kdc: Add synthetic PKINIT principals option

2021-06-28 23:29:18 -05:00
parent 4a5fc6bcde
commit 00358252d3
11 changed files with 228 additions and 46 deletions
--- a/lib/hdb/hdb.asn1
+++ b/lib/hdb/hdb.asn1
@@ -53,6 +53,7 @@ HDBFlags ::= BIT STRING {
 	materialize(19),		-- store even if within virtual namespace
 	virtual-keys(20),		-- entry     stored; keys mostly derived
 	virtual(21),			-- entry not stored; keys always derived
+	synthetic(22),			-- entry not stored; for PKINIT

 	force-canonicalize(30),		-- force the KDC to return the canonical
 					-- principal irrespective of the setting
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -70,6 +70,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
 #define HDB_F_PRECHECK		16384	/* check that the operation would succeed */
 #define HDB_F_DELAY_NEW_KEYS	32768	/* apply [hdb] new_service_key_delay */
+#define HDB_F_SYNTHETIC_OK	65536	/* synthetic principal for PKINIT OK */

 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1