1 /* autoca.c - Automatic Certificate Authority */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2009-2017 The OpenLDAP Foundation.
6 * Copyright 2009-2017 by Howard Chu.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Howard Chu for inclusion in
24 #define SLAPD_OVER_AUTOCA SLAPD_MOD_DYNAMIC
26 #ifdef SLAPD_OVER_AUTOCA
30 #include <ac/string.h>
31 #include <ac/socket.h>
37 #include <openssl/x509v3.h>
38 #include <openssl/evp.h>
40 /* Starting with OpenSSL 1.1.0, rsa.h is no longer included in
41 * x509.h, so we need to explicitly include it for the
42 * call to EVP_PKEY_CTX_set_rsa_keygen_bits
45 #if OPENSSL_VERSION_NUMBER >= 0x10100000
46 #include <openssl/rsa.h>
49 /* This overlay implements a certificate authority that can generate
50 * certificates automatically for any entry in the directory.
51 * On startup it generates a self-signed CA cert for the directory's
52 * suffix entry and uses this to sign all other certs that it generates.
53 * User and server certs are generated on demand, using a Search request.
56 #define LBER_TAG_OID ((ber_tag_t) 0x06UL)
57 #define LBER_TAG_UTF8 ((ber_tag_t) 0x0cUL)
60 #define MIN_KEYBITS 512
62 #define ACA_SCHEMA_ROOT "1.3.6.1.4.1.4203.666.11.11"
64 #define ACA_SCHEMA_AT ACA_SCHEMA_ROOT ".1"
65 #define ACA_SCHEMA_OC ACA_SCHEMA_ROOT ".2"
67 static AttributeDescription *ad_caCert, *ad_caPkey, *ad_usrCert, *ad_usrPkey;
68 static AttributeDescription *ad_mail, *ad_ipaddr;
69 static ObjectClass *oc_caObj, *oc_usrObj;
71 static char *aca_attrs[] = {
72 "( " ACA_SCHEMA_AT ".1 NAME 'cAPrivateKey' "
73 "DESC 'X.509 CA private key, use ;binary' "
74 "SUP x509PrivateKey )",
75 "( " ACA_SCHEMA_AT ".2 NAME 'userPrivateKey' "
76 "DESC 'X.509 user private key, use ;binary' "
77 "SUP x509PrivateKey )",
83 AttributeDescription **ad;
85 { "cACertificate;binary", &ad_caCert },
86 { "cAPrivateKey;binary", &ad_caPkey },
87 { "userCertificate;binary", &ad_usrCert },
88 { "userPrivateKey;binary", &ad_usrPkey },
97 { "( " ACA_SCHEMA_OC ".1 NAME 'autoCA' "
98 "DESC 'Automated PKI certificate authority' "
99 "SUP pkiCA AUXILIARY "
100 "MAY cAPrivateKey )", &oc_caObj },
101 { "( " ACA_SCHEMA_OC ".2 NAME 'autoCAuser' "
102 "DESC 'Automated PKI CA user' "
103 "SUP pkiUser AUXILIARY "
104 "MAY userPrivateKey )", &oc_usrObj },
108 typedef struct autoca_info {
111 ObjectClass *ai_usrclass;
112 ObjectClass *ai_srvclass;
113 struct berval ai_localdn;
114 struct berval ai_localndn;
123 /* Rewrite an LDAP DN in DER form
124 * Input must be valid DN, therefore no error checking is done here.
126 static int autoca_dnbv2der( Operation *op, struct berval *bv, struct berval *der )
128 BerElementBuffer berbuf;
129 BerElement *ber = (BerElement *)&berbuf;
133 AttributeDescription *ad;
136 ldap_bv2dn_x( bv, &dn, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx );
138 ber_init2( ber, NULL, LBER_USE_DER );
139 ber_set_option( ber, LBER_OPT_BER_MEMCTX, &op->o_tmpmemctx );
141 /* count RDNs, we need them in reverse order */
142 for (irdn = 0; dn[irdn]; irdn++);
145 /* DN is a SEQuence of RDNs */
146 ber_start_seq( ber, LBER_SEQUENCE );
147 for (; irdn >=0; irdn--)
149 /* RDN is a SET of AVAs */
150 ber_start_set( ber, LBER_SET );
152 for (iava = 0; rdn[iava]; iava++)
156 struct berval bvo = { sizeof(oid), oid };
159 /* AVA is a SEQuence of attr and value */
160 ber_start_seq( ber, LBER_SEQUENCE );
163 slap_bv2ad( &ava->la_attr, &ad, &text );
164 ber_str2bv( ad->ad_type->sat_oid, 0, 0, &bva );
165 ber_encode_oid( &bva, &bvo );
166 ber_put_berval( ber, &bvo, LBER_TAG_OID );
167 ber_put_berval( ber, &ava->la_value, LBER_TAG_UTF8 );
173 ber_flatten2( ber, der, 0 );
174 ldap_dnfree_x( dn, op->o_tmpmemctx );
178 static int autoca_genpkey(int bits, EVP_PKEY **pkey)
183 kctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
186 if (EVP_PKEY_keygen_init(kctx) <= 0)
188 EVP_PKEY_CTX_free(kctx);
191 if (EVP_PKEY_CTX_set_rsa_keygen_bits(kctx, bits) <= 0)
193 EVP_PKEY_CTX_free(kctx);
196 rc = EVP_PKEY_keygen(kctx, pkey);
197 EVP_PKEY_CTX_free(kctx);
201 static int autoca_signcert(X509 *cert, EVP_PKEY *pkey)
203 EVP_MD_CTX *ctx = EVP_MD_CTX_create();
204 EVP_PKEY_CTX *pkctx = NULL;
209 if (EVP_DigestSignInit(ctx, &pkctx, NULL, NULL, pkey))
211 rc = X509_sign_ctx(cert, ctx);
213 EVP_MD_CTX_destroy(ctx);
217 #define SERIAL_BITS 64 /* should be less than 160 */
219 typedef struct myext {
224 static myext CAexts[] = {
225 { "subjectKeyIdentifier", "hash" },
226 { "authorityKeyIdentifier", "keyid:always,issuer" },
227 { "basicConstraints", "critical,CA:true" },
228 { "keyUsage", "digitalSignature,cRLSign,keyCertSign" },
229 { "nsComment", "OpenLDAP automatic certificate" },
233 static myext usrExts[] = {
234 { "subjectKeyIdentifier", "hash" },
235 { "authorityKeyIdentifier", "keyid:always,issuer" },
236 { "basicConstraints", "CA:false" },
237 { "keyUsage", "digitalSignature,nonRepudiation,keyEncipherment" },
238 { "extendedKeyUsage", "clientAuth,emailProtection,codeSigning" },
239 { "nsComment", "OpenLDAP automatic certificate" },
243 static myext srvExts[] = {
244 { "subjectKeyIdentifier", "hash" },
245 { "authorityKeyIdentifier", "keyid:always,issuer" },
246 { "basicConstraints", "CA:false" },
247 { "keyUsage", "digitalSignature,keyEncipherment" },
248 { "extendedKeyUsage", "serverAuth,clientAuth" },
249 { "nsComment", "OpenLDAP automatic certificate" },
253 typedef struct genargs {
255 EVP_PKEY *issuer_pkey;
256 struct berval *subjectDN;
261 struct berval dercert;
262 struct berval derpkey;
267 static int autoca_gencert( Operation *op, genargs *args )
269 X509_NAME *subj_name, *issuer_name;
273 EVP_PKEY *evpk = NULL;
276 if ((subj_cert = X509_new()) == NULL)
279 autoca_dnbv2der( op, args->subjectDN, &derdn );
280 pp = (unsigned char *)derdn.bv_val;
281 subj_name = d2i_X509_NAME( NULL, (const unsigned char **)&pp, derdn.bv_len );
282 op->o_tmpfree( derdn.bv_val, op->o_tmpmemctx );
283 if ( subj_name == NULL )
286 X509_free( subj_cert );
290 rc = autoca_genpkey( args->keybits, &evpk );
294 if ( subj_name ) X509_NAME_free( subj_name );
297 /* encode DER in PKCS#8 */
299 PKCS8_PRIV_KEY_INFO *p8inf;
300 if (( p8inf = EVP_PKEY2PKCS8( evpk )) == NULL )
302 args->derpkey.bv_len = i2d_PKCS8_PRIV_KEY_INFO( p8inf, NULL );
303 args->derpkey.bv_val = op->o_tmpalloc( args->derpkey.bv_len, op->o_tmpmemctx );
304 pp = (unsigned char *)args->derpkey.bv_val;
305 i2d_PKCS8_PRIV_KEY_INFO( p8inf, &pp );
306 PKCS8_PRIV_KEY_INFO_free( p8inf );
308 args->newpkey = evpk;
310 /* set random serial */
312 BIGNUM *bn = BN_new();
316 EVP_PKEY_free( evpk );
319 if (!BN_pseudo_rand(bn, SERIAL_BITS, 0, 0))
324 if (!BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(subj_cert)))
331 if (args->issuer_cert) {
332 issuer_name = X509_get_subject_name(args->issuer_cert);
334 issuer_name = subj_name;
335 args->issuer_cert = subj_cert;
336 args->issuer_pkey = evpk;
338 if (!X509_set_version(subj_cert, 2) || /* set version to V3 */
339 !X509_set_issuer_name(subj_cert, issuer_name) ||
340 !X509_set_subject_name(subj_cert, subj_name) ||
341 !X509_gmtime_adj(X509_get_notBefore(subj_cert), 0) ||
342 !X509_time_adj_ex(X509_get_notAfter(subj_cert), args->days, 0, NULL) ||
343 !X509_set_pubkey(subj_cert, evpk))
347 X509_NAME_free(subj_name);
350 /* set cert extensions */
356 X509V3_set_ctx(&ctx, args->issuer_cert, subj_cert, NULL, NULL, 0);
357 for (i=0; args->cert_exts[i].name; i++) {
358 ext = X509V3_EXT_nconf(NULL, &ctx, args->cert_exts[i].name, args->cert_exts[i].value);
361 rc = X509_add_ext(subj_cert, ext, -1);
362 X509_EXTENSION_free(ext);
366 if (args->more_exts) {
367 for (i=0; args->more_exts[i].name; i++) {
368 ext = X509V3_EXT_nconf(NULL, &ctx, args->more_exts[i].name, args->more_exts[i].value);
371 rc = X509_add_ext(subj_cert, ext, -1);
372 X509_EXTENSION_free(ext);
378 rc = autoca_signcert( subj_cert, args->issuer_pkey );
381 args->dercert.bv_len = i2d_X509( subj_cert, NULL );
382 args->dercert.bv_val = op->o_tmpalloc( args->dercert.bv_len, op->o_tmpmemctx );
383 pp = (unsigned char *)args->dercert.bv_val;
384 i2d_X509( subj_cert, &pp );
385 args->newcert = subj_cert;
389 typedef struct saveargs {
391 struct berval *dercert;
392 struct berval *derpkey;
399 static int autoca_savecert( Operation *op, saveargs *args )
401 Modifications mod[3], *mp = mod;
402 struct berval bvs[6], *bp = bvs;
404 slap_callback cb = {0};
405 SlapReply rs = {REP_RESULT};
410 mp->sml_nvalues = NULL;
411 mp->sml_desc = slap_schema.si_ad_objectClass;
412 mp->sml_op = LDAP_MOD_ADD;
413 mp->sml_flags = SLAP_MOD_INTERNAL;
414 *bp++ = args->oc->soc_cname;
422 mp->sml_nvalues = NULL;
423 mp->sml_desc = args->isca ? ad_caCert : ad_usrCert;
424 mp->sml_op = LDAP_MOD_REPLACE;
425 mp->sml_flags = SLAP_MOD_INTERNAL;
426 *bp++ = *args->dercert;
434 mp->sml_nvalues = NULL;
435 mp->sml_desc = args->isca ? ad_caPkey : ad_usrPkey;
436 mp->sml_op = LDAP_MOD_ADD;
437 mp->sml_flags = SLAP_MOD_INTERNAL;
438 *bp++ = *args->derpkey;
442 cb.sc_response = slap_null_cb;
443 bi = op->o_bd->bd_info;
444 op->o_bd->bd_info = args->on->on_info->oi_orig;
445 op->o_tag = LDAP_REQ_MODIFY;
446 op->o_callback = &cb;
447 op->orm_modlist = mod;
448 op->orm_no_opattrs = 1;
449 op->o_req_dn = *args->dn;
450 op->o_req_ndn = *args->ndn;
451 op->o_bd->be_modify( op, &rs );
452 op->o_bd->bd_info = bi;
456 static const struct berval configDN = BER_BVC("cn=config");
458 /* must run as a pool thread to avoid cn=config deadlock */
460 autoca_setca_task( void *ctx, void *arg )
462 Connection conn = { 0 };
463 OperationBuffer opbuf;
465 struct berval *cacert = arg;
467 struct berval bvs[2];
468 slap_callback cb = {0};
469 SlapReply rs = {REP_RESULT};
472 connection_fake_init( &conn, &opbuf, ctx );
476 mod.sml_values = bvs;
477 mod.sml_nvalues = NULL;
479 if ( slap_str2ad( "olcTLSCACertificate;binary", &mod.sml_desc, &text ))
481 mod.sml_op = LDAP_MOD_REPLACE;
482 mod.sml_flags = SLAP_MOD_INTERNAL;
484 BER_BVZERO( &bvs[1] );
487 cb.sc_response = slap_null_cb;
488 op->o_bd = select_backend( (struct berval *)&configDN, 0 );
492 op->o_tag = LDAP_REQ_MODIFY;
493 op->o_callback = &cb;
494 op->orm_modlist = &mod;
495 op->orm_no_opattrs = 1;
496 op->o_req_dn = configDN;
497 op->o_req_ndn = configDN;
498 op->o_dn = op->o_bd->be_rootdn;
499 op->o_ndn = op->o_bd->be_rootndn;
500 op->o_bd->be_modify( op, &rs );
507 autoca_setca( struct berval *cacert )
509 struct berval *bv = ch_malloc( sizeof(struct berval) + cacert->bv_len );
510 bv->bv_len = cacert->bv_len;
511 bv->bv_val = (char *)(bv+1);
512 AC_MEMCPY( bv->bv_val, cacert->bv_val, bv->bv_len );
513 return ldap_pvt_thread_pool_submit( &connection_pool, autoca_setca_task, bv );
517 autoca_setlocal( Operation *op, struct berval *cert, struct berval *pkey )
519 Modifications mod[2];
520 struct berval bvs[4];
521 slap_callback cb = {0};
522 SlapReply rs = {REP_RESULT};
525 mod[0].sml_numvals = 1;
526 mod[0].sml_values = bvs;
527 mod[0].sml_nvalues = NULL;
528 mod[0].sml_desc = NULL;
529 if ( slap_str2ad( "olcTLSCertificate;binary", &mod[0].sml_desc, &text ))
531 mod[0].sml_op = LDAP_MOD_REPLACE;
532 mod[0].sml_flags = SLAP_MOD_INTERNAL;
534 BER_BVZERO( &bvs[1] );
535 mod[0].sml_next = &mod[1];
537 mod[1].sml_numvals = 1;
538 mod[1].sml_values = &bvs[2];
539 mod[1].sml_nvalues = NULL;
540 mod[1].sml_desc = NULL;
541 if ( slap_str2ad( "olcTLSCertificateKey;binary", &mod[1].sml_desc, &text ))
543 mod[1].sml_op = LDAP_MOD_REPLACE;
544 mod[1].sml_flags = SLAP_MOD_INTERNAL;
546 BER_BVZERO( &bvs[3] );
547 mod[1].sml_next = NULL;
549 cb.sc_response = slap_null_cb;
550 op->o_bd = select_backend( (struct berval *)&configDN, 0 );
554 op->o_tag = LDAP_REQ_MODIFY;
555 op->o_callback = &cb;
556 op->orm_modlist = mod;
557 op->orm_no_opattrs = 1;
558 op->o_req_dn = configDN;
559 op->o_req_ndn = configDN;
560 op->o_dn = op->o_bd->be_rootdn;
561 op->o_ndn = op->o_bd->be_rootndn;
562 op->o_bd->be_modify( op, &rs );
578 static int autoca_cf( ConfigArgs *c )
580 slap_overinst *on = (slap_overinst *)c->bi;
581 autoca_info *ai = on->on_bi.bi_private;
585 case SLAP_CONFIG_EMIT:
588 if ( ai->ai_usrclass ) {
589 c->value_string = ch_strdup( ai->ai_usrclass->soc_cname.bv_val );
595 if ( ai->ai_srvclass ) {
596 c->value_string = ch_strdup( ai->ai_srvclass->soc_cname.bv_val );
602 c->value_int = ai->ai_usrkeybits;
605 c->value_int = ai->ai_srvkeybits;
608 c->value_int = ai->ai_cakeybits;
611 c->value_int = ai->ai_usrdays;
614 c->value_int = ai->ai_srvdays;
617 c->value_int = ai->ai_cadays;
620 if ( !BER_BVISNULL( &ai->ai_localdn )) {
621 rc = value_add_one( &c->rvalue_vals, &ai->ai_localdn );
628 case LDAP_MOD_DELETE:
631 ai->ai_usrclass = NULL;
634 ai->ai_srvclass = NULL;
637 if ( ai->ai_localdn.bv_val ) {
638 ch_free( ai->ai_localdn.bv_val );
639 ch_free( ai->ai_localndn.bv_val );
640 BER_BVZERO( &ai->ai_localdn );
641 BER_BVZERO( &ai->ai_localndn );
644 /* single-valued attrs, all no-ops */
647 case SLAP_CONFIG_ADD:
652 ObjectClass *oc = oc_find( c->value_string );
654 ai->ai_usrclass = oc;
661 ObjectClass *oc = oc_find( c->value_string );
663 ai->ai_srvclass = oc;
668 if ( c->value_int < MIN_KEYBITS )
671 ai->ai_usrkeybits = c->value_int;
674 if ( c->value_int < MIN_KEYBITS )
677 ai->ai_srvkeybits = c->value_int;
680 if ( c->value_int < MIN_KEYBITS )
683 ai->ai_cakeybits = c->value_int;
686 ai->ai_usrdays = c->value_int;
689 ai->ai_srvdays = c->value_int;
692 ai->ai_cadays = c->value_int;
695 if ( c->be->be_nsuffix == NULL ) {
696 snprintf( c->cr_msg, sizeof( c->cr_msg ),
697 "suffix must be set" );
698 Debug( LDAP_DEBUG_CONFIG, "autoca_config: %s\n",
699 c->cr_msg, NULL, NULL );
703 if ( !dnIsSuffix( &c->value_ndn, c->be->be_nsuffix )) {
704 snprintf( c->cr_msg, sizeof( c->cr_msg ),
705 "DN is not a subordinate of backend" );
706 Debug( LDAP_DEBUG_CONFIG, "autoca_config: %s\n",
707 c->cr_msg, NULL, NULL );
711 if ( ai->ai_localdn.bv_val ) {
712 ch_free( ai->ai_localdn.bv_val );
713 ch_free( ai->ai_localndn.bv_val );
715 ai->ai_localdn = c->value_dn;
716 ai->ai_localndn = c->value_ndn;
722 static ConfigTable autoca_cfg[] = {
723 { "userClass", "objectclass", 2, 2, 0,
724 ARG_STRING|ARG_MAGIC|ACA_USRCLASS, autoca_cf,
725 "( OLcfgOvAt:22.1 NAME 'olcACAuserClass' "
726 "DESC 'ObjectClass of user entries' "
727 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
728 { "serverClass", "objectclass", 2, 2, 0,
729 ARG_STRING|ARG_MAGIC|ACA_SRVCLASS, autoca_cf,
730 "( OLcfgOvAt:22.2 NAME 'olcACAserverClass' "
731 "DESC 'ObjectClass of server entries' "
732 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
733 { "userKeybits", "integer", 2, 2, 0,
734 ARG_INT|ARG_MAGIC|ACA_USRKEYBITS, autoca_cf,
735 "( OLcfgOvAt:22.3 NAME 'olcACAuserKeybits' "
736 "DESC 'Size of PrivateKey for user entries' "
737 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
738 { "serverKeybits", "integer", 2, 2, 0,
739 ARG_INT|ARG_MAGIC|ACA_SRVKEYBITS, autoca_cf,
740 "( OLcfgOvAt:22.4 NAME 'olcACAserverKeybits' "
741 "DESC 'Size of PrivateKey for server entries' "
742 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
743 { "caKeybits", "integer", 2, 2, 0,
744 ARG_INT|ARG_MAGIC|ACA_CAKEYBITS, autoca_cf,
745 "( OLcfgOvAt:22.5 NAME 'olcACAKeybits' "
746 "DESC 'Size of PrivateKey for CA certificate' "
747 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
748 { "userDays", "integer", 2, 2, 0,
749 ARG_INT|ARG_MAGIC|ACA_USRDAYS, autoca_cf,
750 "( OLcfgOvAt:22.6 NAME 'olcACAuserDays' "
751 "DESC 'Lifetime of user certificates in days' "
752 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
753 { "serverDays", "integer", 2, 2, 0,
754 ARG_INT|ARG_MAGIC|ACA_SRVDAYS, autoca_cf,
755 "( OLcfgOvAt:22.7 NAME 'olcACAserverDays' "
756 "DESC 'Lifetime of server certificates in days' "
757 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
758 { "caDays", "integer", 2, 2, 0,
759 ARG_INT|ARG_MAGIC|ACA_CADAYS, autoca_cf,
760 "( OLcfgOvAt:22.8 NAME 'olcACADays' "
761 "DESC 'Lifetime of CA certificate in days' "
762 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
763 { "localdn", "dn", 2, 2, 0,
764 ARG_DN|ARG_MAGIC|ACA_LOCALDN, autoca_cf,
765 "( OLcfgOvAt:22.9 NAME 'olcACAlocalDN' "
766 "DESC 'DN of local server cert' "
767 "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
768 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
771 static ConfigOCs autoca_ocs[] = {
772 { "( OLcfgOvOc:22.1 "
773 "NAME 'olcACAConfig' "
774 "DESC 'AutoCA configuration' "
775 "SUP olcOverlayConfig "
776 "MAY ( olcACAuserClass $ olcACAserverClass $ "
777 "olcACAuserKeybits $ olcACAserverKeybits $ olcACAKeyBits $ "
778 "olcACAuserDays $ olcACAserverDays $ olcACADays $ "
780 Cft_Overlay, autoca_cfg },
790 slap_overinst *on = op->o_callback->sc_private;
791 autoca_info *ai = on->on_bi.bi_private;
795 if (rs->sr_type != REP_SEARCH)
796 return SLAP_CB_CONTINUE;
798 /* If root or self */
799 if ( !be_isroot( op ) &&
800 !dn_match( &rs->sr_entry->e_nname, &op->o_ndn ))
801 return SLAP_CB_CONTINUE;
803 isusr = is_entry_objectclass( rs->sr_entry, ai->ai_usrclass, SLAP_OCF_CHECK_SUP );
806 if (!is_entry_objectclass( rs->sr_entry, ai->ai_srvclass, SLAP_OCF_CHECK_SUP ))
807 return SLAP_CB_CONTINUE;
809 a = attr_find( rs->sr_entry->e_attrs, ad_usrPkey );
818 args.issuer_cert = ai->ai_cert;
819 args.issuer_pkey = ai->ai_pkey;
820 args.subjectDN = &rs->sr_entry->e_name;
821 args.more_exts = NULL;
824 args.cert_exts = usrExts;
825 args.keybits = ai->ai_usrkeybits;
826 args.days = ai->ai_usrdays;
827 a = attr_find( rs->sr_entry->e_attrs, ad_mail );
830 extras[0].name = "subjectAltName";
831 extras[1].name = NULL;
832 extras[0].value = op->o_tmpalloc( sizeof("email:") + a->a_vals[0].bv_len, op->o_tmpmemctx );
833 sprintf(extras[0].value, "email:%s", a->a_vals[0].bv_val);
834 args.more_exts = extras;
838 args.cert_exts = srvExts;
839 args.keybits = ai->ai_srvkeybits;
840 args.days = ai->ai_srvdays;
841 if ( ad_ipaddr && (a = attr_find( rs->sr_entry->e_attrs, ad_ipaddr )))
843 extras[0].name = "subjectAltName";
844 extras[1].name = NULL;
845 extras[0].value = op->o_tmpalloc( sizeof("IP:") + a->a_vals[0].bv_len, op->o_tmpmemctx );
846 sprintf(extras[0].value, "IP:%s", a->a_vals[0].bv_val);
847 args.more_exts = extras;
850 rc = autoca_gencert( op, &args );
852 return SLAP_CB_CONTINUE;
853 X509_free( args.newcert );
854 EVP_PKEY_free( args.newpkey );
856 if ( is_entry_objectclass( rs->sr_entry, oc_usrObj, 0 ))
860 if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ))
862 Entry *e = entry_dup( rs->sr_entry );
863 rs_replace_entry( op, rs, on, e );
864 rs->sr_flags |= REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED;
866 arg2.dercert = &args.dercert;
867 arg2.derpkey = &args.derpkey;
869 arg2.dn = &rs->sr_entry->e_name;
870 arg2.ndn = &rs->sr_entry->e_nname;
873 rc = autoca_savecert( &op2, &arg2 );
876 /* If this is our cert DN, configure it */
877 if ( dn_match( &rs->sr_entry->e_nname, &ai->ai_localndn ))
878 autoca_setlocal( &op2, &args.dercert, &args.derpkey );
879 attr_merge_one( rs->sr_entry, ad_usrCert, &args.dercert, NULL );
880 attr_merge_one( rs->sr_entry, ad_usrPkey, &args.derpkey, NULL );
882 op->o_tmpfree( args.dercert.bv_val, op->o_tmpmemctx );
883 op->o_tmpfree( args.derpkey.bv_val, op->o_tmpmemctx );
886 return SLAP_CB_CONTINUE;
895 /* we only act on a search that returns just our cert/key attrs */
896 if ( op->ors_attrs && op->ors_attrs[0].an_desc == ad_usrCert &&
897 op->ors_attrs[1].an_desc == ad_usrPkey &&
898 op->ors_attrs[2].an_name.bv_val == NULL )
900 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
901 slap_callback *sc = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
902 sc->sc_response = autoca_op_response;
904 sc->sc_next = op->o_callback;
907 return SLAP_CB_CONTINUE;
916 slap_overinst *on = (slap_overinst *) be->bd_info;
919 ai = ch_calloc(1, sizeof(autoca_info));
920 on->on_bi.bi_private = ai;
923 ai->ai_usrclass = oc_find( "person" );
924 ai->ai_srvclass = oc_find( "ipHost" );
925 ai->ai_usrkeybits = KEYBITS;
926 ai->ai_srvkeybits = KEYBITS;
927 ai->ai_cakeybits = KEYBITS;
928 ai->ai_usrdays = 365; /* 1 year */
929 ai->ai_srvdays = 1826; /* 5 years */
930 ai->ai_cadays = 3652; /* 10 years */
940 slap_overinst *on = (slap_overinst *) be->bd_info;
941 autoca_info *ai = on->on_bi.bi_private;
944 X509_free( ai->ai_cert );
946 EVP_PKEY_free( ai->ai_pkey );
958 slap_overinst *on = (slap_overinst *)be->bd_info;
959 autoca_info *ai = on->on_bi.bi_private;
961 Connection conn = { 0 };
962 OperationBuffer opbuf;
969 if (slapMode & SLAP_TOOL_MODE)
972 if ( ! *aca_attr2[0].ad ) {
976 for ( i=0; aca_attr2[i].at; i++ ) {
977 code = slap_str2ad( aca_attr2[i].at, aca_attr2[i].ad, &text );
978 if ( code ) return code;
981 /* Schema may not be loaded, ignore if missing */
982 slap_str2ad( "ipHostNumber", &ad_ipaddr, &text );
984 for ( i=0; aca_ocs[i].ot; i++ ) {
985 code = register_oc( aca_ocs[i].ot, aca_ocs[i].oc, 0 );
986 if ( code ) return code;
990 thrctx = ldap_pvt_thread_pool_context();
991 connection_fake_init2( &conn, &opbuf, thrctx, 0 );
994 op->o_dn = be->be_rootdn;
995 op->o_ndn = be->be_rootndn;
996 rc = overlay_entry_get_ov( op, be->be_nsuffix, NULL,
1000 int gotoc = 0, gotat = 0;
1001 if ( is_entry_objectclass( e, oc_caObj, 0 )) {
1003 a = attr_find( e->e_attrs, ad_caPkey );
1005 const unsigned char *pp;
1006 pp = (unsigned char *)a->a_vals[0].bv_val;
1007 ai->ai_pkey = d2i_AutoPrivateKey( NULL, &pp, a->a_vals[0].bv_len );
1010 a = attr_find( e->e_attrs, ad_caCert );
1013 pp = (unsigned char *)a->a_vals[0].bv_val;
1014 ai->ai_cert = d2i_X509( NULL, &pp, a->a_vals[0].bv_len );
1015 /* If TLS wasn't configured yet, set this as our CA */
1016 if ( !slap_tls_ctx )
1017 autoca_setca( a->a_vals );
1023 overlay_entry_release_ov( op, e, 0, on );
1024 /* generate attrs, store... */
1029 args.issuer_cert = NULL;
1030 args.issuer_pkey = NULL;
1031 args.subjectDN = &be->be_suffix[0];
1032 args.cert_exts = CAexts;
1033 args.more_exts = NULL;
1034 args.keybits = ai->ai_cakeybits;
1035 args.days = ai->ai_cadays;
1037 rc = autoca_gencert( op, &args );
1041 ai->ai_cert = args.newcert;
1042 ai->ai_pkey = args.newpkey;
1044 arg2.dn = be->be_suffix;
1045 arg2.ndn = be->be_nsuffix;
1052 arg2.dercert = &args.dercert;
1053 arg2.derpkey = &args.derpkey;
1055 autoca_savecert( op, &arg2 );
1057 /* If TLS wasn't configured yet, set this as our CA */
1058 if ( !slap_tls_ctx )
1059 autoca_setca( &args.dercert );
1061 op->o_tmpfree( args.dercert.bv_val, op->o_tmpmemctx );
1062 op->o_tmpfree( args.derpkey.bv_val, op->o_tmpmemctx );
1069 static slap_overinst autoca;
1071 /* This overlay is set up for dynamic loading via moduleload. For static
1072 * configuration, you'll need to arrange for the slap_overinst to be
1073 * initialized and registered by some other function inside slapd.
1076 int autoca_initialize() {
1079 autoca.on_bi.bi_type = "autoca";
1080 autoca.on_bi.bi_db_init = autoca_db_init;
1081 autoca.on_bi.bi_db_destroy = autoca_db_destroy;
1082 autoca.on_bi.bi_db_open = autoca_db_open;
1083 autoca.on_bi.bi_op_search = autoca_op_search;
1085 autoca.on_bi.bi_cf_ocs = autoca_ocs;
1086 code = config_register_schema( autoca_cfg, autoca_ocs );
1087 if ( code ) return code;
1089 for ( i=0; aca_attrs[i]; i++ ) {
1090 code = register_at( aca_attrs[i], NULL, 0 );
1091 if ( code ) return code;
1094 return overlay_register( &autoca );
1097 #if SLAPD_OVER_AUTOCA == SLAPD_MOD_DYNAMIC
1099 init_module( int argc, char *argv[] )
1101 return autoca_initialize();
1105 #endif /* defined(SLAPD_OVER_AUTOCA) */