerberosCertExpiry->setValue(m_certconfig.kerberosExpiryDays); m_base->advancedLdapCertExpiry->setValue(m_certconfig.ldapExpiryDays); @@ -504,6 +509,13 @@ kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].name.lower()); TQString ldap_certfile = LDAP_CERT_FILE; ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].name.lower()); + + TQString realmname = m_defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); // Certificate Authority if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) { @@ -570,6 +582,38 @@ m_base->ldapExpiryString->setText("File not found"); m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); } + + // Certificate Revocation List +// FIXME +// KSSLCertificate does not appear to understand the CRL format +// Debug and reactivate this code +#if 0 + TQByteArray certificateContents; + if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL) == 0) { + certExpiry = LDAPManager::getCertificateExpiration(certificateContents); + if (certExpiry >= now) { + m_base->crlExpiryString->setText("Expires " + certExpiry.toString()); + if (certExpiry >= soon) { + m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE); + } + else { + m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE); + } + } + else { + m_base->crlExpiryString->setText("Expired " + certExpiry.toString()); + m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED); + } + } + else { + m_base->crlExpiryString->setText("File not found"); + m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); + } +#else + m_base->crlExpiryString->setText("Unknown"); +#endif + + delete ldap_mgr; } void LDAPController::btncaSetMaster() { @@ -710,6 +754,26 @@ TDEIO::CopyJob* job = TDEIO::copy(src, dest, true); connect(job, TQT_SIGNAL(result(TDEIO::Job*)), this, TQT_SLOT(slotCertCopyResult(TDEIO::Job*))); } +} + +void LDAPController::btncrlRegenerate() { + TQString errstr; + + // Bind to realm + TQString realmname = m_defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); + + if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errstr) != 0) { + KMessageBox::error(this, i18n("<qt><b>Unable to regenerate CRL</b><p>Details: %1</qt>").arg(errstr), i18n("Unable to Regenerate CRL")); + } + + delete ldap_mgr; + + load(); } void LDAPController::slotCertCopyResult(TDEIO::Job* job) { @@ -927,6 +991,12 @@ emit(changed()); } +void LDAPController::caCrlExpiryChanged() { + m_certconfig.caCrlExpiryDays = m_base->advancedCaCrlExpiry->value(); + + emit(changed()); +} + void LDAPController::kerberosCertExpiryChanged() { m_certconfig.kerberosExpiryDays = m_base->advancedKerberosCertExpiry->value(); @@ -954,6 +1024,7 @@ // Write cert config m_systemconfig->setGroup("Certificates"); m_systemconfig->writeEntry("caExpiryDays", m_certconfig.caExpiryDays); + m_systemconfig->writeEntry("caCrlExpiryDays", m_certconfig.caCrlExpiryDays); m_systemconfig->writeEntry("kerberosExpiryDays", m_certconfig.kerberosExpiryDays); m_systemconfig->writeEntry("ldapExpiryDays", m_certconfig.ldapExpiryDays); m_systemconfig->writeEntry("countryName", m_certconfig.countryName); diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h index 84bfc7c..9beb7c0 100644 --- a/src/ldapcontroller.h +++ b/src/ldapcontroller.h @@ -78,6 +78,7 @@ void btnldapRegenerate(); void btnldapExportKey(); void btnldapExportCert(); + void btncrlRegenerate(); void slotCertCopyResult(TDEIO::Job*); void btnChangeLDAPRootPassword(); @@ -91,6 +92,7 @@ void modifySelectedMultiMasterReplication(); void caCertExpiryChanged(); + void caCrlExpiryChanged(); void kerberosCertExpiryChanged(); void ldapCertExpiryChanged(); diff --git a/src/ldapcontrollerconfigbase.ui b/src/ldapcontrollerconfigbase.ui index 85a4a00..8fa2cde 100644 --- a/src/ldapcontrollerconfigbase.ui +++ b/src/ldapcontrollerconfigbase.ui @@ -215,36 +215,20 @@ <cstring>unnamed</cstring> </property> <property name="text"> - <cstring>Certificate Authority:</cstring> + <cstring>Certificate Revocation List:</cstring> </property> </widget> <widget class="TQLabel" row="2" column="0" colspan="1"> <property name="name"> - <cstring>caExpiryString</cstring> + <cstring>crlExpiryString</cstring> </property> </widget> - <widget class="TQPushButton" row="1" column="2" colspan="1" rowspan="2"> + <widget class="TQPushButton" row="1" column="3" colspan="2" rowspan="2"> <property name="name"> - <cstring>caRegenerate</cstring> ** Diff limit reached (max: 250 lines) ** |