diff options
author | Timothy Pearson <[email protected]> | 2015-09-19 00:32:45 -0500 |
---|---|---|
committer | Timothy Pearson <[email protected]> | 2015-09-19 00:33:02 -0500 |
commit | 07d094fd32bc7b60a205afeb3bcc0c0b9bbb6a84 (patch) | |
tree | 5a51f5b5b3943656fe71ab28ec7e28da8fa96668 /src | |
parent | c6eab472be250f029f9558e9199b6c407198e41e (diff) | |
download | libtdeldap-07d094fd32bc7b60a205afeb3bcc0c0b9bbb6a84.tar.gz libtdeldap-07d094fd32bc7b60a205afeb3bcc0c0b9bbb6a84.zip |
Extend PKCS certificate generation routines
This breaks the ABI
Diffstat (limited to 'src')
-rw-r--r-- | src/libtdeldap.cpp | 76 | ||||
-rw-r--r-- | src/libtdeldap.h | 8 |
2 files changed, 48 insertions, 36 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp index 15a0996..4d3cdc9 100644 --- a/src/libtdeldap.cpp +++ b/src/libtdeldap.cpp @@ -4108,24 +4108,26 @@ TQDateTime LDAPManager::getCertificateExpiration(TQByteArray certfileContents) { KSSLCertificate* cert = NULL; TQCString ssldata(certfileContents); - ssldata[certfileContents.size()] = 0; - ssldata.replace("\n", ""); - if (ssldata.contains("-----BEGIN CERTIFICATE-----")) { - ssldata.replace("-----BEGIN CERTIFICATE-----", ""); - ssldata.replace("-----END CERTIFICATE-----", ""); - cert = KSSLCertificate::fromString(ssldata); - if (cert) { - ret = cert->getQDTNotAfter(); - delete cert; + if (certfileContents.size() > 0) { + ssldata[certfileContents.size()] = 0; + ssldata.replace("\n", ""); + if (ssldata.contains("-----BEGIN CERTIFICATE-----")) { + ssldata.replace("-----BEGIN CERTIFICATE-----", ""); + ssldata.replace("-----END CERTIFICATE-----", ""); + cert = KSSLCertificate::fromString(ssldata); + if (cert) { + ret = cert->getQDTNotAfter(); + delete cert; + } } - } - else if (ssldata.contains("-----BEGIN X509 CRL-----")) { - ssldata.replace("-----BEGIN X509 CRL-----", ""); - ssldata.replace("-----END X509 CRL-----", ""); - cert = KSSLCertificate::crlFromString(ssldata); - if (cert) { - ret = cert->getQDTNextUpdate(); - delete cert; + else if (ssldata.contains("-----BEGIN X509 CRL-----")) { + ssldata.replace("-----BEGIN X509 CRL-----", ""); + ssldata.replace("-----END X509 CRL-----", ""); + cert = KSSLCertificate::crlFromString(ssldata); + if (cert) { + ret = cert->getQDTNextUpdate(); + delete cert; + } } } @@ -4275,28 +4277,27 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal return 0; } -int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) { +int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, int clientKeyBitLength, TQString autoLoginPIN, TQString *errstr) { int ret; - ret = generateClientCertificatePrivateKey(privateKeyFile, errstr); + ret = generateClientCertificatePrivateKey(privateKeyFile, clientKeyBitLength, errstr); if (ret == 0) { - ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, errstr); + ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, autoLoginPIN, errstr); } return ret; } -int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr) { +int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, int clientKeyBitLength, TQString *errstr) { TQString command; TQString subject; TQString client_keyfile = privateKeyFile; TQString client_reqfile = privateKeyFile + ".req"; TQString client_cfgfile = privateKeyFile + ".cfg"; - unsigned int client_key_bit_length = 2048; // Create private key - command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(client_key_bit_length); + command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(clientKeyBitLength); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; @@ -4323,7 +4324,7 @@ int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, TQ return 0; } -int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) { +int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString autoLoginPIN, TQString *errstr) { TQString command; TQString subject; @@ -4339,7 +4340,7 @@ int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAP signing_public_certfile = KERBEROS_PKI_PEM_FILE; } - if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, errstr) != 0) { + if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, autoLoginPIN, errstr) != 0) { return -1; } @@ -4405,7 +4406,7 @@ int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQStri } // Set up OpenSSL environment - if (writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), OPENSSL_EXTENSIONS_FILE, signingPrivateKeyFile, signing_public_certfile, revocationDatabaseFile, errstr) != 0) { + if (writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), OPENSSL_EXTENSIONS_FILE, signingPrivateKeyFile, signing_public_certfile, revocationDatabaseFile, TQString::null, errstr) != 0) { return -1; } command = TQString("rm -f %1").arg(revocationDatabaseFile); @@ -4867,10 +4868,10 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) { } int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) { - return writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE), TQString::null, TQString::null, TQString::null, errstr); + return writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE), TQString::null, TQString::null, TQString::null, TQString::null, errstr); } -int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString *errstr) { +int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString autoLoginPIN, TQString *errstr) { TQString ca_public_crl_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl"; TQString crl_url; @@ -5040,14 +5041,25 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n"; stream << "principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq" << "\n"; stream << "\n"; + if (autoLoginPIN != TQString::null) { + stream << "[tde_autopin_login_data]" << "\n"; + stream << TQString("realm = EXP:0,GeneralString:%1").arg(autoLoginPIN) << "\n"; + stream << "\n"; + } + stream << "[pkinit_client_cert_alt_names]" << "\n"; + stream << "otherName.1=1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name" << "\n"; + if (autoLoginPIN != TQString::null) { + stream << "otherName.2=1.3.6.1.4.1.40364.1.2.1;SEQUENCE:tde_autopin_login_data" << "\n"; + } + stream << "\n"; stream << "[pkinit_client_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "authorityKeyIdentifier = keyid,issuer" << "\n"; - stream << "issuerAltName=issuer:copy" << "\n"; - stream << "subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name" << "\n"; + stream << "issuerAltName = issuer:copy" << "\n"; + stream << "subjectAltName = @pkinit_client_cert_alt_names" << "\n"; stream << "\n"; stream << "[https_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; @@ -5063,8 +5075,8 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "authorityKeyIdentifier = keyid,issuer" << "\n"; - stream << "issuerAltName=issuer:copy" << "\n"; - stream << "subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name" << "\n"; + stream << "issuerAltName = issuer:copy" << "\n"; + stream << "subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name" << "\n"; stream << "\n"; stream << "[pkinitkdc_princ_name]" << "\n"; stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n"; diff --git a/src/libtdeldap.h b/src/libtdeldap.h index 5bd6173..ee70ad2 100644 --- a/src/libtdeldap.h +++ b/src/libtdeldap.h @@ -554,9 +554,9 @@ class LDAPManager : public TQObject { static int generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg); static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid); - static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0); - static int generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr=0); - static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0); + static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, int clientKeyBitLength=2048, TQString autoLoginPIN=TQString::null, TQString *errstr=0); + static int generateClientCertificatePrivateKey(TQString privateKeyFile, int clientKeyBitLength=2048, TQString *errstr=0); + static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString autoLoginPIN=TQString::null, TQString *errstr=0); int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0); @@ -579,7 +579,7 @@ class LDAPManager : public TQObject { static int writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole machineRole, TQString *errstr=0); static int writeNSSwitchFile(TQString *errstr=0); static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr=0); - static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile=TQString::null, TQString caRootCertFile=TQString::null, TQString caRootDatabaseFile=TQString::null, TQString *errstr=0); + static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile=TQString::null, TQString caRootCertFile=TQString::null, TQString caRootDatabaseFile=TQString::null, TQString autoLoginPIN=TQString::null, TQString *errstr=0); static int writeClientCronFiles(TQString *errstr=0); static int rehashClientPKCSCertificates(TQString *errstr=0); static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0); |