bx509d: Allow requesting longer cert lifetimes

Add a `lifetime=NUMunit` query parameter. Also add a krb5.conf parameter to indicate whether this is allowed. We already have a max lifetime configuration parameter.
2021-03-07 22:20:06 -06:00
parent 00e0475ce2
commit fbb1a4e3ec
7 changed files with 105 additions and 14 deletions
@@ -2835,6 +2835,7 @@ enomem:
 static heim_error_code
 tbs_set_times(hx509_context context,
              const heim_config_binding *cf,
+              heim_log_facility *logf,
              time_t starttime,
              time_t endtime,
              time_t req_life,
@@ -2847,15 +2848,29 @@ tbs_set_times(hx509_context context,
    time_t clamp =
        heim_config_get_time_default(context->hcontext, cf, 0,
                                     "max_cert_lifetime", NULL);
+    int allow_more =
+        heim_config_get_bool_default(context->hcontext, cf, FALSE,
+                                     "allow_extra_lifetime", NULL);
+
+    if (!allow_more && fudge && now + fudge > endtime)
+        allow_more = 1;

    starttime = starttime ?  starttime : now - 5 * 60;
    if (fudge && now + fudge > endtime)
        endtime = now + fudge;
-    if (req_life && req_life < endtime - now)
+    if (req_life > 0 && req_life < endtime - now)
        endtime = now + req_life;
    if (clamp && clamp < endtime - now)
        endtime = now + clamp;

+    if (endtime < now) {
+        heim_log_msg(context->hcontext, logf, 3, NULL,
+                     "Endtime would be in the past");
+        hx509_set_error_string(context, 0, ERANGE,
+                               "Endtime would be in the past");
+        return ERANGE;
+    }
+
    hx509_ca_tbs_set_notAfter(context, tbs, endtime);
    hx509_ca_tbs_set_notBefore(context, tbs, starttime);
    return 0;
@@ -2874,6 +2889,7 @@ _hx509_ca_issue_certificate(hx509_context context,
                            KRB5PrincipalName *cprinc,
                            time_t starttime,
                            time_t endtime,
+                            time_t req_life,
                            int send_chain,
                            hx509_certs *out)
 {
@@ -2995,8 +3011,8 @@ _hx509_ca_issue_certificate(hx509_context context,

    /* Work out cert expiration */
    if (ret == 0)
-        ret = tbs_set_times(context, cf, starttime, endtime,
-                            0 /* XXX req_life */, tbs);
+        ret = tbs_set_times(context, cf, logf, starttime, endtime, req_life,
+                            tbs);

    /* Expand the subjectName template in the TBS using the env */
    if (ret == 0)
@@ -827,9 +827,30 @@ for non-default client and server certificates.
 and where the parameters are as follows:
 .Bl -tag -width "xxx" -offset indent
 .It Li ca = Va file
-Specifies the PEM credentials for the kx509 certification
-authority.  If not specified for any specific use-case, then that
-use-case will be disabled.
+Specifies the PEM credentials for the kx509 / bx509d certification
+authority.
+If not specified for any specific use-case, then that use-case
+will be disabled.
+.It Li max_cert_lifetime = Va NUMunit
+Specifies the maximum certificate lifetime as a decimal number
+and an optional unit (the default unit is
+.Dq day
+).
+.It Li force_cert_lifetime = Va NUMunit
+Specifies a minimum certificate lifetime as a decimal number and
+an optional unit (the default unit is
+.Dq day
+).
+.It Li allow_extra_lifetime = Va boolean
+Indicates whether a client may request longer lifetimes than
+their authentication credentials.
+Defaults to false.
+If a
+.Li force_cert_lifetime
+is specified, then
+.Li allow_extra_lifetime
+is implicitly forced to
+.Va true .
 .It Li require_initial_kca_tickets = Va boolean
 Specified whether to require that tickets for the
 .Li kca_service