authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2012-06-07 02:43:11 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2012-06-07 02:43:11 -0500
commit68d486e22476583b9a2045ecd39f589257a1bb30 (patch)
tree3c32e1baf00709111dcd351842836403137299db
parent86e14dadc9d81d186f23ce6217ac5d17c969f003 (diff)
Add routine to create certificate
-rw-r--r--src/libtdeldap.cpp35
-rw-r--r--src/libtdeldap.h34
2 files changed, 69 insertions, 0 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 936bb94..34123cd 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -32,6 +32,8 @@
#include <klineedit.h>
#include <kpassdlg.h>
#include <ksimpleconfig.h>
+#include <tdesu/process.h>
+#include <ksslcertificate.h>
#include <ldap.h>
#include <stdlib.h>
@@ -1678,6 +1680,39 @@ void LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* c
}
}
+TQDateTime LDAPManager::getCertificateExpiration(TQString certfile) {
+ TQDateTime ret;
+
+ TQFile file(certfile);
+ if (file.open(IO_ReadOnly)) {
+ TQByteArray ba = file.readAll();
+ file.close();
+
+ TQCString ssldata(ba);
+ ssldata.replace("-----BEGIN CERTIFICATE-----", "");
+ ssldata.replace("-----END CERTIFICATE-----", "");
+ ssldata.replace("\n", "");
+ KSSLCertificate* cert = KSSLCertificate::fromString(ssldata);
+ if (cert) {
+ ret = cert->getQDTNotAfter();
+ delete cert;
+ }
+ }
+
+ return ret;
+}
+
+int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
+ TQString command;
+
+ command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+ system(command);
+ chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(KERBEROS_PKI_PEM_FILE, 0, 0);
+
+ return 0;
+}
+
TQString LDAPManager::getMachineFQDN() {
struct addrinfo hints, *info, *p;
int gai_result;
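Review bot: `generatePublicKerberosCACertificate` builds a shell command line from the seven user-supplied subject fields and hands it to `system()`, so a value containing `"`, `;`, `$(...)` or a backtick in e.g. `commonName` runs arbitrary commands with the caller's privileges (presumably root, given the `chown(..., 0, 0)` that follows). The `system()`, `chmod()` and `chown()` results are also discarded and the function returns 0 unconditionally, so a missing or failing openssl leaves the caller believing a CA certificate was written. Spawn openssl without a shell from an argv array and propagate the exit status as sketched below; a `/` inside a field still starts a new RDN in `-subj`, so escape it as `\/` (or reject it) before building the subject. Separately, `openssl req -x509` without `-days` issues a certificate valid for 30 days by default, which is unlikely to be what is wanted for a CA anchor, so consider passing an explicit `-days` value. `getMachineFQDN` at the end of the hunk continues outside it.
```cpp
int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
	// Subject is passed as one argv element: no shell, so metacharacters in the
	// user-supplied fields cannot break out of the command.
	// TODO: escape '/' in each field (\/) or reject it before building the subject.
	TQCString subject = TQString("/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7")
		.arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName)
		.arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName)
		.arg(certinfo.emailAddress).local8Bit();

	const char* argv[] = { "openssl", "req", "-key", KERBEROS_PKI_PEMKEY_FILE, "-new", "-x509",
	                       "-out", KERBEROS_PKI_PEM_FILE, "-subj", subject.data(), NULL };

	pid_t pid = fork();
	if (pid < 0) {
		return -1;
	}
	if (pid == 0) {
		execvp(argv[0], const_cast<char* const*>(argv));
		_exit(127);	// exec failed; do not run the parent's cleanup in the child
	}
	int status = 0;
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		return -1;	// openssl did not complete successfully; no certificate to trust
	}
	if (chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) != 0
	    || chown(KERBEROS_PKI_PEM_FILE, 0, 0) != 0) {
		return -1;
	}
	return 0;
}
```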
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index b6d899e..be3c84a 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -36,6 +36,16 @@
#define KERBEROS_PKI_PRIVATEDIR "/etc/trinity/ldap/tde-ca/private/"
#define KERBEROS_PKI_PUBLICDIR "/etc/trinity/ldap/tde-ca/public/"
+#define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem"
+#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem"
+#define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt"
+#define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key"
+#define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req"
+
+#define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt"
+#define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key"
+#define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req"
+
#define DEFAULT_IGNORED_USERS_LIST "avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,haldaemon,hplip,irc,klog,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,polkituser,postfix,proxy,pulse,root,rtkit,saned,sshd,statd,sync,sys,syslog,timidity,usbmux,uucp,www-data"
// Values from hdb.asn1
@@ -100,6 +110,27 @@ class LDAPRealmConfig
bool win2k_pkinit_require_binding;
};
+// PRIVATE
+class LDAPCertConfig
+{
+ public:
+ bool generate_certs;
+ TQString provided_kerberos_pem;
+ TQString provided_kerberos_pemkey;
+ TQString provided_kerberos_crt;
+ TQString provided_kerberos_key;
+ TQString provided_ldap_crt;
+ TQString provided_ldap_key;
+
+ TQString countryName;
+ TQString stateOrProvinceName;
+ TQString localityName;
+ TQString organizationName;
+ TQString orgUnitName;
+ TQString commonName;
+ TQString emailAddress;
+};
+
typedef TQMap<TQString, LDAPRealmConfig> LDAPRealmConfigList;
class LDAPUserInfo
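Review bot: `LDAPCertConfig::generate_certs` is a plain `bool` member and the class declares no constructor, so a default-constructed `LDAPCertConfig` carries an indeterminate value in that field and any caller that tests it before assigning reads uninitialized memory (the `TQString` members are fine, they default to null strings). Add a constructor that initialises it, `LDAPCertConfig() : generate_certs(false) {}`, or document that every caller must set the flag explicitly. The `// PRIVATE` marker above the class does not say what is private about it; if the intent is that it is an internal carrier rather than public API, a comment such as `// PRIVATE: internal certificate-generation settings, not a stable interface` would make that clear.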
@@ -271,6 +302,9 @@ class LDAPManager : public TQObject {
static TQString getMachineFQDN();
static void writeLDAPConfFile(LDAPRealmConfig realmcfg);
static void writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config);
+ static TQDateTime getCertificateExpiration(TQString certfile);
+
+ static int generatePublicKerberosCACertificate(LDAPCertConfig certinfo);
private:
LDAPUserInfo parseLDAPUserRecord(LDAPMessage* entry);