hx509: Add Heimdal cert ext for ticket max_life

This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate:

 - a `--pkinit-max-life` to the `hxtool ca` command
 - `hx509_ca_tbs_set_pkinit_max_life()`
 - `hx509_cert_get_pkinit_max_life()`
 - `HX509_CA_TEMPLATE_PKINIT_MAX_LIFE`

There are two extensions.  One is an EKU, which if present means that
the maximum ticket lifetime should be derived from the notAfter minus
notBefore.  The other is a certificate extension whose value is a
maximum ticket lifetime in seconds.  The latter is preferred.
Nicolas Williams
2021-03-24 15:57:15 -05:00
parent f0e628c2cf
commit 15b2094079
7 changed files with 112 additions and 4 deletions


@@ -74,6 +74,7 @@ HEIMDAL_X509_1.2 {
hx509_ca_tbs_set_notAfter;
hx509_ca_tbs_set_notAfter_lifetime;
hx509_ca_tbs_set_notBefore;
hx509_ca_tbs_set_pkinit_max_life;
hx509_ca_tbs_set_proxy;
hx509_ca_tbs_set_serialnumber;
hx509_ca_tbs_set_spki;
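Review bot: the new export `hx509_ca_tbs_set_pkinit_max_life;` is added to the existing `HEIMDAL_X509_1.2` version node rather than a new node, so a consumer linked against this build cannot be distinguished at link time from one built before the symbol existed; confirm that appending to the current node is the project's intended convention for additive API changes, and that the matching prototype is declared in the public header so the exported name resolves. The placement between `hx509_ca_tbs_set_notBefore;` and `hx509_ca_tbs_set_proxy;` keeps the list's alphabetical order.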
@@ -97,6 +98,7 @@ HEIMDAL_X509_1.2 {
hx509_cert_get_issuer;
hx509_cert_get_notAfter;
hx509_cert_get_notBefore;
hx509_cert_get_pkinit_max_life;
hx509_cert_get_serialnumber;
hx509_cert_get_subject;
hx509_cert_get_issuer_unique_id;
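Review bot: `hx509_cert_get_pkinit_max_life;` is exported here but the contract the commit message describes (the seconds-valued extension is preferred, the EKU falls back to notAfter minus notBefore) is not visible at the declaration; document at the prototype which result wins when both extensions are present and what the function returns when neither is, since callers deriving a ticket lifetime from it need to know whether "absent" means zero, an error, or "use the KDC default". Alphabetical placement before `hx509_cert_get_serialnumber;` is consistent with the surrounding entries; the pre-existing `hx509_cert_get_issuer_unique_id;` after `hx509_cert_get_subject;` is out of order but unrelated to this change.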