authorTimothy Pearson <[email protected]>2015-09-01 19:26:00 -0500
committerTimothy Pearson <[email protected]>2015-09-01 19:26:00 -0500
commitf4141d45b69e068fb8ed23d325402790b98a1ca6 (patch)
treea62eeffc0d463212ab58067f4eebaba3b9776fb2 /src/userconfigdlg.cpp
parent1ad8bf94dfd2f4d3a5d7ed89eae309d1f6bc8d06 (diff)
Add ability to generate user PKI keys and certificates
Diffstat (limited to 'src/userconfigdlg.cpp')
-rw-r--r--src/userconfigdlg.cpp66
1 files changed, 66 insertions, 0 deletions
diff --git a/src/userconfigdlg.cpp b/src/userconfigdlg.cpp
index 8f23ed5..55c5d90 100644
--- a/src/userconfigdlg.cpp
+++ b/src/userconfigdlg.cpp
@@ -22,6 +22,9 @@
#include <klineedit.h>
#include <ktextedit.h>
#include <knuminput.h>
+#include <tdetempfile.h>
+#include <kstandarddirs.h>
+#include <tdemessagebox.h>
#include <tdeactionselector.h>
#include <tqlistbox.h>
#include <kpushbutton.h>
@@ -32,6 +35,7 @@
#include <kcombobox.h>
#include <tqradiobutton.h>
#include <tqcheckbox.h>
+#include <kdatewidget.h>
#include <kdatetimewidget.h>
#include <kpassdlg.h>
#include <kiconloader.h>
@@ -60,6 +64,7 @@ UserConfigDialog::UserConfigDialog(LDAPUserInfo user, LDAPConfig* parent, const
m_base->userIcon->setPixmap(SmallIcon("personal.png"));
m_base->groupsIcon->setPixmap(SmallIcon("tdmconfig.png"));
m_base->passwordIcon->setPixmap(SmallIcon("password.png"));
+ m_base->certificateIcon->setPixmap(SmallIcon("password.png"));
connect(m_base->loginName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts()));
connect(m_base->realName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts()));
@@ -70,6 +75,10 @@ UserConfigDialog::UserConfigDialog(LDAPUserInfo user, LDAPConfig* parent, const
connect(m_base->requirePasswordAging, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
connect(m_base->requirePasswordMinAge, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
connect(m_base->primaryGroup, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(processLockouts()));
+ connect(m_base->certGenPrivateKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
+ connect(m_base->certPrivateKeyFileName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts()));
+ connect(m_base->certPublicCertFileName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(processLockouts()));
+ connect(m_base->createCertificate, TQT_SIGNAL(clicked()), this, TQT_SLOT(createPKICertificate()));
if (m_user.status == KRB5_DISABLED_ACCOUNT) {
m_base->userStatusEnabled->setChecked(false);
@@ -128,6 +137,10 @@ UserConfigDialog::UserConfigDialog(LDAPUserInfo user, LDAPConfig* parent, const
m_base->faxNumber->setText(m_user.faxNumber);
m_base->email->setText(m_user.email);
+ // Certificate generation information
+ TQDateTime suggestedExpiration = TQDateTime::currentDateTime().addDays(KERBEROS_PKI_KRB_EXPIRY_DAYS);
+ m_base->certificateExpirationDate->setDate(suggestedExpiration.date());
+
processLockouts();
}
@@ -252,9 +265,62 @@ void UserConfigDialog::processLockouts() {
}
enableButton(KDialogBase::Ok, ok_enabled);
+ if (m_base->certPrivateKeyFileName->url() == "") {
+ ok_enabled = false;
+ }
+ if (m_base->certPublicCertFileName->url() == "") {
+ ok_enabled = false;
+ }
+ if (!m_base->certGenPrivateKey->isChecked()) {
+ if (!TQFile(m_base->certPrivateKeyFileName->url()).exists()) {
+ ok_enabled = false;
+ }
+ }
+ m_base->createCertificate->setEnabled(ok_enabled);
+
m_prevPrimaryGroup = m_base->primaryGroup->currentText();
}
+void UserConfigDialog::createPKICertificate() {
+ TQString errorstring;
+ LDAPCertConfig certinfo;
+ LDAPRealmConfigList realms = LDAPManager::fetchAndReadTDERealmList();
+
+ certinfo.kerberosExpiryDays = TQDate::currentDate().daysTo(m_base->certificateExpirationDate->date());
+
+ if (m_base->certGenPrivateKey->isChecked()) {
+ // Generate new private key
+ if (LDAPManager::generateClientCertificatePrivateKey(m_user, realms[m_ldapconfig->m_ldapmanager->realm()], m_base->certPrivateKeyFileName->url(), &errorstring) != 0) {
+ KMessageBox::sorry(this, i18n("<qt><b>Unable to generate new private key</b><p>Details: %1</qt>").arg(errorstring), i18n("Unable to Obtain Certificate"));
+ return;
+ }
+ }
+
+ // Get the CA root private key from LDAP
+ // WARNING
+ // Anyone with access to this key would be able to create accounts that could access any resource on the realm!
+ // Secure the key file accordingly...
+ KTempFile caPrivateKeyTempFile(locateLocal("tmp", "krbcakey"), ".key.pem", 0600);
+ caPrivateKeyTempFile.setAutoDelete(true);
+ TQFile* caPrivateKeyFile = caPrivateKeyTempFile.file();
+ if (!caPrivateKeyFile) {
+ KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(realms[m_ldapconfig->m_ldapmanager->realm()].name.upper()).arg(i18n("Unable to create or open temporary file '%s'").arg(caPrivateKeyTempFile.name())), i18n("Unable to Obtain Certificate"));
+ return;
+ }
+ if (m_ldapconfig->m_ldapmanager->getTDECertificate("privateRootCertificateKey", caPrivateKeyFile, &errorstring) != 0) {
+ KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(realms[m_ldapconfig->m_ldapmanager->realm()].name.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
+ return;
+ }
+ caPrivateKeyTempFile.sync();
+
+ if (LDAPManager::generateClientCertificatePublicCertificate(certinfo, m_user, realms[m_ldapconfig->m_ldapmanager->realm()], caPrivateKeyTempFile.name(), m_base->certPrivateKeyFileName->url(), m_base->certPublicCertFileName->url()) != 0) {
+ KMessageBox::sorry(this, i18n("<qt><b>Unable to generate or sign certificate</b><p>Details: %1</qt>").arg(errorstring), i18n("Unable to Create Certificate"));
+ }
+
+ // Delete the private key as soon as possible after certificate signing
+ caPrivateKeyTempFile.unlink();
+}
+
LDAPUserInfo UserConfigDialog::userProperties() {
return m_user;
}
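Review bot: The failure dialog `KMessageBox::sorry(this, i18n("<qt><b>Unable to generate or sign certificate</b><p>Details: %1</qt>").arg(errorstring), ...)` in createPKICertificate reports `errorstring`, but the preceding `generateClientCertificatePublicCertificate(...)` call is the only call in the function that is not handed `&errorstring`, and every earlier call that fills it returns on failure, so the "Details" shown to the user are always empty; if that function takes an error-string out parameter like `generateClientCertificatePrivateKey` does, append `, &errorstring` to its argument list, otherwise drop the `%1` placeholder. The nested `i18n("Unable to create or open temporary file '%s'").arg(caPrivateKeyTempFile.name())` uses a printf-style `%s`, which `TQString::arg` does not substitute, so the temp file name never appears in the message; change it to `'%1'`. `certinfo.kerberosExpiryDays = TQDate::currentDate().daysTo(m_base->certificateExpirationDate->date());` is zero or negative when the chosen date is today or earlier, and nothing rejects that before the CA root key is fetched and a certificate is signed; a guard such as `if (certinfo.kerberosExpiryDays <= 0) { KMessageBox::sorry(this, i18n("The certificate expiration date must be in the future."), i18n("Unable to Create Certificate")); return; }` ahead of the key generation would avoid issuing an already-expired certificate. The realm entry `realms[m_ldapconfig->m_ldapmanager->realm()]` is looked up five times in the function; hoisting it into one local avoids repeating the lookup and, since `operator[]` on a map inserts a default entry for a missing key, makes the missing-realm case something the code can check once rather than silently work with an empty entry.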