Diffstat (limited to 'src/lib/certmap/sss_certmap_int.h')
-rw-r--r--src/lib/certmap/sss_certmap_int.h140
1 files changed, 140 insertions, 0 deletions
diff --git a/src/lib/certmap/sss_certmap_int.h b/src/lib/certmap/sss_certmap_int.h
new file mode 100644
index 000000000..12954a326
--- /dev/null
+++ b/src/lib/certmap/sss_certmap_int.h
@@ -0,0 +1,140 @@
+/*
+ SSSD
+
+ Library for rule based certificate to user mapping
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <sys/types.h>
+#include <regex.h>
+
+#ifndef __SSS_CERTMAP_INT_H__
+#define __SSS_CERTMAP_INT_H__
+
+#define CM_DEBUG(cm_ctx, format, ...) do { \
+ if (cm_ctx != NULL && cm_ctx->debug != NULL) { \
+ cm_ctx->debug(cm_ctx->debug_priv, __FILE__, __LINE__, __FUNCTION__, \
+ format, ##__VA_ARGS__); \
+ } \
+} while (0)
+
+#define DEFAULT_MATCH_RULE "<KU>digitalSignature<EKU>clientAuth"
+#define DEFAULT_MAP_RULE "LDAP:userCertificate;binary={cert!bin}"
+
+/* KRB5 matching rule */
+enum relation_type {
+ relation_none = 0,
+ relation_and,
+ relation_or
+};
+
+struct component_list {
+ char *val;
+ regex_t regexp;
+ uint32_t ku;
+ const char **eku_oid_list;
+ struct component_list *prev;
+ struct component_list *next;
+};
+
+struct krb5_match_rule {
+ enum relation_type r;
+ struct component_list *issuer;
+ struct component_list *subject;
+ struct component_list *ku;
+ struct component_list *eku;
+};
+
+enum comp_type {
+ comp_none = 0,
+ comp_string,
+ comp_template
+};
+
+struct parsed_template {
+ char *name;
+ char *attr_name;
+ char *conversion;
+};
+
+struct ldap_mapping_rule_comp {
+ enum comp_type type;
+ char *val;
+ struct parsed_template *parsed_template;
+ struct ldap_mapping_rule_comp *prev;
+ struct ldap_mapping_rule_comp *next;
+};
+
+struct ldap_mapping_rule {
+ struct ldap_mapping_rule_comp *list;
+};
+
+struct match_map_rule {
+ unsigned int priority;
+ char *match_rule;
+ struct krb5_match_rule *parsed_match_rule;
+ char *map_rule;
+ struct ldap_mapping_rule *parsed_mapping_rule;
+ char **domains;
+ struct match_map_rule *prev;
+ struct match_map_rule *next;
+};
+
+struct priority_list {
+ unsigned int priority;
+ struct match_map_rule *rule_list;
+ struct priority_list *prev;
+ struct priority_list *next;
+};
+
+struct sss_certmap_ctx {
+ struct priority_list *prio_list;
+ const char *err_msg;
+ sss_certmap_ext_debug *debug;
+ void *debug_priv;
+};
+
+/* key usage flags, see RFC 3280 section 4.2.1.3 */
+#define SSS_KU_DIGITAL_SIGNATURE 0x0080
+#define SSS_KU_NON_REPUDIATION 0x0040
+#define SSS_KU_KEY_ENCIPHERMENT 0x0020
+#define SSS_KU_DATA_ENCIPHERMENT 0x0010
+#define SSS_KU_KEY_AGREEMENT 0x0008
+#define SSS_KU_KEY_CERT_SIGN 0x0004
+#define SSS_KU_CRL_SIGN 0x0002
+#define SSS_KU_ENCIPHER_ONLY 0x0001
+#define SSS_KU_DECIPHER_ONLY 0x8000
+
+struct sss_cert_content {
+ const char *issuer_str;
+ const char **issuer_rdn_list;
+ const char *subject_str;
+ const char **subject_rdn_list;
+ uint32_t key_usage;
+ const char **extended_key_usage_oids;
+
+ uint8_t *cert_der;
+ size_t cert_der_size;
+};
+
+int sss_cert_get_content(TALLOC_CTX *mem_ctx,
+ const uint8_t *der_blob, size_t der_size,
+ struct sss_cert_content **content);
+#endif /* __SSS_CERTMAP_INT_H__ */
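Review bot: The header is not self-contained: `uint32_t`/`uint8_t` (struct component_list, struct sss_cert_content), `size_t`, `TALLOC_CTX` and `sss_certmap_ext_debug` are all used but only `<sys/types.h>` and `<regex.h>` are included, so a translation unit that includes this file first will fail to compile unless it already pulled in `<stdint.h>`, `<talloc.h>` and whichever header declares `sss_certmap_ext_debug` (presumably the public certmap header); adding `#include <stdint.h>` and `#include <talloc.h>`, and moving all includes below the `#ifndef __SSS_CERTMAP_INT_H__` guard rather than above it, would fix both that and the guard placement. In `CM_DEBUG` the `cm_ctx` argument is expanded unparenthesized three times, so an argument that is an expression rather than a plain identifier would misparse; writing `(cm_ctx)` at each use is the usual fix. `sss_cert_get_content` is the point where untrusted DER enters the library, yet its prototype carries no contract: a Doxygen comment stating that `*content` is allocated on `mem_ctx` and released with it, that `der_size` bounds every read the parser makes of `der_blob`, and what the return value means (0 on success and an errno-style code otherwise, if that is this module's convention) would help callers use it safely. The ownership of `regexp` in struct component_list (who calls `regfree`) and of the `eku_oid_list`/`domains` arrays would similarly be worth a one-line comment each.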