3 static int authorized_flag
;
5 static char *lifetime_string
;
6 static const char *app_string
= "kdc";
7 static int version_flag
;
9 struct getargs args
[] = {
10 { "authorized", 'A', arg_flag
, &authorized_flag
,
11 "Assume CSR is authorized", NULL
},
12 { "lifetime", 'l', arg_string
, &lifetime_string
,
13 "Certificate lifetime desired", "TIME" },
14 { "help", 'h', arg_flag
, &help_flag
,
15 "Print usage message", NULL
},
16 { "app", 'a', arg_string
, &app_string
,
17 "Application name (kdc or bx509); default: kdc", "APPNAME" },
18 { "version", 'v', arg_flag
, &version_flag
,
19 "Print version", NULL
}
21 size_t num_args
= sizeof(args
) / sizeof(args
[0]);
26 arg_printusage(args
, num_args
, NULL
,
27 "PRINC PKCS10:/path/to/der/CSR [HX509-STORE]");
29 "\n\tTest kx509/bx509 online CA issuer functionality.\n"
30 "\n\tIf --authorized / -A not given, then authorizer plugins\n"
31 "\twill be invoked.\n"
32 "\n\tUse --app kdc to test the kx509 configuration.\n"
33 "\tUse --app bx509 to test the bx509 configuration.\n\n\t"
34 "Example: %s foo@TEST.H5L.SE PKCS10:/tmp/csr PEM-FILE:/tmp/cert\n",
40 static const char *sysplugin_dirs
[] = {
44 "$ORIGIN/../lib/plugin/kdc",
53 load_plugins(krb5_context context
)
55 const char * const *dirs
= sysplugin_dirs
;
59 cfdirs
= krb5_config_get_strings(context
, NULL
, "kdc", "plugin_dir", NULL
);
61 dirs
= (const char * const *)cfdirs
;
64 _krb5_load_plugins(context
, "kdc", (const char **)dirs
);
67 krb5_config_free_strings(cfdirs
);
72 main(int argc
, char **argv
)
74 krb5_log_facility
*logf
= NULL
;
76 krb5_principal p
= NULL
;
79 hx509_request req
= NULL
;
80 hx509_certs store
= NULL
;
81 hx509_certs certs
= NULL
;
82 const char *argv0
= argv
[0];
83 const char *out
= "MEMORY:junk-it";
88 if (getarg(args
, num_args
, argc
, argv
, &optidx
))
93 print_version(argv
[0]);
100 if (argc
< 3 || argc
> 4)
103 if ((errno
= krb5_init_context(&context
)))
104 err(1, "Could not initialize krb5_context");
105 if ((ret
= krb5_initlog(context
, argv0
, &logf
)) ||
106 (ret
= krb5_addlog_dest(context
, logf
, "0-5/STDERR")))
107 krb5_err(context
, 1, ret
, "Could not set up logging to stderr");
108 load_plugins(context
);
109 if ((ret
= krb5_parse_name(context
, argv
[0], &p
)))
110 krb5_err(context
, 1, ret
, "Could not parse principal %s", argv
[0]);
111 if ((ret
= hx509_request_parse(context
->hx509ctx
, argv
[1], &req
)))
112 krb5_err(context
, 1, ret
, "Could not parse PKCS#10 CSR from %s", argv
[1]);
114 if (authorized_flag
) {
115 KeyUsage ku
= int2KeyUsage(0);
119 /* Mark all the things authorized */
120 ku
.digitalSignature
= 1;
121 hx509_request_authorize_ku(req
, ku
);
123 for (i
= 0; ret
== 0; i
++) {
124 ret
= hx509_request_get_eku(req
, i
, &s
);
127 hx509_request_authorize_eku(req
, i
);
129 if (ret
== HX509_NO_ITEM
)
132 for (i
= 0; ret
== 0; i
++) {
133 hx509_san_type san_type
;
135 ret
= hx509_request_get_san(req
, i
, &san_type
, &s
);
138 hx509_request_authorize_san(req
, i
);
140 if (ret
&& ret
!= HX509_NO_ITEM
)
141 krb5_err(context
, 1, ret
,
142 "Failed to mark requested extensions authorized");
143 } else if ((ret
= kdc_authorize_csr(context
, app_string
, req
, p
))) {
144 krb5_err(context
, 1, ret
,
145 "Requested certificate extensions rejected by policy");
148 memset(&t
, 0, sizeof(t
));
149 t
.starttime
= time(NULL
);
150 t
.endtime
= t
.starttime
+ 3600;
151 req_life
= lifetime_string
? parse_time(lifetime_string
, "day") : 0;
152 if ((ret
= kdc_issue_certificate(context
, app_string
, logf
, req
, p
, &t
,
153 req_life
, 1, &certs
)))
154 krb5_err(context
, 1, ret
, "Certificate issuance failed");
159 if ((ret
= hx509_certs_init(context
->hx509ctx
, out
, HX509_CERTS_CREATE
,
161 (ret
= hx509_certs_merge(context
->hx509ctx
, store
, certs
)) ||
162 (ret
= hx509_certs_store(context
->hx509ctx
, store
, 0, NULL
)))
164 * If the store is a MEMORY store, say, we're really not being asked to
165 * store -- we're just testing the online CA functionality without
166 * wanting to inspect the result.
168 if (ret
!= HX509_UNSUPPORTED_OPERATION
)
169 krb5_err(context
, 1, ret
,
170 "Could not store certificate and chain in %s", out
);
171 _krb5_unload_plugins(context
, "kdc");
172 krb5_free_principal(context
, p
);
173 krb5_free_context(context
);
174 hx509_request_free(&req
);
175 hx509_certs_free(&store
);
176 hx509_certs_free(&certs
);