1 /*
2 * Copyright (c) 2019 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
34 #include "kuser_locl.h"
35 #include "heimtools-commands.h"
36 #include <kx509_asn1.h>
37 #undef HC_DEPRECATED_CRYPTO
38 #include "../lib/hx509/hx_locl.h"
39 #include "../lib/krb5/krb5_locl.h"
40 #include "hx509-private.h"
/* Per-iteration state shared between validate() and its validate1() callback. */
struct validate_store {
    size_t ncerts;  /* certificates accepted so far by validate1() */
    int grace;      /* seconds of remaining validity a certificate must have */
};
/*
 * hx509_certs_iter_f() callback used by validate(): reject any certificate
 * whose notAfter lies within `grace` seconds of now, otherwise count it in
 * the validate_store passed as `d`.
 *
 * Returns 0 to continue iterating, HX509_CERT_USED_AFTER_TIME to stop.
 */
static int KRB5_CALLCONV
validate1(hx509_context hx509ctx, void *d, hx509_cert cert)
{
    struct validate_store *state = d;
    time_t deadline = time(NULL) + state->grace;

    (void)hx509ctx;

    if (hx509_cert_get_notAfter(cert) < deadline)
        return HX509_CERT_USED_AFTER_TIME;

    state->ncerts++;
    return 0;
}
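/*
 * Validate the kx509 material found in a credential cache (--test mode).
 *
 * Exits through krb5_err()/krb5_errx() unless:
 *  - when both der_cert and pkcs8_priv_key carry data, the certificate
 *    parses, the private key parses as PKCS#8, and the certificate stays
 *    valid for at least `grace` more seconds; and
 *  - when hx509_store is non-NULL, the store can be opened, holds at least
 *    one certificate, and none of them expires within `grace` seconds.
 *
 * The private key is parsed only to prove it is well-formed; nothing here
 * checks that it actually belongs to the certificate.
 */
static void
validate(krb5_context context,
         int grace,
         const char *hx509_store,
         krb5_data *der_cert,
         krb5_data *pkcs8_priv_key)
{
    hx509_context hx509ctx = NULL;
    krb5_error_code ret;

    ret = hx509_context_init(&hx509ctx);
    if (ret)
        krb5_err(context, 1, ret, "hx509 context init");

    if (der_cert->data && pkcs8_priv_key->data) {
        hx509_private_key key = NULL;
        hx509_cert cert;

        cert = hx509_cert_init_data(hx509ctx, der_cert->data,
                                    der_cert->length, NULL);
        if (cert == NULL)
            krb5_err(context, 1, errno, "certificate could not be loaded");
        ret = hx509_parse_private_key(hx509ctx, NULL, pkcs8_priv_key->data,
                                      pkcs8_priv_key->length,
                                      HX509_KEY_FORMAT_PKCS8, &key);
        if (ret)
            /* Previously reported as "certificate could not be loaded",
             * which named the wrong object. */
            krb5_err(context, 1, ret, "private key could not be loaded");
        /* "expired" here means: expires within the grace period. */
        if (hx509_cert_get_notAfter(cert) < time(NULL) + grace)
            krb5_errx(context, 1, "certificate is expired");
        hx509_private_key_free(&key);
        hx509_cert_free(cert);
    }

    if (hx509_store) {
        struct validate_store v;
        hx509_certs certs = NULL;

        v.ncerts = 0;
        v.grace = grace;

        ret = hx509_certs_init(hx509ctx, hx509_store, 0, NULL, &certs);
        if (ret)
            krb5_err(context, 1, ret, "could not read hx509 store %s",
                     hx509_store);
        /* validate1() stops the iteration at the first short-lived cert. */
        ret = hx509_certs_iter_f(hx509ctx, certs, validate1, &v);
        if (ret)
            krb5_err(context, 1, ret, "at least one certificate in %s expired",
                     hx509_store);
        if (!v.ncerts)
            krb5_errx(context, 1, "no certificates in %s", hx509_store);

        hx509_certs_free(&certs);
    }

    hx509_context_free(&hx509ctx);
}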
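/*
 * hx509_certs_iter_f() callback used by add_chain(): re-encode `cert` as a
 * Certificate and append it to the Certificates sequence passed as `d`.
 *
 * Returns 0 on success, otherwise the hx509/ASN.1 error, which stops the
 * iteration.
 */
static krb5_error_code KRB5_CALLCONV
add1_2chain(hx509_context hx509ctx, void *d, hx509_cert cert)
{
    heim_octet_string os;
    krb5_error_code ret;
    Certificates *cs = d;
    Certificate c;

    ret = hx509_cert_binary(hx509ctx, cert, &os);
    if (ret)
        /* os was never filled in; the old code freed it anyway. */
        return ret;

    ret = decode_Certificate(os.data, os.length, &c, NULL);
    der_free_octet_string(&os);
    if (ret == 0) {
        /* add_Certificates() can fail on allocation; do not drop that. */
        ret = add_Certificates(cs, &c);
        free_Certificate(&c);
    }
    return ret;
}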
/*
 * Decode the DER-encoded Certificates in `chain` and add every member of
 * `certs` to it through add1_2chain().
 *
 * Returns 0 on success, else the decode or iteration error.
 */
static krb5_error_code
add_chain(hx509_context hx509ctx, hx509_certs certs, krb5_data *chain)
{
    Certificates decoded;
    size_t consumed;
    krb5_error_code ret;

    ret = decode_Certificates(chain->data, chain->length, &decoded, &consumed);
    if (ret)
        return ret;

    ret = hx509_certs_iter_f(hx509ctx, certs, add1_2chain, &decoded);
    free_Certificates(&decoded);
    return ret;
}
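/*
 * Write a kx509 certificate, its private key and its chain to an hx509
 * store (--extract mode).
 *
 * If hx509_store is NULL the [libdefaults] kx509_store setting is used,
 * with path tokens expanded.  Every failure exits through krb5_err()/
 * krb5_errx().  The private key ends up in the store alongside the
 * certificate, so the store location should be one only the user can read.
 */
static void
store(krb5_context context,
      const char *hx509_store,
      krb5_data *der_cert,
      krb5_data *pkcs8_priv_key,
      krb5_data *chain)
{
    hx509_context hx509ctx = NULL;
    hx509_private_key key = NULL;
    hx509_certs certs = NULL;
    hx509_cert cert;
    char *store_exp = NULL;
    krb5_error_code ret;

    if (hx509_store == NULL) {
        hx509_store = krb5_config_get_string(context, NULL, "libdefaults",
                                             "kx509_store", NULL);
        if (hx509_store) {
            ret = _krb5_expand_path_tokens(context, hx509_store, 1,
                                           &store_exp);
            if (ret)
                krb5_err(context, 1, ret, "expanding tokens in default "
                         "hx509 store");
            hx509_store = store_exp;
        }
    }
    if (hx509_store == NULL)
        krb5_errx(context, 1, "no hx509 store given and no default hx509 "
                  "store configured");

    ret = hx509_context_init(&hx509ctx);
    if (ret)
        krb5_err(context, 1, ret, "hx509 context init");

    cert = hx509_cert_init_data(hx509ctx, der_cert->data,
                                der_cert->length, NULL);
    if (cert == NULL)
        krb5_err(context, 1, errno, "certificate could not be loaded");
    ret = hx509_parse_private_key(hx509ctx, NULL, pkcs8_priv_key->data,
                                  pkcs8_priv_key->length,
                                  HX509_KEY_FORMAT_PKCS8, &key);
    if (ret)
        /* Previously reported as "certificate could not be loaded",
         * which named the wrong object. */
        krb5_err(context, 1, ret, "private key could not be loaded");
    (void) _hx509_cert_assign_key(cert, key);

    ret = hx509_certs_init(hx509ctx, hx509_store, HX509_CERTS_CREATE, NULL,
                           &certs);
    if (ret == 0)
        ret = hx509_certs_add(hx509ctx, certs, cert);
    if (ret == 0)
        /* NOTE(review): a chain that fails to decode is silently dropped;
         * the certificate is still stored without it.  Kept as best-effort
         * to match the original behaviour. */
        (void) add_chain(hx509ctx, certs, chain);
    if (ret == 0)
        ret = hx509_certs_store(hx509ctx, certs, 0, NULL);
    if (ret)
        krb5_err(context, 1, ret, "certificate could not be stored");

    hx509_private_key_free(&key);
    hx509_certs_free(&certs);
    hx509_cert_free(cert);
    hx509_context_free(&hx509ctx);
    free(store_exp);
}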
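/*
 * Load a DER PKCS#10 CSR from a "PKCS10:<path>" file name and attach it
 * to the kx509 request context.  Exits through krb5_err()/krb5_errx() on
 * any failure.
 */
static void
set_csr(krb5_context context, krb5_kx509_req_ctx req, const char *csr_file)
{
    static const char prefix[] = "PKCS10:";
    krb5_error_code ret;
    krb5_data d;

    if (strncmp(csr_file, prefix, sizeof(prefix) - 1) != 0)
        krb5_errx(context, 1, "CSR filename must start with \"PKCS10:\"");
    ret = rk_undumpdata(csr_file + sizeof(prefix) - 1, &d.data, &d.length);
    if (ret)
        krb5_err(context, 1, ret, "could not read CSR");
    ret = krb5_kx509_ctx_set_csr_der(context, req, &d);
    if (ret)
        /* Previously reported as "hx509 context init" (copy-paste). */
        krb5_err(context, 1, ret, "could not set CSR on kx509 request");
    /* NOTE(review): d.data is never released here.  If
     * krb5_kx509_ctx_set_csr_der() copies the CSR this leaks one buffer
     * per call; if it takes ownership this is correct — confirm against
     * the library. */
}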
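/*
 * heimtools "kx509" command.
 *
 * Modes, selected by the options:
 *  --test N   validate the certificate material stored in the credential
 *             cache (and optionally an hx509 store) with N seconds of grace;
 *  --extract  copy the cached certificate, key and chain into an hx509 store;
 *  otherwise  acquire a certificate with the kx509 protocol, optionally
 *             from a caller-supplied CSR / private key, and save it when
 *             --save is given.
 *
 * argc/argv are unused.  All failures exit through krb5_err()/krb5_errx();
 * returns 0 on success.
 */
int
kx509(struct kx509_options *opt, int argc, char **argv)
{
    krb5_kx509_req_ctx req = NULL;
    krb5_context context = heimtools_context;
    krb5_error_code ret = 0;
    krb5_ccache ccout = NULL;
    krb5_ccache cc = NULL;

    (void)argc;
    (void)argv;

    /* --test reads the cache too; without this it ran with cc == NULL
     * whenever no cache was named explicitly. */
    if (opt->cache_string)
        ret = krb5_cc_resolve(context, opt->cache_string, &cc);
    else if (opt->save_flag || opt->extract_flag || opt->test_integer)
        ret = krb5_cc_default(context, &cc);
    if (ret)
        krb5_err(context, 1, ret, "no input credential cache");
    if (opt->save_flag)
        ccout = cc;

    if (opt->test_integer &&
        (opt->extract_flag || opt->csr_string || opt->private_key_string))
        krb5_errx(context, 1, "--test is exclusive of --extract, --csr, and "
                  "--private-key");

    if (opt->extract_flag && (opt->csr_string || opt->private_key_string))
        krb5_errx(context, 1, "--extract is exclusive of --csr and "
                  "--private-key");

    if (opt->test_integer || opt->extract_flag) {
        krb5_data der_cert, pkcs8_key, chain;

        der_cert.data = pkcs8_key.data = chain.data = NULL;
        der_cert.length = pkcs8_key.length = chain.length = 0;
        ret = krb5_cc_get_config(context, cc, NULL, "kx509cert", &der_cert);
        if (ret == 0)
            ret = krb5_cc_get_config(context, cc, NULL, "kx509key",
                                     &pkcs8_key);
        if (ret == 0)
            ret = krb5_cc_get_config(context, cc, NULL, "kx509cert-chain",
                                     &chain);
        if (ret)
            krb5_err(context, 1, ret, "no certificate in credential cache");
        if (opt->test_integer)
            validate(context, opt->test_integer, opt->out_string, &der_cert,
                     &pkcs8_key);
        else
            store(context, opt->out_string, &der_cert, &pkcs8_key, &chain);
        krb5_data_free(&pkcs8_key);
        krb5_data_free(&der_cert);
        krb5_data_free(&chain);
    } else {
        /*
         * XXX We should delete any cc configs that indicate that kx509 is
         * disabled.
         */
        ret = krb5_kx509_ctx_init(context, &req);
        if (ret == 0 && opt->realm_string)
            ret = krb5_kx509_ctx_set_realm(context, req, opt->realm_string);
        if (ret == 0 && opt->csr_string)
            set_csr(context, req, opt->csr_string);   /* exits on failure */
        if (ret == 0 && opt->private_key_string)
            ret = krb5_kx509_ctx_set_key(context, req,
                                         opt->private_key_string);
        if (ret)
            krb5_err(context, 1, ret,
                     "could not set up kx509 request options");

        /* cc may be NULL here when no cache was named and --save is unset. */
        ret = krb5_kx509_ext(context, req, cc, opt->out_string, ccout);
        if (ret)
            krb5_err(context, 1, ret,
                     "could not acquire certificate with kx509");
        krb5_kx509_ctx_free(context, &req);
    }

    if (cc)
        krb5_cc_close(context, cc);

    return 0;
}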