authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-03 05:03:36 +0000
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-03 05:03:36 +0000
commitd21c8923134c61fc9312767cedd76f67898a33e8 (patch)
tree14446f90d1673da1ab31edefc7f9a4f5ecf964be
parent75a61a29a31f0dcfceeb964204b50ea00dbc2d58 (diff)
Add CRL support
-rw-r--r--cert-updater/main.cpp12
-rw-r--r--confskel/openldap/ldif/olcDatabase.ldif2
-rw-r--r--confskel/openldap/ldif/tde-core.ldif7
-rw-r--r--src/ldapcontroller.cpp71
-rw-r--r--src/ldapcontroller.h2
-rw-r--r--src/ldapcontrollerconfigbase.ui86
6 files changed, 158 insertions, 22 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 0dc3a27..3466eaf 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -90,6 +90,8 @@ int main(int argc, char *argv[])
force_update = true;
}
+ bool ca_modified = false;
+
//======================================================================================================================================================
//
// Updater code follows
@@ -174,6 +176,13 @@ int main(int argc, char *argv[])
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
}
+
+ // CRL
+ if (ldap_mgr->generatePKICRL(m_certconfig.caExpiryDays, m_realmconfig[m_defaultRealm], &errorstring) != 0) {
+ printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
+ }
+
+ ca_modified = true;
delete ldap_mgr;
}
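Review bot: The generatePKICRL call added here passes three arguments and the CA certificate lifetime (`m_certconfig.caExpiryDays`), while the call added in src/ldapcontroller.cpp's btncrlRegenerate in this same commit passes `m_certconfig.caCrlExpiryDays` plus `KERBEROS_PKI_PEMKEY_FILE` and `KERBEROS_PKI_CRLDB_FILE` before the error string. Unless LDAPManager provides both overloads (its declaration is not in this diff), one of the two call sites will not compile; and even if it does, the updater issues CRLs whose validity is tied to the CA certificate's lifetime rather than the CRL setting the control module exposes. If the updater's m_certconfig has the same shape as the module's, the first argument should be `m_certconfig.caCrlExpiryDays`. A failure here is only printed and the run continues as if the CA had been fully refreshed, so a realm can end up with a new CA certificate and no matching CRL; at minimum a comment stating that this is intentional best-effort, or an exit-status change, would make that visible.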
@@ -261,6 +270,9 @@ int main(int argc, char *argv[])
}
}
+ if (ca_modified)
+ force_update = true;
+
// Kerberos
if (TQFile::exists(kdc_certfile)) {
certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile);
diff --git a/confskel/openldap/ldif/olcDatabase.ldif b/confskel/openldap/ldif/olcDatabase.ldif
index 12ee550..29b107d 100644
--- a/confskel/openldap/ldif/olcDatabase.ldif
+++ b/confskel/openldap/ldif/olcDatabase.ldif
@@ -4,7 +4,7 @@ objectClass: olcHdbConfig
olcDatabase: {@@@LDIFSCHEMANUMBER@@@}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: @@@REALM_DCNAME@@@
-olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,privateRootCertificateKey
+olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,privateRootCertificateKey,pkiCertificate
by group/groupOfNames/member.exact="cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@" write
by dn.base="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@"
by sockurl.regex="^ldapi:///$" write
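Review bot: Adding pkiCertificate to the `to attrs=userPassword,...` rule means the first matching access rule for that attribute is now this one, and the `by` clauses that complete it (only the admin-group, admin-user and ldapi lines are visible here) govern both read and write access to the user's certificate. Since the attribute holds the public certificate together with its status, any client that must read a user's certificate needs an explicit read grant in this rule, or the attribute belongs in its own `to attrs=pkiCertificate` rule with a tighter write policy; from the hunk alone it is not clear which was intended. A comment above the rule such as `# pkiCertificate (user certificate + status) is write-restricted with the credential attributes so only admins can change certificate status` would record the intent.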
diff --git a/confskel/openldap/ldif/tde-core.ldif b/confskel/openldap/ldif/tde-core.ldif
index 8a72c00..d2647c6 100644
--- a/confskel/openldap/ldif/tde-core.ldif
+++ b/confskel/openldap/ldif/tde-core.ldif
@@ -26,10 +26,13 @@ olcAttributeTypes: {17} ( 1.3.6.1.4.1.40364.1.1.18 NAME 'builtinMachineAdminGrou
olcAttributeTypes: {18} ( 1.3.6.1.4.1.40364.1.1.19 NAME 'builtinStandardUserGroup' DESC 'Built-in standard user group distinguished name' SUP name )
# Used for storing certificate management settings
olcAttributeTypes: {19} ( 1.3.6.1.4.1.40364.1.1.20 NAME 'publicRootCertificateOriginServer' DESC 'Certificate authority root certificate origin server' SUP name )
+# Used for storing PKI user certificates and certificate status
+olcAttributeTypes: {20} ( 1.3.6.1.4.1.40364.1.1.21 NAME 'pkiCertificate' DESC 'User PKI certificate and status encoded with text mode TQDataStream TQPair<uint32_t, TQByteArray>' SUP name )
+olcAttributeTypes: {21} ( 1.3.6.1.4.1.40364.1.1.22 NAME 'publicRootCertificateRevocationList' DESC 'Certificate authority root certificate revocation list' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
olcObjectClasses: {0} ( 1.3.6.1.4.1.40364.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website
URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) )
-olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount )
-olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateOriginServer ) )
+olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ pkiCertificate ) )
+olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateRevocationList $ publicRootCertificateOriginServer ) )
olcObjectClasses: {3} ( 1.3.6.1.4.1.40364.1.2.4 NAME 'tdeBuiltinStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ builtinRealmAdminAccount $ builtinRealmAdminGroup $ builtinMachineAdminGroup $ builtinStandardUserGroup ) )
structuralObjectClass: olcSchemaConfig
creatorsName: cn=config
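Review bot: `pkiCertificate` is declared `SUP name`, which inherits the DirectoryString syntax and caseIgnoreMatch equality of `name`, yet its DESC says it holds a TQDataStream-encoded `TQPair<uint32_t, TQByteArray>`. slapd validates DirectoryString values as UTF-8, so if that encoding can emit bytes that are not valid UTF-8 the modify is rejected, and case-insensitive matching is a poor equality rule for encoded data. The sibling attribute added in the same hunk, `publicRootCertificateRevocationList`, already uses the Binary syntax `SYNTAX 1.3.6.1.4.1.1466.115.121.1.5`; using that (or the Octet String syntax `1.3.6.1.4.1.1466.115.121.1.40`) for `pkiCertificate` would be consistent and avoid the validation problem. If the DataStream output is guaranteed to be text, say so in the DESC.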
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 092fe71..ceb4c52 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -130,6 +130,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->ldapExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportKey()));
connect(m_base->ldapExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportCert()));
+ connect(m_base->crlRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncrlRegenerate()));
+
connect(m_base->btnChangeLDAPRootPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeLDAPRootPassword()));
connect(m_base->btnChangeRealmAdminPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeRealmAdminPassword()));
@@ -145,6 +147,7 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->multiMasterReplicationMappings, TQT_SIGNAL(executed(TQListViewItem*)), this, TQT_SLOT(modifySelectedMultiMasterReplication()));
connect(m_base->advancedCaCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCertExpiryChanged()));
+ connect(m_base->advancedCaCrlExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCrlCertExpiryChanged()));
connect(m_base->advancedKerberosCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(kerberosCertExpiryChanged()));
connect(m_base->advancedLdapCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(ldapCertExpiryChanged()));
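Review bot: The new connect names the slot `caCrlCertExpiryChanged()`, but the slot defined later in this diff (and declared in the src/ldapcontroller.h hunk) is `caCrlExpiryChanged()`. TQt resolves slot names at runtime, so this connect fails with a warning and edits to the CRL expiry input never reach `m_certconfig.caCrlExpiryDays` nor emit `changed()`; save() then writes back the loaded value and btncrlRegenerate uses it too. The line should read `connect(m_base->advancedCaCrlExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCrlExpiryChanged()));`. The enclosing constructor starts and ends outside the hunk.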
@@ -384,6 +387,7 @@ void LDAPController::load() {
// Load cert config
m_systemconfig->setGroup("Certificates");
m_certconfig.caExpiryDays = m_systemconfig->readNumEntry("caExpiryDays", KERBEROS_PKI_PEMKEY_EXPIRY_DAYS);
+ m_certconfig.caCrlExpiryDays = m_systemconfig->readNumEntry("caCrlExpiryDays", KERBEROS_PKI_CRL_EXPIRY_DAYS);
m_certconfig.kerberosExpiryDays = m_systemconfig->readNumEntry("kerberosExpiryDays", KERBEROS_PKI_KRB_EXPIRY_DAYS);
m_certconfig.ldapExpiryDays = m_systemconfig->readNumEntry("ldapExpiryDays", KERBEROS_PKI_LDAP_EXPIRY_DAYS);
m_certconfig.countryName = m_systemconfig->readEntry("countryName");
@@ -470,6 +474,7 @@ void LDAPController::load() {
}
m_base->advancedCaCertExpiry->setValue(m_certconfig.caExpiryDays);
+ m_base->advancedCaCrlExpiry->setValue(m_certconfig.caCrlExpiryDays);
m_base->advancedKerberosCertExpiry->setValue(m_certconfig.kerberosExpiryDays);
m_base->advancedLdapCertExpiry->setValue(m_certconfig.ldapExpiryDays);
@@ -505,6 +510,13 @@ void LDAPController::updateCertDisplay() {
TQString ldap_certfile = LDAP_CERT_FILE;
ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].name.lower());
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
// Certificate Authority
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
@@ -570,6 +582,38 @@ void LDAPController::updateCertDisplay() {
m_base->ldapExpiryString->setText("File not found");
m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
}
+
+ // Certificate Revocation List
+// FIXME
+// KSSLCertificate does not appear to understand the CRL format
+// Debug and reactivate this code
+#if 0
+ TQByteArray certificateContents;
+ if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL) == 0) {
+ certExpiry = LDAPManager::getCertificateExpiration(certificateContents);
+ if (certExpiry >= now) {
+ m_base->crlExpiryString->setText("Expires " + certExpiry.toString());
+ if (certExpiry >= soon) {
+ m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE);
+ }
+ else {
+ m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE);
+ }
+ }
+ else {
+ m_base->crlExpiryString->setText("Expired " + certExpiry.toString());
+ m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED);
+ }
+ }
+ else {
+ m_base->crlExpiryString->setText("File not found");
+ m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
+ }
+#else
+ m_base->crlExpiryString->setText("Unknown");
+#endif
+
+ delete ldap_mgr;
}
void LDAPController::btncaSetMaster() {
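Review bot: The LDAPManager constructed at the top of updateCertDisplay (in the previous hunk) is only used inside the `#if 0` block, so every display refresh now builds a manager against `ldapi://` with empty credentials just to delete it at the end of the function; the construction should move into the `#if 0` block alongside its only use, or be dropped until the FIXME is resolved. `credentials` is allocated with `new` and never deleted in this function; unless LDAPManager takes ownership of it (its contract is not visible here), it leaks on each refresh, and the same pattern appears in btncrlRegenerate below. The `"Unknown"` text is shown with no colour change, so the CRL row reads as healthy next to the coloured certificate rows; a comment on the `#else` branch such as `// CRL status cannot be parsed yet, see FIXME above; shown neutrally` would at least explain why. updateCertDisplay begins outside this hunk.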
@@ -712,6 +756,26 @@ void LDAPController::btnldapExportCert() {
}
}
+void LDAPController::btncrlRegenerate() {
+ TQString errstr;
+
+ // Bind to realm
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
+ if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errstr) != 0) {
+ KMessageBox::error(this, i18n("<qt><b>Unable to regenerate CRL</b><p>Details: %1</qt>").arg(errstr), i18n("Unable to Regenerate CRL"));
+ }
+
+ delete ldap_mgr;
+
+ load();
+}
+
void LDAPController::slotCertCopyResult(TDEIO::Job* job) {
if (job->error()) {
job->showErrorDialog(this);
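Review bot: btncrlRegenerate ends by calling `load()`, which (per the load() hunks above) re-reads the whole "Certificates" group from m_systemconfig and resets m_certconfig and every expiry input, so any unsaved edits in the module are discarded when the user clicks Regenerate, and the regeneration itself used whatever `m_certconfig.caCrlExpiryDays` held at that moment rather than the value shown in the input. If the intent is only to refresh the CRL status row, calling `updateCertDisplay()` instead would avoid that side effect. As in updateCertDisplay, `credentials` is `new`ed and not deleted here; if LDAPManager does not take ownership it leaks on every click. A short comment such as `// Regenerates the CRL via ldapi:// using the saved CRL expiry; does not touch unsaved module settings` would document the intended contract once the load() call is settled.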
@@ -927,6 +991,12 @@ void LDAPController::caCertExpiryChanged() {
emit(changed());
}
+void LDAPController::caCrlExpiryChanged() {
+ m_certconfig.caCrlExpiryDays = m_base->advancedCaCrlExpiry->value();
+
+ emit(changed());
+}
+
void LDAPController::kerberosCertExpiryChanged() {
m_certconfig.kerberosExpiryDays = m_base->advancedKerberosCertExpiry->value();
@@ -954,6 +1024,7 @@ void LDAPController::save() {
// Write cert config
m_systemconfig->setGroup("Certificates");
m_systemconfig->writeEntry("caExpiryDays", m_certconfig.caExpiryDays);
+ m_systemconfig->writeEntry("caCrlExpiryDays", m_certconfig.caCrlExpiryDays);
m_systemconfig->writeEntry("kerberosExpiryDays", m_certconfig.kerberosExpiryDays);
m_systemconfig->writeEntry("ldapExpiryDays", m_certconfig.ldapExpiryDays);
m_systemconfig->writeEntry("countryName", m_certconfig.countryName);
diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h
index 84bfc7c..9beb7c0 100644
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@@ -78,6 +78,7 @@ class LDAPController: public TDECModule
void btnldapRegenerate();
void btnldapExportKey();
void btnldapExportCert();
+ void btncrlRegenerate();
void slotCertCopyResult(TDEIO::Job*);
void btnChangeLDAPRootPassword();
@@ -91,6 +92,7 @@ class LDAPController: public TDECModule
void modifySelectedMultiMasterReplication();
void caCertExpiryChanged();
+ void caCrlExpiryChanged();
void kerberosCertExpiryChanged();
void ldapCertExpiryChanged();
diff --git a/src/ldapcontrollerconfigbase.ui b/src/ldapcontrollerconfigbase.ui
index 85a4a00..8fa2cde 100644
--- a/src/ldapcontrollerconfigbase.ui
+++ b/src/ldapcontrollerconfigbase.ui
@@ -215,15 +215,36 @@
<cstring>unnamed</cstring>
</property>
<property name="text">
- <cstring>Certificate Authority:</cstring>
+ <cstring>Certificate Revocation List:</cstring>
</property>
</widget>
<widget class="TQLabel" row="2" column="0" colspan="1">
<property name="name">
+ <cstring>crlExpiryString</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="1" column="3" colspan="2" rowspan="2">
+ <property name="name">
+ <cstring>crlRegenerate</cstring>
+ </property>
+ <property name="text">
+ <cstring>Regenerate</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="3" column="0" colspan="1">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <cstring>Certificate Authority:</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="4" column="0" colspan="1">
+ <property name="name">
<cstring>caExpiryString</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="1" column="2" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="3" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>caRegenerate</cstring>
</property>
@@ -231,7 +252,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="1" column="3" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="3" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportKey</cstring>
</property>
@@ -239,7 +260,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="1" column="4" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="3" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportCert</cstring>
</property>
@@ -247,7 +268,7 @@
<cstring>Export Public Certificate</cstring>
</property>
</widget>
- <widget class="TQLabel" row="3" column="0" colspan="1">
+ <widget class="TQLabel" row="5" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@@ -255,12 +276,12 @@
<cstring>Kerberos:</cstring>
</property>
</widget>
- <widget class="TQLabel" row="4" column="0" colspan="1">
+ <widget class="TQLabel" row="6" column="0" colspan="1">
<property name="name">
<cstring>krbExpiryString</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="3" column="2" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="5" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>krbRegenerate</cstring>
</property>
@@ -268,7 +289,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="3" column="3" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="5" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportKey</cstring>
</property>
@@ -276,7 +297,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="3" column="4" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="5" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportCert</cstring>
</property>
@@ -284,7 +305,7 @@
<cstring>Export Public Certificate</cstring>
</property>
</widget>
- <widget class="TQLabel" row="5" column="0" colspan="1">
+ <widget class="TQLabel" row="7" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@@ -292,12 +313,12 @@
<cstring>LDAP TLS:</cstring>
</property>
</widget>
- <widget class="TQLabel" row="6" column="0" colspan="1">
+ <widget class="TQLabel" row="8" column="0" colspan="1">
<property name="name">
<cstring>ldapExpiryString</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="5" column="2" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="7" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapRegenerate</cstring>
</property>
@@ -305,7 +326,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="5" column="3" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="7" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapExportKey</cstring>
</property>
@@ -313,7 +334,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="5" column="4" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="7" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapExportCert</cstring>
</property>
@@ -468,12 +489,12 @@
<cstring>unnamed</cstring>
</property>
<property name="text">
- <string>Certificate Authority:</string>
+ <string>Certificate Revocation List:</string>
</property>
</widget>
<widget class="KIntNumInput" row="0" column="1" >
<property name="name">
- <cstring>advancedCaCertExpiry</cstring>
+ <cstring>advancedCaCrlExpiry</cstring>
</property>
<property name="minValue">
<number>1</number>
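Review bot: Only the name and label of this KIntNumInput change, so `advancedCaCrlExpiry` keeps the range of the former CA-certificate input; the sibling inputs in the later hunk allow up to 7200 days, and this one presumably does too. A CRL's validity period bounds how long a revoked certificate keeps being accepted by relying parties that cache the CRL, so a much smaller `maxValue` for this input (days, not years) would be appropriate, and the default `KERBEROS_PKI_CRL_EXPIRY_DAYS` read in load() should fall inside it. A tooltip or label suffix stating that this is the CRL validity in days would also help distinguish it from the CA certificate row directly below.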
@@ -495,12 +516,12 @@
<cstring>unnamed</cstring>
</property>
<property name="text">
- <string>Kerberos:</string>
+ <string>Certificate Authority:</string>
</property>
</widget>
<widget class="KIntNumInput" row="1" column="1" >
<property name="name">
- <cstring>advancedKerberosCertExpiry</cstring>
+ <cstring>advancedCaCertExpiry</cstring>
</property>
<property name="minValue">
<number>1</number>
@@ -522,11 +543,38 @@
<cstring>unnamed</cstring>
</property>
<property name="text">
- <string>LDAP TLS:</string>
+ <string>Kerberos:</string>
</property>
</widget>
<widget class="KIntNumInput" row="2" column="1" >
<property name="name">
+ <cstring>advancedKerberosCertExpiry</cstring>
+ </property>
+ <property name="minValue">
+ <number>1</number>
+ </property>
+ <property name="maxValue">
+ <number>7200</number>
+ </property>
+ <property name="sizePolicy">
+ <sizepolicy>
+ <hsizetype>0</hsizetype>
+ <vsizetype>0</vsizetype>
+ <horstretch>0</horstretch>
+ <verstretch>0</verstretch>
+ </sizepolicy>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="3" column="0">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <string>LDAP TLS:</string>
+ </property>
+ </widget>
+ <widget class="KIntNumInput" row="3" column="1" >
+ <property name="name">
<cstring>advancedLdapCertExpiry</cstring>
</property>
<property name="minValue">