bx509d: /get-tgt add EKU to authorization check

2021-04-16 14:12:40 -05:00
parent eb2d1029c2
commit f60300984e
2 changed files with 5 additions and 1 deletions
--- a/kdc/bx509d.c
+++ b/kdc/bx509d.c
@@ -1672,7 +1672,10 @@ authorize_TGT_REQ(struct bx509_request_desc *r, const char *cname)
        return bad_500(r, ret, "Out of resources");
    heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
                     "requested_krb5PrincipalName", "%s", cname);
-    ret = hx509_request_add_pkinit(r->context->hx509ctx, r->req, cname);
+    ret = hx509_request_add_eku(r->context->hx509ctx, r->req,
+                                ASN1_OID_ID_PKEKUOID);
+    if (ret == 0)
+        ret = hx509_request_add_pkinit(r->context->hx509ctx, r->req, cname);
    if (ret == 0)
        ret = kdc_authorize_csr(r->context, "get-tgt", r->req, p);
    krb5_free_principal(r->context, p);
--- a/tests/kdc/check-bx509.in
+++ b/tests/kdc/check-bx509.in
@@ -435,6 +435,7 @@ $klist || { echo "failed to setup kimpersonate credentials"; exit 2; }

 echo "Fetch TGT"
 (set -vx; csr_grant pkinit foo@${R} foo@${R})
+(set -vx; csr_grant eku 1.3.6.1.5.2.3.4 foo@${R})
 token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
 if ! (set -vx;
    curl -o "${cachefile2}" -Lgsf                                       \