bx509d: Get KDC config out of bx509d
@@ -33,6 +33,7 @@ if HAVE_MICROHTTPD
|
|||||||
bx509d_SOURCES = bx509d.c
|
bx509d_SOURCES = bx509d.c
|
||||||
bx509d_AM_CPPFLAGS = $(AM_CPPFLAGS) $(MICROHTTPD_CFLAGS)
|
bx509d_AM_CPPFLAGS = $(AM_CPPFLAGS) $(MICROHTTPD_CFLAGS)
|
||||||
bx509d_LDADD = -ldl \
|
bx509d_LDADD = -ldl \
|
||||||
|
$(top_builddir)/lib/hdb/libhdb.la \
|
||||||
libkdc.la \
|
libkdc.la \
|
||||||
$(MICROHTTPD_LIBS) \
|
$(MICROHTTPD_LIBS) \
|
||||||
$(LIB_roken) \
|
$(LIB_roken) \
|
||||||
|
53
kdc/bx509d.c
53
kdc/bx509d.c
@@ -126,7 +126,7 @@ struct bx509_request_desc {
|
|||||||
char frombuf[128];
|
char frombuf[128];
|
||||||
};
|
};
|
||||||
|
|
||||||
static krb5_kdc_configuration *kdc_config;
|
static krb5_log_facility *logfac;
|
||||||
static pthread_key_t k5ctx;
|
static pthread_key_t k5ctx;
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
@@ -425,7 +425,7 @@ bad_reqv(struct bx509_request_desc *r,
|
|||||||
(void) gettimeofday(&r->tv_end, NULL);
|
(void) gettimeofday(&r->tv_end, NULL);
|
||||||
if (code == ENOMEM) {
|
if (code == ENOMEM) {
|
||||||
if (r->context)
|
if (r->context)
|
||||||
kdc_log(r->context, kdc_config, 1, "Out of memory");
|
krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
|
||||||
_kdc_audit_trail((kdc_request_t)r, code);
|
_kdc_audit_trail((kdc_request_t)r, code);
|
||||||
return resp(r, http_status_code, MHD_RESPMEM_PERSISTENT,
|
return resp(r, http_status_code, MHD_RESPMEM_PERSISTENT,
|
||||||
fmt, strlen(fmt), NULL);
|
fmt, strlen(fmt), NULL);
|
||||||
@@ -452,7 +452,7 @@ bad_reqv(struct bx509_request_desc *r,
|
|||||||
|
|
||||||
if (ret == -1 || msg == NULL) {
|
if (ret == -1 || msg == NULL) {
|
||||||
if (context)
|
if (context)
|
||||||
kdc_log(r->context, kdc_config, 1, "Out of memory");
|
krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
|
||||||
return resp(r, MHD_HTTP_SERVICE_UNAVAILABLE,
|
return resp(r, MHD_HTTP_SERVICE_UNAVAILABLE,
|
||||||
MHD_RESPMEM_PERSISTENT,
|
MHD_RESPMEM_PERSISTENT,
|
||||||
"Out of memory", sizeof("Out of memory") - 1, NULL);
|
"Out of memory", sizeof("Out of memory") - 1, NULL);
|
||||||
@@ -646,7 +646,7 @@ authorize_CSR(struct bx509_request_desc *r,
|
|||||||
return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE,
|
return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE,
|
||||||
"Could not handle query parameters");
|
"Could not handle query parameters");
|
||||||
|
|
||||||
ret = kdc_authorize_csr(r->context, kdc_config, r->req, p);
|
ret = kdc_authorize_csr(r->context, "bx509d", r->req, p);
|
||||||
if (ret)
|
if (ret)
|
||||||
return bad_403(r, ret, "Not authorized to requested certificate");
|
return bad_403(r, ret, "Not authorized to requested certificate");
|
||||||
return ret;
|
return ret;
|
||||||
@@ -745,7 +745,7 @@ do_CA(struct bx509_request_desc *r, const char *csr)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Issue the certificate */
|
/* Issue the certificate */
|
||||||
ret = kdc_issue_certificate(r->context, kdc_config, r->req, p,
|
ret = kdc_issue_certificate(r->context, "bx509d", logfac, r->req, p,
|
||||||
&r->token_times, 1 /* send_chain */, &certs);
|
&r->token_times, 1 /* send_chain */, &certs);
|
||||||
krb5_free_principal(r->context, p);
|
krb5_free_principal(r->context, p);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
@@ -807,8 +807,8 @@ set_req_desc(struct MHD_Connection *connection,
|
|||||||
r->request.length = sizeof("<HTTP-REQUEST>");
|
r->request.length = sizeof("<HTTP-REQUEST>");
|
||||||
r->from = r->frombuf;
|
r->from = r->frombuf;
|
||||||
r->hcontext = r->context->hcontext;
|
r->hcontext = r->context->hcontext;
|
||||||
r->config = kdc_config;
|
r->config = NULL;
|
||||||
r->logf = kdc_config->logf;
|
r->logf = logfac;
|
||||||
r->reqtype = url;
|
r->reqtype = url;
|
||||||
r->target = r->redir = NULL;
|
r->target = r->redir = NULL;
|
||||||
r->pkix_store = NULL;
|
r->pkix_store = NULL;
|
||||||
@@ -845,7 +845,7 @@ set_req_desc(struct MHD_Connection *connection,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (ret == 0 && r->kv == NULL) {
|
if (ret == 0 && r->kv == NULL) {
|
||||||
kdc_log(r->context, kdc_config, 1, "Out of memory");
|
krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
|
||||||
ret = ENOMEM;
|
ret = ENOMEM;
|
||||||
}
|
}
|
||||||
return ret;
|
return ret;
|
||||||
@@ -893,7 +893,8 @@ bx509(struct bx509_request_desc *r)
|
|||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
/* Read and send the contents of the PKIX store */
|
/* Read and send the contents of the PKIX store */
|
||||||
kdc_log(r->context, kdc_config, 4, "Issued certificate to %s", r->cname);
|
krb5_log_msg(r->context, logfac, 1, NULL, "Issued certificate to %s",
|
||||||
|
r->cname);
|
||||||
return good_bx509(r);
|
return good_bx509(r);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1214,7 +1215,7 @@ bnegotiate_do_CA(struct bx509_request_desc *r)
|
|||||||
|
|
||||||
/* Issue the certificate */
|
/* Issue the certificate */
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
ret = kdc_issue_certificate(r->context, kdc_config, req, p,
|
ret = kdc_issue_certificate(r->context, "bx509d", logfac, req, p,
|
||||||
&r->token_times, 1 /* send_chain */,
|
&r->token_times, 1 /* send_chain */,
|
||||||
&certs);
|
&certs);
|
||||||
krb5_free_principal(r->context, p);
|
krb5_free_principal(r->context, p);
|
||||||
@@ -1664,6 +1665,32 @@ sighandler(int sig)
|
|||||||
;
|
;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
bx509_openlog(krb5_context context,
|
||||||
|
const char *svc,
|
||||||
|
krb5_log_facility **fac)
|
||||||
|
{
|
||||||
|
char **s = NULL, **p;
|
||||||
|
|
||||||
|
krb5_initlog(context, "kdc", fac);
|
||||||
|
s = krb5_config_get_strings(context, NULL, svc, "logging", NULL);
|
||||||
|
if (s == NULL)
|
||||||
|
s = krb5_config_get_strings(context, NULL, "logging", svc, NULL);
|
||||||
|
if (s) {
|
||||||
|
for(p = s; *p; p++)
|
||||||
|
krb5_addlog_dest(context, *fac, *p);
|
||||||
|
krb5_config_free_strings(s);
|
||||||
|
} else {
|
||||||
|
char *ss;
|
||||||
|
if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context),
|
||||||
|
KDC_LOG_FILE) < 0)
|
||||||
|
err(1, "out of memory");
|
||||||
|
krb5_addlog_dest(context, *fac, ss);
|
||||||
|
free(ss);
|
||||||
|
}
|
||||||
|
krb5_set_warn_dest(context, *fac);
|
||||||
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
main(int argc, char **argv)
|
main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
@@ -1721,11 +1748,7 @@ main(int argc, char **argv)
|
|||||||
if ((errno = get_krb5_context(&context)))
|
if ((errno = get_krb5_context(&context)))
|
||||||
err(1, "Could not init krb5 context");
|
err(1, "Could not init krb5 context");
|
||||||
|
|
||||||
if ((ret = krb5_kdc_get_config(context, &kdc_config)))
|
bx509_openlog(context, "bx509d", &logfac);
|
||||||
krb5_err(context, 1, ret, "Could not init krb5 context");
|
|
||||||
|
|
||||||
kdc_openlog(context, "bx509d", kdc_config);
|
|
||||||
kdc_config->app = "bx509";
|
|
||||||
|
|
||||||
if (cache_dir == NULL) {
|
if (cache_dir == NULL) {
|
||||||
char *s = NULL;
|
char *s = NULL;
|
||||||
|
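Review bot: The application name handed to libkdc changes from "bx509" to "bx509d" in this commit: main() used to set `kdc_config->app = "bx509"`, but authorize_CSR, do_CA and bnegotiate_do_CA now pass the literal `"bx509d"` to kdc_authorize_csr and kdc_issue_certificate, and get_cf in ca.c keys its `krb5_config_get_list(context, NULL, app_name, "realms", ...)` lookup and its `strcmp(app_name, "bx509")` wording on that string, returning NULL (hence KRB5KDC_ERR_POLICY) when nothing matches. Unless renaming the configuration section is intended, deployments with an existing `[bx509]` section will see every issuance refused with "No kx509 configuration ..."; passing `"bx509"` at those three call sites while keeping `"bx509d"` only for bx509_openlog restores the previous lookup. Separately, the "Issued certificate to %s" message in bx509() drops from level 4 to level 1, whereas every other conversion keeps its level; `krb5_log_msg(r->context, logfac, 4, NULL, "Issued certificate to %s", r->cname);` preserves the old verbosity. set_req_desc now stores `r->config = NULL`, so anything in libkdc that reaches the configuration through the `(kdc_request_t)r` cast (for example `_kdc_audit_trail`) must tolerate a NULL config — worth confirming, since that code is not in the diff. All of these functions begin and end outside the hunks shown.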
76
kdc/ca.c
76
kdc/ca.c
@@ -219,7 +219,8 @@ characterize(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
static const krb5_config_binding *
|
static const krb5_config_binding *
|
||||||
get_cf(krb5_context context,
|
get_cf(krb5_context context,
|
||||||
krb5_kdc_configuration *config,
|
const char *app_name,
|
||||||
|
krb5_log_facility *logf,
|
||||||
hx509_request req,
|
hx509_request req,
|
||||||
krb5_principal cprinc)
|
krb5_principal cprinc)
|
||||||
{
|
{
|
||||||
@@ -236,7 +237,7 @@ get_cf(krb5_context context,
|
|||||||
size_t nsans = 0;
|
size_t nsans = 0;
|
||||||
|
|
||||||
if (ncomp == 0) {
|
if (ncomp == 0) {
|
||||||
kdc_log(context, config, 5, "Client principal has no components!");
|
krb5_log_msg(context, logf, 5, NULL, "Client principal has no components!");
|
||||||
krb5_set_error_message(context, ENOTSUP,
|
krb5_set_error_message(context, ENOTSUP,
|
||||||
"Client principal has no components!");
|
"Client principal has no components!");
|
||||||
return NULL;
|
return NULL;
|
||||||
@@ -244,7 +245,7 @@ get_cf(krb5_context context,
|
|||||||
|
|
||||||
if ((ret = count_sans(req, &nsans)) ||
|
if ((ret = count_sans(req, &nsans)) ||
|
||||||
(certtype = characterize(context, cprinc, req)) == CERT_NOTSUP) {
|
(certtype = characterize(context, cprinc, req)) == CERT_NOTSUP) {
|
||||||
kdc_log(context, config, 5, "Could not characterize CSR");
|
krb5_log_msg(context, logf, 5, NULL, "Could not characterize CSR");
|
||||||
krb5_set_error_message(context, ret, "Could not characterize CSR");
|
krb5_set_error_message(context, ret, "Could not characterize CSR");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@@ -275,24 +276,24 @@ get_cf(krb5_context context,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (strcmp(config->app, "kdc") == 0)
|
if (strcmp(app_name, "kdc") == 0)
|
||||||
cf = krb5_config_get_list(context, NULL, config->app, "realms", realm,
|
cf = krb5_config_get_list(context, NULL, app_name, "realms", realm,
|
||||||
"kx509", label, svc, NULL);
|
"kx509", label, svc, NULL);
|
||||||
else
|
else
|
||||||
cf = krb5_config_get_list(context, NULL, config->app, "realms", realm,
|
cf = krb5_config_get_list(context, NULL, app_name, "realms", realm,
|
||||||
label, svc, NULL);
|
label, svc, NULL);
|
||||||
if (cf == NULL) {
|
if (cf == NULL) {
|
||||||
kdc_log(context, config, 3,
|
krb5_log_msg(context, logf, 3, NULL,
|
||||||
"No %s configuration for %s %s certificates [%s] realm "
|
"No %s configuration for %s %s certificates [%s] realm "
|
||||||
"-> %s -> kx509 -> %s%s%s",
|
"-> %s -> kx509 -> %s%s%s",
|
||||||
strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509",
|
strcmp(app_name, "bx509") == 0 ? "bx509" : "kx509",
|
||||||
def, label, config->app, realm, label,
|
def, label, app_name, realm, label,
|
||||||
svc ? " -> " : "", svc ? svc : "");
|
svc ? " -> " : "", svc ? svc : "");
|
||||||
krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
|
krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
|
||||||
"No %s configuration for %s %s certificates [%s] realm "
|
"No %s configuration for %s %s certificates [%s] realm "
|
||||||
"-> %s -> kx509 -> %s%s%s",
|
"-> %s -> kx509 -> %s%s%s",
|
||||||
strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509",
|
strcmp(app_name, "bx509") == 0 ? "bx509" : "kx509",
|
||||||
def, label, config->app, realm, label,
|
def, label, app_name, realm, label,
|
||||||
svc ? " -> " : "", svc ? svc : "");
|
svc ? " -> " : "", svc ? svc : "");
|
||||||
}
|
}
|
||||||
return cf;
|
return cf;
|
||||||
@@ -312,7 +313,7 @@ get_cf(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
set_template(krb5_context context,
|
set_template(krb5_context context,
|
||||||
krb5_kdc_configuration *config,
|
krb5_log_facility *logf,
|
||||||
const krb5_config_binding *cf,
|
const krb5_config_binding *cf,
|
||||||
hx509_ca_tbs tbs)
|
hx509_ca_tbs tbs)
|
||||||
{
|
{
|
||||||
@@ -338,9 +339,9 @@ set_template(krb5_context context,
|
|||||||
ret = hx509_get_one_cert(context->hx509ctx, certs, &template);
|
ret = hx509_get_one_cert(context->hx509ctx, certs, &template);
|
||||||
hx509_certs_free(&certs);
|
hx509_certs_free(&certs);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 1,
|
krb5_log_msg(context, logf, 1, NULL,
|
||||||
"Failed to load certificate template from %s",
|
"Failed to load certificate template from %s",
|
||||||
cert_template);
|
cert_template);
|
||||||
krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
|
krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
|
||||||
"Failed to load certificate template from "
|
"Failed to load certificate template from "
|
||||||
"%s", cert_template);
|
"%s", cert_template);
|
||||||
@@ -418,7 +419,7 @@ set_template(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
set_tbs(krb5_context context,
|
set_tbs(krb5_context context,
|
||||||
krb5_kdc_configuration *config,
|
krb5_log_facility *logf,
|
||||||
const krb5_config_binding *cf,
|
const krb5_config_binding *cf,
|
||||||
hx509_request req,
|
hx509_request req,
|
||||||
krb5_principal cprinc,
|
krb5_principal cprinc,
|
||||||
@@ -451,7 +452,7 @@ set_tbs(krb5_context context,
|
|||||||
/* Populate requested certificate extensions from CSR/CSRPlus if allowed */
|
/* Populate requested certificate extensions from CSR/CSRPlus if allowed */
|
||||||
ret = hx509_ca_tbs_set_from_csr(context->hx509ctx, tbs, req);
|
ret = hx509_ca_tbs_set_from_csr(context->hx509ctx, tbs, req);
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
ret = set_template(context, config, cf, tbs);
|
ret = set_template(context, logf, cf, tbs);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Optionally add PKINIT SAN.
|
* Optionally add PKINIT SAN.
|
||||||
@@ -533,8 +534,8 @@ set_tbs(krb5_context context,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
kdc_log(context, config, 5, "kx509/bx509 client %s has too many "
|
krb5_log_msg(context, logf, 5, NULL,
|
||||||
"components!", princ);
|
"kx509/bx509 client %s has too many components!", princ);
|
||||||
krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
|
krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
|
||||||
"kx509/bx509 client %s has too many "
|
"kx509/bx509 client %s has too many "
|
||||||
"components!", princ);
|
"components!", princ);
|
||||||
@@ -548,8 +549,8 @@ out:
|
|||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
enomem:
|
enomem:
|
||||||
kdc_log(context, config, 0,
|
krb5_log_msg(context, logf, 0, NULL,
|
||||||
"Could not set up TBSCertificate: Out of memory");
|
"Could not set up TBSCertificate: Out of memory");
|
||||||
ret = krb5_enomem(context);
|
ret = krb5_enomem(context);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -591,7 +592,8 @@ tbs_set_times(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
kdc_issue_certificate(krb5_context context,
|
kdc_issue_certificate(krb5_context context,
|
||||||
krb5_kdc_configuration *config,
|
const char *app_name,
|
||||||
|
krb5_log_facility *logf,
|
||||||
hx509_request req,
|
hx509_request req,
|
||||||
krb5_principal cprinc,
|
krb5_principal cprinc,
|
||||||
krb5_times *auth_times,
|
krb5_times *auth_times,
|
||||||
@@ -615,10 +617,11 @@ kdc_issue_certificate(krb5_context context,
|
|||||||
hx509_request_authorize_ku(req, ku);
|
hx509_request_authorize_ku(req, ku);
|
||||||
|
|
||||||
/* Get configuration */
|
/* Get configuration */
|
||||||
if ((cf = get_cf(context, config, req, cprinc)) == NULL)
|
if ((cf = get_cf(context, app_name, logf, req, cprinc)) == NULL)
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
if ((ca = krb5_config_get_string(context, cf, "ca", NULL)) == NULL) {
|
if ((ca = krb5_config_get_string(context, cf, "ca", NULL)) == NULL) {
|
||||||
kdc_log(context, config, 3, "No kx509 CA issuer credential specified");
|
krb5_log_msg(context, logf, 3, NULL,
|
||||||
|
"No kx509 CA issuer credential specified");
|
||||||
krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
|
krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
|
||||||
"No kx509 CA issuer credential specified");
|
"No kx509 CA issuer credential specified");
|
||||||
return ret;
|
return ret;
|
||||||
@@ -626,14 +629,14 @@ kdc_issue_certificate(krb5_context context,
|
|||||||
|
|
||||||
ret = hx509_ca_tbs_init(context->hx509ctx, &tbs);
|
ret = hx509_ca_tbs_init(context->hx509ctx, &tbs);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 0,
|
krb5_log_msg(context, logf, 0, NULL,
|
||||||
"Failed to create certificate: Out of memory");
|
"Failed to create certificate: Out of memory");
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Lookup a template and set things in `env' and `tbs' as appropriate */
|
/* Lookup a template and set things in `env' and `tbs' as appropriate */
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
ret = set_tbs(context, config, cf, req, cprinc, &env, tbs);
|
ret = set_tbs(context, logf, cf, req, cprinc, &env, tbs);
|
||||||
|
|
||||||
/* Populate generic template "env" variables */
|
/* Populate generic template "env" variables */
|
||||||
|
|
||||||
@@ -646,8 +649,8 @@ kdc_issue_certificate(krb5_context context,
|
|||||||
*/
|
*/
|
||||||
if (ret == 0 && hx509_name_is_null_p(hx509_ca_tbs_get_name(tbs)) &&
|
if (ret == 0 && hx509_name_is_null_p(hx509_ca_tbs_get_name(tbs)) &&
|
||||||
!has_sans(req)) {
|
!has_sans(req)) {
|
||||||
kdc_log(context, config, 3,
|
krb5_log_msg(context, logf, 3, NULL,
|
||||||
"Not issuing certificate because it would have no names");
|
"Not issuing certificate because it would have no names");
|
||||||
krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
|
krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
|
||||||
"Not issuing certificate because it "
|
"Not issuing certificate because it "
|
||||||
"would have no names");
|
"would have no names");
|
||||||
@@ -672,8 +675,9 @@ kdc_issue_certificate(krb5_context context,
|
|||||||
|
|
||||||
ret = hx509_certs_init(context->hx509ctx, ca, 0, NULL, &certs);
|
ret = hx509_certs_init(context->hx509ctx, ca, 0, NULL, &certs);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 1,
|
krb5_log_msg(context, logf, 1, NULL,
|
||||||
"Failed to load CA certificate and private key %s", ca);
|
"Failed to load CA certificate and private key %s",
|
||||||
|
ca);
|
||||||
krb5_set_error_message(context, ret, "Failed to load CA "
|
krb5_set_error_message(context, ret, "Failed to load CA "
|
||||||
"certificate and private key %s", ca);
|
"certificate and private key %s", ca);
|
||||||
goto out;
|
goto out;
|
||||||
@@ -691,8 +695,8 @@ kdc_issue_certificate(krb5_context context,
|
|||||||
hx509_query_free(context->hx509ctx, q);
|
hx509_query_free(context->hx509ctx, q);
|
||||||
hx509_certs_free(&certs);
|
hx509_certs_free(&certs);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 1,
|
krb5_log_msg(context, logf, 1, NULL,
|
||||||
"Failed to find a CA certificate in %s", ca);
|
"Failed to find a CA certificate in %s", ca);
|
||||||
krb5_set_error_message(context, ret,
|
krb5_set_error_message(context, ret,
|
||||||
"Failed to find a CA certificate in %s",
|
"Failed to find a CA certificate in %s",
|
||||||
ca);
|
ca);
|
||||||
|
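Review bot: get_cf now dereferences `app_name` directly in `strcmp(app_name, "kdc")` and `strcmp(app_name, "bx509")` with no NULL check, and since kdc_issue_certificate is a non-static entry point whose new `app_name`/`logf` parameters arrive from three different callers, a NULL app_name would crash inside libkdc instead of failing policy. If callers may pass NULL, a guard at the top of kdc_issue_certificate such as `if (app_name == NULL) return KRB5KDC_ERR_POLICY;` makes that explicit; otherwise the precondition belongs in its header comment, which currently does not mention app_name or logf at all. The prototype in the KDC headers must also be updated to the new signature, which this diff does not show. Both functions continue outside the hunks shown.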
@@ -1004,8 +1004,9 @@ _kdc_do_kx509(kx509_req_context r)
|
|||||||
krb5_data_zero(rep.hash);
|
krb5_data_zero(rep.hash);
|
||||||
krb5_data_zero(rep.certificate);
|
krb5_data_zero(rep.certificate);
|
||||||
krb5_ticket_get_times(r->context, ticket, &r->ticket_times);
|
krb5_ticket_get_times(r->context, ticket, &r->ticket_times);
|
||||||
ret = kdc_issue_certificate(r->context, r->config, r->csr, cprincipal,
|
ret = kdc_issue_certificate(r->context, r->config->app, r->logf, r->csr,
|
||||||
&r->ticket_times, r->send_chain, &certs);
|
cprincipal, &r->ticket_times, r->send_chain,
|
||||||
|
&certs);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
int level = 1;
|
int level = 1;
|
||||||
const char *msg = krb5_get_error_message(r->context, ret);
|
const char *msg = krb5_get_error_message(r->context, ret);
|
||||||
|
@@ -37,7 +37,7 @@ usage(int e)
|
|||||||
int
|
int
|
||||||
main(int argc, char **argv)
|
main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
krb5_kdc_configuration *config;
|
krb5_log_facility *logf = NULL;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
krb5_principal p = NULL;
|
krb5_principal p = NULL;
|
||||||
krb5_context context;
|
krb5_context context;
|
||||||
@@ -67,16 +67,9 @@ main(int argc, char **argv)
|
|||||||
|
|
||||||
if ((errno = krb5_init_context(&context)))
|
if ((errno = krb5_init_context(&context)))
|
||||||
err(1, "Could not initialize krb5_context");
|
err(1, "Could not initialize krb5_context");
|
||||||
if ((ret = krb5_kdc_get_config(context, &config)))
|
if ((ret = krb5_initlog(context, argv0, &logf)) ||
|
||||||
krb5_err(context, 1, ret, "Could not get KDC configuration");
|
(ret = krb5_addlog_dest(context, logf, "0-5/STDERR")))
|
||||||
config->app = app_string;
|
|
||||||
if ((ret = krb5_initlog(context, argv0, &config->logf)) ||
|
|
||||||
(ret = krb5_addlog_dest(context, config->logf, "0-5/STDERR")))
|
|
||||||
krb5_err(context, 1, ret, "Could not set up logging to stderr");
|
krb5_err(context, 1, ret, "Could not set up logging to stderr");
|
||||||
#if 0
|
|
||||||
if ((ret = krb5_kdc_set_dbinfo(context, config)))
|
|
||||||
krb5_err(context, 1, ret, "Could not get KDC configuration (HDB)");
|
|
||||||
#endif
|
|
||||||
if ((ret = krb5_parse_name(context, argv[0], &p)))
|
if ((ret = krb5_parse_name(context, argv[0], &p)))
|
||||||
krb5_err(context, 1, ret, "Could not parse principal %s", argv[0]);
|
krb5_err(context, 1, ret, "Could not parse principal %s", argv[0]);
|
||||||
if ((ret = hx509_request_parse(context->hx509ctx, argv[1], &req)))
|
if ((ret = hx509_request_parse(context->hx509ctx, argv[1], &req)))
|
||||||
@@ -110,7 +103,7 @@ main(int argc, char **argv)
|
|||||||
}
|
}
|
||||||
if (ret == HX509_NO_ITEM)
|
if (ret == HX509_NO_ITEM)
|
||||||
ret = 0;
|
ret = 0;
|
||||||
} else if ((ret = kdc_authorize_csr(context, config, req, p))) {
|
} else if ((ret = kdc_authorize_csr(context, app_string, req, p))) {
|
||||||
krb5_err(context, 1, ret,
|
krb5_err(context, 1, ret,
|
||||||
"Requested certificate extensions rejected by policy");
|
"Requested certificate extensions rejected by policy");
|
||||||
}
|
}
|
||||||
@@ -118,7 +111,7 @@ main(int argc, char **argv)
|
|||||||
memset(&t, 0, sizeof(t));
|
memset(&t, 0, sizeof(t));
|
||||||
t.starttime = time(NULL);
|
t.starttime = time(NULL);
|
||||||
t.endtime = t.starttime + 3600;
|
t.endtime = t.starttime + 3600;
|
||||||
if ((ret = kdc_issue_certificate(context, config, req, p, &t, 1,
|
if ((ret = kdc_issue_certificate(context, app_string, logf, req, p, &t, 1,
|
||||||
&certs)))
|
&certs)))
|
||||||
krb5_err(context, 1, ret, "Certificate issuance failed");
|
krb5_err(context, 1, ret, "Certificate issuance failed");
|
||||||
|
|
||||||
@@ -143,6 +136,5 @@ main(int argc, char **argv)
|
|||||||
hx509_request_free(&req);
|
hx509_request_free(&req);
|
||||||
hx509_certs_free(&store);
|
hx509_certs_free(&store);
|
||||||
hx509_certs_free(&certs);
|
hx509_certs_free(&certs);
|
||||||
/* FIXME There's no free function for config yet */
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
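Review bot: The `logf` facility created by `krb5_initlog(context, argv0, &logf)` is never released before `return 0`; the old `/* FIXME There's no free function for config yet */` is dropped together with config, but the equivalent cleanup for the facility, `krb5_closelog(context, logf);` next to the `hx509_certs_free(&certs);` calls, is not added. For a one-shot test program the leak is harmless at runtime, but it keeps leak checkers noisy on a program that exists to be run under them. main continues outside the hunks shown.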