From 18c4c3789722d6ebbf8b0bb8ce86a508d2aea2c5 Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Mon, 31 Aug 2015 23:11:58 +0000 Subject: Use tdeldap library PKI certificate generation methods --- cert-updater/main.cpp | 6 ++-- confskel/Makefile.am | 3 -- confskel/openssl/pki_extensions | 61 ----------------------------------------- src/ldapcontroller.cpp | 8 +++--- 4 files changed, 7 insertions(+), 71 deletions(-) delete mode 100644 confskel/openssl/pki_extensions diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp index e4042fb..0dc3a27 100644 --- a/cert-updater/main.cpp +++ b/cert-updater/main.cpp @@ -1,5 +1,5 @@ /*************************************************************************** - * Copyright (C) 2012 by Timothy Pearson * + * Copyright (C) 2012 - 2015 by Timothy Pearson * * kb9vqf@pearsoncomputing.net * * * * This program is free software; you can redistribute it and/or modify * @@ -73,7 +73,7 @@ int main(int argc, char *argv[]) { TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"), version, description, TDEAboutData::License_GPL, - "(c) 2012-2013, Timothy Pearson"); + "(c) 2012-2015, Timothy Pearson"); aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net"); TDECmdLineArgs::init( argc, argv, &aboutData ); TDECmdLineArgs::addCmdLineOptions(options); @@ -160,7 +160,7 @@ int main(int argc, char *argv[]) } if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) { printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout); - LDAPManager::generatePublicKerberosCACertificate(m_certconfig); + LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]); TQString realmname = m_defaultRealm.upper(); LDAPCredentials* credentials = new LDAPCredentials; diff --git a/confskel/Makefile.am b/confskel/Makefile.am index 42f25a9..2f5fe92 100644 --- a/confskel/Makefile.am +++ b/confskel/Makefile.am 
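Review bot: The new call in the force_update branch of main() indexes `m_realmconfig[m_defaultRealm]` without checking that the realm is present; if m_realmconfig is a TQMap, operator[] default-inserts an empty LDAPRealmConfig, so a missing or misspelled default realm would regenerate the Kerberos CA certificate from blank realm data instead of failing. Guard the lookup first, e.g. `if (!m_realmconfig.contains(m_defaultRealm)) { printf("Unknown realm %s\n", m_defaultRealm.ascii()); return 1; }`, and consider checking whether generatePublicKerberosCACertificate reports failure, since its result is discarded on the new line. The same unchecked indexing appears in the btncaSetMaster, btncaRegenerate and createRealmCertificates hunks of src/ldapcontroller.cpp. main() continues outside the hunk.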
@@ -14,6 +14,3 @@ ldapldifskel_DATA = openldap/ldif/* saslskeldir = $(confskeldir)/sasl saslskel_DATA = sasl/* - -sslskeldir = $(confskeldir)/openssl -sslskel_DATA = openssl/* \ No newline at end of file diff --git a/confskel/openssl/pki_extensions b/confskel/openssl/pki_extensions deleted file mode 100644 index d841890..0000000 --- a/confskel/openssl/pki_extensions +++ /dev/null @@ -1,61 +0,0 @@ -[ kdc_cert ] -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement - -#Pkinit EKU -extendedKeyUsage = 1.3.6.1.5.2.3.5 - -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# Copy subject details - -issuerAltName=issuer:copy - -# Add id-pkinit-san (pkinit subjectAlternativeName) -subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name - -[kdc_princ_name] -realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@ -principal_name = EXP:1, SEQUENCE:kdc_principal_seq - -[kdc_principal_seq] -name_type = EXP:0, INTEGER:1 -name_string = EXP:1, SEQUENCE:kdc_principals - -[kdc_principals] -princ1 = GeneralString:krbtgt -princ2 = GeneralString:@@@REALM_UCNAME@@@ - -[ client_cert ] - -# These extensions are added when 'ca' signs a request. - -basicConstraints=CA:FALSE - -keyUsage = digitalSignature, keyEncipherment, keyAgreement - -extendedKeyUsage = 1.3.6.1.5.2.3.4 -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - - -subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name - - -# Copy subject details - -issuerAltName=issuer:copy - -[princ_name] -realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@ -principal_name = EXP:1, SEQUENCE:principal_seq - -[principal_seq] -name_type = EXP:0, INTEGER:1 -name_string = EXP:1, SEQUENCE:principals - -[principals] -princ1 = GeneralString:@@@KDCSERVER@@@ diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index d88bd34..705ba2b 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp 
@@ -590,7 +590,7 @@ void LDAPController::btncaSetMaster() { return; } - LDAPManager::generatePublicKerberosCACertificate(m_certconfig); + LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]); // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) { @@ -604,7 +604,7 @@ void LDAPController::btncaSetMaster() { } void LDAPController::btncaRegenerate() { - LDAPManager::generatePublicKerberosCACertificate(m_certconfig); + LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]); TQString realmname = m_defaultRealm.upper(); LDAPCredentials* credentials = new LDAPCredentials; @@ -1591,7 +1591,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0); - LDAPManager::generatePublicKerberosCACertificate(certinfo); + LDAPManager::generatePublicKerberosCACertificate(certinfo, m_realmconfig[m_defaultRealm]); // KDC certificate TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; @@ -1807,7 +1807,7 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword); // OpenSSL - replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword); + LDAPManager::writeOpenSSLConfigurationFile(realmconfig); // FIXME // This assumes Debian! -- cgit v1.2.3
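Review bot: In the createRealmCertificates hunk the new call pairs the member lookup `m_realmconfig[m_defaultRealm]` with the function's own `certinfo` parameter, even though the function also receives a realm-config argument (its name is cut off in the hunk header); if createRealmCertificates is ever invoked for a realm other than the current default — createNewLDAPRealm, which takes its own `LDAPRealmConfig realmconfig`, may be such a caller — the CA certificate would be generated with another realm's data. Pass the function's realm-config parameter as the second argument instead, so both arguments describe the same realm. In the createNewLDAPRealm hunk the result of `LDAPManager::writeOpenSSLConfigurationFile(realmconfig);` is dropped; if that function reports failure, realm creation should stop there rather than continue to certificate generation against a missing or stale OPENSSL_EXTENSIONS_FILE. A short comment on that line noting that the KDC/client extension profile (PKINIT EKUs and id-pkinit-san) formerly in confskel/openssl/pki_extensions now comes from tdeldap would help the next reader. All four enclosing functions extend outside their hunks.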