1 #include "kdc_locl.h"
/*
 * Command-line state.  getarg() stores into these through the args[] table;
 * they are read once in main() after option parsing.
 */
static int authorized_flag = 0;          /* -A: skip authorizer plugins */
static int help_flag = 0;                /* -h: print usage and exit 0 */
static const char *app_string = "kdc";   /* -a: "kdc" or "bx509" config */
static int version_flag = 0;             /* -v: print version and exit 0 */
/*
 * Option table for getarg().  Field order per struct getargs:
 * long name, short name, type, destination, help text, argument name.
 */
struct getargs args[] = {
    { "authorized", 'A', arg_flag,   &authorized_flag,
      "Assume CSR is authorized",                         NULL },
    { "help",       'h', arg_flag,   &help_flag,
      "Print usage message",                              NULL },
    { "app",        'a', arg_string, &app_string,
      "Application name (kdc or bx509); default: kdc",   "APPNAME" },
    { "version",    'v', arg_flag,   &version_flag,
      "Print version",                                    NULL }
};

/* Number of entries in args[]; args is a real array here, so sizeof works. */
size_t num_args = sizeof args / sizeof *args;
/*
 * Print the option summary followed by a short description of the tool,
 * then exit with status e.  The return statement is never reached; it only
 * keeps callers that write `return usage(1);` well-typed.
 */
static int
usage(int e)
{
    const char *prog = getprogname();

    arg_printusage(args, num_args, NULL,
                   "PRINC PKCS10:/path/to/der/CSR [HX509-STORE]");
    /* Format string is a literal; only the program name is substituted. */
    fprintf(stderr,
            "\n\tTest kx509/bx509 online CA issuer functionality.\n\n"
            "\tIf --authorized / -A not given, then authorizer plugins\n"
            "\twill be invoked.\n\n"
            "\tUse --app kdc to test the kx509 configuration.\n"
            "\tUse --app bx509 to test the bx509 configuration.\n\n"
            "\tExample: %s foo@TEST.H5L.SE PKCS10:/tmp/csr PEM-FILE:/tmp/cert\n",
            prog);
    exit(e);
    return e;
}
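/*
 * Exercise the kx509/bx509 online CA issuer end to end: parse a principal
 * and a PKCS#10 CSR, authorize the CSR (through the KDC's authorizer
 * plugins, or blanket-authorize it when --authorized is given), issue a
 * certificate valid for one hour, and write the result to an hx509 store
 * (default: a throw-away MEMORY store whose store() is a no-op).
 *
 * Operands after option processing: PRINC CSR [HX509-STORE].
 * Any failure exits non-zero through err()/krb5_err(); returns 0 on success.
 */
int
main(int argc, char **argv)
{
    krb5_kdc_configuration *config;
    krb5_error_code ret;
    krb5_principal p = NULL;
    krb5_context context;
    krb5_times t;
    hx509_request req = NULL;
    hx509_certs store = NULL;
    hx509_certs certs = NULL;
    const char *argv0 = argv[0];
    const char *out = "MEMORY:junk-it";
    int optidx = 0;

    setprogname(argv[0]);
    if (getarg(args, num_args, argc, argv, &optidx))
        return usage(1);
    if (help_flag)
        return usage(0);
    if (version_flag) {
        print_version(argv[0]);
        return 0;
    }

    /* Drop the program name and options: argv[0] is now PRINC. */
    argc -= optidx;
    argv += optidx;

    /*
     * usage() documents two mandatory operands (PRINC, CSR) and an optional
     * store.  The previous bound (3..4) contradicted that and made the
     * MEMORY default for `out` unreachable.
     */
    if (argc < 2 || argc > 3)
        usage(1);

    if ((errno = krb5_init_context(&context)))
        err(1, "Could not initialize krb5_context");
    if ((ret = krb5_kdc_get_config(context, &config)))
        krb5_err(context, 1, ret, "Could not get KDC configuration");
    config->app = app_string;
    /* Route all log levels (0-5) to stderr so the test output is visible. */
    if ((ret = krb5_initlog(context, argv0, &config->logf)) ||
        (ret = krb5_addlog_dest(context, config->logf, "0-5/STDERR")))
        krb5_err(context, 1, ret, "Could not set up logging to stderr");
#if 0
    if ((ret = krb5_kdc_set_dbinfo(context, config)))
        krb5_err(context, 1, ret, "Could not get KDC configuration (HDB)");
#endif
    if ((ret = krb5_parse_name(context, argv[0], &p)))
        krb5_err(context, 1, ret, "Could not parse principal %s", argv[0]);
    if ((ret = hx509_request_parse(context->hx509ctx, argv[1], &req)))
        krb5_err(context, 1, ret, "Could not parse PKCS#10 CSR from %s", argv[1]);

    if (authorized_flag) {
        KeyUsage ku = int2KeyUsage(0);
        size_t i;
        char *s = NULL; /* free(s) below must never see an indeterminate value */

        /* Mark all the things authorized */
        ku.digitalSignature = 1;
        hx509_request_authorize_ku(req, ku);

        /* Walk every EKU in the CSR until HX509_NO_ITEM ends the list. */
        for (i = 0; ret == 0; i++) {
            ret = hx509_request_get_eku(req, i, &s);
            free(s); s = NULL;
            if (ret == 0)
                hx509_request_authorize_eku(req, i);
        }
        if (ret == HX509_NO_ITEM)
            ret = 0;

        /* Same for every SAN. */
        for (i = 0; ret == 0; i++) {
            hx509_san_type san_type;

            ret = hx509_request_get_san(req, i, &san_type, &s);
            free(s); s = NULL;
            if (ret == 0)
                hx509_request_authorize_san(req, i);
        }
        if (ret == HX509_NO_ITEM)
            ret = 0;
        /* Any other enumeration error used to be silently dropped here. */
        if (ret)
            krb5_err(context, 1, ret, "Could not enumerate CSR extensions");
    } else if ((ret = kdc_authorize_csr(context, config, req, p))) {
        krb5_err(context, 1, ret,
                 "Requested certificate extensions rejected by policy");
    }

    /* Request a certificate valid for one hour starting now. */
    memset(&t, 0, sizeof(t));
    t.starttime = time(NULL);
    t.endtime = t.starttime + 3600;
    if ((ret = kdc_issue_certificate(context, config, req, p, &t, 1,
                                     &certs)))
        krb5_err(context, 1, ret, "Certificate issuance failed");

    /* Optional third operand overrides the MEMORY store. */
    if (argc > 2)
        out = argv[2];

    if ((ret = hx509_certs_init(context->hx509ctx, out, HX509_CERTS_CREATE,
                                NULL, &store)) ||
        (ret = hx509_certs_merge(context->hx509ctx, store, certs)) ||
        (ret = hx509_certs_store(context->hx509ctx, store, 0, NULL))) {
        /*
         * If the store is a MEMORY store, say, we're really not being asked to
         * store -- we're just testing the online CA functionality without
         * wanting to inspect the result.
         */
        if (ret != HX509_UNSUPPORTED_OPERATION)
            krb5_err(context, 1, ret,
                     "Could not store certificate and chain in %s", out);
    }

    /* Release hx509 objects before the krb5 context that owns hx509ctx. */
    hx509_request_free(&req);
    hx509_certs_free(&store);
    hx509_certs_free(&certs);
    _krb5_unload_plugins(context, "kdc");
    krb5_free_principal(context, p);
    krb5_free_context(context);
    /* FIXME There's no free function for config yet */
    return 0;
}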