diff options
Diffstat (limited to 'src/libtdeldap.cpp')
-rw-r--r-- | src/libtdeldap.cpp | 273 |
1 files changed, 265 insertions, 8 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp index f009297..e113114 100644 --- a/src/libtdeldap.cpp +++ b/src/libtdeldap.cpp @@ -24,6 +24,7 @@ #include <netdb.h> #include <pwd.h> +#include <tqdir.h> #include <tqfile.h> #include <tqcheckbox.h> #include <tdeapplication.h> @@ -124,6 +125,13 @@ TQString LDAPManager::ldapdnForRealm(TQString realm) { return basedc; } +TQString LDAPManager::openssldcForRealm(TQString realm) { + TQStringList domainChunks = TQStringList::split(".", realm.lower()); + TQString basedc = "DC=" + domainChunks.join("/DC="); + basedc = "/" + basedc; + return basedc; +} + TQString LDAPManager::cnFromDn(TQString dn) { int eqpos = dn.find("=")+1; int cmpos = dn.find(",", eqpos); @@ -3803,12 +3811,17 @@ TQDateTime LDAPManager::getCertificateExpiration(TQString certfile) { return ret; } -int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) { +int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) { + TQString errstr; TQString command; TQString subject; + if (writeOpenSSLConfigurationFile(realmcfg, &errstr) != 0) { + printf("ERROR: Unable to generate OpenSSL configuration file! Details: '%s'\n", errstr.ascii()); + return -1; + } subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); - command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -subj %4").arg(certinfo.caExpiryDays).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(subject); + command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -config %4 -subj %5").arg(certinfo.caExpiryDays).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(OPENSSL_EXTENSIONS_FILE).arg(subject); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; @@ -3826,9 +3839,15 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) { } int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) { + TQString errstr; TQString command; TQString subject; + if (writeOpenSSLConfigurationFile(realmcfg, &errstr) != 0) { + printf("ERROR: Unable to generate OpenSSL configuration file! Details: '%s'\n", errstr.ascii()); + return -1; + } + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; TQString kdc_reqfile = KERBEROS_PKI_KDCREQ_FILE; @@ -3836,13 +3855,18 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP kdc_keyfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower()); kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower()); - subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); - command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(subject); + TQString common_name = TQString::null; + if (realmcfg.kdc != "") { + common_name = TQString("/CN=%1").arg(common_name); + } + + subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name)); + command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; } - command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE); + command = TQString("openssl x509 -req -days %1 -in %2 -CAkey %3 -CA %4 -out %5 -extfile %6 -extensions pkinit_kdc_cert -CAcreateserial").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; @@ -3866,9 +3890,15 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP } int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid) { + TQString errstr; TQString command; TQString subject; + if (writeOpenSSLConfigurationFile(realmcfg, &errstr) != 0) { + printf("ERROR: Unable to generate OpenSSL configuration file! Details: '%s'\n", errstr.ascii()); + return -1; + } + TQString ldap_certfile = LDAP_CERT_FILE; TQString ldap_keyfile = LDAP_CERTKEY_FILE; TQString ldap_reqfile = LDAP_CERTREQ_FILE; @@ -3876,13 +3906,18 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal ldap_keyfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower()); ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower()); - subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); - command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(subject); + TQString common_name = TQString::null; + if (realmcfg.kdc != "") { + common_name = TQString("/CN=%1").arg(common_name); + } + + subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name)); + command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; } - command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile); + command = TQString("openssl x509 -req -days %1 -in %2 -CAkey %3 -CA %4 -out %5 -CAcreateserial").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; @@ -4163,6 +4198,228 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) { return 0; } +int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) { + TQDir tde_cert_dir(TDE_CERTIFICATE_DIR); + if (!tde_cert_dir.exists()) { + TQString command = TQString("mkdir -p %1").arg(TDE_CERTIFICATE_DIR); + if (system(command) < 0) { + if (errstr) { + *errstr = i18n("Could not create directory '%1'").arg(TDE_CERTIFICATE_DIR); + } + return 1; + } + } + TQFile file(TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE)); + if (file.open(IO_WriteOnly)) { + TQTextStream stream( &file ); + + stream << "# This file was automatically generated by TDE\n"; + stream << "# All changes will be lost!\n"; + stream << "\n"; + stream << "[ca]" << "\n"; + stream << "default_ca = user" << "\n"; + stream << "\n"; + stream << "[usr]" << "\n"; + // stream << "database = index.txt" << "\n"; + // stream << "serial = serial" << "\n"; + stream << "x509_extensions = usr_cert" << "\n"; + stream << "default_md = sha1" << "\n"; + stream << "policy = policy_match" << "\n"; + stream << "email_in_dn = no" << "\n"; + stream << "certs = ." << "\n"; + stream << "\n"; + stream << "[ocsp]" << "\n"; + // stream << "database = index.txt" << "\n"; + // stream << "serial = serial" << "\n"; + stream << "x509_extensions = ocsp_cert" << "\n"; + stream << "default_md = sha1" << "\n"; + stream << "policy = policy_match" << "\n"; + stream << "email_in_dn = no" << "\n"; + stream << "certs = ." << "\n"; + stream << "\n"; + stream << "[usr_ke]" << "\n"; + // stream << "database = index.txt" << "\n"; + // stream << "serial = serial" << "\n"; + stream << "x509_extensions = usr_cert_ke" << "\n"; + stream << "default_md = sha1" << "\n"; + stream << "policy = policy_match" << "\n"; + stream << "email_in_dn = no" << "\n"; + stream << "certs = ." << "\n"; + stream << "\n"; + stream << "[usr_ds]" << "\n"; + // stream << "database = index.txt" << "\n"; + // stream << "serial = serial" << "\n"; + stream << "x509_extensions = usr_cert_ds" << "\n"; + stream << "default_md = sha1" << "\n"; + stream << "policy = policy_match" << "\n"; + stream << "email_in_dn = no" << "\n"; + stream << "certs = ." << "\n"; + stream << "\n"; + stream << "[pkinit_client]" << "\n"; + // stream << "database = index.txt" << "\n"; + // stream << "serial = serial" << "\n"; + stream << "x509_extensions = pkinit_client_cert" << "\n"; + stream << "default_md = sha1" << "\n"; + stream << "policy = policy_match" << "\n"; + stream << "email_in_dn = no" << "\n"; + stream << "certs = ." << "\n"; + stream << "\n"; + stream << "[pkinit_kdc]" << "\n"; + // stream << "database = index.txt" << "\n"; + // stream << "serial = serial" << "\n"; + stream << "x509_extensions = pkinit_kdc_cert" << "\n"; + stream << "default_md = sha1" << "\n"; + stream << "policy = policy_match" << "\n"; + stream << "email_in_dn = no" << "\n"; + stream << "certs = ." << "\n"; + stream << "\n"; + stream << "[https]" << "\n"; + // stream << "database = index.txt" << "\n"; + // stream << "serial = serial" << "\n"; + stream << "x509_extensions = https_cert" << "\n"; + stream << "default_md = sha1" << "\n"; + stream << "policy = policy_match" << "\n"; + stream << "email_in_dn = no" << "\n"; + stream << "certs = ." << "\n"; + stream << "\n"; + stream << "[subca]" << "\n"; + // stream << "database = index.txt" << "\n"; + // stream << "serial = serial" << "\n"; + stream << "x509_extensions = v3_ca" << "\n"; + stream << "default_md = sha1" << "\n"; + stream << "policy = policy_match" << "\n"; + stream << "email_in_dn = no" << "\n"; + stream << "certs = ." << "\n"; + stream << "\n"; + stream << "[req]" << "\n"; + stream << "distinguished_name = req_distinguished_name" << "\n"; + stream << "x509_extensions = v3_ca" << "\n"; + stream << "string_mask = utf8only" << "\n"; + stream << "\n"; + stream << "[v3_ca]" << "\n"; + stream << "subjectKeyIdentifier=hash" << "\n"; + stream << "authorityKeyIdentifier=keyid:always,issuer:always" << "\n"; + stream << "basicConstraints = CA:true" << "\n"; + stream << "keyUsage = critical, cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature" << "\n"; + stream << "\n"; + stream << "[usr_cert]" << "\n"; + stream << "basicConstraints=CA:FALSE" << "\n"; + stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; + stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url); + stream << "subjectKeyIdentifier = hash" << "\n"; + stream << "\n"; + stream << "[usr_cert_ke]" << "\n"; + stream << "basicConstraints=CA:FALSE" << "\n"; + stream << "keyUsage = critical, nonRepudiation, keyEncipherment" << "\n"; + stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url); + stream << "subjectKeyIdentifier = hash" << "\n"; + stream << "\n"; + stream << "[proxy_cert]" << "\n"; + stream << "basicConstraints=CA:FALSE" << "\n"; + stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; + stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url); + stream << "subjectKeyIdentifier = hash" << "\n"; + // stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo" << "\n"; + stream << "\n"; + stream << "[pkinitc_principals]" << "\n"; + // stream << "princ1 = GeneralString:bar" << "\n"; + stream << "\n"; + stream << "[pkinitc_principal_seq]" << "\n"; + stream << "name_type = EXP:0,INTEGER:1" << "\n"; + stream << "name_string = EXP:1,SEQUENCE:pkinitc_principals" << "\n"; + stream << "\n"; + stream << "[pkinitc_princ_name]" << "\n"; + stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n"; + stream << "principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq" << "\n"; + stream << "\n"; + stream << "[pkinit_client_cert]" << "\n"; + stream << "basicConstraints=CA:FALSE" << "\n"; + stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; + stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url); + stream << "subjectKeyIdentifier = hash" << "\n"; + stream << "authorityKeyIdentifier=keyid,issuer" << "\n"; + stream << "issuerAltName=issuer:copy" << "\n"; + stream << "subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name" << "\n"; + stream << "\n"; + stream << "[https_cert]" << "\n"; + stream << "basicConstraints=CA:FALSE" << "\n"; + stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; + stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url); + // stream << "extendedKeyUsage = https-server XXX" << "\n"; + stream << "subjectKeyIdentifier = hash" << "\n"; + stream << "\n"; + stream << "[pkinit_kdc_cert]" << "\n"; + stream << "basicConstraints=CA:FALSE" << "\n"; + stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; + stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url); + stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n"; + stream << "subjectKeyIdentifier = hash" << "\n"; + stream << "authorityKeyIdentifier=keyid,issuer" << "\n"; + stream << "issuerAltName=issuer:copy" << "\n"; + stream << "subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name" << "\n"; + stream << "\n"; + stream << "[pkinitkdc_princ_name]" << "\n"; + stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n"; + stream << "principal_name = EXP:1,SEQUENCE:pkinitkdc_principal_seq" << "\n"; + stream << "\n"; + stream << "[pkinitkdc_principal_seq]" << "\n"; + stream << "name_type = EXP:0,INTEGER:1" << "\n"; + stream << "name_string = EXP:1,SEQUENCE:pkinitkdc_principals" << "\n"; + stream << "\n"; + stream << "[pkinitkdc_principals]" << "\n"; + stream << "princ1 = GeneralString:krbtgt" << "\n"; + stream << TQString("princ2 = GeneralString:%1").arg(realmcfg.name.upper()) << "\n"; + stream << "\n"; + stream << "[proxy10_cert]" << "\n"; + stream << "basicConstraints=CA:FALSE" << "\n"; + stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; + stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url); + stream << "subjectKeyIdentifier = hash" << "\n"; + // stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo" << "\n"; + stream << "\n"; + stream << "[usr_cert_ds]" << "\n"; + stream << "basicConstraints=CA:FALSE" << "\n"; + stream << "keyUsage = critical, nonRepudiation, digitalSignature" << "\n"; + stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url); + stream << "subjectKeyIdentifier = hash" << "\n"; + stream << "\n"; + stream << "[ocsp_cert]" << "\n"; + stream << "basicConstraints=CA:FALSE" << "\n"; + stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; + stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url); + // stream << "ocsp-nocheck and kp-OCSPSigning" << "\n"; + stream << "extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9" << "\n"; + stream << "subjectKeyIdentifier = hash" << "\n"; + stream << "\n"; + stream << "[req_distinguished_name]" << "\n"; + stream << "countryName = Country Name (2 letter code)" << "\n"; + stream << "countryName_min = 2" << "\n"; + stream << "countryName_max = 2" << "\n"; + stream << "organizationalName = Organizational Unit Name (eg, section)" << "\n"; + stream << "commonName = Common Name (eg, YOUR name)" << "\n"; + stream << "commonName_max = 64" << "\n"; + stream << "\n"; + // stream << "[req_attributes]" << "\n"; + // stream << "challengePassword = A challenge password" << "\n"; + // stream << "challengePassword_min = 4" << "\n"; + // stream << "challengePassword_max = 20" << "\n"; + // stream << "\n"; + stream << "[policy_match]" << "\n"; + stream << "countryName = match" << "\n"; + stream << "commonName = supplied" << "\n"; + stream << "\n"; + file.close(); + } + else { + if (errstr) { + *errstr = i18n("Could not open file '%1' for writing").arg(file.name()); + } + return -1; + } + + return 0; +} + int LDAPManager::bondRealm(TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) { TQCString command = "kadmin"; QCStringList args; |