oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

bx509d: Get KDC config out of bx509d

Browse Source
This commit is contained in:
Nicolas Williams
2020-08-14 20:59:12 -05:00
parent c3e99be519
commit 73c424ea66
5 changed files with 87 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
kdc/Makefile.am
View File

@@ -33,6 +33,7 @@ if HAVE_MICROHTTPD
bx509d_SOURCES = bx509d.c
bx509d_AM_CPPFLAGS = $(AM_CPPFLAGS) $(MICROHTTPD_CFLAGS)
bx509d_LDADD = -ldl \
$(top_builddir)/lib/hdb/libhdb.la \
libkdc.la \
$(MICROHTTPD_LIBS) \
$(LIB_roken) \

53
kdc/bx509d.c
View File

@@ -126,7 +126,7 @@ struct bx509_request_desc {
char frombuf[128];
};
static krb5_kdc_configuration *kdc_config;
static krb5_log_facility *logfac;
static pthread_key_t k5ctx;
static krb5_error_code
@@ -425,7 +425,7 @@ bad_reqv(struct bx509_request_desc *r,
(void) gettimeofday(&r->tv_end, NULL);
if (code == ENOMEM) {
if (r->context)
kdc_log(r->context, kdc_config, 1, "Out of memory");
krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
_kdc_audit_trail((kdc_request_t)r, code);
return resp(r, http_status_code, MHD_RESPMEM_PERSISTENT,
fmt, strlen(fmt), NULL);
@@ -452,7 +452,7 @@ bad_reqv(struct bx509_request_desc *r,
if (ret == -1 || msg == NULL) {
if (context)
kdc_log(r->context, kdc_config, 1, "Out of memory");
krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
return resp(r, MHD_HTTP_SERVICE_UNAVAILABLE,
MHD_RESPMEM_PERSISTENT,
"Out of memory", sizeof("Out of memory") - 1, NULL);
@@ -646,7 +646,7 @@ authorize_CSR(struct bx509_request_desc *r,
return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE,
"Could not handle query parameters");
ret = kdc_authorize_csr(r->context, kdc_config, r->req, p);
ret = kdc_authorize_csr(r->context, "bx509d", r->req, p);
if (ret)
return bad_403(r, ret, "Not authorized to requested certificate");
return ret;
@@ -745,7 +745,7 @@ do_CA(struct bx509_request_desc *r, const char *csr)
}
/* Issue the certificate */
ret = kdc_issue_certificate(r->context, kdc_config, r->req, p,
ret = kdc_issue_certificate(r->context, "bx509d", logfac, r->req, p,
&r->token_times, 1 /* send_chain */, &certs);
krb5_free_principal(r->context, p);
if (ret) {
@@ -807,8 +807,8 @@ set_req_desc(struct MHD_Connection *connection,
r->request.length = sizeof("<HTTP-REQUEST>");
r->from = r->frombuf;
r->hcontext = r->context->hcontext;
r->config = kdc_config;
r->logf = kdc_config->logf;
r->config = NULL;
r->logf = logfac;
r->reqtype = url;
r->target = r->redir = NULL;
r->pkix_store = NULL;
@@ -845,7 +845,7 @@ set_req_desc(struct MHD_Connection *connection,
}
if (ret == 0 && r->kv == NULL) {
kdc_log(r->context, kdc_config, 1, "Out of memory");
krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
ret = ENOMEM;
}
return ret;
@@ -893,7 +893,8 @@ bx509(struct bx509_request_desc *r)
return ret;
/* Read and send the contents of the PKIX store */
kdc_log(r->context, kdc_config, 4, "Issued certificate to %s", r->cname);
krb5_log_msg(r->context, logfac, 1, NULL, "Issued certificate to %s",
r->cname);
return good_bx509(r);
}
@@ -1214,7 +1215,7 @@ bnegotiate_do_CA(struct bx509_request_desc *r)
/* Issue the certificate */
if (ret == 0)
ret = kdc_issue_certificate(r->context, kdc_config, req, p,
ret = kdc_issue_certificate(r->context, "bx509d", logfac, req, p,
&r->token_times, 1 /* send_chain */,
&certs);
krb5_free_principal(r->context, p);
@@ -1664,6 +1665,32 @@ sighandler(int sig)
;
}
static void
bx509_openlog(krb5_context context,
const char *svc,
krb5_log_facility **fac)
{
char **s = NULL, **p;
krb5_initlog(context, "kdc", fac);
s = krb5_config_get_strings(context, NULL, svc, "logging", NULL);
if (s == NULL)
s = krb5_config_get_strings(context, NULL, "logging", svc, NULL);
if (s) {
for(p = s; *p; p++)
krb5_addlog_dest(context, *fac, *p);
krb5_config_free_strings(s);
} else {
char *ss;
if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context),
KDC_LOG_FILE) < 0)
err(1, "out of memory");
krb5_addlog_dest(context, *fac, ss);
free(ss);
}
krb5_set_warn_dest(context, *fac);
}
int
main(int argc, char **argv)
{
@@ -1721,11 +1748,7 @@ main(int argc, char **argv)
if ((errno = get_krb5_context(&context)))
err(1, "Could not init krb5 context");
if ((ret = krb5_kdc_get_config(context, &kdc_config)))
krb5_err(context, 1, ret, "Could not init krb5 context");
kdc_openlog(context, "bx509d", kdc_config);
kdc_config->app = "bx509";
bx509_openlog(context, "bx509d", &logfac);
if (cache_dir == NULL) {
char *s = NULL;

76
kdc/ca.c
View File

@@ -219,7 +219,8 @@ characterize(krb5_context context,
*/
static const krb5_config_binding *
get_cf(krb5_context context,
krb5_kdc_configuration *config,
const char *app_name,
krb5_log_facility *logf,
hx509_request req,
krb5_principal cprinc)
{
@@ -236,7 +237,7 @@ get_cf(krb5_context context,
size_t nsans = 0;
if (ncomp == 0) {
kdc_log(context, config, 5, "Client principal has no components!");
krb5_log_msg(context, logf, 5, NULL, "Client principal has no components!");
krb5_set_error_message(context, ENOTSUP,
"Client principal has no components!");
return NULL;
@@ -244,7 +245,7 @@ get_cf(krb5_context context,
if ((ret = count_sans(req, &nsans)) ||
(certtype = characterize(context, cprinc, req)) == CERT_NOTSUP) {
kdc_log(context, config, 5, "Could not characterize CSR");
krb5_log_msg(context, logf, 5, NULL, "Could not characterize CSR");
krb5_set_error_message(context, ret, "Could not characterize CSR");
return NULL;
}
@@ -275,24 +276,24 @@ get_cf(krb5_context context,
}
}
if (strcmp(config->app, "kdc") == 0)
cf = krb5_config_get_list(context, NULL, config->app, "realms", realm,
if (strcmp(app_name, "kdc") == 0)
cf = krb5_config_get_list(context, NULL, app_name, "realms", realm,
"kx509", label, svc, NULL);
else
cf = krb5_config_get_list(context, NULL, config->app, "realms", realm,
cf = krb5_config_get_list(context, NULL, app_name, "realms", realm,
label, svc, NULL);
if (cf == NULL) {
kdc_log(context, config, 3,
"No %s configuration for %s %s certificates [%s] realm "
"-> %s -> kx509 -> %s%s%s",
strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509",
def, label, config->app, realm, label,
svc ? " -> " : "", svc ? svc : "");
krb5_log_msg(context, logf, 3, NULL,
"No %s configuration for %s %s certificates [%s] realm "
"-> %s -> kx509 -> %s%s%s",
strcmp(app_name, "bx509") == 0 ? "bx509" : "kx509",
def, label, app_name, realm, label,
svc ? " -> " : "", svc ? svc : "");
krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
"No %s configuration for %s %s certificates [%s] realm "
"-> %s -> kx509 -> %s%s%s",
strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509",
def, label, config->app, realm, label,
strcmp(app_name, "bx509") == 0 ? "bx509" : "kx509",
def, label, app_name, realm, label,
svc ? " -> " : "", svc ? svc : "");
}
return cf;
@@ -312,7 +313,7 @@ get_cf(krb5_context context,
*/
static krb5_error_code
set_template(krb5_context context,
krb5_kdc_configuration *config,
krb5_log_facility *logf,
const krb5_config_binding *cf,
hx509_ca_tbs tbs)
{
@@ -338,9 +339,9 @@ set_template(krb5_context context,
ret = hx509_get_one_cert(context->hx509ctx, certs, &template);
hx509_certs_free(&certs);
if (ret) {
kdc_log(context, config, 1,
"Failed to load certificate template from %s",
cert_template);
krb5_log_msg(context, logf, 1, NULL,
"Failed to load certificate template from %s",
cert_template);
krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
"Failed to load certificate template from "
"%s", cert_template);
@@ -418,7 +419,7 @@ set_template(krb5_context context,
*/
static krb5_error_code
set_tbs(krb5_context context,
krb5_kdc_configuration *config,
krb5_log_facility *logf,
const krb5_config_binding *cf,
hx509_request req,
krb5_principal cprinc,
@@ -451,7 +452,7 @@ set_tbs(krb5_context context,
/* Populate requested certificate extensions from CSR/CSRPlus if allowed */
ret = hx509_ca_tbs_set_from_csr(context->hx509ctx, tbs, req);
if (ret == 0)
ret = set_template(context, config, cf, tbs);
ret = set_template(context, logf, cf, tbs);
/*
* Optionally add PKINIT SAN.
@@ -533,8 +534,8 @@ set_tbs(krb5_context context,
}
}
} else {
kdc_log(context, config, 5, "kx509/bx509 client %s has too many "
"components!", princ);
krb5_log_msg(context, logf, 5, NULL,
"kx509/bx509 client %s has too many components!", princ);
krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
"kx509/bx509 client %s has too many "
"components!", princ);
@@ -548,8 +549,8 @@ out:
return ret;
enomem:
kdc_log(context, config, 0,
"Could not set up TBSCertificate: Out of memory");
krb5_log_msg(context, logf, 0, NULL,
"Could not set up TBSCertificate: Out of memory");
ret = krb5_enomem(context);
goto out;
}
@@ -591,7 +592,8 @@ tbs_set_times(krb5_context context,
*/
krb5_error_code
kdc_issue_certificate(krb5_context context,
krb5_kdc_configuration *config,
const char *app_name,
krb5_log_facility *logf,
hx509_request req,
krb5_principal cprinc,
krb5_times *auth_times,
@@ -615,10 +617,11 @@ kdc_issue_certificate(krb5_context context,
hx509_request_authorize_ku(req, ku);
/* Get configuration */
if ((cf = get_cf(context, config, req, cprinc)) == NULL)
if ((cf = get_cf(context, app_name, logf, req, cprinc)) == NULL)
return KRB5KDC_ERR_POLICY;
if ((ca = krb5_config_get_string(context, cf, "ca", NULL)) == NULL) {
kdc_log(context, config, 3, "No kx509 CA issuer credential specified");
krb5_log_msg(context, logf, 3, NULL,
"No kx509 CA issuer credential specified");
krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
"No kx509 CA issuer credential specified");
return ret;
@@ -626,14 +629,14 @@ kdc_issue_certificate(krb5_context context,
ret = hx509_ca_tbs_init(context->hx509ctx, &tbs);
if (ret) {
kdc_log(context, config, 0,
"Failed to create certificate: Out of memory");
krb5_log_msg(context, logf, 0, NULL,
"Failed to create certificate: Out of memory");
return ret;
}
/* Lookup a template and set things in `env' and `tbs' as appropriate */
if (ret == 0)
ret = set_tbs(context, config, cf, req, cprinc, &env, tbs);
ret = set_tbs(context, logf, cf, req, cprinc, &env, tbs);
/* Populate generic template "env" variables */
@@ -646,8 +649,8 @@ kdc_issue_certificate(krb5_context context,
*/
if (ret == 0 && hx509_name_is_null_p(hx509_ca_tbs_get_name(tbs)) &&
!has_sans(req)) {
kdc_log(context, config, 3,
"Not issuing certificate because it would have no names");
krb5_log_msg(context, logf, 3, NULL,
"Not issuing certificate because it would have no names");
krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
"Not issuing certificate because it "
"would have no names");
@@ -672,8 +675,9 @@ kdc_issue_certificate(krb5_context context,
ret = hx509_certs_init(context->hx509ctx, ca, 0, NULL, &certs);
if (ret) {
kdc_log(context, config, 1,
"Failed to load CA certificate and private key %s", ca);
krb5_log_msg(context, logf, 1, NULL,
"Failed to load CA certificate and private key %s",
ca);
krb5_set_error_message(context, ret, "Failed to load CA "
"certificate and private key %s", ca);
goto out;
@@ -691,8 +695,8 @@ kdc_issue_certificate(krb5_context context,
hx509_query_free(context->hx509ctx, q);
hx509_certs_free(&certs);
if (ret) {
kdc_log(context, config, 1,
"Failed to find a CA certificate in %s", ca);
krb5_log_msg(context, logf, 1, NULL,
"Failed to find a CA certificate in %s", ca);
krb5_set_error_message(context, ret,
"Failed to find a CA certificate in %s",
ca);

5
kdc/kx509.c
View File

@@ -1004,8 +1004,9 @@ _kdc_do_kx509(kx509_req_context r)
krb5_data_zero(rep.hash);
krb5_data_zero(rep.certificate);
krb5_ticket_get_times(r->context, ticket, &r->ticket_times);
ret = kdc_issue_certificate(r->context, r->config, r->csr, cprincipal,
&r->ticket_times, r->send_chain, &certs);
ret = kdc_issue_certificate(r->context, r->config->app, r->logf, r->csr,
cprincipal, &r->ticket_times, r->send_chain,
&certs);
if (ret) {
int level = 1;
const char *msg = krb5_get_error_message(r->context, ret);

18
kdc/test_kdc_ca.c
View File

@@ -37,7 +37,7 @@ usage(int e)
int
main(int argc, char **argv)
{
krb5_kdc_configuration *config;
krb5_log_facility *logf = NULL;
krb5_error_code ret;
krb5_principal p = NULL;
krb5_context context;
@@ -67,16 +67,9 @@ main(int argc, char **argv)
if ((errno = krb5_init_context(&context)))
err(1, "Could not initialize krb5_context");
if ((ret = krb5_kdc_get_config(context, &config)))
krb5_err(context, 1, ret, "Could not get KDC configuration");
config->app = app_string;
if ((ret = krb5_initlog(context, argv0, &config->logf)) ||
(ret = krb5_addlog_dest(context, config->logf, "0-5/STDERR")))
if ((ret = krb5_initlog(context, argv0, &logf)) ||
(ret = krb5_addlog_dest(context, logf, "0-5/STDERR")))
krb5_err(context, 1, ret, "Could not set up logging to stderr");
#if 0
if ((ret = krb5_kdc_set_dbinfo(context, config)))
krb5_err(context, 1, ret, "Could not get KDC configuration (HDB)");
#endif
if ((ret = krb5_parse_name(context, argv[0], &p)))
krb5_err(context, 1, ret, "Could not parse principal %s", argv[0]);
if ((ret = hx509_request_parse(context->hx509ctx, argv[1], &req)))
@@ -110,7 +103,7 @@ main(int argc, char **argv)
}
if (ret == HX509_NO_ITEM)
ret = 0;
} else if ((ret = kdc_authorize_csr(context, config, req, p))) {
} else if ((ret = kdc_authorize_csr(context, app_string, req, p))) {
krb5_err(context, 1, ret,
"Requested certificate extensions rejected by policy");
}
@@ -118,7 +111,7 @@ main(int argc, char **argv)
memset(&t, 0, sizeof(t));
t.starttime = time(NULL);
t.endtime = t.starttime + 3600;
if ((ret = kdc_issue_certificate(context, config, req, p, &t, 1,
if ((ret = kdc_issue_certificate(context, app_string, logf, req, p, &t, 1,
&certs)))
krb5_err(context, 1, ret, "Certificate issuance failed");
@@ -143,6 +136,5 @@ main(int argc, char **argv)
hx509_request_free(&req);
hx509_certs_free(&store);
hx509_certs_free(&certs);
/* FIXME There's no free function for config yet */
return 0;
}