diff options
| author | Will Fiveash <will.fiveash@oracle.com> | 2009-01-30 23:55:14 +0000 |
|---|---|---|
| committer | Will Fiveash <will.fiveash@oracle.com> | 2009-01-30 23:55:14 +0000 |
| commit | e246f7e7b2cddfca9eb744f24e50dd034247a74b (patch) | |
| tree | 97ec348048dab2eec4206fa99df1e18adab77cf1 /src/kadmin/dbutil/kdb5_create.c | |
| parent | 77b1e1108ca32617fe43825748c68c575e77f010 (diff) | |
| download | krb5-e246f7e7b2cddfca9eb744f24e50dd034247a74b.tar.gz krb5-e246f7e7b2cddfca9eb744f24e50dd034247a74b.tar.xz krb5-e246f7e7b2cddfca9eb744f24e50dd034247a74b.zip | |
Master Key Migration Project
Commit for the Master Key Migration Project.
http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration
This commit provides the ability to add a new master key (with an
enctype differing from the current master key) to the master key
principal and stash file and then migrate the encryption of existing
principals long term keys to use the new master key. In addition
deletion of master keys is provided.
ticket: 6354
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21844 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/dbutil/kdb5_create.c')
| -rw-r--r-- | src/kadmin/dbutil/kdb5_create.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c index c7fb31bb20..6a638a3512 100644 --- a/src/kadmin/dbutil/kdb5_create.c +++ b/src/kadmin/dbutil/kdb5_create.c @@ -230,6 +230,10 @@ master key name '%s'\n", pw_size = 1024; pw_str = malloc(pw_size); + if (pw_str == NULL) { + com_err(progname, ENOMEM, "while creating new master key"); + exit_status++; return; + } retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, pw_str, &pw_size); @@ -315,6 +319,9 @@ master key name '%s'\n", com_err(progname, retval, "while adding entries to the database"); exit_status++; return; } + + + /* * Always stash the master key so kadm5_create does not prompt for * it; delete the file below if it was not requested. DO NOT EXIT @@ -414,11 +421,10 @@ add_principal(context, princ, op, pblock) krb5_error_code retval; krb5_db_entry entry; krb5_kvno mkey_kvno; - krb5_timestamp now; struct iterate_args iargs; - int nentries = 1; + krb5_actkvno_node actkvno; memset((char *) &entry, 0, sizeof(entry)); @@ -455,6 +461,21 @@ add_principal(context, princ, op, pblock) &master_keyblock, NULL, mkey_kvno, entry.key_data))) return retval; + /* + * There should always be at least one "active" mkey so creating the + * KRB5_TL_ACTKVNO entry now so the initial mkey is active. + */ + actkvno.next = NULL; + actkvno.act_kvno = mkey_kvno; + /* earliest possible time in case system clock is set back */ + actkvno.act_time = 0; + if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno))) + return retval; + + /* so getprinc shows the right kvno */ + if ((retval = krb5_dbe_update_mkvno(context, &entry, mkey_kvno))) + return retval; + break; case TGT_KEY: iargs.ctx = context; |