sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-03 13:47:25 +03:00
Code
samba-mirror/third_party/heimdal/kuser/kx509.c
Stefan Metzmacher 7055827b8f HEIMDAL: move code from source4/heimdal* to third_party/heimdal* 
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
2022-01-19 21:41:59 +00:00

304 lines
10 KiB
C
Raw Blame History

/*
* Copyright (c) 2019 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kuser_locl.h"
#include "heimtools-commands.h"
#include <kx509_asn1.h>
#undef HC_DEPRECATED_CRYPTO
#include "../lib/hx509/hx_locl.h"
#include "../lib/krb5/krb5_locl.h"
#include "hx509-private.h"
struct validate_store {
size_t ncerts;
int grace;
};
static int KRB5_CALLCONV
validate1(hx509_context hx509ctx, void *d, hx509_cert cert)
{
struct validate_store *v = d;
if (hx509_cert_get_notAfter(cert) < time(NULL) + v->grace)
return HX509_CERT_USED_AFTER_TIME;
v->ncerts++;
return 0;
}
static void
validate(krb5_context context,
int grace,
const char *hx509_store,
krb5_data *der_cert,
krb5_data *pkcs8_priv_key)
{
hx509_context hx509ctx = NULL;
hx509_cert cert;
krb5_error_code ret;
ret = hx509_context_init(&hx509ctx);
if (ret)
krb5_err(context, 1, ret, "hx509 context init");
if (der_cert->data && pkcs8_priv_key->data) {
hx509_private_key key = NULL;
cert = hx509_cert_init_data(hx509ctx, der_cert->data,
der_cert->length, NULL);
if (cert == NULL)
krb5_err(context, 1, errno, "certificate could not be loaded");
ret = hx509_parse_private_key(hx509ctx, NULL, pkcs8_priv_key->data,
pkcs8_priv_key->length,
HX509_KEY_FORMAT_PKCS8, &key);
if (ret)
krb5_err(context, 1, ret, "certificate could not be loaded");
if (hx509_cert_get_notAfter(cert) < time(NULL) + grace)
krb5_errx(context, 1, "certificate is expired");
hx509_private_key_free(&key);
hx509_cert_free(cert);
}
if (hx509_store) {
struct validate_store v;
hx509_certs certs;
v.ncerts = 0;
v.grace = grace;
ret = hx509_certs_init(hx509ctx, hx509_store, 0, NULL, &certs);
if (ret)
krb5_err(context, 1, ret, "could not read hx509 store %s",
hx509_store);
ret = hx509_certs_iter_f(hx509ctx, certs, validate1, &v);
if (ret)
krb5_err(context, 1, ret, "at least one certificate in %s expired",
hx509_store);
if (!v.ncerts)
krb5_errx(context, 1, "no certificates in %s", hx509_store);
hx509_certs_free(&certs);
}
hx509_context_free(&hx509ctx);
}
static krb5_error_code KRB5_CALLCONV
add1_2chain(hx509_context hx509ctx, void *d, hx509_cert cert)
{
heim_octet_string os;
krb5_error_code ret;
Certificates *cs = d;
Certificate c;
ret = hx509_cert_binary(hx509ctx, cert, &os);
if (ret == 0)
ret = decode_Certificate(os.data, os.length, &c, NULL);
der_free_octet_string(&os);
if (ret == 0) {
add_Certificates(cs, &c);
free_Certificate(&c);
}
return ret;
}
static krb5_error_code
add_chain(hx509_context hx509ctx, hx509_certs certs, krb5_data *chain)
{
krb5_error_code ret;
Certificates cs;
size_t len;
ret = decode_Certificates(chain->data, chain->length, &cs, &len);
if (ret == 0) {
ret = hx509_certs_iter_f(hx509ctx, certs, add1_2chain, &cs);
free_Certificates(&cs);
}
return ret;
}
static void
store(krb5_context context,
const char *hx509_store,
krb5_data *der_cert,
krb5_data *pkcs8_priv_key,
krb5_data *chain)
{
hx509_context hx509ctx = NULL;
hx509_private_key key = NULL;
hx509_certs certs;
hx509_cert cert;
char *store_exp = NULL;
krb5_error_code ret;
if (hx509_store == NULL) {
hx509_store = krb5_config_get_string(context, NULL, "libdefaults",
"kx509_store", NULL);
if (hx509_store) {
ret = _krb5_expand_path_tokens(context, hx509_store, 1,
&store_exp);
if (ret)
krb5_err(context, 1, ret, "expanding tokens in default "
"hx509 store");
hx509_store = store_exp;
}
}
if (hx509_store == NULL)
krb5_errx(context, 1, "no hx509 store given and no default hx509 "
"store configured");
ret = hx509_context_init(&hx509ctx);
if (ret)
krb5_err(context, 1, ret, "hx509 context init");
cert = hx509_cert_init_data(hx509ctx, der_cert->data,
der_cert->length, NULL);
if (cert == NULL)
krb5_err(context, 1, errno, "certificate could not be loaded");
ret = hx509_parse_private_key(hx509ctx, NULL, pkcs8_priv_key->data,
pkcs8_priv_key->length,
HX509_KEY_FORMAT_PKCS8, &key);
if (ret)
krb5_err(context, 1, ret, "certificate could not be loaded");
(void) _hx509_cert_assign_key(cert, key);
ret = hx509_certs_init(hx509ctx, hx509_store, HX509_CERTS_CREATE, NULL,
&certs);
if (ret == 0)
ret = hx509_certs_add(hx509ctx, certs, cert);
if (ret == 0)
add_chain(hx509ctx, certs, chain);
if (ret == 0)
ret = hx509_certs_store(hx509ctx, certs, 0, NULL);
if (ret)
krb5_err(context, 1, ret, "certificate could not be stored");
hx509_private_key_free(&key);
hx509_certs_free(&certs);
hx509_cert_free(cert);
hx509_context_free(&hx509ctx);
free(store_exp);
}
static void
set_csr(krb5_context context, krb5_kx509_req_ctx req, const char *csr_file)
{
krb5_error_code ret;
krb5_data d;
if (strncmp(csr_file, "PKCS10:", sizeof("PKCS10:") - 1) != 0)
krb5_errx(context, 1, "CSR filename must start with \"PKCS10:\"");
ret = rk_undumpdata(csr_file + sizeof("PKCS10:") - 1, &d.data, &d.length);
if (ret)
krb5_err(context, 1, ret, "could not read CSR");
ret = krb5_kx509_ctx_set_csr_der(context, req, &d);
if (ret)
krb5_err(context, 1, ret, "hx509 context init");
}
int
kx509(struct kx509_options *opt, int argc, char **argv)
{
krb5_kx509_req_ctx req = NULL;
krb5_context context = heimtools_context;
krb5_error_code ret = 0;
krb5_ccache ccout = NULL;
krb5_ccache cc = NULL;
if (opt->cache_string)
ret = krb5_cc_resolve(context, opt->cache_string, &cc);
else if (opt->save_flag || opt->extract_flag)
ret = krb5_cc_default(context, &cc);
if (ret)
krb5_err(context, 1, ret, "no input credential cache");
if (opt->save_flag)
ccout = cc;
if (opt->test_integer &&
(opt->extract_flag || opt->csr_string || opt->private_key_string))
krb5_errx(context, 1, "--test is exclusive of --extract, --csr, and "
"--private-key");
if (opt->extract_flag && (opt->csr_string || opt->private_key_string))
krb5_errx(context, 1, "--extract is exclusive of --csr and "
"--private-key");
if (opt->test_integer || opt->extract_flag) {
krb5_data der_cert, pkcs8_key, chain;
der_cert.data = pkcs8_key.data = chain.data = NULL;
der_cert.length = pkcs8_key.length = chain.length = 0;
ret = krb5_cc_get_config(context, cc, NULL, "kx509cert", &der_cert);
if (ret == 0)
ret = krb5_cc_get_config(context, cc, NULL, "kx509key",
&pkcs8_key);
if (ret == 0)
ret = krb5_cc_get_config(context, cc, NULL, "kx509cert-chain",
&chain);
if (ret)
krb5_err(context, 1, ret, "no certificate in credential cache");
if (opt->test_integer)
validate(context, opt->test_integer, opt->out_string, &der_cert,
&pkcs8_key);
else
store(context, opt->out_string, &der_cert, &pkcs8_key, &chain);
krb5_data_free(&pkcs8_key);
krb5_data_free(&der_cert);
krb5_data_free(&chain);
} else {
/*
* XXX We should delete any cc configs that indicate that kx509 is
* disabled.
*/
ret = krb5_kx509_ctx_init(context, &req);
if (ret == 0 && opt->realm_string)
ret = krb5_kx509_ctx_set_realm(context, req, opt->realm_string);
if (ret == 0 && opt->csr_string)
set_csr(context, req, opt->csr_string);
if (ret == 0 && opt->private_key_string)
ret = krb5_kx509_ctx_set_key(context, req,
opt->private_key_string);
if (ret)
krb5_err(context, 1, ret,
"could not set up kx509 request options");
ret = krb5_kx509_ext(context, req, cc, opt->out_string, ccout);
if (ret)
krb5_err(context, 1, ret,
"could not acquire certificate with kx509");
krb5_kx509_ctx_free(context, &req);
}
krb5_cc_close(context, cc);
return 0;
}
View Git Blame Copy Permalink