From d21c8923134c61fc9312767cedd76f67898a33e8 Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Thu, 3 Sep 2015 05:03:36 +0000 Subject: Add CRL support --- cert-updater/main.cpp | 12 +++++ confskel/openldap/ldif/olcDatabase.ldif | 2 +- confskel/openldap/ldif/tde-core.ldif | 7 ++- src/ldapcontroller.cpp | 71 +++++++++++++++++++++++++++ src/ldapcontroller.h | 2 + src/ldapcontrollerconfigbase.ui | 86 +++++++++++++++++++++++++-------- 6 files changed, 158 insertions(+), 22 deletions(-) diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp index 0dc3a27..3466eaf 100644 --- a/cert-updater/main.cpp +++ b/cert-updater/main.cpp @@ -90,6 +90,8 @@ int main(int argc, char *argv[]) force_update = true; } + bool ca_modified = false; + //====================================================================================================================================================== // // Updater code follows @@ -174,6 +176,13 @@ int main(int argc, char *argv[]) if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) { printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout); } + + // CRL + if (ldap_mgr->generatePKICRL(m_certconfig.caExpiryDays, m_realmconfig[m_defaultRealm], &errorstring) != 0) { + printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout); + } + + ca_modified = true; delete ldap_mgr; } @@ -261,6 +270,9 @@ int main(int argc, char *argv[]) } } + if (ca_modified) + force_update = true; + // Kerberos if (TQFile::exists(kdc_certfile)) { certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile); diff --git a/confskel/openldap/ldif/olcDatabase.ldif b/confskel/openldap/ldif/olcDatabase.ldif index 12ee550..29b107d 100644 --- a/confskel/openldap/ldif/olcDatabase.ldif +++ b/confskel/openldap/ldif/olcDatabase.ldif 
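Review bot: generatePKICRL is called here with three arguments (`m_certconfig.caExpiryDays`, the realm config, `&errorstring`) while btncrlRegenerate in src/ldapcontroller.cpp (hunk @@ -712) calls it with five, adding KERBEROS_PKI_PEMKEY_FILE and KERBEROS_PKI_CRLDB_FILE; unless LDAPManager provides both overloads, one of the two call sites will not compile. The first argument here is also the CA certificate lifetime rather than the CRL lifetime the controller reads as `caCrlExpiryDays`, so a CRL issued by the updater would carry the CA's validity period, and clients that cache a CRL until its nextUpdate would not pick up later revocations; if the updater's config struct has the field, `if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], &errorstring) != 0) {` is the intended call. As far as these hunks show, the CRL is only produced when the CA certificate itself is regenerated, so nothing renews it on its own expiry schedule. main's body extends beyond the hunk.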
@@ -4,7 +4,7 @@ objectClass: olcHdbConfig olcDatabase: {@@@LDIFSCHEMANUMBER@@@}hdb olcDbDirectory: /var/lib/ldap olcSuffix: @@@REALM_DCNAME@@@ -olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,privateRootCertificateKey +olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,privateRootCertificateKey,pkiCertificate by group/groupOfNames/member.exact="cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@" write by dn.base="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@" by sockurl.regex="^ldapi:///$" write diff --git a/confskel/openldap/ldif/tde-core.ldif b/confskel/openldap/ldif/tde-core.ldif index 8a72c00..d2647c6 100644 --- a/confskel/openldap/ldif/tde-core.ldif +++ b/confskel/openldap/ldif/tde-core.ldif 
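Review bot: Adding `pkiCertificate` to the write-restricted attribute set is the right call, since the tde-core.ldif schema in this patch describes the attribute as carrying both the user's certificate and its status, and a user able to rewrite that value could clear their own revocation state. The new `publicRootCertificateRevocationList` attribute from the same patch is not added to this list, so whatever the remaining rules of this database grant (the rest of the olcAccess set lies outside the hunk) decides who can replace the CRL; it should be writable only by the same admin and ldapi identities, because a substituted CRL silently un-revokes certificates. A comment on the `{0}` rule would make the reason durable, e.g. `# pkiCertificate also encodes revocation status; keep it admin-writable only`.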
@@ -26,10 +26,13 @@ olcAttributeTypes: {17} ( 1.3.6.1.4.1.40364.1.1.18 NAME 'builtinMachineAdminGrou olcAttributeTypes: {18} ( 1.3.6.1.4.1.40364.1.1.19 NAME 'builtinStandardUserGroup' DESC 'Built-in standard user group distinguished name' SUP name ) # Used for storing certificate management settings olcAttributeTypes: {19} ( 1.3.6.1.4.1.40364.1.1.20 NAME 'publicRootCertificateOriginServer' DESC 'Certificate authority root certificate origin server' SUP name ) +# Used for storing PKI user certificates and certificate status +olcAttributeTypes: {20} ( 1.3.6.1.4.1.40364.1.1.21 NAME 'pkiCertificate' DESC 'User PKI certificate and status encoded with text mode TQDataStream TQPair' SUP name ) +olcAttributeTypes: {21} ( 1.3.6.1.4.1.40364.1.1.22 NAME 'publicRootCertificateRevocationList' DESC 'Certificate authority root certificate revocation list' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE ) olcObjectClasses: {0} ( 1.3.6.1.4.1.40364.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) ) -olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount ) -olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateOriginServer ) ) +olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ pkiCertificate ) ) +olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateRevocationList $ publicRootCertificateOriginServer ) ) olcObjectClasses: {3} ( 1.3.6.1.4.1.40364.1.2.4 NAME 'tdeBuiltinStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount 
$ builtinRealmAdminAccount $ builtinRealmAdminGroup $ builtinMachineAdminGroup $ builtinStandardUserGroup ) ) structuralObjectClass: olcSchemaConfig creatorsName: cn=config diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index 092fe71..ceb4c52 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -130,6 +130,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin connect(m_base->ldapExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportKey())); connect(m_base->ldapExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportCert())); + connect(m_base->crlRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncrlRegenerate())); + connect(m_base->btnChangeLDAPRootPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeLDAPRootPassword())); connect(m_base->btnChangeRealmAdminPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeRealmAdminPassword())); @@ -145,6 +147,7 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin connect(m_base->multiMasterReplicationMappings, TQT_SIGNAL(executed(TQListViewItem*)), this, TQT_SLOT(modifySelectedMultiMasterReplication())); connect(m_base->advancedCaCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCertExpiryChanged())); + connect(m_base->advancedCaCrlExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCrlCertExpiryChanged())); connect(m_base->advancedKerberosCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(kerberosCertExpiryChanged())); connect(m_base->advancedLdapCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(ldapCertExpiryChanged())); 
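Review bot: `pkiCertificate` is declared `SUP name`, so it inherits the DirectoryString syntax and caseIgnoreMatch equality of `name`; for a serialized certificate-plus-status value that means comparisons are case-folded and whitespace-insensitive, so two encodings differing only in case are rejected as duplicate values and an equality filter can match the wrong one. An explicit opaque syntax, as the sibling `publicRootCertificateRevocationList` line already does with `SYNTAX 1.3.6.1.4.1.1466.115.121.1.5` (or Octet String `1.3.6.1.4.1.1466.115.121.1.40`, matched with octetStringMatch), avoids that. If generic PKI clients are ever expected to fetch the CRL, RFC 4523 already defines `certificateRevocationList` (2.5.4.39, Certificate List syntax `1.3.6.1.4.1.1466.115.121.1.9`) and the `pkiCA` object class, which is what LDAP CRL fetchers look for by default.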
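Review bot: The connect for `advancedCaCrlExpiry` names the slot `caCrlCertExpiryChanged()`, but the slot this patch declares in ldapcontroller.h and defines in hunk @@ -927 is `caCrlExpiryChanged()`; with a non-existent slot the connection fails at runtime (TQt only warns), so edits to the CRL expiry spin box never reach `m_certconfig.caCrlExpiryDays` and save() writes back whatever load() read. Change the line to `connect(m_base->advancedCaCrlExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCrlExpiryChanged()));`. The constructor body continues outside the hunk.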
@@ -384,6 +387,7 @@ void LDAPController::load() { // Load cert config m_systemconfig->setGroup("Certificates"); m_certconfig.caExpiryDays = m_systemconfig->readNumEntry("caExpiryDays", KERBEROS_PKI_PEMKEY_EXPIRY_DAYS); + m_certconfig.caCrlExpiryDays = m_systemconfig->readNumEntry("caCrlExpiryDays", KERBEROS_PKI_CRL_EXPIRY_DAYS); m_certconfig.kerberosExpiryDays = m_systemconfig->readNumEntry("kerberosExpiryDays", KERBEROS_PKI_KRB_EXPIRY_DAYS); m_certconfig.ldapExpiryDays = m_systemconfig->readNumEntry("ldapExpiryDays", KERBEROS_PKI_LDAP_EXPIRY_DAYS); m_certconfig.countryName = m_systemconfig->readEntry("countryName"); @@ -470,6 +474,7 @@ void LDAPController::load() { } m_base->advancedCaCertExpiry->setValue(m_certconfig.caExpiryDays); + m_base->advancedCaCrlExpiry->setValue(m_certconfig.caCrlExpiryDays); m_base->advancedKerberosCertExpiry->setValue(m_certconfig.kerberosExpiryDays); m_base->advancedLdapCertExpiry->setValue(m_certconfig.ldapExpiryDays); @@ -505,6 +510,13 @@ void LDAPController::updateCertDisplay() { TQString ldap_certfile = LDAP_CERT_FILE; ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].name.lower()); + TQString realmname = m_defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); + // Certificate Authority if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) { certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE); 
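Review bot: The `LDAPManager` built at the top of updateCertDisplay is, as far as this patch shows, only consumed inside the `#if 0` block of hunk @@ -570, so the live build constructs a realm binding (plus an `LDAPCredentials` allocated with new that nothing visible frees) and then deletes it unused at the end of the function. Moving the construction into the `#if 0` block, or deferring it until the CRL display is re-enabled, removes the dead allocation and the risk that any early return between this point and `delete ldap_mgr` leaks the manager; whether LDAPManager takes ownership of the credentials object is not visible here and decides whether `credentials` also needs a delete. updateCertDisplay continues outside the hunk.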
@@ -570,6 +582,38 @@ void LDAPController::updateCertDisplay() { m_base->ldapExpiryString->setText("File not found"); m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); } + + // Certificate Revocation List +// FIXME +// KSSLCertificate does not appear to understand the CRL format +// Debug and reactivate this code +#if 0 + TQByteArray certificateContents; + if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL) == 0) { + certExpiry = LDAPManager::getCertificateExpiration(certificateContents); + if (certExpiry >= now) { + m_base->crlExpiryString->setText("Expires " + certExpiry.toString()); + if (certExpiry >= soon) { + m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE); + } + else { + m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE); + } + } + else { + m_base->crlExpiryString->setText("Expired " + certExpiry.toString()); + m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED); + } + } + else { + m_base->crlExpiryString->setText("File not found"); + m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); + } +#else + m_base->crlExpiryString->setText("Unknown"); +#endif + + delete ldap_mgr; } void LDAPController::btncaSetMaster() { @@ -712,6 +756,26 @@ void LDAPController::btnldapExportCert() { } } +void LDAPController::btncrlRegenerate() { + TQString errstr; + + // Bind to realm + TQString realmname = m_defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); + + if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errstr) != 0) { + KMessageBox::error(this, i18n("Unable to regenerate CRL
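Review bot: With the CRL check compiled out, the status label always reads `Unknown`, so an expired or stale CRL is invisible to the administrator, which is the one operational signal the new feature needs. The disabled code also reuses getCertificateExpiration on the CRL bytes; a CRL carries thisUpdate/nextUpdate rather than a certificate's notAfter, so the FIXME should record what is actually missing, e.g. `// FIXME: KSSLCertificate parses certificates, not CRLs; show the CRL's nextUpdate once a CRL parser is available`. The `File not found` text in the else branch describes an LDAP attribute lookup and would be clearer as `"Not present in LDAP"`. The `FIXME` comment lines are also unindented relative to the surrounding code.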

Details: %1").arg(errstr), i18n("Unable to Regenerate CRL")); + } + + delete ldap_mgr; + + load(); +} + void LDAPController::slotCertCopyResult(TDEIO::Job* job) { if (job->error()) { job->showErrorDialog(this); @@ -927,6 +991,12 @@ void LDAPController::caCertExpiryChanged() { emit(changed()); } +void LDAPController::caCrlExpiryChanged() { + m_certconfig.caCrlExpiryDays = m_base->advancedCaCrlExpiry->value(); + + emit(changed()); +} + void LDAPController::kerberosCertExpiryChanged() { m_certconfig.kerberosExpiryDays = m_base->advancedKerberosCertExpiry->value(); @@ -954,6 +1024,7 @@ void LDAPController::save() { // Write cert config m_systemconfig->setGroup("Certificates"); m_systemconfig->writeEntry("caExpiryDays", m_certconfig.caExpiryDays); + m_systemconfig->writeEntry("caCrlExpiryDays", m_certconfig.caCrlExpiryDays); m_systemconfig->writeEntry("kerberosExpiryDays", m_certconfig.kerberosExpiryDays); m_systemconfig->writeEntry("ldapExpiryDays", m_certconfig.ldapExpiryDays); m_systemconfig->writeEntry("countryName", m_certconfig.countryName); diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h index 84bfc7c..9beb7c0 100644 --- a/src/ldapcontroller.h +++ b/src/ldapcontroller.h @@ -78,6 +78,7 @@ class LDAPController: public TDECModule void btnldapRegenerate(); void btnldapExportKey(); void btnldapExportCert(); + void btncrlRegenerate(); void slotCertCopyResult(TDEIO::Job*); void btnChangeLDAPRootPassword(); @@ -91,6 +92,7 @@ class LDAPController: public TDECModule void modifySelectedMultiMasterReplication(); void caCertExpiryChanged(); + void caCrlExpiryChanged(); void kerberosCertExpiryChanged(); void ldapCertExpiryChanged(); diff --git a/src/ldapcontrollerconfigbase.ui b/src/ldapcontrollerconfigbase.ui index 85a4a00..8fa2cde 100644 --- a/src/ldapcontrollerconfigbase.ui +++ b/src/ldapcontrollerconfigbase.ui 
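Review bot: btncrlRegenerate allocates `credentials` with new and frees only `ldap_mgr`; unless LDAPManager takes ownership of the LDAPCredentials pointer it is given (not visible here), the object leaks on every click. The same bind-to-realm block is repeated in updateCertDisplay (hunk @@ -505), so a private helper that returns the manager and documents who owns the credentials would keep that rule in one place. The write succeeds with empty username and password only because the olcDatabase.ldif rule in this patch grants write to `sockurl.regex="^ldapi:///$"`, which is worth stating in a header comment, e.g. `// Regenerate the realm CRL over the local ldapi:// socket (authorised by the sockurl ACL), signed with the CA key, then reload the view.` The function is complete within the hunk.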
@@ -215,15 +215,36 @@ unnamed - Certificate Authority: + Certificate Revocation List: + + crlExpiryString + + + + + crlRegenerate + + + Regenerate + + + + + unnamed + + + Certificate Authority: + + + caExpiryString - + caRegenerate @@ -231,7 +252,7 @@ Regenerate Certificate - + caExportKey @@ -239,7 +260,7 @@ Export Private Key - + caExportCert @@ -247,7 +268,7 @@ Export Public Certificate - + unnamed @@ -255,12 +276,12 @@ Kerberos: - + krbExpiryString - + krbRegenerate @@ -268,7 +289,7 @@ Regenerate Certificate - + krbExportKey @@ -276,7 +297,7 @@ Export Private Key - + krbExportCert @@ -284,7 +305,7 @@ Export Public Certificate - + unnamed @@ -292,12 +313,12 @@ LDAP TLS: - + ldapExpiryString - + ldapRegenerate @@ -305,7 +326,7 @@ Regenerate Certificate - + ldapExportKey @@ -313,7 +334,7 @@ Export Private Key - + ldapExportCert @@ -468,12 +489,12 @@ unnamed - Certificate Authority: + Certificate Revocation List: - advancedCaCertExpiry + advancedCaCrlExpiry 1 @@ -495,12 +516,12 @@ unnamed - Kerberos: + Certificate Authority: - advancedKerberosCertExpiry + advancedCaCertExpiry 1 @@ -522,10 +543,37 @@ unnamed - LDAP TLS: + Kerberos: + + advancedKerberosCertExpiry + + + 1 + + + 7200 + + + + 0 + 0 + 0 + 0 + + + + + + unnamed + + + LDAP TLS: + + + advancedLdapCertExpiry -- cgit v1.2.3