krb5: Add support for AD-KDC-ISSUED

Nicolas Williams
2021-12-29 11:59:59 -06:00
committed by Nico Williams
parent 87f8c0d2b5
commit 1cede09a0b
3 changed files with 65 additions and 19 deletions


@@ -462,8 +462,9 @@ PrincipalNameAttrSrc ::= CHOICE {
enc-ticket-part [1] EncTicketPart -- minus session key
}
PrincipalNameAttrs ::= SEQUENCE {
-- True if this name was authenticated via an AP-REQ or a KDC-REP
authenticated [0] BOOLEAN,
-- These are compiled from the Ticket and Authenticator:
-- These are compiled from the Ticket, KDC-REP, and/or Authenticator
source [1] PrincipalNameAttrSrc OPTIONAL,
authenticator-ad [2] AuthorizationData OPTIONAL,
-- For the server on the client side we should keep track of the
@@ -472,7 +473,10 @@ PrincipalNameAttrs ::= SEQUENCE {
-- We don't learn much more about the server from the KDC.
peer-realm [3] Realm OPTIONAL,
transited [4] TransitedEncoding OPTIONAL,
pac-verified [5] BOOLEAN
-- True if the PAC was verified
pac-verified [5] BOOLEAN,
-- True if any AD-KDC-ISSUEDs in the Ticket were validated
kdc-issued-verified [6] BOOLEAN
-- TODO: Add requested attributes, for gss_set_name_attribute(), which
-- should cause corresponding authz-data elements to be added to
-- any TGS-REQ or to the AP-REQ's Authenticator as appropriate.
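Review bot: The comment on `kdc-issued-verified [6] BOOLEAN` says "any", which does not tell a consumer whether one validated AD-KDC-ISSUED container among several is enough to set the flag or whether every container present had to pass. The flag is also false both when no AD-KDC-ISSUED was present and when one was present but failed validation. Callers will presumably gate trust in the contained authorization data on this flag, so the comment should pin down the exact meaning, for example `-- True only if every AD-KDC-ISSUED in the Ticket validated; FALSE if none were present`, adjusted to match what the verification code (not visible in this section) actually does. Separately, the new member is neither OPTIONAL nor DEFAULT; if PrincipalNameAttrs is ever stored or exchanged in encoded form, values produced before this change would no longer decode, which is worth confirming.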