1 #include "kdc_locl.h"
/* Option storage filled in by getarg(); the table below points at these. */
static int authorized_flag;
static int help_flag;
static char *lifetime_string;
static const char *app_string = "kdc";
static int version_flag;

/*
 * Command-line option table for getarg()/arg_printusage().
 *
 * --app selects which configuration (kdc or bx509) the issuer code under
 * test reads; -A skips the authorizer plugins and approves the whole CSR.
 */
struct getargs args[] = {
    { "authorized", 'A', arg_flag,   &authorized_flag,
      "Assume CSR is authorized", NULL },
    { "lifetime",   'l', arg_string, &lifetime_string,
      "Certificate lifetime desired", "TIME" },
    { "help",       'h', arg_flag,   &help_flag,
      "Print usage message", NULL },
    { "app",        'a', arg_string, &app_string,
      "Application name (kdc or bx509); default: kdc", "APPNAME" },
    { "version",    'v', arg_flag,   &version_flag,
      "Print version", NULL }
};

/* Number of entries in args[]; args is a real array here, so sizeof works. */
size_t num_args = sizeof(args) / sizeof(*args);
/*
 * Print the getarg() option summary plus a short description of the tool
 * to stderr, then terminate the process with exit status e.
 *
 * Does not return: exit() ends the process.  The trailing "return e" only
 * exists so callers can write "return usage(1);" without a warning.
 */
static int
usage(int e)
{
    const char *prog = getprogname();

    arg_printusage(args, num_args, NULL,
                   "PRINC PKCS10:/path/to/der/CSR [HX509-STORE]");
    fprintf(stderr,
            "\n\tTest kx509/bx509 online CA issuer functionality.\n"
            "\n\tIf --authorized / -A not given, then authorizer plugins\n"
            "\twill be invoked.\n"
            "\n\tUse --app kdc to test the kx509 configuration.\n"
            "\tUse --app bx509 to test the bx509 configuration.\n\n\t"
            "Example: %s foo@TEST.H5L.SE PKCS10:/tmp/csr PEM-FILE:/tmp/cert\n",
            prog);
    exit(e);
    return e;
}
/*
 * Built-in plugin search path, used by load_plugins() when the
 * configuration does not name a [kdc] plugin_dir.  NULL-terminated.
 *
 * NOTE(review): "$ORIGIN" is presumably expanded relative to the running
 * executable by the plugin loader -- confirm against _krb5_load_plugins().
 */
static const char *sysplugin_dirs[] = {
#ifdef _WIN32
    "$ORIGIN",
#else
    "$ORIGIN/../lib/plugin/kdc",
#endif
#ifdef __APPLE__
    LIBDIR "/plugin/kdc",
#endif
    NULL
};
/*
 * Load the "kdc" plugins into context.
 *
 * Outside Windows the directory list comes from [kdc] plugin_dir in the
 * configuration when that is set, otherwise from sysplugin_dirs; on
 * Windows only sysplugin_dirs is used.  Because whatever is found in these
 * directories is loaded into this process, the configuration file is as
 * trust-sensitive as the plugins it points at.
 */
static void
load_plugins(krb5_context context)
{
#ifdef _WIN32
    _krb5_load_plugins(context, "kdc", (const char **)sysplugin_dirs);
#else
    char **cfdirs = krb5_config_get_strings(context, NULL,
                                           "kdc", "plugin_dir", NULL);
    const char * const *dirs =
        cfdirs ? (const char * const *)cfdirs : sysplugin_dirs;

    _krb5_load_plugins(context, "kdc", (const char **)dirs);
    /* cfdirs may be NULL here; the original passes it through unchanged. */
    krb5_config_free_strings(cfdirs);
#endif
}
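/*
 * Approve every key usage, EKU and SAN present in req, as if a policy
 * plugin had authorized them all.  Used with --authorized / -A so the
 * issuer path can be exercised without invoking the authorizer plugins.
 *
 * Returns 0, or an hx509 error other than HX509_NO_ITEM reported by the
 * request accessors.
 */
static krb5_error_code
mark_all_authorized(hx509_request req)
{
    KeyUsage ku = int2KeyUsage(0);
    krb5_error_code ret = 0;
    char *s = NULL;  /* initialized so free() is safe if an accessor fails early */
    size_t i;

    /* Mark all the things authorized */
    ku.digitalSignature = 1;
    hx509_request_authorize_ku(req, ku);

    /* Walk the EKUs until the accessor reports there are no more. */
    for (i = 0; ret == 0; i++) {
        ret = hx509_request_get_eku(req, i, &s);
        free(s);
        s = NULL;
        if (ret == 0)
            hx509_request_authorize_eku(req, i);
    }
    if (ret == HX509_NO_ITEM)
        ret = 0;

    /* Same for the SANs. */
    for (i = 0; ret == 0; i++) {
        hx509_san_type san_type;

        ret = hx509_request_get_san(req, i, &san_type, &s);
        free(s);
        s = NULL;
        if (ret == 0)
            hx509_request_authorize_san(req, i);
    }
    if (ret == HX509_NO_ITEM)
        ret = 0;

    return ret;
}

/*
 * Test driver for the kx509/bx509 online CA issuer.
 *
 * Positional arguments (after options): PRINC, a PKCS10: CSR, and an
 * optional HX509 store to write the issued chain to.  Without a store the
 * result goes to an in-memory store and is discarded.  Any failure is
 * reported with krb5_err()/err() and terminates the process with status 1.
 */
int
main(int argc, char **argv)
{
    krb5_log_facility *logf = NULL;
    krb5_error_code ret;
    krb5_principal p = NULL;
    krb5_context context = NULL;
    krb5_times t;
    hx509_request req = NULL;
    hx509_certs store = NULL;
    hx509_certs certs = NULL;
    const char *argv0 = argv[0];
    const char *out = "MEMORY:junk-it";
    time_t req_life = 0;
    int optidx = 0;

    setprogname(argv[0]);
    if (getarg(args, num_args, argc, argv, &optidx))
        return usage(1);
    if (help_flag)
        return usage(0);
    if (version_flag) {
        print_version(argv[0]);
        return 0;
    }

    argc -= optidx;
    argv += optidx;

    /*
     * After the shift argv[0] is PRINC and argv[1] the CSR, with the store
     * optional (see usage()), so exactly two or three positionals remain.
     * The old bounds (3..4) rejected the documented two-argument form and
     * accepted a fourth argument that nothing reads.
     */
    if (argc < 2 || argc > 3)
        usage(1);

    if ((errno = krb5_init_context(&context)))
        err(1, "Could not initialize krb5_context");
    if ((ret = krb5_initlog(context, argv0, &logf)) ||
        (ret = krb5_addlog_dest(context, logf, "0-5/STDERR")))
        krb5_err(context, 1, ret, "Could not set up logging to stderr");
    load_plugins(context);
    if ((ret = krb5_parse_name(context, argv[0], &p)))
        krb5_err(context, 1, ret, "Could not parse principal %s", argv[0]);
    if ((ret = hx509_request_parse(context->hx509ctx, argv[1], &req)))
        krb5_err(context, 1, ret, "Could not parse PKCS#10 CSR from %s", argv[1]);

    /*
     * -A bypasses the authorizer plugins entirely; otherwise the CSR goes
     * through the same policy check the real KDC/bx509d would apply.
     * Errors from the accessors used while approving are now reported
     * instead of being overwritten by the issuance call below.
     */
    if (authorized_flag) {
        if ((ret = mark_all_authorized(req)))
            krb5_err(context, 1, ret, "Could not authorize CSR contents");
    } else if ((ret = kdc_authorize_csr(context, app_string, req, p))) {
        krb5_err(context, 1, ret,
                 "Requested certificate extensions rejected by policy");
    }

    /* A one-hour window starting now; the issuer bounds the lifetime by it. */
    memset(&t, 0, sizeof(t));
    t.starttime = time(NULL);
    t.endtime = t.starttime + 3600;
    /* NOTE(review): parse_time()'s failure value is not checked here -- confirm
     * whether it can signal a bad --lifetime string. */
    req_life = lifetime_string ? parse_time(lifetime_string, "day") : 0;
    if ((ret = kdc_issue_certificate(context, app_string, logf, req, p, &t,
                                     req_life, 1, &certs)))
        krb5_err(context, 1, ret, "Certificate issuance failed");

    if (argc == 3)
        out = argv[2];

    if ((ret = hx509_certs_init(context->hx509ctx, out, HX509_CERTS_CREATE,
                                NULL, &store)) ||
        (ret = hx509_certs_merge(context->hx509ctx, store, certs)) ||
        (ret = hx509_certs_store(context->hx509ctx, store, 0, NULL))) {
        /*
         * If the store is a MEMORY store, say, we're really not being asked to
         * store -- we're just testing the online CA functionality without
         * wanting to inspect the result.
         */
        if (ret != HX509_UNSUPPORTED_OPERATION)
            krb5_err(context, 1, ret,
                     "Could not store certificate and chain in %s", out);
    }

    /*
     * Release the hx509 objects created via context->hx509ctx before the
     * krb5 context itself goes away.
     */
    hx509_request_free(&req);
    hx509_certs_free(&store);
    hx509_certs_free(&certs);
    _krb5_unload_plugins(context, "kdc");
    krb5_free_principal(context, p);
    krb5_free_context(context);
    return 0;
}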