oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

hx509: keep track of authorized CSR features

Browse Source 
This commit adds a few functions for marking KU, EKUs, and SANs as
authorized, and for getting a count of unsupported certificate
extensions requested, and a count of authorized KU/EKUs/SANs.

The intent is to make it easier to build CSR authorization and CA code
that is robust in the face of future support for certificate extensions
and SAN types not currently supported.  An application could parse a
CSR, iterate all KU/EKUs/SANs, check a subject's authorization to them,
mark them authorized where authorized, then check if there are any
remaining unauthorized extensions or unsupported extensions requested.

Ultimately, if a CSR's KU/EKUs/SANs are all authorized, then they can
all be copied to a TBS, and a certificate can be issued.
This commit is contained in:
Nicolas Williams
2019-11-18 23:18:57 -06:00
parent d519094117
commit a7a1d798c3
7 changed files with 603 additions and 286 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
lib/hx509/version-script.map
View File

@@ -33,6 +33,11 @@ HEIMDAL_X509_1.2 {
hx509_request_add_pkinit;
hx509_request_add_registered;
hx509_request_add_xmpp_name;
hx509_request_authorize_ku;
hx509_request_authorize_eku;
hx509_request_authorize_san;
hx509_request_count_unsupported;
hx509_request_count_unauthorized;
hx509_request_print;
hx509_request_to_pkcs10;
_hx509_unmap_file_os;
@@ -43,6 +48,7 @@ HEIMDAL_X509_1.2 {
hx509_ca_tbs_add_crl_dp_uri;
hx509_ca_tbs_add_eku;
hx509_ca_tbs_add_ku;
hx509_ca_tbs_add_san;
hx509_ca_tbs_add_san_hostname;
hx509_ca_tbs_add_san_jid;
hx509_ca_tbs_add_san_ms_upn;
@@ -54,6 +60,7 @@ HEIMDAL_X509_1.2 {
hx509_ca_tbs_init;
hx509_ca_tbs_set_ca;
hx509_ca_tbs_set_domaincontroller;
hx509_ca_tbs_set_from_csr;
hx509_ca_tbs_set_notAfter;
hx509_ca_tbs_set_notAfter_lifetime;
hx509_ca_tbs_set_notBefore;
@@ -216,16 +223,12 @@ HEIMDAL_X509_1.2 {
hx509_query_match_option;
hx509_query_statistic_file;
hx509_query_unparse_stats;
hx509_request_get_dns_name_san;
hx509_request_get_eku;
hx509_request_get_email_san;
hx509_request_get_exts;
hx509_request_get_ku;
hx509_request_get_ms_upn_san;
hx509_request_get_name;
hx509_request_get_pkinit_san;
hx509_request_get_san;
hx509_request_get_SubjectPublicKeyInfo;
hx509_request_get_xmpp_san;
hx509_request_free;
hx509_request_init;
hx509_request_parse;