authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-08-31 23:18:14 +0000
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-08-31 23:39:08 +0000
commitbc95fa92b04a4e372e9e0615def79b6458e5f673 (patch)
tree3ff7318b178b08e19d2b83da7addd560742b4078
parentf0eeda5dc890372b39c1afc09b6b0dd0af5738ea (diff)
downloadlibtdeldap-bc95fa92.tar.gz
libtdeldap-bc95fa92.zip
Properly set CRL URL and fix up a few other glitches
-rw-r--r--src/libtdeldap.cpp34
1 files changed, 20 insertions, 14 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 5be4ce6..66a1397 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -3859,10 +3859,10 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
TQString common_name = TQString::null;
if (realmcfg.kdc != "") {
- common_name = TQString("/CN=%1").arg(common_name);
+ common_name = TQString("/CN=%1").arg(realmcfg.kdc);
}
- subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
+ subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject);
if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
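Review bot: The corrected `subject` on the `subject = TQString("\"/C=%1...` line is still spliced verbatim into a command that `system()` hands to a shell two lines later, and the surrounding double quotes do not neutralise a `"`, `$` or backtick inside countryName, organizationName or the other certinfo fields; a `/` inside a field is likewise read by openssl as the start of a new RDN. Validate those fields against the character set the realm configuration UI permits before building the subject, or launch openssl through an argv-based process API so the subject reaches it as one argument without shell re-parsing. The `system(command) < 0` test on the context line below also only catches a failed spawn, not a non-zero openssl exit, so a rejected subject would go unreported. The identical hunk in generatePublicLDAPCertificate further down has the same issue; generatePublicKerberosCertificate's body begins before and continues after this hunk.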
@@ -3910,10 +3910,10 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
TQString common_name = TQString::null;
if (realmcfg.kdc != "") {
- common_name = TQString("/CN=%1").arg(common_name);
+ common_name = TQString("/CN=%1").arg(realmcfg.kdc);
}
- subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
+ subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject);
if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
@@ -4201,6 +4201,12 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
}
int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) {
+ TQString crl_url = realmcfg.certificate_revocation_list_url;
+ if (crl_url == "") {
+ // Use a default to preserve certificate validity
+ // crl_url = TQString("http://%1/%2.crl").arg(realmcfg.name).arg(realmcfg.kdc);
+ }
+
TQDir tde_cert_dir(TDE_CERTIFICATE_DIR);
if (!tde_cert_dir.exists()) {
TQString command = TQString("mkdir -p %1").arg(TDE_CERTIFICATE_DIR);
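Review bot: With the default assignment left commented out, an empty `certificate_revocation_list_url` leaves `crl_url` empty, and every `crlDistributionPoints = URI:%1` line emitted later in this function (the hunks starting at `[usr_cert]`, `[pkinit_client_cert]`, `[https_cert]` and `[proxy10_cert]`) then writes `crlDistributionPoints = URI:` with no URI at all, which is not a usable distribution point and will most likely make openssl reject the generated configuration. Build the line once here, `TQString crl_line = (crl_url == "") ? TQString("") : TQString("crlDistributionPoints = URI:%1\n").arg(crl_url);`, and replace each later emit with `stream << crl_line;` so the extension is simply omitted when no URL is configured; alternatively report the missing URL through `errstr` and bail out, whichever the callers expect. The value is also written verbatim into the config file, so a configured URL containing a line break would start new directives — reject such values before this point. The comment `// Use a default to preserve certificate validity` describes code that is disabled and should say that no default is currently applied; the function runs past the end of this hunk.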
@@ -4299,7 +4305,7 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
stream << "string_mask = utf8only" << "\n";
stream << "\n";
stream << "[v3_ca]" << "\n";
- stream << "subjectKeyIdentifier=hash" << "\n";
+ stream << "subjectKeyIdentifier = hash" << "\n";
stream << "authorityKeyIdentifier=keyid:always,issuer:always" << "\n";
stream << "basicConstraints = CA:true" << "\n";
stream << "keyUsage = critical, cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature" << "\n";
@@ -4307,19 +4313,19 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
stream << "[usr_cert]" << "\n";
stream << "basicConstraints=CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[usr_cert_ke]" << "\n";
stream << "basicConstraints=CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[proxy_cert]" << "\n";
stream << "basicConstraints=CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo" << "\n";
stream << "\n";
@@ -4337,7 +4343,7 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
stream << "[pkinit_client_cert]" << "\n";
stream << "basicConstraints=CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "authorityKeyIdentifier=keyid,issuer" << "\n";
stream << "issuerAltName=issuer:copy" << "\n";
@@ -4346,14 +4352,14 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
stream << "[https_cert]" << "\n";
stream << "basicConstraints=CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
// stream << "extendedKeyUsage = https-server XXX" << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[pkinit_kdc_cert]" << "\n";
stream << "basicConstraints=CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "authorityKeyIdentifier=keyid,issuer" << "\n";
@@ -4375,20 +4381,20 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
stream << "[proxy10_cert]" << "\n";
stream << "basicConstraints=CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo" << "\n";
stream << "\n";
stream << "[usr_cert_ds]" << "\n";
stream << "basicConstraints=CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[ocsp_cert]" << "\n";
stream << "basicConstraints=CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
- stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+ stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
// stream << "ocsp-nocheck and kp-OCSPSigning" << "\n";
stream << "extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9" << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";