oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

bx509d: Allow requesting longer cert lifetimes

Browse Source 
Add a `lifetime=NUMunit` query parameter.

Also add a krb5.conf parameter to indicate whether this is allowed.
We already have a max lifetime configuration parameter.
This commit is contained in:
Nicolas Williams
2021-03-07 22:20:06 -06:00
parent 00e0475ce2
commit fbb1a4e3ec
7 changed files with 105 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
kdc/bx509d.c
View File

@@ -117,6 +117,7 @@ typedef struct bx509_request_desc {
struct MHD_Connection *connection;
krb5_times token_times;
time_t req_life;
hx509_request req;
const char *target;
const char *redir;
@@ -667,6 +668,8 @@ bx509_param_cb(void *d,
} else if (strcmp(key, "csr") == 0 && val) {
heim_audit_addkv((heim_svc_req_desc)a->r, 0, "requested_csr", "true");
a->ret = 0; /* Handled upstairs */
} else if (strcmp(key, "lifetime") == 0 && val) {
a->r->req_life = parse_time(val, "day");
} else {
/* Produce error for unknown params */
heim_audit_addkv((heim_svc_req_desc)a->r, 0, "requested_unknown", "true");
@@ -798,7 +801,8 @@ do_CA(struct bx509_request_desc *r, const char *csr)
/* Issue the certificate */
ret = kdc_issue_certificate(r->context, "bx509", logfac, r->req, p,
&r->token_times, 1 /* send_chain */, &certs);
&r->token_times, r->req_life,
1 /* send_chain */, &certs);
krb5_free_principal(r->context, p);
if (ret) {
if (ret == KRB5KDC_ERR_POLICY || ret == EACCES)
@@ -872,6 +876,7 @@ set_req_desc(struct MHD_Connection *connection,
r->cname = NULL;
r->addr = NULL;
r->req = NULL;
r->req_life = 0;
r->kv = heim_array_create();
ci = MHD_get_connection_info(connection,
MHD_CONNECTION_INFO_CLIENT_ADDRESS);
@@ -1268,8 +1273,8 @@ bnegotiate_do_CA(struct bx509_request_desc *r)
/* Issue the certificate */
if (ret == 0)
ret = kdc_issue_certificate(r->context, "bx509", logfac, req, p,
&r->token_times, 1 /* send_chain */,
&certs);
&r->token_times, 0,
1 /* send_chain */, &certs);
krb5_free_principal(r->context, p);
hx509_request_free(&req);
p = NULL;