Move privateKey schema into slapd

This commit is contained in:
Howard Chu 2017-04-09 14:15:28 +01:00
parent 6b573cea57
commit 2860fd4c6c
5 changed files with 48 additions and 51 deletions


@ -62,12 +62,14 @@ ExperimentalAttr OpenLDAPexperimental:1
entryExpireTimestamp ExperimentalAttr:57 (slapo-dds)
rdnValue ExperimentalAttr:58 (contrib/slapd-modules/samba4)
parentUUID ExperimentalAttr:59 (...samba4)
x509PrivateKey ExperimentalAttr:60
ExperimentalSyntax OpenLDAPexperimental:2
ACIsyntax ExperimentalSyntax:1
authPassword ExperimentalSyntax:2 check - this was promoted to RFC3112
authz ExperimentalSyntax:7
privateKey ExperimentalSyntax:13
ExperimentalObjectClass OpenLDAPexperimental:3
glue ExperimentalObjectClass:4
@ -86,6 +88,7 @@ ExperimentalMatchingRule OpenLDAPexperimental:4
dnSubordinateMatch ExperimentalMatchingRule:10
dnSuperiorMatch ExperimentalMatchingRule:11
authzMatch ExperimentalMatchingRule:12
privateKeyMatch ExperimentalMatchingRule:13
ExperimentalControl OpenLDAPexperimental:5
noop ExperimentalControl:2


@ -54,56 +54,12 @@
#define ACA_SCHEMA_AT ACA_SCHEMA_ROOT ".1"
#define ACA_SCHEMA_OC ACA_SCHEMA_ROOT ".2"
#define ACA_SCHEMA_SYN ACA_SCHEMA_ROOT ".3"
#define ACA_SCHEMA_MR ACA_SCHEMA_ROOT ".4"
static AttributeDescription *ad_caCert, *ad_caPkey, *ad_usrCert, *ad_usrPkey;
static AttributeDescription *ad_mail, *ad_ipaddr;
static ObjectClass *oc_caObj, *oc_usrObj;
/* OpenSSL privatekeys have no single specific format */
static int
privateKeyValidate(
Syntax *syntax,
struct berval *val )
{
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
ber_tag_t tag;
ber_len_t len;
ber_int_t version;
ber_init2( ber, val, LBER_USE_DER );
tag = ber_skip_tag( ber, &len ); /* Sequence */
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
tag = ber_peek_tag( ber, &len );
if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
tag = ber_get_int( ber, &version );
/* the rest varies for RSA, DSA, EC, PKCS#8 */
return LDAP_SUCCESS;
}
static slap_syntax_defs_rec aca_syntax = {
"( " ACA_SCHEMA_SYN ".1 DESC 'X.509 Private Key' "
"X-BINARY-TRANSFER-REQUIRED 'TRUE' "
"X-NOT-HUMAN-READABLE 'TRUE' )",
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER,
NULL,
privateKeyValidate,
NULL };
static slap_mrule_defs_rec aca_mrule = {
"( " ACA_SCHEMA_MR ".1 NAME 'privateKeyMatch' "
"SYNTAX " ACA_SCHEMA_SYN ".1 )",
SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
NULL, NULL, octetStringMatch, octetStringIndexer,
octetStringFilter, NULL };
static char *aca_attrs[] = {
"( " ACA_SCHEMA_AT ".0 NAME 'x509PrivateKey' "
"DESC 'X.509 private key, use ;binary' "
"EQUALITY privateKeyMatch "
"SYNTAX " ACA_SCHEMA_SYN ".1 )",
"( " ACA_SCHEMA_AT ".1 NAME 'cAPrivateKey' "
"DESC 'X.509 CA private key, use ;binary' "
"SUP x509PrivateKey )",
@ -930,12 +886,6 @@ int autoca_initialize() {
code = config_register_schema( autoca_cfg, autoca_ocs );
if ( code ) return code;
code = register_syntax( &aca_syntax );
if ( code ) return code;
code = register_matching_rule( &aca_mrule );
if ( code ) return code;
for ( i=0; aca_attrs[i]; i++ ) {
code = register_at( aca_attrs[i], NULL, 0 );
if ( code ) return code;
@ -954,7 +904,6 @@ int autoca_initialize() {
if ( code ) return code;
}
return overlay_register( &autoca );
}


@ -593,6 +593,28 @@ attributeCertificateValidate( Syntax *syntax, struct berval *in )
return LDAP_SUCCESS;
}
/* accept an OpenSSL-compatible private key */
static int
privateKeyValidate(
Syntax *syntax,
struct berval *val )
{
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
ber_tag_t tag;
ber_len_t len;
ber_int_t version;
ber_init2( ber, val, LBER_USE_DER );
tag = ber_skip_tag( ber, &len ); /* Sequence */
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
tag = ber_peek_tag( ber, &len );
if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
tag = ber_get_int( ber, &version );
/* the rest varies for RSA, DSA, EC, PKCS#8 */
return LDAP_SUCCESS;
}
int
octetStringMatch(
int *matchp,
@ -6364,6 +6386,9 @@ static slap_syntax_defs_rec syntax_defs[] = {
{"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )",
SLAP_SYNTAX_HIDE, NULL, authzValidate, authzPretty},
/* OpenSSL-compatible Private Keys for X.509 certificates */
{"( 1.3.6.1.4.1.4203.666.2.13 DESC 'OpenLDAP privateKey' )",
SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, NULL, privateKeyValidate, NULL},
{NULL, 0, NULL, NULL, NULL}
};
@ -6851,6 +6876,13 @@ static slap_mrule_defs_rec mrule_defs[] = {
NULL, NULL,
NULL},
{"( 1.3.6.1.4.1.4203.666.4.13 NAME 'privateKeyMatch' "
"SYNTAX 1.3.6.1.4.1.4203.666.2.13 )", /* OpenLDAP privateKey */
SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
NULL, NULL, octetStringMatch,
NULL, NULL,
NULL},
{NULL, SLAP_MR_NONE, NULL,
NULL, NULL, NULL, NULL, NULL,
NULL }
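Review bot: privateKeyValidate discards the result of `tag = ber_get_int( ber, &version );` and never reads `version`, so an INTEGER whose body is truncated after ber_peek_tag accepted its tag still yields LDAP_SUCCESS; check it instead, `if ( ber_get_int( ber, &version ) == LBER_ERROR ) return LDAP_INVALID_SYNTAX;`, and drop the now-unused `tag =` assignment. The validator only confirms the value begins with SEQUENCE { INTEGER ... }, as its closing comment concedes, so a comment on the 1.3.6.1.4.1.4203.666.2.13 entry in syntax_defs saying the check is structural rather than a key-format check would keep callers from assuming more. That moved syntax entry also no longer carries the `X-BINARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE'` extensions the removed autoca definition had, and the privateKeyMatch rule in mrule_defs passes NULL where autoca used octetStringIndexer and octetStringFilter; if leaving the rule unindexed is intended so key material is never written into an index, a short comment on that entry would record the decision.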


@ -1009,6 +1009,16 @@ static struct slap_schema_ad_map {
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_seeAlso) },
{ "x509PrivateKey", "( 1.3.6.1.4.1.4203.666.1.60 "
"NAME 'x509PrivateKey' "
"DESC 'X.509 private key, use ;binary' "
"EQUALITY privateKeyMatch "
"SYNTAX 1.3.6.1.4.1.4203.666.2.13 )",
NULL, 0,
NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_x509PrivateKey) },
{ NULL, NULL, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0 }
};
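Review bot: The new x509PrivateKey entry in the ad_map is undocumented although it is the one core attribute whose value is raw private key material; a comment above it such as `/* x509PrivateKey: holds key material, transfer with ;binary and restrict read access via ACLs */` would flag that for anyone later using si_ad_x509PrivateKey. The `NULL, 0,` fields mirror the seeAlso entry directly above; I cannot tell from this hunk whether the map offers a flag for hiding or protecting an attribute, but if it does, this is the entry that should carry it.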


@ -979,6 +979,9 @@ struct slap_internal_schema {
AttributeDescription *si_ad_description;
AttributeDescription *si_ad_seeAlso;
/* privateKeys */
AttributeDescription *si_ad_x509PrivateKey;
/* Undefined Attribute Type */
AttributeType *si_at_undefined;