From 07d094fd32bc7b60a205afeb3bcc0c0b9bbb6a84 Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Sat, 19 Sep 2015 00:32:45 -0500
Subject: Extend PKCS certificate generation routines
This breaks the ABI
---
 src/libtdeldap.cpp | 76 +++++++++++++++++++++++++++++++-----------------------
 src/libtdeldap.h | 8 +++---
 2 files changed, 48 insertions(+), 36 deletions(-)
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 15a0996..4d3cdc9 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -4108,24 +4108,26 @@ TQDateTime LDAPManager::getCertificateExpiration(TQByteArray certfileContents) {
 KSSLCertificate* cert = NULL;
 TQCString ssldata(certfileContents);
- ssldata[certfileContents.size()] = 0;
- ssldata.replace("\n", "");
- if (ssldata.contains("-----BEGIN CERTIFICATE-----")) {
- ssldata.replace("-----BEGIN CERTIFICATE-----", "");
- ssldata.replace("-----END CERTIFICATE-----", "");
- cert = KSSLCertificate::fromString(ssldata);
- if (cert) {
- ret = cert->getQDTNotAfter();
- delete cert;
+ if (certfileContents.size() > 0) {
+ ssldata[certfileContents.size()] = 0;
+ ssldata.replace("\n", "");
+ if (ssldata.contains("-----BEGIN CERTIFICATE-----")) {
+ ssldata.replace("-----BEGIN CERTIFICATE-----", "");
+ ssldata.replace("-----END CERTIFICATE-----", "");
+ cert = KSSLCertificate::fromString(ssldata);
+ if (cert) {
+ ret = cert->getQDTNotAfter();
+ delete cert;
+ }
 }
- }
- else if (ssldata.contains("-----BEGIN X509 CRL-----")) {
- ssldata.replace("-----BEGIN X509 CRL-----", "");
- ssldata.replace("-----END X509 CRL-----", "");
- cert = KSSLCertificate::crlFromString(ssldata);
- if (cert) {
- ret = cert->getQDTNextUpdate();
- delete cert;
+ else if (ssldata.contains("-----BEGIN X509 CRL-----")) {
+ ssldata.replace("-----BEGIN X509 CRL-----", "");
+ ssldata.replace("-----END X509 CRL-----", "");
+ cert = KSSLCertificate::crlFromString(ssldata);
+ if (cert) {
+ ret = cert->getQDTNextUpdate();
+ delete cert;
+ }
 }
 }
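Review bot: The new `certfileContents.size() > 0` guard does not remove the out-of-bounds store on the line below it: `ssldata[certfileContents.size()] = 0;` still writes at index size(), one past the last byte of a buffer that `TQCString ssldata(certfileContents)` appears to share with the caller's TQByteArray rather than copy, so the write is only safe if every caller happened to allocate a spare byte. Since the input is the contents of a certificate or CRL file, the terminator should come from a bounded copy rather than a raw index store: `TQCString ssldata(certfileContents.data(), certfileContents.size() + 1);` and drop the `ssldata[certfileContents.size()] = 0;` line, keeping the size() guard as the early-out for empty input. The declaration of `ret` and the function's return are outside the hunk.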
@@ -4275,28 +4277,27 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
 return 0;
 }
-int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) {
+int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, int clientKeyBitLength, TQString autoLoginPIN, TQString *errstr) {
 int ret;
- ret = generateClientCertificatePrivateKey(privateKeyFile, errstr);
+ ret = generateClientCertificatePrivateKey(privateKeyFile, clientKeyBitLength, errstr);
 if (ret == 0) {
- ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, errstr);
+ ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, autoLoginPIN, errstr);
 }
 return ret;
 }
-int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr) {
+int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, int clientKeyBitLength, TQString *errstr) {
 TQString command;
 TQString subject;
 TQString client_keyfile = privateKeyFile;
 TQString client_reqfile = privateKeyFile + ".req";
 TQString client_cfgfile = privateKeyFile + ".cfg";
- unsigned int client_key_bit_length = 2048;
 // Create private key
- command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(client_key_bit_length);
+ command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(clientKeyBitLength);
 if (system(command) < 0) {
 if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
 return -1;
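Review bot: `clientKeyBitLength` goes straight from the caller into the `openssl genrsa -out %1 %2` command with no lower bound, whereas the code it replaces pinned the size at 2048; a caller passing 0, a negative value or something like 512 now yields a weak client key or a failed run, and the `system(command) < 0` test on the next line only catches a failure to spawn the shell, not a non-zero openssl exit status. Suggest rejecting short sizes before building the command, e.g. `if (clientKeyBitLength < 2048) { if (errstr) *errstr = TQString("Client key length %1 is too short").arg(clientKeyBitLength); return -1; }`, and testing the child's exit status with `WEXITSTATUS` rather than only the sign of the return. The `%s` in the existing error message is never substituted by `TQString::arg`, so the failing command is lost from the message; that predates this change. Both functions continue beyond the hunk.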
@@ -4323,7 +4324,7 @@ int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, TQ
 return 0;
 }
-int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) {
+int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString autoLoginPIN, TQString *errstr) {
 TQString command;
 TQString subject;
@@ -4339,7 +4340,7 @@ int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAP
 signing_public_certfile = KERBEROS_PKI_PEM_FILE;
 }
- if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, errstr) != 0) {
+ if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, autoLoginPIN, errstr) != 0) {
 return -1;
 }
@@ -4405,7 +4406,7 @@ int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQStri
 }
 // Set up OpenSSL environment
- if (writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), OPENSSL_EXTENSIONS_FILE, signingPrivateKeyFile, signing_public_certfile, revocationDatabaseFile, errstr) != 0) {
+ if (writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), OPENSSL_EXTENSIONS_FILE, signingPrivateKeyFile, signing_public_certfile, revocationDatabaseFile, TQString::null, errstr) != 0) {
 return -1;
 }
 command = TQString("rm -f %1").arg(revocationDatabaseFile);
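Review bot: With the `writeOpenSSLConfigurationFile(..., autoLoginPIN, errstr)` call in the second hunk the auto-login PIN is now written into the scratch file `client_cfgfile` alongside the other OpenSSL request settings, so a secret lives on disk next to the key material; nothing in the hunk shows that file being created with owner-only permissions or removed once `openssl` has consumed it. If those guarantees are not already provided where the file is opened, please create it with mode 0600 (a `umask(077)` before the open, or a `chmod` immediately after) and unlink it on every exit path of generateClientCertificatePublicCertificate, including the `return -1` shown here. The remainder of the function, where the configuration file is actually used, is outside the hunk.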
@@ -4867,10 +4868,10 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 }
 int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) {
- return writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE), TQString::null, TQString::null, TQString::null, errstr);
+ return writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE), TQString::null, TQString::null, TQString::null, TQString::null, errstr);
 }
-int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString *errstr) {
+int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString autoLoginPIN, TQString *errstr) {
 TQString ca_public_crl_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl";
 TQString crl_url;
@@ -5040,14 +5041,25 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
 stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n";
 stream << "principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq" << "\n";
 stream << "\n";
+ if (autoLoginPIN != TQString::null) {
+ stream << "[tde_autopin_login_data]" << "\n";
+ stream << TQString("realm = EXP:0,GeneralString:%1").arg(autoLoginPIN) << "\n";
+ stream << "\n";
+ }
+ stream << "[pkinit_client_cert_alt_names]" << "\n";
+ stream << "otherName.1=1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name" << "\n";
+ if (autoLoginPIN != TQString::null) {
+ stream << "otherName.2=1.3.6.1.4.1.40364.1.2.1;SEQUENCE:tde_autopin_login_data" << "\n";
+ }
+ stream << "\n";
 stream << "[pkinit_client_cert]" << "\n";
 stream << "basicConstraints = CA:FALSE" << "\n";
 stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
 stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 stream << "authorityKeyIdentifier = keyid,issuer" << "\n";
- stream << "issuerAltName=issuer:copy" << "\n";
- stream << "subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name" << "\n";
+ stream << "issuerAltName = issuer:copy" << "\n";
+ stream << "subjectAltName = @pkinit_client_cert_alt_names" << "\n";
 stream << "\n";
 stream << "[https_cert]" << "\n";
 stream << "basicConstraints = CA:FALSE" << "\n";
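Review bot: `TQString("realm = EXP:0,GeneralString:%1").arg(autoLoginPIN)` copies the PIN into the OpenSSL configuration verbatim, and from there into the certificate's subjectAltName via `otherName.2`, so two things follow: anyone who can read the issued client certificate (a public artifact by design) can read the PIN, and a PIN containing a newline, `#`, `$`, `"` or a backslash is interpreted by the OpenSSL config parser rather than stored, which can truncate the value or inject a directive into the file. If embedding the PIN in the certificate is the intended design, say so in a comment on this block; either way validate the value before it is written, e.g. reject anything that is not printable ASCII or that contains `#`, `$`, `"`, `\` or whitespace, and rename the copied key `realm` to something like `pin`, since it was pasted from the principal-name section and has nothing to do with a realm. The `autoLoginPIN != TQString::null` test also appears to treat an empty string as absent (null and empty compare equal in TQt), which is probably wanted but worth a comment. writeOpenSSLConfigurationFile continues on both sides of the hunk.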
@@ -5063,8 +5075,8 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
 stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n";
 stream << "subjectKeyIdentifier = hash" << "\n";
 stream << "authorityKeyIdentifier = keyid,issuer" << "\n";
- stream << "issuerAltName=issuer:copy" << "\n";
- stream << "subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name" << "\n";
+ stream << "issuerAltName = issuer:copy" << "\n";
+ stream << "subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name" << "\n";
 stream << "\n";
 stream << "[pkinitkdc_princ_name]" << "\n";
 stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n";
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index 5bd6173..ee70ad2 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -554,9 +554,9 @@ class LDAPManager : public TQObject {
 static int generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg);
 static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid);
- static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0);
- static int generateClientCertificatePrivateKey(TQString privateKeyFile, TQString *errstr=0);
- static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0);
+ static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, int clientKeyBitLength=2048, TQString autoLoginPIN=TQString::null, TQString *errstr=0);
+ static int generateClientCertificatePrivateKey(TQString privateKeyFile, int clientKeyBitLength=2048, TQString *errstr=0);
+ static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString autoLoginPIN=TQString::null, TQString *errstr=0);
 int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0);
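Review bot: The new parameters carry no documentation in the header, and their contract is not obvious from the names: `clientKeyBitLength` is handed to `openssl genrsa` as-is with 2048 as the only hint of an acceptable value, and `autoLoginPIN`, when non-null, is written into the generated OpenSSL configuration and appears to end up in the issued client certificate's subjectAltName. Suggest a comment above `generateClientCertificatePair` along the lines of `// clientKeyBitLength: RSA modulus size passed to openssl genrsa; must be >= 2048.` and `// autoLoginPIN: if non-null, embedded in the client certificate's subjectAltName and therefore readable by anyone holding the certificate.` The class declaration continues outside the hunk.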
@@ -579,7 +579,7 @@ class LDAPManager : public TQObject {
 static int writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole machineRole, TQString *errstr=0);
 static int writeNSSwitchFile(TQString *errstr=0);
 static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr=0);
- static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile=TQString::null, TQString caRootCertFile=TQString::null, TQString caRootDatabaseFile=TQString::null, TQString *errstr=0);
+ static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile=TQString::null, TQString caRootCertFile=TQString::null, TQString caRootDatabaseFile=TQString::null, TQString autoLoginPIN=TQString::null, TQString *errstr=0);
 static int writeClientCronFiles(TQString *errstr=0);
 static int rehashClientPKCSCertificates(TQString *errstr=0);
 static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0);
--
cgit v1.2.3