bx509d: Allow requesting longer cert lifetimes

Add a `lifetime=NUMunit` query parameter.

Also add a krb5.conf parameter to indicate whether this is allowed.
We already have a max lifetime configuration parameter.
Nicolas Williams
2021-03-07 22:20:06 -06:00
parent 00e0475ce2
commit fbb1a4e3ec
7 changed files with 105 additions and 14 deletions


@@ -104,6 +104,7 @@ kdc_issue_certificate(krb5_context context,
hx509_request req,
krb5_principal cprinc,
krb5_times *auth_times,
time_t req_life,
int send_chain,
hx509_certs *out)
{
@@ -122,7 +123,9 @@ kdc_issue_certificate(krb5_context context,
(const heim_config_binding *)cf,
logf, req, &cprinc2,
auth_times->starttime,
auth_times->endtime, send_chain,
auth_times->endtime,
req_life,
send_chain,
out);
if (ret == EACCES)
ret = KRB5KDC_ERR_POLICY;
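Review bot: The new `req_life` argument is forwarded to the issuing call in the second hunk with no visible range check and no documentation, and per the commit description it originates from a client-supplied `lifetime=` query parameter. `time_t` is signed on most platforms, so a negative or very large value would reach the callee unchanged. Whether the callee rejects such values and clamps the result against the configured max lifetime and `auth_times->endtime` is not visible here and should be confirmed. I would document the contract at the parameter, for example `/* req_life: client-requested lifetime, 0 = none requested; untrusted, must be clamped by policy */` (the unit and the 0 sentinel are assumptions to confirm). Both the function body and the call it feeds start or end outside these hunks.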