From 2a0b3a4f1d16ad0afa36cf62ddce4f8eb44f287c Mon Sep 17 00:00:00 2001
From: Timothy Pearson <kb9vqf@pearsoncomputing.net>
Date: Mon, 1 Jul 2013 19:05:32 +0000
Subject: Add initial support for realm-wide certificate authority certificates

---
 cert-updater/main.cpp | 170 ++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 145 insertions(+), 25 deletions(-)

(limited to 'cert-updater')

diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index adb21dd..e4acaa5 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -44,6 +44,18 @@ static const char description[] =
 
 static const char version[] = "v0.0.1";
 
+static const TDECmdLineOptions options[] =
+{
+	{ "force", I18N_NOOP("Force certificate update"), 0 },
+	TDECmdLineLastOption // End of options.
+};
+
+void chown_safe(const char * file, uid_t user, gid_t group) {
+	if (chown(file, user, group) < 0) {
+		printf("[ERROR] Chown call to '%s' for %d:%d failed!\n\r", file, user, group);
+	}
+}
+
 int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
 	// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
 	TQFile cafile(KERBEROS_PKI_PEM_FILE);
@@ -61,15 +73,23 @@ int main(int argc, char *argv[])
 {
 	TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"),
 		version, description, TDEAboutData::License_GPL,
-		"(c) 2012, Timothy Pearson");
+		"(c) 2012-2013, Timothy Pearson");
 		aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
 	TDECmdLineArgs::init( argc, argv, &aboutData );
+	TDECmdLineArgs::addCmdLineOptions(options);
 	TDEApplication::disableAutoDcopRegistration();
 
 	TDEApplication app(false, false);
 
 	TDEStartupInfo::appStarted();
 
+	TDECmdLineArgs *args = TDECmdLineArgs::parsedArgs();
+
+	bool force_update = false;
+	if (args->isSet("force")) {
+		force_update = true;
+	}
+
 	//======================================================================================================================================================
 	//
 	// Updater code follows
@@ -107,33 +127,133 @@ int main(int argc, char *argv[])
 	ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
 
 	// Certificate Authority
-	if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
-		certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
-		if (certExpiry >= now) {
-			printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
-		}
-		if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
-			printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
-			LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
-		
-			TQString realmname = m_defaultRealm.upper();
-			LDAPCredentials* credentials = new LDAPCredentials;
-			credentials->username = "";
-			credentials->password = "";
-			credentials->realm = realmname;
-			LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
-		
-			// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
-			TQString errorstring;
-			if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
-				printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+	TQString fqdn = LDAPManager::getMachineFQDN();
+	TQString defaultRealm = m_systemconfig->readEntry("DefaultRealm");
+
+	// Connect to LDAP
+	TQString realmname = defaultRealm.upper();
+	LDAPCredentials* credentials = new LDAPCredentials;
+	credentials->username = "";
+	credentials->password = "";
+	credentials->realm = realmname;
+	LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+	TQString errorstring;
+
+	TQString basedn = ldap_mgr->basedn();
+
+	// Get certificate settings from LDAP
+	TQString realmCAMaster = ldap_mgr->getRealmCAMaster(&errorstring);
+
+	delete ldap_mgr;
+	delete credentials;
+
+	if (realmCAMaster == fqdn) {
+		printf("This server is the realm CA master\n"); fflush(stdout);
+		if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
+			certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
+			if (certExpiry >= now) {
+				printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
+			}
+			if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+				printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+				LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+			
+				TQString realmname = m_defaultRealm.upper();
+				LDAPCredentials* credentials = new LDAPCredentials;
+				credentials->username = "";
+				credentials->password = "";
+				credentials->realm = realmname;
+				LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+			
+				// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+				TQString errorstring;
+				if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+					printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+				}
+	
+				delete ldap_mgr;
 			}
 
-			delete ldap_mgr;
+			// Set permissions
+			chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
+			chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
+			chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+			chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
+		}
+		else {
+			printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
 		}
 	}
 	else {
-		printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+		printf("This server is a realm CA slave\n"); fflush(stdout);
+
+		// Connect to LDAP
+		TQString realmname = defaultRealm.upper();
+		LDAPCredentials* credentials = new LDAPCredentials;
+		credentials->username = "cn=admin," + basedn;
+		m_systemconfig->setGroup("Replication");
+		credentials->password = m_systemconfig->readEntry("Password");
+		m_systemconfig->setGroup(NULL);
+		credentials->realm = realmname;
+		LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials);
+		TQString errorstring;
+
+		if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
+			printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+		}
+		if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
+			printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+		}
+
+		delete ldap_mgr;
+		delete credentials;
+
+		TQByteArray originalPemKeyFile;
+		TQByteArray originalPemFile;
+		TQByteArray newPemKeyFile;
+		TQByteArray newPemFile;
+
+		TQFile* cafile;
+		cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE);
+		if (cafile->open(IO_ReadOnly)) {
+			originalPemKeyFile = cafile->readAll();
+		}
+		delete cafile;
+		cafile = new TQFile(KERBEROS_PKI_PEM_FILE);
+		if (cafile->open(IO_ReadOnly)) {
+			originalPemFile = cafile->readAll();
+		}
+		delete cafile;
+		cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp");
+		if (cafile->open(IO_ReadOnly)) {
+			newPemKeyFile = cafile->readAll();
+		}
+		delete cafile;
+		cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp");
+		if (cafile->open(IO_ReadOnly)) {
+			newPemFile = cafile->readAll();
+		}
+		delete cafile;
+
+		if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) {
+			unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
+			unlink(KERBEROS_PKI_PEM_FILE ".tmp");
+			printf("Certificates have not changed since last update\n");
+		}
+		else {
+			unlink(KERBEROS_PKI_PEMKEY_FILE);
+			unlink(KERBEROS_PKI_PEM_FILE);
+			rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE);
+			rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE);
+			force_update = true;
+			printf("Certificates have changed, forcing certificate regeneration\n");
+		}
+
+		// Set permissions
+		chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
+		chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
+		chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+		chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
 	}
 
 	// Kerberos
@@ -142,7 +262,7 @@ int main(int argc, char *argv[])
 		if (certExpiry >= now) {
 			printf("Certificate %s expires %s\n", kdc_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 		}
-		if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+		if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
 			printf("Regenerating certificate %s...\n", kdc_certfile.ascii()); fflush(stdout);
 			LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
 		}
@@ -157,7 +277,7 @@ int main(int argc, char *argv[])
 		if (certExpiry >= now) {
 			printf("Certificate %s expires %s\n", ldap_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 		}
-		if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+		if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
 			printf("Regenerating certificate %s...\n", ldap_certfile.ascii()); fflush(stdout);
 			uid_t slapd_uid = 0;
 			gid_t slapd_gid = 0;
-- 
cgit v1.2.3