/*
 * Look up the master key version currently in effect for master_princ and
 * hand back its kvno and keyblock through the out-parameters.
 *
 * handle        server handle; only handle->context is used
 * act_kvno_out  receives the active kvno
 * act_mkey_out  receives the active master keyblock
 *
 * Returns 0 on success or the krb5 error from the list fetch / lookup.
 * The active-kvno list is released before returning on every path;
 * *act_mkey_out is therefore assumed not to point into that list (it is
 * returned to the caller after the list is freed) -- confirm against
 * krb5_dbe_find_act_mkey if this code is touched.
 */
krb5_error_code
kdb_get_active_mkey(kadm5_server_handle_t handle, krb5_kvno *act_kvno_out,
                    krb5_keyblock **act_mkey_out)
{
    krb5_actkvno_node *actkvno_list = NULL;
    krb5_error_code code;

    code = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
                                       &actkvno_list);
    if (code != 0)
        return code;

    code = krb5_dbe_find_act_mkey(handle->context, actkvno_list,
                                  act_kvno_out, act_mkey_out);

    /* The list was only needed for the lookup; drop it whether or not the
     * lookup succeeded and let the caller see the result code. */
    krb5_dbe_free_actkvno_list(handle->context, actkvno_list);
    return code;
}
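/*
 * kdb5_util list_mkeys
 *
 * Print one line per master key version in the in-memory master key list:
 * its kvno, enctype and activation time.  The version currently in effect
 * is marked with a trailing '*'.  Errors are reported via com_err and bump
 * the global exit_status; the DB is closed via krb5_db_fini on the way out.
 *
 * argc/argv are unused: the command takes no arguments.
 *
 * Fixes relative to the previous revision: the master principal entry
 * returned by krb5_db_get_principal was never released (leak), and kvno
 * values were printed with %d although krb5_kvno is unsigned (%u is what
 * the rest of this file uses).
 */
void
kdb5_list_mkeys(int argc, char *argv[])
{
    krb5_error_code retval;
    char  *mkey_fullname = NULL, *output_str = NULL, enctype[BUFSIZ];
    krb5_kvno  act_kvno;
    krb5_timestamp act_time;
    krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno;
    krb5_db_entry *master_entry = NULL;   /* NULL until fetched; freed at cleanup */
    krb5_keylist_node  *cur_kb_node;
    krb5_keyblock *act_mkey;              /* required out-param; unused here */
    krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);

    if (master_keylist == NULL) {
        com_err(progname, 0, _("master keylist not initialized"));
        exit_status++;
        return;
    }

    /* assemble & parse the master key name */
    if ((retval = krb5_db_setup_mkey_name(util_context,
                                          global_params.mkey_name,
                                          global_params.realm,
                                          &mkey_fullname, &master_princ))) {
        com_err(progname, retval, _("while setting up master key name"));
        exit_status++;
        return;
    }

    retval = krb5_db_get_principal(util_context, master_princ, 0,
                                   &master_entry);
    if (retval != 0) {
        com_err(progname, retval, _("while getting master key principal %s"),
                mkey_fullname);
        exit_status++;
        goto cleanup_return;
    }

    retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
    if (retval != 0) {
        com_err(progname, retval, _("while looking up active kvno list"));
        exit_status++;
        goto cleanup_return;
    }

    if (actkvno_list == NULL) {
        /* No activation list on the principal: treat its first key as the
         * active one.  (Assumes the entry has at least one key_data slot;
         * a master principal without keys is not handled here.) */
        act_kvno = master_entry->key_data[0].key_data_kvno;
    } else {
        retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno,
                                        &act_mkey);
        if (retval == KRB5_KDB_NOACTMASTERKEY) {
            /* Maybe we went through a time warp, and the only keys
               with activation dates have them set in the future?  */
            com_err(progname, retval, "");
            /* Keep going: -1 converts to the largest krb5_kvno, a sentinel
             * no listed key is expected to match, so nothing gets the '*'. */
            act_kvno = -1;
        } else if (retval != 0) {
            com_err(progname, retval, _("while looking up active master key"));
            exit_status++;
            goto cleanup_return;
        }
    }

    printf("Master keys for Principal: %s\n", mkey_fullname);

    for (cur_kb_node = master_keylist; cur_kb_node != NULL;
         cur_kb_node = cur_kb_node->next) {

        if ((retval = krb5_enctype_to_name(cur_kb_node->keyblock.enctype,
                                           FALSE, enctype, sizeof(enctype)))) {
            com_err(progname, retval, _("while getting enctype description"));
            exit_status++;
            goto cleanup_return;
        }

        if (actkvno_list != NULL) {
            /* Find this kvno's activation time; -1 means no entry for it. */
            act_time = -1;
            for (cur_actkvno = actkvno_list; cur_actkvno != NULL;
                 cur_actkvno = cur_actkvno->next) {
                if (cur_actkvno->act_kvno == cur_kb_node->kvno) {
                    act_time = cur_actkvno->act_time;
                    break;
                }
            }
        } else {
            /*
             * mkey princ doesn't have an active knvo list so assume the current
             * key is active now
             */
            if ((retval = krb5_timeofday(util_context, &act_time))) {
                com_err(progname, retval, _("while getting current time"));
                exit_status++;
                goto cleanup_return;
            }
        }

        /* krb5_kvno is unsigned: print it with %u, as elsewhere in this file. */
        if (cur_kb_node->kvno == act_kvno) {
            /* * indicates kvno is currently active */
            retval = asprintf(&output_str,
                              _("KVNO: %u, Enctype: %s, Active on: %s *\n"),
                              cur_kb_node->kvno, enctype, strdate(act_time));
        } else {
            if (act_time != -1) {
                retval = asprintf(&output_str,
                                  _("KVNO: %u, Enctype: %s, Active on: %s\n"),
                                  cur_kb_node->kvno, enctype, strdate(act_time));
            } else {
                retval = asprintf(&output_str,
                                  _("KVNO: %u, Enctype: %s, No activate time "
                                    "set\n"), cur_kb_node->kvno, enctype);
            }
        }
        if (retval == -1) {
            com_err(progname, ENOMEM, _("asprintf could not allocate enough "
                                        "memory to hold output"));
            exit_status++;
            goto cleanup_return;
        }
        printf("%s", output_str);
        free(output_str);
        output_str = NULL;
    }

cleanup_return:
    /* Release the DB-allocated entry through the DB layer *before* tearing
     * that layer down with krb5_db_fini.  NULL is a no-op. */
    krb5_db_free_principal(util_context, master_entry);
    (void) krb5_db_fini(util_context);
    krb5_free_unparsed_name(util_context, mkey_fullname);
    free(output_str);
    krb5_free_principal(util_context, master_princ);
    krb5_dbe_free_actkvno_list(util_context, actkvno_list);
    return;
}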
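/*
 * kdb5_util update_princ_encryption [-f] [-n] [-v] [princ-pattern]
 *
 * Re-encrypt the keys of every principal whose name matches princ-pattern
 * (a glob; default "*") under the currently active master key version.
 *   -f  skip the interactive confirmation
 *   -n  dry run: report what would change, write nothing
 *   -v  print each principal examined
 * The glob is converted to a regexp and compiled into `data`, which the
 * per-entry callback update_princ_encryption_1 receives along with the
 * counters reported at the end.  The active master keyblock is published
 * through the globals new_mkvno / new_master_keyblock for that callback.
 * Errors are reported via com_err and bump the global exit_status; on the
 * success path the DB is closed with krb5_db_fini.
 *
 * Fixes relative to the previous revision: the master principal entry was
 * never released, the POSIX regexp was never regfree()d, and the
 * "master keylist not initialized" message passed a stale (zero) retval
 * where the sibling commands pass 0 explicitly.
 */
void
kdb5_update_princ_encryption(int argc, char *argv[])
{
    struct update_enc_mkvno data = { 0 };
    char *name_pattern = NULL;
    int force = 0;
    int optchar;
    krb5_error_code retval;
    krb5_actkvno_node *actkvno_list = NULL;
    krb5_db_entry *master_entry = NULL;
    char *mkey_fullname = NULL;
#ifdef BSD_REGEXPS
    char *msg;
#endif
#ifdef POSIX_REGEXPS
    int regex_compiled = 0;     /* only regfree() what regcomp() built */
#endif
    char *regexp = NULL;
    krb5_keyblock *act_mkey;
    krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);

    while ((optchar = getopt(argc, argv, "fnv")) != -1) {
        switch (optchar) {
        case 'f':
            force = 1;
            break;
        case 'n':
            data.dry_run = 1;
            break;
        case 'v':
            data.verbose = 1;
            break;
        case '?':
        case ':':
        default:
            usage();
        }
    }
    /* At most one positional argument: the principal name pattern. */
    if (argv[optind] != NULL) {
        name_pattern = argv[optind];
        if (argv[optind+1] != NULL)
            usage();
    }

    retval = krb5_unparse_name(util_context, master_princ, &mkey_fullname);
    if (retval) {
        com_err(progname, retval, _("while formatting master principal name"));
        exit_status++;
        goto cleanup;
    }

    if (master_keylist == NULL) {
        /* Not a krb5 error: report without a code, like list_mkeys does. */
        com_err(progname, 0, _("master keylist not initialized"));
        exit_status++;
        goto cleanup;
    }

    /* The glob_to_regexp code only cares if the "realm" parameter is
       NULL or not; the string data is irrelevant.  */
    if (name_pattern == NULL)
        name_pattern = "*";
    if (glob_to_regexp(name_pattern, "hi", &regexp) != 0) {
        com_err(progname, ENOMEM,
                _("converting glob pattern '%s' to regular expression"),
                name_pattern);
        exit_status++;
        goto cleanup;
    }

    /* Exactly one of the regexp flavours is expected to be configured. */
    if (
#ifdef SOLARIS_REGEXPS
        ((data.expbuf = compile(regexp, NULL, NULL)) == NULL)
#endif
#ifdef POSIX_REGEXPS
        ((regcomp(&data.preg, regexp, REG_NOSUB)) != 0)
#endif
#ifdef BSD_REGEXPS
        ((msg = (char *) re_comp(regexp)) != NULL)
#endif
    ) {
        /* XXX syslog msg or regerr(regerrno) */
        com_err(progname, 0, _("error compiling converted regexp '%s'"),
                regexp);
        exit_status++;
        goto cleanup;
    }
#ifdef POSIX_REGEXPS
    regex_compiled = 1;
#endif

    retval = krb5_db_get_principal(util_context, master_princ, 0,
                                   &master_entry);
    if (retval != 0) {
        com_err(progname, retval, _("while getting master key principal %s"),
                mkey_fullname);
        exit_status++;
        goto cleanup;
    }

    retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
    /* The entry is not used past this point (the list is released on its
     * own with krb5_dbe_free_actkvno_list), so give it back through the DB
     * layer now, while that layer is still open -- krb5_db_fini runs on
     * the success path below. */
    krb5_db_free_principal(util_context, master_entry);
    master_entry = NULL;
    if (retval != 0) {
        com_err(progname, retval, _("while looking up active kvno list"));
        exit_status++;
        goto cleanup;
    }

    retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &new_mkvno,
                                    &act_mkey);
    if (retval) {
        com_err(progname, retval, _("while looking up active master key"));
        exit_status++;
        goto cleanup;
    }
    /* Shallow copy: the contents pointer is borrowed from the master key
     * list, which outlives this command. */
    new_master_keyblock = *act_mkey;

    if (!force &&
        !data.dry_run &&
        !are_you_sure(_("Re-encrypt all keys not using master key vno %u?"),
                      new_mkvno)) {
        printf(_("OK, doing nothing.\n"));
        exit_status++;
        goto cleanup;
    }
    if (data.verbose) {
        if (data.dry_run) {
            printf(_("Principals whose keys WOULD BE re-encrypted to master "
                     "key vno %u:\n"), new_mkvno);
        } else {
            printf(_("Principals whose keys are being re-encrypted to master "
                     "key vno %u if necessary:\n"), new_mkvno);
        }
    }

    if (!data.dry_run) {
        /* Grab a write lock so we don't have to upgrade to a write lock and
         * reopen the DB while iterating. */
        retval = krb5_db_lock(util_context, KRB5_DB_LOCKMODE_EXCLUSIVE);
        if (retval != 0 && retval != KRB5_PLUGIN_OP_NOTSUPP) {
            com_err(progname, retval, _("trying to lock database"));
            exit_status++;
            /* NOTE(review): the re-encryption below still runs without the
             * exclusive lock (behaviour kept); if per-entry writes are not
             * safe unlocked for a backend, this should `goto cleanup`. */
        }
    }

    retval = krb5_db_iterate(util_context, name_pattern,
                             update_princ_encryption_1, &data);
    /* If exit_status is set, then update_princ_encryption_1 already
       printed a message.  */
    if (retval != 0 && exit_status == 0) {
        com_err(progname, retval, _("trying to process principal database"));
        exit_status++;
    }
    if (!data.dry_run)
        (void)krb5_db_unlock(util_context);
    (void) krb5_db_fini(util_context);
    if (data.dry_run) {
        printf(_("%u principals processed: %u would be updated, %u already "
                 "current\n"),
               data.re_match_count, data.updated, data.already_current);
    } else {
        printf(_("%u principals processed: %u updated, %u already current\n"),
               data.re_match_count, data.updated, data.already_current);
    }

cleanup:
#ifdef POSIX_REGEXPS
    if (regex_compiled)
        regfree(&data.preg);
#endif
    free(regexp);
    /* Clears the alias to the active key, not the key material itself
     * (the contents pointer above was borrowed, not copied). */
    memset(&new_master_keyblock, 0, sizeof(new_master_keyblock));
    krb5_free_unparsed_name(util_context, mkey_fullname);
    krb5_dbe_free_actkvno_list(util_context, actkvno_list);
    /* Normally NULL here; covers an early exit before the entry was released. */
    krb5_db_free_principal(util_context, master_entry);
}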
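/*
 * kdb5_util list_mkeys
 *
 * Print one line per master key version in the in-memory master key list:
 * its kvno, enctype and the activation time recorded in the master
 * principal's active-kvno list ("No activate time set" when there is no
 * entry for that kvno).  The version currently in effect is marked with a
 * trailing '*'.  Errors are reported via com_err and bump the global
 * exit_status.
 *
 * argc/argv are unused: the command takes no arguments.
 *
 * Fix relative to the previous revision: kvno values were printed with %d
 * although krb5_kvno is unsigned (the rest of this file uses %u for it).
 */
void
kdb5_list_mkeys(int argc, char *argv[])
{
    krb5_error_code retval;
    char *output_str = NULL, enctype[BUFSIZ];
    krb5_kvno  act_kvno;
    krb5_timestamp act_time;
    krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno;
    krb5_db_entry *master_entry = NULL;   /* freed at cleanup; NULL is a no-op */
    krb5_keylist_node  *cur_kb_node;
    krb5_keyblock *act_mkey;              /* required out-param; unused here */
    krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);

    if (master_keylist == NULL) {
        com_err(progname, 0, _("master keylist not initialized"));
        exit_status++;
        return;
    }

    retval = krb5_db_get_principal(util_context, master_princ, 0,
                                   &master_entry);
    if (retval != 0) {
        com_err(progname, retval, _("while getting master key principal %s"),
                mkey_fullname);
        exit_status++;
        goto cleanup_return;
    }

    retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
    if (retval != 0) {
        com_err(progname, retval, _("while looking up active kvno list"));
        exit_status++;
        goto cleanup_return;
    }

    retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno,
                                    &act_mkey);
    if (retval != 0) {
        com_err(progname, retval, _("while looking up active master key"));
        exit_status++;
        goto cleanup_return;
    }

    printf("Master keys for Principal: %s\n", mkey_fullname);

    for (cur_kb_node = master_keylist; cur_kb_node != NULL;
         cur_kb_node = cur_kb_node->next) {

        if ((retval = krb5_enctype_to_name(cur_kb_node->keyblock.enctype,
                                           FALSE, enctype, sizeof(enctype)))) {
            com_err(progname, retval, _("while getting enctype description"));
            exit_status++;
            goto cleanup_return;
        }

        /* Find this kvno's activation time; -1 means no entry for it. */
        act_time = -1;
        for (cur_actkvno = actkvno_list; cur_actkvno != NULL;
             cur_actkvno = cur_actkvno->next) {
            if (cur_actkvno->act_kvno == cur_kb_node->kvno) {
                act_time = cur_actkvno->act_time;
                break;
            }
        }

        /* krb5_kvno is unsigned: print it with %u, as elsewhere in this file. */
        if (cur_kb_node->kvno == act_kvno) {
            /* * indicates kvno is currently active */
            retval = asprintf(&output_str,
                              _("KVNO: %u, Enctype: %s, Active on: %s *\n"),
                              cur_kb_node->kvno, enctype, strdate(act_time));
        } else {
            if (act_time != -1) {
                retval = asprintf(&output_str,
                                  _("KVNO: %u, Enctype: %s, Active on: %s\n"),
                                  cur_kb_node->kvno, enctype, strdate(act_time));
            } else {
                retval = asprintf(&output_str,
                                  _("KVNO: %u, Enctype: %s, No activate time "
                                    "set\n"), cur_kb_node->kvno, enctype);
            }
        }
        if (retval == -1) {
            com_err(progname, ENOMEM, _("asprintf could not allocate enough "
                                        "memory to hold output"));
            exit_status++;
            goto cleanup_return;
        }
        printf("%s", output_str);
        free(output_str);
        output_str = NULL;
    }

cleanup_return:
    /* clean up: every pointer here is NULL-safe to free */
    krb5_db_free_principal(util_context, master_entry);
    free(output_str);
    krb5_dbe_free_actkvno_list(util_context, actkvno_list);
    return;
}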