/*
 * Look up the master key version that is currently active for master_princ
 * and hand back its kvno and keyblock.
 *
 * handle         server handle; only handle->context is used here.
 * act_kvno_out   receives the active master key version number.
 * act_mkey_out   receives a pointer to the active master keyblock, exactly as
 *                krb5_dbe_find_act_mkey() set it.
 *
 * Returns 0 on success, otherwise the krb5 error code of whichever lookup
 * failed.  The activation-kvno list fetched here is released before
 * returning on every path.  NOTE(review): this relies on *act_mkey_out not
 * pointing into that freed list — confirm against krb5_dbe_find_act_mkey().
 */
krb5_error_code
kdb_get_active_mkey(kadm5_server_handle_t handle, krb5_kvno *act_kvno_out,
                    krb5_keyblock **act_mkey_out)
{
    krb5_actkvno_node *actkvno_list = NULL;
    krb5_error_code code;

    code = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
                                       &actkvno_list);
    if (code != 0)
        return code;

    code = krb5_dbe_find_act_mkey(handle->context, actkvno_list,
                                  act_kvno_out, act_mkey_out);
    /* Free the list whether or not the lookup succeeded. */
    krb5_dbe_free_actkvno_list(handle->context, actkvno_list);
    return code;
}
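/*
 * Return the activation time recorded for kvno in list, or -1 when list has
 * no entry for that kvno.
 */
static krb5_timestamp
find_act_time(krb5_actkvno_node *list, krb5_kvno kvno)
{
    krb5_actkvno_node *node;

    for (node = list; node != NULL; node = node->next) {
        if (node->act_kvno == kvno)
            return node->act_time;
    }
    return -1;
}

/*
 * kdb5_util list_mkeys: print every master key version known for the master
 * principal with its enctype and activation time, marking the currently
 * active version with a trailing "*".
 *
 * argc/argv are accepted for uniformity with the other subcommands and are
 * not examined.  Errors are reported with com_err() and counted in the
 * global exit_status; nothing is returned.
 *
 * Side effects: krb5_db_setup_mkey_name() fills in the global master_princ,
 * which is freed again before returning, and the database is closed with
 * krb5_db_fini() on every exit path reached after that setup.
 */
void
kdb5_list_mkeys(int argc, char *argv[])
{
    krb5_error_code retval;
    char *mkey_fullname = NULL, *output_str = NULL, enctype[BUFSIZ];
    krb5_kvno act_kvno;
    krb5_timestamp act_time;
    krb5_actkvno_node *actkvno_list = NULL;
    krb5_db_entry *master_entry = NULL;   /* NULL so cleanup can free it */
    krb5_keylist_node *cur_kb_node;
    krb5_keyblock *act_mkey;
    krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);

    if (master_keylist == NULL) {
        com_err(progname, 0, _("master keylist not initialized"));
        exit_status++;
        return;
    }

    /* Assemble & parse the master key name. */
    retval = krb5_db_setup_mkey_name(util_context, global_params.mkey_name,
                                     global_params.realm, &mkey_fullname,
                                     &master_princ);
    if (retval) {
        com_err(progname, retval, _("while setting up master key name"));
        exit_status++;
        return;
    }

    retval = krb5_db_get_principal(util_context, master_princ, 0,
                                   &master_entry);
    if (retval != 0) {
        com_err(progname, retval, _("while getting master key principal %s"),
                mkey_fullname);
        exit_status++;
        goto cleanup_return;
    }

    retval = krb5_dbe_lookup_actkvno(util_context, master_entry,
                                     &actkvno_list);
    if (retval != 0) {
        com_err(progname, retval, _("while looking up active kvno list"));
        exit_status++;
        goto cleanup_return;
    }

    if (actkvno_list == NULL) {
        /* No activation list: the first stored key counts as active. */
        act_kvno = master_entry->key_data[0].key_data_kvno;
    } else {
        retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno,
                                        &act_mkey);
        if (retval == KRB5_KDB_NOACTMASTERKEY) {
            /* Maybe we went through a time warp, and the only keys with
             * activation dates have them set in the future?  Report it but
             * keep going; -1 is a sentinel no stored kvno matches, so no
             * key gets the active marker. */
            com_err(progname, retval, "");
            act_kvno = -1;
        } else if (retval != 0) {
            com_err(progname, retval, _("while looking up active master key"));
            exit_status++;
            goto cleanup_return;
        }
    }

    printf("Master keys for Principal: %s\n", mkey_fullname);

    for (cur_kb_node = master_keylist; cur_kb_node != NULL;
         cur_kb_node = cur_kb_node->next) {
        retval = krb5_enctype_to_name(cur_kb_node->keyblock.enctype, FALSE,
                                      enctype, sizeof(enctype));
        if (retval) {
            com_err(progname, retval, _("while getting enctype description"));
            exit_status++;
            goto cleanup_return;
        }

        if (actkvno_list != NULL) {
            act_time = find_act_time(actkvno_list, cur_kb_node->kvno);
        } else {
            /* The mkey princ has no active kvno list, so assume the current
             * key became active now. */
            retval = krb5_timeofday(util_context, &act_time);
            if (retval) {
                com_err(progname, retval, _("while getting current time"));
                exit_status++;
                goto cleanup_return;
            }
        }

        if (cur_kb_node->kvno == act_kvno) {
            /* The trailing "*" marks the currently active kvno. */
            retval = asprintf(&output_str,
                              _("KVNO: %d, Enctype: %s, Active on: %s *\n"),
                              cur_kb_node->kvno, enctype, strdate(act_time));
        } else if (act_time != -1) {
            retval = asprintf(&output_str,
                              _("KVNO: %d, Enctype: %s, Active on: %s\n"),
                              cur_kb_node->kvno, enctype, strdate(act_time));
        } else {
            retval = asprintf(&output_str,
                              _("KVNO: %d, Enctype: %s, No activate time "
                                "set\n"), cur_kb_node->kvno, enctype);
        }
        if (retval == -1) {
            com_err(progname, ENOMEM,
                    _("asprintf could not allocate enough "
                      "memory to hold output"));
            exit_status++;
            goto cleanup_return;
        }
        printf("%s", output_str);
        free(output_str);
        output_str = NULL;
    }

cleanup_return:
    /* Fix: the entry from krb5_db_get_principal() was never released.  Free
     * it before krb5_db_fini() while the backend is still available. */
    krb5_db_free_principal(util_context, master_entry);
    (void) krb5_db_fini(util_context);
    krb5_free_unparsed_name(util_context, mkey_fullname);
    free(output_str);
    krb5_free_principal(util_context, master_princ);
    krb5_dbe_free_actkvno_list(util_context, actkvno_list);
    return;
}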
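/*
 * kdb5_util update_princ_encryption [-f] [-n] [-v] [pattern]
 *
 * Re-encrypt the keys of every principal matching pattern (default "*")
 * under the currently active master key version.  -f skips the confirmation
 * prompt, -n only reports what would change, -v lists the principals
 * touched.  Usage errors go through usage(); other failures are reported
 * with com_err() and counted in the global exit_status.
 *
 * Globals written: new_mkvno (the active master kvno) and
 * new_master_keyblock (a struct copy of the active keyblock, zeroed again on
 * exit).  Presumably the update_princ_encryption_1 callback passed to
 * krb5_db_iterate() reads them — confirm there.
 */
void
kdb5_update_princ_encryption(int argc, char *argv[])
{
    struct update_enc_mkvno data = { 0 };
    char *name_pattern = NULL;
    int force = 0;
    int optchar;
    krb5_error_code retval;
    krb5_actkvno_node *actkvno_list = NULL;
    krb5_db_entry *master_entry = NULL;
    char *mkey_fullname = NULL;
#ifdef BSD_REGEXPS
    char *msg;
#endif
#ifdef POSIX_REGEXPS
    int preg_compiled = 0;      /* data.preg needs regfree() once set */
#endif
    char *regexp = NULL;
    krb5_keyblock *act_mkey;
    krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);

    while ((optchar = getopt(argc, argv, "fnv")) != -1) {
        switch (optchar) {
        case 'f':
            force = 1;
            break;
        case 'n':
            data.dry_run = 1;
            break;
        case 'v':
            data.verbose = 1;
            break;
        case '?':
        case ':':
        default:
            usage();
        }
    }
    /* At most one positional argument: the principal name glob. */
    if (argv[optind] != NULL) {
        name_pattern = argv[optind];
        if (argv[optind + 1] != NULL)
            usage();
    }

    retval = krb5_unparse_name(util_context, master_princ, &mkey_fullname);
    if (retval) {
        com_err(progname, retval, _("while formatting master principal name"));
        exit_status++;
        goto cleanup;
    }
    if (master_keylist == NULL) {
        /* retval is 0 here; pass 0 explicitly, as list_mkeys does. */
        com_err(progname, 0, _("master keylist not initialized"));
        exit_status++;
        goto cleanup;
    }

    /* The glob_to_regexp code only cares if the "realm" parameter is NULL
     * or not; the string data is irrelevant. */
    if (name_pattern == NULL)
        name_pattern = "*";
    if (glob_to_regexp(name_pattern, "hi", &regexp) != 0) {
        com_err(progname, ENOMEM,
                _("converting glob pattern '%s' to regular expression"),
                name_pattern);
        exit_status++;
        goto cleanup;
    }
    if (
#ifdef SOLARIS_REGEXPS
        ((data.expbuf = compile(regexp, NULL, NULL)) == NULL)
#endif
#ifdef POSIX_REGEXPS
        ((regcomp(&data.preg, regexp, REG_NOSUB)) != 0)
#endif
#ifdef BSD_REGEXPS
        ((msg = (char *) re_comp(regexp)) != NULL)
#endif
        ) {
        /* XXX syslog msg or regerr(regerrno) */
        com_err(progname, 0, _("error compiling converted regexp '%s'"),
                regexp);
        exit_status++;
        goto cleanup;
    }
#ifdef POSIX_REGEXPS
    preg_compiled = 1;
#endif

    retval = krb5_db_get_principal(util_context, master_princ, 0,
                                   &master_entry);
    if (retval != 0) {
        com_err(progname, retval, _("while getting master key principal %s"),
                mkey_fullname);
        exit_status++;
        goto cleanup;
    }
    retval = krb5_dbe_lookup_actkvno(util_context, master_entry,
                                     &actkvno_list);
    /* The entry is needed only for that lookup (the list it yields is freed
     * separately at cleanup); release it here instead of leaking it. */
    krb5_db_free_principal(util_context, master_entry);
    master_entry = NULL;
    if (retval != 0) {
        com_err(progname, retval, _("while looking up active kvno list"));
        exit_status++;
        goto cleanup;
    }
    retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &new_mkvno,
                                    &act_mkey);
    if (retval) {
        com_err(progname, retval, _("while looking up active master key"));
        exit_status++;
        goto cleanup;
    }
    /* Struct copy, not an independent allocation; zeroed again at cleanup. */
    new_master_keyblock = *act_mkey;

    if (!force && !data.dry_run &&
        !are_you_sure(_("Re-encrypt all keys not using master key vno %u?"),
                      new_mkvno)) {
        printf(_("OK, doing nothing.\n"));
        exit_status++;
        goto cleanup;
    }

    if (data.verbose) {
        if (data.dry_run) {
            printf(_("Principals whose keys WOULD BE re-encrypted to master "
                     "key vno %u:\n"), new_mkvno);
        } else {
            printf(_("Principals whose keys are being re-encrypted to master "
                     "key vno %u if necessary:\n"), new_mkvno);
        }
    }

    if (!data.dry_run) {
        /* Grab a write lock so we don't have to upgrade to a write lock and
         * reopen the DB while iterating. */
        retval = krb5_db_lock(util_context, KRB5_DB_LOCKMODE_EXCLUSIVE);
        if (retval != 0 && retval != KRB5_PLUGIN_OP_NOTSUPP) {
            com_err(progname, retval, _("trying to lock database"));
            exit_status++;
            /* Previously the rewrite went ahead without the lock; stop
             * instead so a failed lock never leads to rewriting keys
             * unlocked.  No lock is held on this path, so no unlock. */
            goto cleanup;
        }
    }

    retval = krb5_db_iterate(util_context, name_pattern,
                             update_princ_encryption_1, &data);
    /* If exit_status is set, then update_princ_encryption_1 already printed
     * a message. */
    if (retval != 0 && exit_status == 0) {
        com_err(progname, retval, _("trying to process principal database"));
        exit_status++;
    }
    if (!data.dry_run)
        (void) krb5_db_unlock(util_context);
    (void) krb5_db_fini(util_context);

    if (data.dry_run) {
        printf(_("%u principals processed: %u would be updated, %u already "
                 "current\n"),
               data.re_match_count, data.updated, data.already_current);
    } else {
        printf(_("%u principals processed: %u updated, %u already current\n"),
               data.re_match_count, data.updated, data.already_current);
    }

cleanup:
#ifdef POSIX_REGEXPS
    if (preg_compiled)
        regfree(&data.preg);
#endif
    free(regexp);
    memset(&new_master_keyblock, 0, sizeof(new_master_keyblock));
    krb5_free_unparsed_name(util_context, mkey_fullname);
    krb5_dbe_free_actkvno_list(util_context, actkvno_list);
}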
/*
 * kdb5_util list_mkeys: print one line per master key version — its kvno,
 * enctype name and activation time — marking the active version with "*".
 *
 * argc/argv are not examined.  Errors are reported through com_err() and
 * counted in the global exit_status; nothing is returned.  mkey_fullname and
 * master_princ are not declared here; presumably file-level globals set up
 * before this subcommand runs — confirm in the caller.
 */
void
kdb5_list_mkeys(int argc, char *argv[])
{
    krb5_error_code code;
    char *line = NULL;
    char etype_name[BUFSIZ];
    krb5_kvno active_kvno;
    krb5_timestamp activation;
    krb5_actkvno_node *act_list = NULL;
    krb5_db_entry *mkey_entry = NULL;
    krb5_keyblock *active_mkey;
    krb5_keylist_node *keys = krb5_db_mkey_list_alias(util_context);
    krb5_keylist_node *kb;

    if (keys == NULL) {
        com_err(progname, 0, _("master keylist not initialized"));
        exit_status++;
        return;
    }

    code = krb5_db_get_principal(util_context, master_princ, 0, &mkey_entry);
    if (code != 0) {
        com_err(progname, code, _("while getting master key principal %s"),
                mkey_fullname);
        goto fail;
    }
    code = krb5_dbe_lookup_actkvno(util_context, mkey_entry, &act_list);
    if (code != 0) {
        com_err(progname, code, _("while looking up active kvno list"));
        goto fail;
    }
    code = krb5_dbe_find_act_mkey(util_context, act_list, &active_kvno,
                                  &active_mkey);
    if (code != 0) {
        com_err(progname, code, _("while looking up active master key"));
        goto fail;
    }

    printf("Master keys for Principal: %s\n", mkey_fullname);
    for (kb = keys; kb != NULL; kb = kb->next) {
        krb5_actkvno_node *act;

        code = krb5_enctype_to_name(kb->keyblock.enctype, FALSE, etype_name,
                                    sizeof(etype_name));
        if (code) {
            com_err(progname, code, _("while getting enctype description"));
            goto fail;
        }

        /* -1 means the activation list has no entry for this kvno. */
        activation = -1;
        act = act_list;
        while (act != NULL && act->act_kvno != kb->kvno)
            act = act->next;
        if (act != NULL)
            activation = act->act_time;

        if (kb->kvno == active_kvno) {
            /* Trailing "*" marks the currently active kvno. */
            code = asprintf(&line,
                            _("KVNO: %d, Enctype: %s, Active on: %s *\n"),
                            kb->kvno, etype_name, strdate(activation));
        } else if (activation != -1) {
            code = asprintf(&line,
                            _("KVNO: %d, Enctype: %s, Active on: %s\n"),
                            kb->kvno, etype_name, strdate(activation));
        } else {
            code = asprintf(&line,
                            _("KVNO: %d, Enctype: %s, No activate time "
                              "set\n"), kb->kvno, etype_name);
        }
        if (code == -1) {
            com_err(progname, ENOMEM,
                    _("asprintf could not allocate enough "
                      "memory to hold output"));
            goto fail;
        }
        printf("%s", line);
        free(line);
        line = NULL;
    }
    goto done;

fail:
    exit_status++;
done:
    krb5_db_free_principal(util_context, mkey_entry);
    free(line);
    krb5_dbe_free_actkvno_list(util_context, act_list);
}