clxutils/krbtool/krbtool.cpp

/*
 * Copyright (c) 2004,2006,2008 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */
/*
 * krbtool.cpp - basic PKINIT tool
 *
 * Created 20 May 2004 by Doug Mitchell.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include "identPicker.h"
#include "asnUtils.h"
#include <Kerberos/KerberosLogin.h>
#include <Kerberos/pkinit_cert_store.h>

static void usage(char **argv)
{
    printf("Usage: op [option..]\n");
    printf("Ops:\n");
    printf("   l   login\n");
    printf("   s   select PKINIT client cert\n");
    printf("   d   display PKINIT client cert\n");
    printf("   D   delete PKINIT client cert setting\n");
    printf("Options:\n");
    printf("  -p principal      -- default is current user for login\n");
    printf("  -l                -- loop (for malloc debug)\n");
    printf("   TBD\n");
    exit(1);
}

typedef enum {
    KTO_Login = 0,
    KTO_Select,
    KTO_Display,
    KTO_DeleteCert
} KrbToolOp;

typedef struct {
    const char *principal;
    /* I'm sure others */
} KrbToolArgs;

static int pkinitLogin(
    const KrbToolArgs *args)
{
    /* Get a principal string one way or the other */
    const char *principalStr = args->principal;
    bool freeStr = false;
    int ourRtn = 0;
    KLLoginOptions klOpts = NULL;

    if(principalStr == NULL) {
        struct passwd *pw = getpwuid(getuid ());
	if(pw == NULL) {
	    printf("***Sorry, can't find current user info. Aborting.\n");
	    return -1;
	}
	principalStr = strdup(pw->pw_name);
	freeStr = true;
    }

    KLPrincipal principal = NULL;
    KLStatus klrtn;

    klrtn = KLCreatePrincipalFromString(principalStr, kerberosVersion_V5, &principal);
    if(klrtn) {
	printf("***KLCreatePrincipalFromString returned %d. Aborting.\n", (int)klrtn);
	ourRtn = -1;
	goto errOut;
    }

    /* Options, later maybe */
    /* FIXME - don't know if the login options arg is optional */

    /* By convention we use a non-NULL string as password; this may change later */
    printf("...attempting TGT acquisition\n");
    klrtn = KLAcquireNewInitialTicketsWithPassword(principal, klOpts, " ", NULL);
    if(klrtn) {
	printf("***KLAcquireInitialTicketsWithPassword returned %d\n", (int)klrtn);
    }
    else {
	printf("...TGT acquisition successful.\n");
    }
errOut:
    if(freeStr && (principalStr != NULL)) {
	free((void *)principalStr);
    }
    if(klOpts != NULL) {
	KLDisposeLoginOptions(klOpts);
    }
    if(principal != NULL) {
	KLDisposePrincipal(principal);
    }
    return ourRtn;
}

static int pkinitSelect(
    const KrbToolArgs *args)
{
    OSStatus ortn;
    SecIdentityRef idRef = NULL;

    if(args->principal == NULL) {
	printf("***You must supply a principal name for this operation.\n");
	return -1;
    }
    ortn = simpleIdentPicker(NULL, &idRef);
    switch(ortn) {
	case CSSMERR_CSSM_USER_CANCELED:
	    printf("...operation terminated with no change to your settings.\n");
	    return 0;
	case noErr:
	    break;
	default:
	    printf("***Operation aborted.\n");
	    return -1;
    }

    krb5_error_code krtn = krb5_pkinit_set_client_cert(args->principal,
	(krb5_pkinit_signing_cert_t)idRef);
    if(krtn) {
	cssmPerror("krb5_pkinit_set_client_cert", krtn);
    }
    else {
	printf("...PKINIT client cert selection successful.\n\n");
    }
    if(idRef) {
	CFRelease(idRef);
    }
    return 0;
}

static int pkinitDisplay(
    const KrbToolArgs *args)
{
    krb5_pkinit_signing_cert_t idRef = NULL;
    krb5_error_code krtn;

    if(args->principal == NULL) {
	printf("***You must supply a principal name for this operation.\n");
	return -1;
    }
    krtn = krb5_pkinit_get_client_cert(args->principal, &idRef);
    switch(krtn) {
	case errSecItemNotFound:
	    printf("...No PKINIT client cert configured for %s.\n",
		args->principal ? args->principal : "Default");
	    break;
	case noErr:
	{
	    SecCertificateRef certRef = NULL;
	    OSStatus ortn;
	    CSSM_DATA cdata;

	    ortn = SecIdentityCopyCertificate((SecIdentityRef)idRef, &certRef);
	    if(ortn) {
		cssmPerror("SecIdentityCopyCertificate", ortn);
		break;
	    }
	    ortn = SecCertificateGetData(certRef, &cdata);
	    if(ortn) {
		cssmPerror("SecCertificateGetData", ortn);
		break;
	    }
	    printf("--------- PKINIT Client Certificate ---------\n");
	    printCertName(cdata.Data, cdata.Length, NameBoth);
	    printf("---------------------------------------------\n\n");

	    char *cert_hash = NULL;
	    krb5_data kcert = {0, cdata.Length, (char *)cdata.Data};
	    cert_hash = krb5_pkinit_cert_hash_str(&kcert);
	    if(cert_hash == NULL) {
		printf("***Error obtaining cert hash\n");
	    }
	    else {
		printf("Cert hash string : %s\n\n", cert_hash);
		free(cert_hash);
	    }
	    CFRelease(certRef);
	    break;
	}
	default:
	    cssmPerror("krb5_pkinit_get_client_cert", krtn);
	    printf("***Error obtaining client cert\n");
	    break;
    }
    if(idRef) {
	krb5_pkinit_release_cert(idRef);
    }

    return 0;
}

static int pkinitDeleteCert(
    const KrbToolArgs *args)
{
    krb5_error_code krtn;

    krtn = krb5_pkinit_set_client_cert(args->principal, NULL);
    if(krtn) {
	cssmPerror("krb5_pkinit_set_client_cert(NULL)", krtn);
	printf("***Error deleting client cert entry\n");
    }
    else {
	printf("...client cert setting for %s deleted\n", args->principal ?
	    args->principal : "Default principal");
    }
    return krtn;
}

int main(int argc, char **argv)
{
    if(argc < 2) {
	usage(argv);
    }

    KrbToolOp op = KTO_Login;
    switch(argv[1][0]) {
	case 'l':
	    op = KTO_Login;
	    break;
	case 's':
	    op = KTO_Select;
	    break;
	case 'd':
	    op = KTO_Display;
	    break;
	case 'D':
	    op = KTO_DeleteCert;
	    break;
	default:
	    usage(argv);
    }

    extern int optind;
    extern char *optarg;
    int arg;
    int ourRtn = 0;
    KrbToolArgs args;
    bool doLoop = false;

    memset(&args, 0, sizeof(args));
    optind = 2;
    while ((arg = getopt(argc, argv, "p:lh")) != -1) {
	switch (arg) {
	    case 'p':
		args.principal = optarg;
		break;
	    case 'l':
		doLoop = true;
		break;
	    case 'h':
	    default:
		usage(argv);
	}
    }

    do {
	switch(op) {
	    case KTO_Login:
		ourRtn = pkinitLogin(&args);
		break;
	    case KTO_Select:
		ourRtn = pkinitSelect(&args);
		break;
	    case KTO_Display:
		ourRtn = pkinitDisplay(&args);
		break;
	    case KTO_DeleteCert:
		ourRtn = pkinitDeleteCert(&args);
		break;
	    default:
		printf("***BRRZAP! Internal error.\n");
		exit(1);
	}
	if(doLoop) {
	    char resp;

	    fpurge(stdin);
	    printf("q to quit, anything else to loop: ");
	    resp = getchar();
	    if(resp == 'q') {
		break;
	    }
	}
    } while(doLoop);
    /* cleanup */
    return ourRtn;

}