From 2860fd4c6ce19f9743f11c451e20b24b172f0a0e Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Sun, 9 Apr 2017 14:15:28 +0100
Subject: [PATCH] Move privateKey schema into slapd
---
doc/devel/OIDs | 3 ++
servers/slapd/overlays/autoca.c | 51 ---------------------------------
servers/slapd/schema_init.c | 32 +++++++++++++++++++++
servers/slapd/schema_prep.c | 10 +++++++
servers/slapd/slap.h | 3 ++
5 files changed, 48 insertions(+), 51 deletions(-)
diff --git a/doc/devel/OIDs b/doc/devel/OIDs
index 0276ffcd30..af2bf88fd5 100644
--- a/doc/devel/OIDs
+++ b/doc/devel/OIDs
@@ -62,12 +62,14 @@ ExperimentalAttr OpenLDAPexperimental:1 entryExpireTimestamp ExperimentalAttr:57 (slapo-dds) rdnValue ExperimentalAttr:58 (contrib/slapd-modules/samba4) parentUUID ExperimentalAttr:59 (...samba4) + x509PrivateKey ExperimentalAttr:60 ExperimentalSyntax OpenLDAPexperimental:2 ACIsyntax ExperimentalSyntax:1 authPassword ExperimentalSyntax:2 check - this was promoted to RFC3112 authz ExperimentalSyntax:7 + privateKey ExperimentalSyntax:13 ExperimentalObjectClass OpenLDAPexperimental:3 glue ExperimentalObjectClass:4
@@ -86,6 +88,7 @@ ExperimentalMatchingRule OpenLDAPexperimental:4 dnSubordinateMatch ExperimentalMatchingRule:10 dnSuperiorMatch ExperimentalMatchingRule:11 authzMatch ExperimentalMatchingRule:12 + privateKeyMatch ExperimentalMatchingRule:13 ExperimentalControl OpenLDAPexperimental:5 noop ExperimentalControl:2
diff --git a/servers/slapd/overlays/autoca.c b/servers/slapd/overlays/autoca.c
index 717fad8768..0fd2034122 100644
--- a/servers/slapd/overlays/autoca.c
+++ b/servers/slapd/overlays/autoca.c
@@ -54,56 +54,12 @@
 #define ACA_SCHEMA_AT ACA_SCHEMA_ROOT ".1"
 #define ACA_SCHEMA_OC ACA_SCHEMA_ROOT ".2"
-#define ACA_SCHEMA_SYN ACA_SCHEMA_ROOT ".3"
-#define ACA_SCHEMA_MR ACA_SCHEMA_ROOT ".4"
 static AttributeDescription *ad_caCert, *ad_caPkey, *ad_usrCert, *ad_usrPkey;
 static AttributeDescription *ad_mail, *ad_ipaddr;
 static ObjectClass *oc_caObj, *oc_usrObj;
-/* OpenSSL privatekeys have no single specific format */
-static int
-privateKeyValidate(
- Syntax *syntax,
- struct berval *val )
-{
- BerElementBuffer berbuf;
- BerElement *ber = (BerElement *)&berbuf;
- ber_tag_t tag;
- ber_len_t len;
- ber_int_t version;
-
- ber_init2( ber, val, LBER_USE_DER );
- tag = ber_skip_tag( ber, &len ); /* Sequence */
- if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
- tag = ber_peek_tag( ber, &len );
- if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
- tag = ber_get_int( ber, &version );
- /* the rest varies for RSA, DSA, EC, PKCS#8 */
- return LDAP_SUCCESS;
-}
-
-static slap_syntax_defs_rec aca_syntax = {
- "( " ACA_SCHEMA_SYN ".1 DESC 'X.509 Private Key' "
- "X-BINARY-TRANSFER-REQUIRED 'TRUE' "
- "X-NOT-HUMAN-READABLE 'TRUE' )",
- SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER,
- NULL,
- privateKeyValidate,
- NULL };
-
-static slap_mrule_defs_rec aca_mrule = {
- "( " ACA_SCHEMA_MR ".1 NAME 'privateKeyMatch' "
- "SYNTAX " ACA_SCHEMA_SYN ".1 )",
- SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
- NULL, NULL, octetStringMatch, octetStringIndexer,
- octetStringFilter, NULL };
-
 static char *aca_attrs[] = {
- "( " ACA_SCHEMA_AT ".0 NAME 'x509PrivateKey' "
- "DESC 'X.509 private key, use ;binary' "
- "EQUALITY privateKeyMatch "
- "SYNTAX " ACA_SCHEMA_SYN ".1 )",
 "( " ACA_SCHEMA_AT ".1 NAME 'cAPrivateKey' "
 "DESC 'X.509 CA private key, use ;binary' "
 "SUP x509PrivateKey )",
@@ -930,12 +886,6 @@ int autoca_initialize() {
 code = config_register_schema( autoca_cfg, autoca_ocs );
 if ( code ) return code;
- code = register_syntax( &aca_syntax );
- if ( code ) return code;
-
- code = register_matching_rule( &aca_mrule );
- if ( code ) return code;
-
 for ( i=0; aca_attrs[i]; i++ ) {
 code = register_at( aca_attrs[i], NULL, 0 );
 if ( code ) return code;
@@ -954,7 +904,6 @@ int autoca_initialize() {
 if ( code ) return code;
 }
-
 return overlay_register( &autoca );
 }
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 2aed08a1fc..4c38db139b 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -593,6 +593,28 @@ attributeCertificateValidate( Syntax *syntax, struct berval *in )
 return LDAP_SUCCESS;
 }
+/* accept an OpenSSL-compatible private key */
+static int
+privateKeyValidate(
+ Syntax *syntax,
+ struct berval *val )
+{
+ BerElementBuffer berbuf;
+ BerElement *ber = (BerElement *)&berbuf;
+ ber_tag_t tag;
+ ber_len_t len;
+ ber_int_t version;
+
+ ber_init2( ber, val, LBER_USE_DER );
+ tag = ber_skip_tag( ber, &len ); /* Sequence */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+ tag = ber_peek_tag( ber, &len );
+ if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
+ tag = ber_get_int( ber, &version );
+ /* the rest varies for RSA, DSA, EC, PKCS#8 */
+ return LDAP_SUCCESS;
+}
+
 int
 octetStringMatch(
 int *matchp,
@@ -6364,6 +6386,9 @@ static slap_syntax_defs_rec syntax_defs[] = {
 {"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )",
 SLAP_SYNTAX_HIDE, NULL, authzValidate, authzPretty},
+ /* OpenSSL-compatible Private Keys for X.509 certificates */
+ {"( 1.3.6.1.4.1.4203.666.2.13 DESC 'OpenLDAP privateKey' )",
+ SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, NULL, privateKeyValidate, NULL},
 {NULL, 0, NULL, NULL, NULL}
 };
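Review bot: In the privateKeyValidate hunk the result of `ber_get_int( ber, &version )` is stored in `tag` but never examined, so a value whose leading INTEGER cannot actually be decoded (for example an oversized length) is still reported as valid, and `version` is dead after that line; replacing the assignment with `if ( ber_get_int( ber, &version ) == LBER_DEFAULT ) return LDAP_INVALID_SYNTAX;` makes the one structural check the validator performs reject malformed input. Nothing past the first INTEGER is inspected — the comment explains the rest varies by key type — so, as far as the hunk shows, bytes following the outer SEQUENCE are accepted as well; if that looseness is intended, the header comment could say so: `/* only the leading SEQUENCE { INTEGER ... } is checked; the remainder is not validated */`. The same function body was deleted from autoca.c earlier in this commit, so the defect predates the move.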
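Review bot: The privateKey entry added to syntax_defs[] drops the `X-BINARY-TRANSFER-REQUIRED 'TRUE'` and `X-NOT-HUMAN-READABLE 'TRUE'` extensions that the aca_syntax definition removed from autoca.c in this commit carried, so the published subschema no longer tells clients the value must be transferred with ;binary, even though the `SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER` flags are kept and the x509PrivateKey DESC in schema_prep.c still says 'use ;binary'. Unless the omission is deliberate, the definition line should read `{"( 1.3.6.1.4.1.4203.666.2.13 DESC 'OpenLDAP privateKey' X-BINARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )",`.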
@@ -6851,6 +6876,13 @@ static slap_mrule_defs_rec mrule_defs[] = {
 NULL, NULL, NULL},
+ {"( 1.3.6.1.4.1.4203.666.4.13 NAME 'privateKeyMatch' "
+ "SYNTAX 1.3.6.1.4.1.4203.666.2.13 )", /* OpenLDAP privateKey */
+ SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
+ NULL, NULL, octetStringMatch,
+ NULL, NULL,
+ NULL},
+
 {NULL, SLAP_MR_NONE, NULL, NULL, NULL, NULL, NULL, NULL, NULL }
diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c
index fac73e64d8..941c3ae060 100644
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@@ -1009,6 +1009,16 @@ static struct slap_schema_ad_map {
 NULL, NULL, NULL, NULL, NULL,
 offsetof(struct slap_internal_schema, si_ad_seeAlso) },
+ { "x509PrivateKey", "( 1.3.6.1.4.1.4203.666.1.60 "
+ "NAME 'x509PrivateKey' "
+ "DESC 'X.509 private key, use ;binary' "
+ "EQUALITY privateKeyMatch "
+ "SYNTAX 1.3.6.1.4.1.4203.666.2.13 )",
+ NULL, 0,
+ NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL,
+ offsetof(struct slap_internal_schema, si_ad_x509PrivateKey) },
+
 { NULL, NULL, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0 }
 };
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 9959aa4b39..e401650a86 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -979,6 +979,9 @@ struct slap_internal_schema {
 AttributeDescription *si_ad_description;
 AttributeDescription *si_ad_seeAlso;
+ /* privateKeys */
+ AttributeDescription *si_ad_x509PrivateKey;
+
 /* Undefined Attribute Type */
 AttributeType *si_at_undefined;
-- 
2.39.5
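Review bot: privateKeyMatch is registered with NULL indexer and filter callbacks, whereas the aca_mrule definition removed from autoca.c in this commit supplied `octetStringIndexer` and `octetStringFilter`, so as far as I can tell an equality index on x509PrivateKey (or cAPrivateKey, which autoca.c declares with SUP x509PrivateKey) can no longer be built. If that is intentional — keeping derived forms of private key material out of index files is a reasonable choice — a comment on the entry would record it, e.g. `/* no indexer on purpose: private keys are not indexable */`; otherwise restore the two callbacks on the `NULL, NULL,` line.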
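Review bot: The x509PrivateKey entry in the schema_prep.c hunk makes a secret-bearing attribute part of the built-in schema, but nothing in the definition or a comment distinguishes it from the ordinary seeAlso entry above it. A comment beside the entry, `/* holds private key material; deployments must restrict read access by ACL */`, would give operators reading the core schema the caveat they need without changing the published definition.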