bx509d: /get-tgt add EKU to authorization check

kdc/bx509d.c

@@ -1672,6 +1672,9 @@ authorize_TGT_REQ(struct bx509_request_desc *r, const char *cname)
         return bad_500(r, ret, "Out of resources");
     heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
                      "requested_krb5PrincipalName", "%s", cname);
+    ret = hx509_request_add_eku(r->context->hx509ctx, r->req,
+                                ASN1_OID_ID_PKEKUOID);
+    if (ret == 0)
         ret = hx509_request_add_pkinit(r->context->hx509ctx, r->req, cname);
     if (ret == 0)
         ret = kdc_authorize_csr(r->context, "get-tgt", r->req, p);

tests/kdc/check-bx509.in

@@ -435,6 +435,7 @@ $klist || { echo "failed to setup kimpersonate credentials"; exit 2; }
 
 echo "Fetch TGT"
 (set -vx; csr_grant pkinit foo@${R} foo@${R})
+(set -vx; csr_grant eku 1.3.6.1.5.2.3.4 foo@${R})
 token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
 if ! (set -vx;
     curl -o "${cachefile2}" -Lgsf                                       \