diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /third_party/heimdal/kuser/kx509.c | |
parent | Initial commit. (diff) | |
download | samba-upstream.tar.xz samba-upstream.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/heimdal/kuser/kx509.c')
-rw-r--r-- | third_party/heimdal/kuser/kx509.c | 303 |
1 files changed, 303 insertions, 0 deletions
diff --git a/third_party/heimdal/kuser/kx509.c b/third_party/heimdal/kuser/kx509.c new file mode 100644 index 0000000..1cd76fc --- /dev/null +++ b/third_party/heimdal/kuser/kx509.c @@ -0,0 +1,303 @@ +/* + * Copyright (c) 2019 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kuser_locl.h" +#include "heimtools-commands.h" +#include <kx509_asn1.h> +#undef HC_DEPRECATED_CRYPTO +#include "../lib/hx509/hx_locl.h" +#include "../lib/krb5/krb5_locl.h" +#include "hx509-private.h" + +struct validate_store { + size_t ncerts; + int grace; +}; + +static int KRB5_CALLCONV +validate1(hx509_context hx509ctx, void *d, hx509_cert cert) +{ + struct validate_store *v = d; + + if (hx509_cert_get_notAfter(cert) < time(NULL) + v->grace) + return HX509_CERT_USED_AFTER_TIME; + v->ncerts++; + return 0; +} + +static void +validate(krb5_context context, + int grace, + const char *hx509_store, + krb5_data *der_cert, + krb5_data *pkcs8_priv_key) +{ + hx509_context hx509ctx = NULL; + hx509_cert cert; + krb5_error_code ret; + + ret = hx509_context_init(&hx509ctx); + if (ret) + krb5_err(context, 1, ret, "hx509 context init"); + + if (der_cert->data && pkcs8_priv_key->data) { + hx509_private_key key = NULL; + + cert = hx509_cert_init_data(hx509ctx, der_cert->data, + der_cert->length, NULL); + if (cert == NULL) + krb5_err(context, 1, errno, "certificate could not be loaded"); + ret = hx509_parse_private_key(hx509ctx, NULL, pkcs8_priv_key->data, + pkcs8_priv_key->length, + HX509_KEY_FORMAT_PKCS8, &key); + if (ret) + krb5_err(context, 1, ret, "certificate could not be loaded"); + if (hx509_cert_get_notAfter(cert) < time(NULL) + grace) + krb5_errx(context, 1, "certificate is expired"); + hx509_private_key_free(&key); + hx509_cert_free(cert); + } + if (hx509_store) { + struct validate_store v; + hx509_certs certs; + + v.ncerts = 0; + v.grace = grace; + + ret = hx509_certs_init(hx509ctx, hx509_store, 0, NULL, &certs); + if (ret) + krb5_err(context, 1, ret, "could not read hx509 store %s", + hx509_store); + ret = hx509_certs_iter_f(hx509ctx, certs, validate1, &v); + if (ret) + krb5_err(context, 1, ret, "at least one certificate in %s expired", + hx509_store); + if (!v.ncerts) + krb5_errx(context, 1, "no certificates in %s", hx509_store); + + hx509_certs_free(&certs); + } + + hx509_context_free(&hx509ctx); +} + +static krb5_error_code KRB5_CALLCONV +add1_2chain(hx509_context hx509ctx, void *d, hx509_cert cert) +{ + heim_octet_string os; + krb5_error_code ret; + Certificates *cs = d; + Certificate c; + + ret = hx509_cert_binary(hx509ctx, cert, &os); + if (ret == 0) + ret = decode_Certificate(os.data, os.length, &c, NULL); + der_free_octet_string(&os); + if (ret == 0) { + add_Certificates(cs, &c); + free_Certificate(&c); + } + return ret; +} + +static krb5_error_code +add_chain(hx509_context hx509ctx, hx509_certs certs, krb5_data *chain) +{ + krb5_error_code ret; + Certificates cs; + size_t len; + + ret = decode_Certificates(chain->data, chain->length, &cs, &len); + if (ret == 0) { + ret = hx509_certs_iter_f(hx509ctx, certs, add1_2chain, &cs); + free_Certificates(&cs); + } + return ret; +} + +static void +store(krb5_context context, + const char *hx509_store, + krb5_data *der_cert, + krb5_data *pkcs8_priv_key, + krb5_data *chain) +{ + hx509_context hx509ctx = NULL; + hx509_private_key key = NULL; + hx509_certs certs; + hx509_cert cert; + char *store_exp = NULL; + krb5_error_code ret; + + if (hx509_store == NULL) { + hx509_store = krb5_config_get_string(context, NULL, "libdefaults", + "kx509_store", NULL); + if (hx509_store) { + ret = _krb5_expand_path_tokens(context, hx509_store, 1, + &store_exp); + if (ret) + krb5_err(context, 1, ret, "expanding tokens in default " + "hx509 store"); + hx509_store = store_exp; + } + } + if (hx509_store == NULL) + krb5_errx(context, 1, "no hx509 store given and no default hx509 " + "store configured"); + + ret = hx509_context_init(&hx509ctx); + if (ret) + krb5_err(context, 1, ret, "hx509 context init"); + + cert = hx509_cert_init_data(hx509ctx, der_cert->data, + der_cert->length, NULL); + if (cert == NULL) + krb5_err(context, 1, errno, "certificate could not be loaded"); + ret = hx509_parse_private_key(hx509ctx, NULL, pkcs8_priv_key->data, + pkcs8_priv_key->length, + HX509_KEY_FORMAT_PKCS8, &key); + if (ret) + krb5_err(context, 1, ret, "certificate could not be loaded"); + (void) _hx509_cert_assign_key(cert, key); + + ret = hx509_certs_init(hx509ctx, hx509_store, HX509_CERTS_CREATE, NULL, + &certs); + if (ret == 0) + ret = hx509_certs_add(hx509ctx, certs, cert); + if (ret == 0) + add_chain(hx509ctx, certs, chain); + if (ret == 0) + ret = hx509_certs_store(hx509ctx, certs, 0, NULL); + if (ret) + krb5_err(context, 1, ret, "certificate could not be stored"); + + hx509_private_key_free(&key); + hx509_certs_free(&certs); + hx509_cert_free(cert); + hx509_context_free(&hx509ctx); + free(store_exp); +} + +static void +set_csr(krb5_context context, krb5_kx509_req_ctx req, const char *csr_file) +{ + krb5_error_code ret; + krb5_data d; + + if (strncmp(csr_file, "PKCS10:", sizeof("PKCS10:") - 1) != 0) + krb5_errx(context, 1, "CSR filename must start with \"PKCS10:\""); + ret = rk_undumpdata(csr_file + sizeof("PKCS10:") - 1, &d.data, &d.length); + if (ret) + krb5_err(context, 1, ret, "could not read CSR"); + ret = krb5_kx509_ctx_set_csr_der(context, req, &d); + if (ret) + krb5_err(context, 1, ret, "hx509 context init"); +} + +int +kx509(struct kx509_options *opt, int argc, char **argv) +{ + krb5_kx509_req_ctx req = NULL; + krb5_context context = heimtools_context; + krb5_error_code ret = 0; + krb5_ccache ccout = NULL; + krb5_ccache cc = NULL; + + if (opt->cache_string) + ret = krb5_cc_resolve(context, opt->cache_string, &cc); + else if (opt->save_flag || opt->extract_flag) + ret = krb5_cc_default(context, &cc); + if (ret) + krb5_err(context, 1, ret, "no input credential cache"); + if (opt->save_flag) + ccout = cc; + + if (opt->test_integer && + (opt->extract_flag || opt->csr_string || opt->private_key_string)) + krb5_errx(context, 1, "--test is exclusive of --extract, --csr, and " + "--private-key"); + + if (opt->extract_flag && (opt->csr_string || opt->private_key_string)) + krb5_errx(context, 1, "--extract is exclusive of --csr and " + "--private-key"); + + if (opt->test_integer || opt->extract_flag) { + krb5_data der_cert, pkcs8_key, chain; + + der_cert.data = pkcs8_key.data = chain.data = NULL; + der_cert.length = pkcs8_key.length = chain.length = 0; + ret = krb5_cc_get_config(context, cc, NULL, "kx509cert", &der_cert); + if (ret == 0) + ret = krb5_cc_get_config(context, cc, NULL, "kx509key", + &pkcs8_key); + if (ret == 0) + ret = krb5_cc_get_config(context, cc, NULL, "kx509cert-chain", + &chain); + if (ret) + krb5_err(context, 1, ret, "no certificate in credential cache"); + if (opt->test_integer) + validate(context, opt->test_integer, opt->out_string, &der_cert, + &pkcs8_key); + else + store(context, opt->out_string, &der_cert, &pkcs8_key, &chain); + krb5_data_free(&pkcs8_key); + krb5_data_free(&der_cert); + krb5_data_free(&chain); + } else { + /* + * XXX We should delete any cc configs that indicate that kx509 is + * disabled. + */ + ret = krb5_kx509_ctx_init(context, &req); + if (ret == 0 && opt->realm_string) + ret = krb5_kx509_ctx_set_realm(context, req, opt->realm_string); + if (ret == 0 && opt->csr_string) + set_csr(context, req, opt->csr_string); + if (ret == 0 && opt->private_key_string) + ret = krb5_kx509_ctx_set_key(context, req, + opt->private_key_string); + if (ret) + krb5_err(context, 1, ret, + "could not set up kx509 request options"); + + ret = krb5_kx509_ext(context, req, cc, opt->out_string, ccout); + if (ret) + krb5_err(context, 1, ret, + "could not acquire certificate with kx509"); + krb5_kx509_ctx_free(context, &req); + } + + krb5_cc_close(context, cc); + + return 0; +} |