/*
    SSSD

    Library for rule based certificate to user mapping

    Authors:
        Sumit Bose <sbose@redhat.com>

    Copyright (C) 2017 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

/* Internal header of the certmap library: types and helpers shared between
 * the rule parser, the certificate decoder and the matching code.  The public
 * interface is lib/certmap/sss_certmap.h, included below.
 *
 * NOTE(review): an identifier starting with "__" is reserved for the
 * implementation (C11 7.1.3); a guard such as SSS_CERTMAP_INT_H_ would avoid
 * the (theoretical) clash. */
#ifndef __SSS_CERTMAP_INT_H__
#define __SSS_CERTMAP_INT_H__

#include <sys/types.h>
#include <regex.h>      /* regex_t, used by struct component_list */
#include <stdint.h>
#include <stdbool.h>
#include <talloc.h>     /* TALLOC_CTX, used by the prototypes at the end */

#include "lib/certmap/sss_certmap.h"

/*
 * Emit a debug message through the callback stored in the certmap context.
 *
 * The macro is a no-op when cm_ctx is NULL or when no callback has been
 * registered (cm_ctx->debug == NULL), so it is safe to use before the context
 * is fully set up.  The caller's __FILE__, __LINE__ and __FUNCTION__ are
 * forwarded together with the opaque debug_priv pointer.
 *
 * `format` is handed to the callback together with the variadic arguments
 * and is presumably interpreted as a printf-style format string: pass a
 * string literal only, never text taken from a certificate or from a rule.
 * `cm_ctx` is expanded without parentheses, so pass a plain identifier.
 * ", ##__VA_ARGS__" is a GNU extension that removes the comma when no
 * arguments follow `format`.
 */
#define CM_DEBUG(cm_ctx, format, ...) do { \
    if (cm_ctx != NULL && cm_ctx->debug != NULL) { \
        cm_ctx->debug(cm_ctx->debug_priv, __FILE__, __LINE__, __FUNCTION__, \
                      format, ##__VA_ARGS__); \
    } \
} while (0)

/* Rules applied when none is configured.  The default match rule accepts
 * only certificates carrying the digitalSignature key usage and the
 * clientAuth extended key usage; the default mapping rule looks the user up
 * by the complete certificate (the {cert!bin} template presumably expands
 * to the DER blob, cf. cert_der in struct sss_cert_content). */
#define DEFAULT_MATCH_RULE "<KU>digitalSignature<EKU>clientAuth"
#define DEFAULT_MAP_RULE "LDAP:(userCertificate;binary={cert!bin})"

/* otherName OIDs recognised in subjectAltName: id-pkinit-san (RFC 4556,
 * Kerberos principal name) and the Microsoft userPrincipalName otherName. */
#define PKINIT_OID "1.3.6.1.5.2.2"
#define NT_PRINCIPAL_OID "1.3.6.1.4.1.311.20.2.3"

/*
 * Kinds of subjectAltName entries a rule can refer to.
 *
 * The first nine values follow the tag order of the GeneralName CHOICE in
 * RFC 5280 section 4.2.1.6 (otherName = 0 ... registeredID = 8), so the
 * numeric value can double as the ASN.1 context tag.  The entries after
 * SAN_REGISTERED_ID are local refinements of otherName: SAN_PKINIT and
 * SAN_NT presumably correspond to PKINIT_OID and NT_PRINCIPAL_OID,
 * SAN_PRINCIPAL to either principal form, and SAN_STRING_OTHER_NAME to an
 * otherName whose OID is spelled out in the rule (str_other_name_oid in
 * struct component_list).  SAN_END and SAN_INVALID are sentinels, not SAN
 * kinds; keep them last.
 */
enum san_opt {
    SAN_OTHER_NAME = 0,
    SAN_RFC822_NAME,
    SAN_DNS_NAME,
    SAN_X400_ADDRESS,
    SAN_DIRECTORY_NAME,
    SAN_EDIPART_NAME,
    SAN_URI,
    SAN_IP_ADDRESS,
    SAN_REGISTERED_ID,
    SAN_PKINIT,
    SAN_NT,
    SAN_PRINCIPAL,
    SAN_STRING_OTHER_NAME,

    SAN_END,
    SAN_INVALID
};

/* KRB5 matching rule */
/* How the components of a krb5 match rule are combined: relation_none when
 * the rule has no explicit operator, relation_and / relation_or for the
 * leading "&&" / "||" of the krb5 pkinit_cert_match syntax (presumably; see
 * parse_krb5_match_rule()). */
enum relation_type {
    relation_none = 0,
    relation_and,
    relation_or
};

/*
 * One component of a parsed krb5 match rule (one <ISSUER>, <SUBJECT>, <KU>,
 * <EKU> or <SAN> part), kept in a doubly-linked list.  Only the fields that
 * apply to the component's kind are meaningful; the others stay unset.
 *
 * NOTE(review): regexp is a compiled POSIX regex and needs regfree(), which
 * talloc will not do on its own — confirm the owner installs a destructor.
 */
struct component_list {
    char *val;                  /* value as written in the rule */
    regex_t regexp;             /* compiled form of val, for pattern components */
    uint32_t ku;                /* key usage bits required, presumably SSS_KU_* flags */
    const char **eku_oid_list;  /* EKU OIDs required (terminator: TODO confirm NULL) */
    enum san_opt san_opt;       /* SAN kind addressed by a <SAN> component */
    char *str_other_name_oid;   /* otherName OID for SAN_STRING_OTHER_NAME */
    uint8_t *bin_val;           /* binary value for non-textual comparison */
    size_t bin_val_len;         /* length of bin_val in bytes */
    struct component_list *prev;
    struct component_list *next;
};

/*
 * A fully parsed krb5-style match rule: one component list per certificate
 * attribute that the rule may constrain, combined according to r.  A NULL
 * list means the rule places no constraint on that attribute.
 */
struct krb5_match_rule {
    enum relation_type r;           /* how the lists below are combined */
    struct component_list *issuer;  /* <ISSUER> components */
    struct component_list *subject; /* <SUBJECT> components */
    struct component_list *ku;      /* <KU> components */
    struct component_list *eku;     /* <EKU> components */
    struct component_list *san;     /* <SAN> components */
};

/* Kind of a component of a parsed LDAP mapping rule: literal text that is
 * copied into the filter as is, or a {...} template that is expanded from the
 * certificate content (cf. DEFAULT_MAP_RULE). */
enum comp_type {
    comp_none = 0,
    comp_string,
    comp_template
};

/*
 * A decomposed {...} template from a mapping rule.  For the "{cert!bin}"
 * template in DEFAULT_MAP_RULE, name is "cert" and conversion is "bin";
 * attr_name presumably holds an optional ".attribute" part — confirm
 * against parse_ldap_mapping_rule().  Any field may be NULL when absent.
 */
struct parsed_template {
    char *name;         /* certificate attribute the template refers to */
    char *attr_name;    /* optional sub-attribute selector */
    char *conversion;   /* optional output conversion (after '!') */
};

/*
 * One component of a parsed LDAP mapping rule, in a doubly-linked list.
 * For comp_string the text is in val; for comp_template the decomposed
 * template is in parsed_template (val presumably keeps the raw text).
 */
struct ldap_mapping_rule_comp {
    enum comp_type type;
    char *val;
    struct parsed_template *parsed_template;
    struct ldap_mapping_rule_comp *prev;
    struct ldap_mapping_rule_comp *next;
};

/* A parsed LDAP mapping rule: the head of its component list. */
struct ldap_mapping_rule {
    struct ldap_mapping_rule_comp *list;
};

/*
 * One configured rule: the match rule deciding whether a certificate is
 * covered, the mapping rule turning it into an LDAP lookup, the domains the
 * rule applies to, and the priority used to order rules.  Both the original
 * rule text and its parsed form are kept.  Rules of the same priority are
 * chained through prev/next (see struct priority_list).
 */
struct match_map_rule {
    uint32_t priority;
    char *match_rule;                               /* match rule as configured */
    struct krb5_match_rule *parsed_match_rule;      /* parsed form of match_rule */
    char *map_rule;                                 /* mapping rule as configured */
    struct ldap_mapping_rule *parsed_mapping_rule;  /* parsed form of map_rule */
    char **domains;                                 /* domains the rule applies to (terminator: TODO confirm NULL) */
    struct match_map_rule *prev;
    struct match_map_rule *next;
};

/*
 * One priority level in the context: all rules sharing this priority, as a
 * doubly-linked list of priority levels.  Whether lower or higher values
 * take precedence is decided by the code that walks the list, not here.
 */
struct priority_list {
    uint32_t priority;
    struct match_map_rule *rule_list;   /* rules with this priority */
    struct priority_list *prev;
    struct priority_list *next;
};

/*
 * Library context behind the public sss_certmap handle: the configured rules
 * grouped by priority, the optional debug callback used by CM_DEBUG(), and
 * the mapping rule used when a matching rule has none of its own
 * (presumably parsed from DEFAULT_MAP_RULE — confirm in the context setup).
 */
struct sss_certmap_ctx {
    struct priority_list *prio_list;
    sss_certmap_ext_debug *debug;       /* NULL disables CM_DEBUG() output */
    void *debug_priv;                   /* opaque pointer handed back to debug */
    struct ldap_mapping_rule *default_mapping_rule;
};

/*
 * One subjectAltName entry decoded from a certificate, in a doubly-linked
 * list.  Which of val / bin_val / rdn_list is filled depends on san_opt;
 * everything here originates from an untrusted DER blob and must be treated
 * as such when it is substituted into a mapping rule.
 */
struct san_list {
    enum san_opt san_opt;       /* kind of this entry */
    char *val;                  /* textual value, where the kind has one */
    uint8_t *bin_val;           /* raw value for binary kinds */
    size_t bin_val_len;         /* length of bin_val in bytes */
    char *other_name_oid;       /* OID of an otherName entry */
    char *short_name;           /* principal without realm/domain part, cf. get_short_name() */
    const char **rdn_list;      /* RDNs of a directoryName entry (terminator: TODO confirm NULL) */
    struct san_list *prev;
    struct san_list *next;
};

/* key usage flags, see RFC 3280 section 4.2.1.3 */
/* The values mirror the DER encoding of the KeyUsage BIT STRING: bit 0
 * (digitalSignature) is the most significant bit of the first content octet
 * (0x80), bit 7 (encipherOnly) its least significant bit, and bit 8
 * (decipherOnly) the top bit of the second octet, which lands in the high
 * byte of the 16-bit mask.  These are the bits compared against
 * component_list.ku / sss_cert_content.key_usage. */
#define SSS_KU_DIGITAL_SIGNATURE 0x0080
#define SSS_KU_NON_REPUDIATION 0x0040
#define SSS_KU_KEY_ENCIPHERMENT 0x0020
#define SSS_KU_DATA_ENCIPHERMENT 0x0010
#define SSS_KU_KEY_AGREEMENT 0x0008
#define SSS_KU_KEY_CERT_SIGN 0x0004
#define SSS_KU_CRL_SIGN 0x0002
#define SSS_KU_ENCIPHER_ONLY 0x0001
#define SSS_KU_DECIPHER_ONLY 0x8000

/*
 * The parts of a certificate the matching and mapping code looks at, as
 * filled in by sss_cert_get_content().  Every field is derived from the
 * caller-supplied DER blob, so all strings are attacker-influenced; code that
 * substitutes them into an LDAP filter must apply the proper escaping
 * (RFC 4515) in the conversion step rather than trusting them verbatim.
 */
struct sss_cert_content {
    char *issuer_str;                       /* issuer DN as a string */
    const char **issuer_rdn_list;           /* issuer DN split into RDNs (terminator: TODO confirm NULL) */
    char *subject_str;                      /* subject DN as a string */
    const char **subject_rdn_list;          /* subject DN split into RDNs */
    uint32_t key_usage;                     /* SSS_KU_* bit mask */
    const char **extended_key_usage_oids;   /* EKU OIDs as dotted strings */
    struct san_list *san_list;              /* decoded subjectAltName entries */

    uint8_t *cert_der;                      /* copy of the certificate in DER form */
    size_t cert_der_size;                   /* length of cert_der in bytes */
};

/* Helper prototypes shared by the certmap sources.  Return convention is
 * presumably 0 on success and an errno-style code on failure (SSSD style);
 * output objects are presumably allocated on mem_ctx and freed with it —
 * confirm against the implementations. */

/**
 * Decode a DER-encoded certificate into the fields of struct sss_cert_content.
 *
 * @param mem_ctx   talloc parent of the returned structure
 * @param der_blob  certificate in DER encoding (untrusted input)
 * @param der_size  length of der_blob in bytes
 * @param content   receives the decoded content on success
 */
int sss_cert_get_content(TALLOC_CTX *mem_ctx,
                         const uint8_t *der_blob, size_t der_size,
                         struct sss_cert_content **content);

/** Map an RDN attribute name to its AD form; returns a new string on mem_ctx
 *  (NULL on failure or no match — confirm which). */
char *check_ad_attr_name(TALLOC_CTX *mem_ctx, const char *rdn);

/** Translate an OpenSSL attribute name to the NSS spelling.  Ownership of the
 *  result is not visible here — confirm whether the caller must free it. */
char *openssl_2_nss_attr_name(const char *attr);

/**
 * Parse a krb5-style match rule (see DEFAULT_MATCH_RULE for the syntax).
 *
 * @param ctx         certmap context, used for CM_DEBUG() output
 * @param rule_start  rule text
 * @param match_rule  receives the parsed rule on success
 */
int parse_krb5_match_rule(struct sss_certmap_ctx *ctx,
                          const char *rule_start,
                          struct krb5_match_rule **match_rule);

/**
 * Parse an LDAP mapping rule (see DEFAULT_MAP_RULE for the syntax) into its
 * literal and template components.
 *
 * @param ctx           certmap context, used for CM_DEBUG() output
 * @param rule_start    rule text
 * @param mapping_rule  receives the parsed rule on success
 */
int parse_ldap_mapping_rule(struct sss_certmap_ctx *ctx,
                            const char *rule_start,
                            struct ldap_mapping_rule **mapping_rule);

/**
 * Derive the short form of a principal-like name by cutting at `delim`
 * (presumably the part before the first delimiter — confirm).
 *
 * @param mem_ctx     talloc parent of the result
 * @param full_name   complete name
 * @param delim       separator character, e.g. '@'
 * @param short_name  receives the new string on success
 */
int get_short_name(TALLOC_CTX *mem_ctx, const char *full_name,
                   char delim, char **short_name);

/**
 * Create a struct san_list item for one subjectAltName entry.
 *
 * @param mem_ctx  talloc parent of the new item
 * @param is_bin   true to store data as bin_val/bin_val_len, false as val
 * @param san_opt  kind of the entry
 * @param data     value taken from the certificate (untrusted)
 * @param len      length of data in bytes
 * @param item     receives the new item on success
 */
int add_to_san_list(TALLOC_CTX *mem_ctx, bool is_bin,
                    enum san_opt san_opt, const uint8_t *data, size_t len,
                    struct san_list **item);

/**
 * Create a struct san_list item for a principal name (PKINIT or NT style,
 * selected by san_opt).
 *
 * @param mem_ctx  talloc parent of the new item
 * @param san_opt  kind of the entry
 * @param princ    principal name string (untrusted)
 * @param item     receives the new item on success
 */
int add_principal_to_san_list(TALLOC_CTX *mem_ctx, enum san_opt san_opt,
                              const char *princ, struct san_list **item);

/**
 * Join an RDN list back into a DN string, formatted according to
 * `conversion` (the part of a template after '!', cf. struct parsed_template).
 *
 * @param mem_ctx     talloc parent of the result
 * @param conversion  requested output conversion, may select the DN order/style
 * @param rdn_list    RDNs as produced by sss_cert_get_content()
 * @param result      receives the new string on success
 */
int rdn_list_2_dn_str(TALLOC_CTX *mem_ctx, const char *conversion,
                      const char **rdn_list, char **result);
#endif /* __SSS_CERTMAP_INT_H__ */