kdc: Add Heimdal cert ext for ticket max_life

This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate.

KDC configuration parameters:

 - pkinit_max_life_from_cert_extension
 - pkinit_max_life_bound

If `pkinit_max_life_from_cert_extension` is set to true then the
certificate extension or EKU will be checked.

If `pkinit_max_life_bound` is set to a positive relative time, then that
will be the upper bound of maximum Kerberos ticket lifetime derived from
these extensions.

The KDC config `pkinit_ticket_max_life_from_cert` that was added earlier
has been renamed to `pkinit_max_life_from_cert`.

See lib/hx509 and lib/krb5/krb5.conf.5.

tests/kdc/check-pkinit.in

@@ -189,31 +189,65 @@ ${hxtool} issue-certificate \
 echo foo > ${objdir}/foopassword
 
 echo Starting kdc ; > messages.log
+KRB5_CONFIG="${objdir}/krb5-pkinit2.conf"
 ${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
 kdcpid=`getpid kdc`
 
-trap "kill -9 ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt ;exit 1;" EXIT
+trap 'kill -9 ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt; exit 1;' EXIT
 
 ec=0
 
+echo "Trying pk-init (principal in cert; longer max_life)"; > messages.log
+base="${objdir}"
+${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist}
+if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
+    ${klistjson} |
+        jq -e '(((.tickets[0].Expires|
+               strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
+               (floor < 4)' >/dev/null &&
+           { ec=1 ; eval "${testfailed}"; }
+fi
+${kdestroy}
+
+echo "Restarting kdc ($kdcpid)"
+sh ${leaks_kill} kdc $kdcpid || ec=1
+KRB5_CONFIG="${objdir}/krb5-pkinit.conf"
+${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
+kdcpid=`getpid kdc`
+
 echo "Trying pk-init (principal in cert)"; > messages.log
 base="${objdir}"
 ${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
 ${klist}
+if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then
+    ${klistjson} |
+        jq -e '(((.tickets[0].Expires|
+               strptime("%b %d %H:%M:%S %Y")|mktime) - now) / 86400) |
+               (floor > 1)' >/dev/null &&
+           { ec=1 ; eval "${testfailed}"; }
+fi
 ${kdestroy}
 
-echo "Restarting kdc (${kdcpid}) for longer max_life test"
-sh ${leaks_kill} kdc $kdcpid || ec=1
-KRB5_CONFIG="${objdir}/krb5-pkinit2.conf"
-${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
-kdcpid=`getpid kdc`
-
-echo "Trying pk-init (principal in cert; longer max_life)"; > messages.log
+echo "Trying pk-init (principal in cert; longer max_life from cert ext)"; > messages.log
+# Re-issue cert with --pkinit-max-life=7d
+${hxtool} issue-certificate \
+	  --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \
+	  --type="pkinit-client" \
+          --pk-init-principal="bar@TEST.H5L.SE" \
+	  --req="PKCS10:req-pkinit.der" \
+          --lifetime=7d \
+          --pkinit-max-life=7d \
+	  --certificate="FILE:pkinit.crt" || exit 1
 base="${objdir}"
+set -vx
 ${kinit} --lifetime=5d -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
+set +vx
 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
 ${klist}
 if jq --version >/dev/null 2>&1 && jq -ne true >/dev/null 2>&1; then

tests/kdc/krb5-pkinit.conf.in

@@ -19,7 +19,8 @@
 	pkinit_identity = FILE:@objdir@/kdc.crt,@srcdir@/../../lib/hx509/data/key2.der
 	pkinit_anchors = FILE:@objdir@/ca.crt
 	pkinit_mappings_file = @srcdir@/pki-mapping
-	pkinit_ticket_max_life_from_cert = @max_life_from_cert@
+        pkinit_max_life_from_cert_extension = true
+	pkinit_max_life_from_cert = @max_life_from_cert@
 
         plugin_dir =  @objdir@/../../kdc/.libs