Add bx509d

Nicolas Williams
2019-10-09 20:18:01 -05:00
parent 4d4c7078cd
commit 575c67806b
41 changed files with 5794 additions and 684 deletions
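--- a/krb5.asn1
+++ b/krb5.asn1
@@ -216,7 +216,12 @@ AUTHDATA-TYPE ::= INTEGER {
 -- N.B. these assignments have not been confirmed yet.
 --
 -- DO NOT USE in production yet!
-KRB5-AUTHDATA-ON-BEHALF-OF(580) -- UTF8String princ name
+KRB5-AUTHDATA-ON-BEHALF-OF(580), -- UTF8String princ name
+KRB5-AUTHDATA-BEARER-TOKEN-JWT(581), -- JWT token
+KRB5-AUTHDATA-BEARER-TOKEN-SAML(582), -- SAML token
+KRB5-AUTHDATA-BEARER-TOKEN-OIDC(583), -- OIDC token
+KRB5-AUTHDATA-CSR-AUTHORIZED(584) -- Proxy has authorized client
+-- to requested exts in CSR
 }
 -- checksumtypes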
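Review bot: KRB5-AUTHDATA-CSR-AUTHORIZED(584) is an authorization assertion ("Proxy has authorized client to requested exts in CSR"), yet nothing here says which party may assert it or how a verifier is meant to distinguish a KDC/proxy-issued element from one the client simply placed in its own Authenticator, which is client-controlled; the code that checks this lives outside this commit's visible hunks, so the type definition is the one place to pin the rule. I would add `-- Trust only when KDC-issued (AD-KDC-ISSUED or the ticket enc-part); client-supplied authz-data is not authoritative` under 584. The three bearer-token types (581-583) carry credentials, so a line such as `-- bearer tokens are secrets: carry only inside encrypted authz-data, never in clear` would also be worth adding. The "DO NOT USE in production yet!" warning presumably covers the new values too; saying so explicitly avoids a reader taking 581-584 as settled.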
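--- a/kx509.asn1
+++ b/kx509.asn1
@@ -7,7 +7,8 @@
 KX509 DEFINITIONS ::= BEGIN
 IMPORTS Extensions FROM rfc2459
-KerberosTime, AUTHDATA-TYPE FROM krb5;
+KerberosTime FROM krb5
+KRB5PrincipalName FROM pkinit;
 KX509-ERROR-CODE ::= INTEGER {
 KX509-STATUS-GOOD(0),
@@ -61,12 +62,6 @@ KX509-ERROR-CODE ::= INTEGER {
 Kx509CSRPlus ::= [APPLICATION 35] SEQUENCE {
 -- PKCS#10, DER-encoded CSR, with or without meaningful attributes
 csr OCTET STRING,
--- The AP-REQ's Authenticator may contain authz-data of interest here
--- for carrying confidential payloads. E.g., a bearer token for a user
--- to impersonate. This sequence tells the server what authz-data
--- elements there might be, effectively making them critical even if
--- they are in AD-IF-RELEVANT containers.
-authz-datas SEQUENCE OF AUTHDATA-TYPE,
 -- Desired certificate Extensions such as KeyUsage, ExtKeyUsage, or
 -- subjectAlternativeName (SAN)
 exts Extensions OPTIONAL,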
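Review bot: Removing `authz-datas` from Kx509CSRPlus drops the only mechanism (per the deleted comment) by which a client could make Authenticator authz-data such as an impersonation bearer token critical; a server that does not understand an element inside AD-IF-RELEVANT is entitled to ignore it, and would then, if that path is still used, issue a certificate for the caller's own identity instead of failing the request. If bearer tokens now travel another way, a comment on Kx509CSRPlus saying where, e.g. `-- Bearer tokens / on-behalf-of requests are no longer signalled here; see the bx509d request path`, would stop the next reader from re-adding the field. Separately, `KRB5PrincipalName FROM pkinit` is one of only two lines this file gains (+2), but nothing in either hunk uses it; if no existing definition in the rest of the file references it, the import is dead and should go.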
+86 -60
@@ -753,79 +753,106 @@ Specifies the digests the kdc will reply to. The default is
.Li ntlm-v2 .
.It Li enable-kx509 = Va boolean
Enables kx509 service.
.It Li kx509_ca = Va file
Specifies the PEM credentials for the kx509 certification authority.
.Pp
The kx509 service is configurable for a number of cases:
.Bl -tag -width "" -offset indent
.It Li default certificates for user or service principals,
.It Li non-default certificate requests including subject alternative names (SAN) and extended key usage (EKU) certificate extensions, for either client, server, or mixed usage.
.El
.Pp
Distinct configurations are supported for all of these cases as
shown below:
.Bd -literal -offset indent
[kdc]
enable-kx509 = yes | no
require_csr = yes | no
require_initial_kca_tickets = yes | no
realm = {
<REALM> = {
kx509 = {
<label> = {
<param> = <value>
}
hostbased_service = {
<service> = {
<param> = <value>
}
}
}
}
}
.Ed
where
.Va label
is one of:
.Bl -tag -width "xxx" -offset indent
.It Li user
for default certificates for user principals,
.It Li root_user
for default certificates for root user principals,
.It Li admin_user
for default certificates for admin user principals,
.It Li hostbased_service
for default certificates for host-based service principals, in which case the
service name is used as shown above,
.It Li client
for non-default client certificates,
.It Li server
for non-default server certificates,
.It Li mixed
for non-default client and server certificates.
.El
and where the parameters are as follows:
.Bl -tag -width "xxx" -offset indent
.It Li ca = Va file
Specifies the PEM credentials for the kx509 certification
authority. If not specified for any specific use-case, then that
use-case will be disabled.
.It Li require_initial_kca_tickets = Va boolean
Specified whether to require that tickets for the
.Li kca_service
service principal be INITIAL.
This may be set on a per-realm basis as well as globally.
Defaults to true for the global setting.
.It Li kx509_include_pkinit_san = Va boolean
.It Li include_pkinit_san = Va boolean
If true then the kx509 client principal's name and realm will be
included in an
.Li id-pkinit-san
subject alternative name certificate extension.
This can be set on a per-realm basis as well as globally.
Defaults to true for the global setting.
.It Li kx509_include_email_san = Va boolean
If true then the kx509 client user principal's name and realm will be
included in an
.It Li email_domain = Va domain
If set then the kx509 client user principal's name at the given
domain will be included in an
.Li rfc822Name
subject alternative name certificate extension, with the downcased
realm as the domainname.
subject alternative name certificate extension.
This can be set on a per-realm basis as well as globally.
Defaults to false for the global setting.
.It Li kx509_include_dnsname_san = Va boolean
If true then the kx509 host-based or domain-based client principal's
hostname will be included in an
.It Li include_dnsname_san = Va boolean
If true then a kx509 host-based or domain-based client
principal's hostname will be included in an
.Li dNSName
subject alternative name certificate extension, with the
downcased realm as the domainname. This can be set on a
per-realm basis as well as
globally. Defaults to false for the global setting.
.It Li kx509_template = Va file
Specifies the PEM file with a template for the certificates to be
issued to kx509 clients whose principal names have one component
(i.e., are user principals). A template is a certificate with
variables to be interpolated in the subjectName. The following
variables can be interpolated in the subject name using
${variable} syntax:
.Bl -tag -width "xxx" -offset indent
.It principal-name
The full name of the kx509 client principal.
.It principal-name-without-realm
The full name of the kx509 client principal, excluding the realm name.
.It principal-name-realm
The name of the client principal's realm.
.El
.It Li kx509_templates = {
.Bl -tag -width "xxx" -offset indent
.It Li two_component_user = {
.Bl -tag -width "xxx" -offset indent
.It Va first-component-of-principal-name = Va file
.It ...
.It Li }
.El
.It Li hostbased = {
.Bl -tag -width "xxx" -offset indent
.It Va service = Va file
.It ...
.It Li }
.El
.It Li domainbased = {
.Bl -tag -width "xxx" -offset indent
.It Va service = Va file
.It ...
.It Li }
.El
.It Li }
.El
Specifies the PEM files with templates for the certificates to be
issued to clients with principal names with two or three name
components. This is useful for issuing server certificates to
host-based principals. The following variables can be
interpolated in the subject name using
.It Li ekus = Va OID
List of OIDs to include as EKUs.
.It Li subject_name = Va DN
Specifies a subject name that should either be empty or contain
variable interpolation as described below for
.Va template_cert .
The subject may be the empty string, causing the issued
certificates' subject names to be empty.
.It Li template_cert = Va store
Specifies the hx509 store (e.g.,
.Va PEM-FILE:path )
with a template
for the certificates to be issued to kx509 clients whose
principal names have one component (i.e., are user principals).
A template is a certificate with variables to be interpolated in
the subjectName. The following variables can be interpolated in
the subject name using
.Va ${variable}
syntax:
.Bl -tag -width "xxx" -offset indent
@@ -846,6 +873,12 @@ The name of the service.
.It principal-host-name
The name of the host.
.El
.Pp
If a template and subject name are not specified and no default
SANs are configured, then no certificate will be issued.
Otherwise if a template and subject name are not specified, then
subject of the certificate will be empty.
.El
.It Li enable_derived_keys = Va boolean
Enable the use of derived key namespaces.
When enabled, principals of the form
@@ -870,13 +903,6 @@ The maximim number of dots in a name matched via
derived key namespaces.
.El
.Pp
The
.Li kx509 ,
.Li kx509_template ,
.Li kx509_include_pkinit_san ,
and
.Li require_initial_kca_tickets
parameters may be set on a per-realm basis as well.
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
.It Li password_lifetime = Va time
+1 -32
@@ -358,37 +358,6 @@ krb5_kx509_ctx_add_san_registeredID(krb5_context context,
return ret;
}
/**
* Adds authorization data to a kx509 request context.
*
* @param context The Kerberos library context
* @param ctx The kx509 request context
* @param ad_type The authorization data type
* @param ad_data The authorization data
*
* @return A krb5 error code.
*/
krb5_error_code
krb5_kx509_ctx_add_auth_data(krb5_context context,
krb5_kx509_req_ctx kx509_ctx,
krb5int32 ad_type,
krb5_data *ad_data)
{
AUTHDATA_TYPE *tmp;
Kx509CSRPlus *p = &kx509_ctx->csr_plus;
tmp = realloc(p->authz_datas.val,
sizeof(p->authz_datas.val[0]) * (p->authz_datas.len + 1));
if (tmp == NULL)
return krb5_enomem(context);
p->authz_datas.val = tmp;
p->authz_datas.val[p->authz_datas.len++] = ad_type;
return krb5_auth_con_add_AuthorizationDataIfRelevant(context,
kx509_ctx->ac,
ad_type, ad_data);
}
static krb5_error_code
load_priv_key(krb5_context context,
krb5_kx509_req_ctx kx509_ctx,
@@ -833,7 +802,7 @@ mk_kx509_req(krb5_context context,
* that already unless there's no start_realm cc config, in which case
* we'll use the ccache's default client principal's realm.
*/
hostname = krb5_config_get_string(context, NULL, "realm",
hostname = krb5_config_get_string(context, NULL, "realms",
kx509_ctx->realm, "kx509_hostname",
NULL);
if (hostname == NULL)
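Review bot: `krb5_kx509_ctx_add_auth_data` is deleted outright although it is an exported symbol (this commit also removes it from the export list and from the HEIMDAL_KRB5_2.0 version node), so anything already linked against libkrb5 that references it will fail at load time with an unresolved symbol. If the function never shipped in a release, the commit message should say so; otherwise keep a deprecated stub in place, e.g. `krb5_set_error_message(context, ENOTSUP, "kx509 authz-data no longer supported"); return ENOTSUP;`, and leave the symbol in the version script. The `"realm"` to `"realms"` change in mk_kx509_req looks like a genuine fix (the per-realm client setting lives in the `[realms]` section), but it is silent; a one-line why-comment such as `/* kx509_hostname is a per-realm client setting: [realms] <REALM> = { ... } */` would record that. mk_kx509_req begins and ends outside this hunk, so the fallback path after `hostname == NULL` could not be reviewed.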
-1
@@ -439,7 +439,6 @@ EXPORTS
krb5_kt_start_seq_get
krb5_kuserok
krb5_kx509
krb5_kx509_ctx_add_auth_data
krb5_kx509_ctx_add_eku
krb5_kx509_ctx_add_san_dns_name
krb5_kx509_ctx_add_san_ms_upn
-1
@@ -432,7 +432,6 @@ HEIMDAL_KRB5_2.0 {
krb5_kt_start_seq_get;
krb5_kuserok;
krb5_kx509;
krb5_kx509_ctx_add_auth_data;
krb5_kx509_ctx_add_eku;
krb5_kx509_ctx_add_san_dns_name;
krb5_kx509_ctx_add_san_ms_upn;