oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

bx509d: Add test of IPC CSR authorizer

Browse Source 
We have a CSR authorizer plugin for calling to an IPC service.

In this commit we add test implementation of such a service.

We also remove the simple_csr_authorizer plugin and fold its
functionality into the new test_csr_authorizer functionality.
This commit is contained in:
Nicolas Williams
2022-11-29 16:17:45 -06:00
committed by Nico Williams
parent f47f15d5b9
commit fd6597614e
11 changed files with 801 additions and 473 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
kdc/Makefile.am
View File

@@ -6,8 +6,9 @@ WFLAGS += $(WFLAGS_ENUM_CONV)
AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) -I$(srcdir)/../lib/krb5
lib_LTLIBRARIES = simple_csr_authorizer.la ipc_csr_authorizer.la \
libkdc.la negotiate_token_validator.la
lib_LTLIBRARIES = ipc_csr_authorizer.la \
negotiate_token_validator.la \
libkdc.la
if HAVE_CJWT
lib_LTLIBRARIES += cjwt_token_validator.la
@@ -97,8 +98,6 @@ endif
negotiate_token_validator_la_SOURCES = negotiate_token_validator.c
negotiate_token_validator_la_LDFLAGS = -module $(LIB_gssapi)
# CSR Authorizer plugins (for kdc/kx509 and bx509d)
simple_csr_authorizer_la_SOURCES = simple_csr_authorizer.c
simple_csr_authorizer_la_LDFLAGS = -module
ipc_csr_authorizer_la_SOURCES = ipc_csr_authorizer.c
ipc_csr_authorizer_la_LDFLAGS = -module \
$(top_builddir)/lib/krb5/libkrb5.la \
@@ -155,7 +154,6 @@ ALL_OBJECTS += $(digest_service_OBJECTS)
ALL_OBJECTS += $(bx509d_OBJECTS)
ALL_OBJECTS += $(httpkadmind_OBJECTS)
ALL_OBJECTS += $(cjwt_token_validator_la_OBJECTS)
ALL_OBJECTS += $(simple_csr_authorizer_la_OBJECTS)
ALL_OBJECTS += $(test_token_validator_OBJECTS)
ALL_OBJECTS += $(test_csr_authorizer_OBJECTS)
ALL_OBJECTS += $(test_kdc_ca_OBJECTS)
@@ -237,7 +235,12 @@ digest_service_LDADD = \
kdc_replay_LDADD = libkdc.la $(LDADD) $(LIB_pidfile)
kdc_tester_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) $(LIB_heimbase)
test_token_validator_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) $(LIB_heimbase) $(LIB_gssapi)
test_csr_authorizer_LDADD = libkdc.la $(top_builddir)/lib/hx509/libhx509.la $(LDADD) $(LIB_pidfile) $(LIB_heimbase)
test_csr_authorizer_LDADD = libkdc.la \
$(top_builddir)/lib/hx509/libhx509.la \
$(LDADD) \
$(LIB_pidfile) \
$(LIB_heimbase) \
$(top_builddir)/lib/ipc/libheim-ipcs.la
test_kdc_ca_LDADD = libkdc.la $(top_builddir)/lib/hx509/libhx509.la $(LDADD) $(LIB_pidfile) $(LIB_heimbase)
include_HEADERS = kdc.h $(srcdir)/kdc-protos.h

17
kdc/ipc_csr_authorizer.c
View File

@@ -503,12 +503,23 @@ authorize(void *ctx,
int do_check = 0;
int piecemeal_check_ok = 1;
if ((svc = krb5_config_get_string(context, NULL, app ? app : "kdc",
"ipc_csr_authorizer", "service", NULL))
== NULL)
if ((svc = krb5_config_get_string_default(context, NULL,
"ANY:org.h5l.csr_authorizer",
app ? app : "kdc",
"ipc_csr_authorizer", "service",
NULL)) == NULL)
return KRB5_PLUGIN_NO_HANDLE;
if ((ret = heim_ipc_init_context(svc, &ipc))) {
/*
* If the IPC authorizer is optional, then fallback on whatever is
* next.
*/
if (krb5_config_get_bool_default(context, NULL, FALSE,
app ? app : "kdc",
"ipc_csr_authorizer", "optional",
NULL))
return KRB5_PLUGIN_NO_HANDLE;
krb5_set_error_message(context, ret, "Could not set up IPC client "
"end-point for service %s", svc);
return ret;

343
kdc/simple_csr_authorizer.c
View File

@@ -1,343 +0,0 @@
/*
* Copyright (c) 2019 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* This plugin authorizes requested certificate SANs and EKUs by checking for
* existence of files of the form:
*
*
* /<path>/<princ>/<ext>-<value>
*
* where <path> is the value of:
*
* [kdc] simple_csr_authorizer_directory = PATH
*
* <princ> is a requesting client principal name with all characters other than
* alphanumeric, '-', '_', and non-leading '.' URL-encoded.
*
* <ext> is one of:
*
* - pkinit (SAN)
* - xmpp (SAN)
* - email (SAN)
* - ms-upn (SAN)
* - dnsname (SAN)
* - eku (EKU OID)
*
* and <value> is a display form of the SAN or EKU OID, with SANs URL-encoded
* just like principal names (see above).
*
* OIDs are of the form "1.2.3.4.5".
*
* Only digitalSignature and nonRepudiation key usage values are permitted.
*/
#define _GNU_SOURCE 1
#include <sys/types.h>
#include <sys/stat.h>
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <roken.h>
#include <krb5.h>
#include <hx509.h>
#include <kdc.h>
#include <common_plugin.h>
#include <csr_authorizer_plugin.h>
/*
* string_encode_sz() and string_encode() encode a string to be safe for use as
* a file name. They function very much like URL encoders, but '~' also gets
* encoded, and '@', '-', '_', and non-leading '.' do not.
*
* A corresponding decoder is not needed.
*/
static size_t
string_encode_sz(const char *in)
{
size_t sz = strlen(in);
int first = 1;
while (*in) {
char c = *(in++);
switch (c) {
case '@':
case '-':
case '_':
break;
case '.':
if (first)
sz += 2;
break;
default:
if (!isalnum(c))
sz += 2;
}
first = 0;
}
return sz;
}
static char *
string_encode(const char *in)
{
size_t len = strlen(in);
size_t sz = string_encode_sz(in);
size_t i, k;
char *s;
int first = 1;
if ((s = malloc(sz + 1)) == NULL)
return NULL;
s[sz] = '\0';
for (i = k = 0; i < len; i++, first = 0) {
unsigned char c = ((const unsigned char *)in)[i];
switch (c) {
case '@':
case '-':
case '_':
s[k++] = c;
break;
case '.':
if (first) {
s[k++] = '%';
s[k++] = "0123456789abcdef"[(c&0xff)>>4];
s[k++] = "0123456789abcdef"[(c&0x0f)];
} else {
s[k++] = c;
}
break;
default:
if (isalnum(c)) {
s[k++] = c;
} else {
s[k++] = '%';
s[k++] = "0123456789abcdef"[(c&0xff)>>4];
s[k++] = "0123456789abcdef"[(c&0x0f)];
}
}
}
return s;
}
static void
frees(char **s)
{
free(*s);
*s = NULL;
}
static KRB5_LIB_CALL krb5_error_code
authorize(void *ctx,
krb5_context context,
const char *app,
hx509_request csr,
krb5_const_principal client,
krb5_boolean *result)
{
krb5_error_code ret;
hx509_context hx509ctx = NULL;
KeyUsage ku;
const char *d;
size_t i;
char *princ = NULL;
char *s = NULL;
if ((d = krb5_config_get_string(context, NULL, app ? app : "kdc",
"simple_csr_authorizer_directory",
NULL)) == NULL)
return KRB5_PLUGIN_NO_HANDLE;
if ((ret = hx509_context_init(&hx509ctx)))
return ret;
if ((ret = krb5_unparse_name(context, client, &princ)))
goto out;
s = string_encode(princ);
free(princ);
princ = NULL;
if (s == NULL)
goto enomem;
princ = s;
s = NULL;
for (i = 0; ret == 0; i++) {
hx509_san_type san_type;
struct stat st;
const char *prefix;
char *san;
char *p;
ret = hx509_request_get_san(csr, i, &san_type, &s);
if (ret)
break;
switch (san_type) {
case HX509_SAN_TYPE_EMAIL:
prefix = "email";
break;
case HX509_SAN_TYPE_DNSNAME:
prefix = "dnsname";
break;
case HX509_SAN_TYPE_XMPP:
prefix = "xmpp";
break;
case HX509_SAN_TYPE_PKINIT:
prefix = "pkinit";
break;
case HX509_SAN_TYPE_MS_UPN:
prefix = "ms-upn";
break;
default:
ret = ENOTSUP;
break;
}
if (ret)
break;
if ((san = string_encode(s)) == NULL ||
asprintf(&p, "%s/%s/%s-%s", d, princ, prefix, san) == -1 ||
p == NULL) {
free(san);
goto enomem;
}
ret = stat(p, &st) == -1 ? errno : 0;
free(san);
free(p);
frees(&s);
if (ret)
goto skip;
ret = hx509_request_authorize_san(csr, i);
}
frees(&s);
if (ret == HX509_NO_ITEM)
ret = 0;
if (ret)
goto out;
for (i = 0; ret == 0; i++) {
struct stat st;
char *p;
ret = hx509_request_get_eku(csr, i, &s);
if (ret)
break;
if (asprintf(&p, "%s/%s/eku-%s", d, princ, s) == -1 || p == NULL)
goto enomem;
ret = stat(p, &st) == -1 ? errno : 0;
free(p);
frees(&s);
if (ret)
goto skip;
ret = hx509_request_authorize_eku(csr, i);
}
if (ret == HX509_NO_ITEM)
ret = 0;
if (ret)
goto out;
ku = int2KeyUsage(0);
ku.digitalSignature = 1;
ku.nonRepudiation = 1;
hx509_request_authorize_ku(csr, ku);
*result = TRUE;
ret = 0;
goto out;
skip:
/* Allow another plugin to get a crack at this */
ret = KRB5_PLUGIN_NO_HANDLE;
goto out;
enomem:
ret = krb5_enomem(context);
goto out;
out:
hx509_context_free(&hx509ctx);
free(princ);
free(s);
return ret;
}
static KRB5_LIB_CALL krb5_error_code
simple_csr_authorizer_init(krb5_context context, void **c)
{
*c = NULL;
return 0;
}
static KRB5_LIB_CALL void
simple_csr_authorizer_fini(void *c)
{
}
static krb5plugin_csr_authorizer_ftable plug_desc =
{ 1, simple_csr_authorizer_init, simple_csr_authorizer_fini, authorize };
static krb5plugin_csr_authorizer_ftable *plugs[] = { &plug_desc };
static uintptr_t
simple_csr_authorizer_get_instance(const char *libname)
{
if (strcmp(libname, "krb5") == 0)
return krb5_get_instance(libname);
if (strcmp(libname, "kdc") == 0)
return kdc_get_instance(libname);
if (strcmp(libname, "hx509") == 0)
return hx509_get_instance(libname);
return 0;
}
krb5_plugin_load_ft kdc_csr_authorizer_plugin_load;
krb5_error_code KRB5_CALLCONV
kdc_csr_authorizer_plugin_load(heim_pcontext context,
krb5_get_instance_func_t *get_instance,
size_t *num_plugins,
krb5_plugin_common_ftable_cp **plugins)
{
*get_instance = simple_csr_authorizer_get_instance;
*num_plugins = sizeof(plugs) / sizeof(plugs[0]);
*plugins = (krb5_plugin_common_ftable_cp *)plugs;
return 0;
}

513
kdc/test_csr_authorizer.c
View File

@@ -1,8 +1,84 @@
/*
* Copyright (c) 2022 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
#include <heim-ipc.h>
/*
* This program implements two things:
*
* - a utility for testing the `kdc_authorize_csr()' function and the plugins
* that uses,
*
* and
*
* - a server for the IPC authorizer.
*
* For the latter, requested certificate SANs and EKUs are authorized by
* checking for existence of files of the form:
*
* /<path>/<princ>/<ext>-<value>
*
* where <path> is given as an option.
*
* <princ> is a requesting client principal name with all characters other than
* alphanumeric, '-', '_', and non-leading '.' URL-encoded.
*
* <ext> is one of:
*
* - pkinit (SAN)
* - xmpp (SAN)
* - email (SAN)
* - ms-upn (SAN)
* - dnsname (SAN)
* - eku (EKU OID)
*
* and <value> is a display form of the SAN or EKU OID, with SANs URL-encoded
* just like principal names (see above).
*
* OIDs are of the form "1.2.3.4.5".
*
* Only digitalSignature and nonRepudiation key usage values are permitted.
*/
static int help_flag;
static int version_flag;
static int daemon_flag;
static int daemon_child_flag = -1;
static int ignore_flag = 0;
static int server_flag = 0;
static const char *app_string = "kdc";
static const char *socket_dir;
static const char *authz_dir;
struct getargs args[] = {
{ "help", 'h', arg_flag, &help_flag,
@@ -11,6 +87,18 @@ struct getargs args[] = {
"Print version", NULL },
{ "app", 'a', arg_string, &app_string,
"App to test (kdc or bx509); default: kdc", "APPNAME" },
{ "socket-dir", 'S', arg_string, &socket_dir,
"IPC socket directory", "DIR" },
{ "authorization-dir", 'A', arg_string, &authz_dir,
"authorization directory", "DIR" },
{ "server", '\0', arg_flag, &server_flag,
"Server mode", NULL },
{ "ignore", 'I', arg_flag, &ignore_flag,
"ignore requests", NULL },
{ "daemon", 'd', arg_flag, &daemon_flag,
"daemonize", NULL },
{ "daemon-child", '\0', arg_flag, &daemon_child_flag,
"internal-use-only option", NULL },
};
size_t num_args = sizeof(args) / sizeof(args[0]);
@@ -19,9 +107,23 @@ usage(int e)
{
arg_printusage(args, num_args, NULL, "PATH-TO-DER-CSR PRINCIPAL");
fprintf(stderr,
"\n\tExercise CSR authorization plugins for a given CSR for a\n"
"\tgiven principal.\n"
"\n\tExample: %s PKCS10:/tmp/csr.der foo@TEST.H5L.SE\n",
"\tExercise CSR authorization plugins for a given CSR for a\n"
"\tgiven principal.\n\n"
"\tServer-mode (--server) looks for files in the \n"
"\t--authorization-dir DIR directory named:\n"
"\n"
"\t\teku=OID\n"
"\t\tsan_pkinit=PRINCIPAL\n"
"\t\tsan_ms_upn=PRINCIPAL\n"
"\t\tsan_dnsname=DOMAINNAME\n"
"\t\tsan_xmpp=JABBER-ID\n"
"\t\tsan_email=EMAIL\n"
"\n"
"\tClient-mode positional arguments are:\n\n"
"\t\tPATH-TO-DER-CSR PRETEND-CLIENT-PRINCIPAL [...]\n\n"
"\twhere {...} are requested features that must be granted\n"
"\tif the request is only partially authorized.\n\n"
"\tClient example:\n\t\t%s PKCS10:/tmp/csr.der foo@TEST.H5L.SE\n",
getprogname());
exit(e);
return e;
@@ -58,6 +160,177 @@ load_plugins(krb5_context context)
#endif
}
static char *string_encode(const char *);
static int stat_authz(const char *, const char *);
static krb5_error_code
authorize(const char *subject, const char *thing)
{
krb5_error_code ret;
char *s = NULL;
s = string_encode(subject);
if (s == NULL)
return ENOMEM;
ret = stat_authz(s, thing);
free(s);
if (ret == ENOENT)
ret = stat_authz(s, "all");
if (ret == ENOENT)
ret = EACCES;
return ret;
}
static void
service(void *ctx,
const heim_octet_string *req,
const heim_icred cred,
heim_ipc_complete complete_cb,
heim_sipc_call complete_cb_data)
{
krb5_error_code ret = 0;
struct rk_strpool *result = NULL;
krb5_data rep;
const char *subject;
char *cmd;
char *next = NULL;
char *res = NULL;
char *tok;
char *s;
int none_granted = 1;
int all_granted = 1;
int first = 1;
/*
* A krb5_context and log facility for logging would be nice, but this is
* all just for testing.
*/
(void)ctx;
cmd = strndup(req->data, req->length);
if (cmd == NULL)
errx(1, "Out of memory");
if (strncmp(cmd, "check ", sizeof("check ") - 1) != 0) {
rep.data = "Invalid request command (must be \"check ...\")";
rep.length = sizeof("Invalid request command (must be \"check ...\")") - 1;
(*complete_cb)(complete_cb_data, EINVAL, &rep);
free(cmd);
return;
}
s = cmd + sizeof("check ") - 1;
subject = tok = strtok_r(s, " ", &next);
s = NULL;
while ((tok = strtok_r(s, " ", &next))) {
int ret2;
ret2 = authorize(subject, tok);
result = rk_strpoolprintf(result, "%s%s:%s",
first ? "" : ",",
tok,
ret2 == 0 ? "granted" : "denied");
if (ret2 == 0)
none_granted = 0;
else
all_granted = 0;
if (ret2 != 0 && ret == 0)
ret = ret2;
first = 0;
}
free(cmd);
if (ret == 0 && all_granted) {
rk_strpoolfree(result);
rep.data = "granted";
rep.length = sizeof("granted") - 1;
(*complete_cb)(complete_cb_data, 0, &rep);
return;
}
if (none_granted && ignore_flag) {
rk_strpoolfree(result);
rep.data = "ignore";
rep.length = sizeof("ignore") - 1;
(*complete_cb)(complete_cb_data, KRB5_PLUGIN_NO_HANDLE, &rep);
return;
}
s = rk_strpoolcollect(result); /* frees `result' */
if (s == NULL) {
rep.data = "denied out-of-memory";
rep.length = sizeof("denied out-of-memory") - 1;
(*complete_cb)(complete_cb_data, KRB5_PLUGIN_NO_HANDLE, &rep);
return;
}
if (asprintf(&res, "denied %s", s) == -1)
errx(1, "Out of memory");
if (res == NULL)
errx(1, "Out of memory");
rep.data = res;
rep.length = strlen(res);
(*complete_cb)(complete_cb_data, ret, &rep);
free(res);
free(s);
}
static char *
make_feature_argument(const char *kind,
hx509_san_type san_type,
const char *value)
{
const char *san_type_str = NULL;
char *s = NULL;
if (strcmp(kind, "san") != 0) {
if (asprintf(&s, "%s=%s", kind, value) == -1 || s == NULL)
errx(1, "Out of memory");
return s;
}
switch (san_type) {
case HX509_SAN_TYPE_EMAIL:
san_type_str = "email";
break;
case HX509_SAN_TYPE_DNSNAME:
san_type_str = "dnsname";
break;
case HX509_SAN_TYPE_DN:
san_type_str = "dn";
break;
case HX509_SAN_TYPE_REGISTERED_ID:
san_type_str = "registered_id";
break;
case HX509_SAN_TYPE_XMPP:
san_type_str = "xmpp";
break;
case HX509_SAN_TYPE_PKINIT:
case HX509_SAN_TYPE_MS_UPN:
san_type_str = "pkinit";
break;
case HX509_SAN_TYPE_DNSSRV:
san_type_str = "dnssrv";
break;
default:
warnx("SAN type not supported");
return "";
}
if (asprintf(&s, "san_%s=%s", san_type_str, value) == -1 || s == NULL)
errx(1, "Out of memory");
return s;
}
int
main(int argc, char **argv)
{
@@ -79,24 +352,143 @@ main(int argc, char **argv)
return 0;
}
argc -= optidx;
argv += optidx;
if (argc != 2)
usage(1);
if ((errno = krb5_init_context(&context)))
err(1, "Could not initialize krb5_context");
if ((ret = krb5_initlog(context, argv0, &logf)) ||
(ret = krb5_addlog_dest(context, logf, "0-5/STDERR")))
krb5_err(context, 1, ret, "Could not set up logging to stderr");
load_plugins(context);
if (server_flag && daemon_flag)
daemon_child_flag = roken_detach_prep(argc, argv, "--daemon-child");
argc -= optidx;
argv += optidx;
if (socket_dir)
setenv("HEIM_IPC_DIR", socket_dir, 1);
if (server_flag) {
const char *svc;
heim_sipc un;
rk_pidfile(NULL);
svc = krb5_config_get_string(context, NULL,
app_string ? app_string : "kdc",
"ipc_csr_authorizer", "service", NULL);
if (svc == NULL)
svc = "org.h5l.csr_authorizer";
/* `service' is our request handler; `argv' is its callback data */
ret = heim_sipc_service_unix(svc, service, NULL, &un);
if (ret)
krb5_err(context, 1, ret,
"Could not setup service on Unix domain socket "
"%s/.heim_%s-socket", socket_dir, svc);
roken_detach_finish(NULL, daemon_child_flag);
/* Enter the IPC event loop */
heim_ipc_main();
return 0;
}
/* Client mode */
if (argc < 2)
usage(1);
/* Parse the given CSR */
if ((ret = hx509_request_parse(context->hx509ctx, argv[0], &csr)))
krb5_err(context, 1, ret, "Could not parse PKCS#10 CSR from %s", argv[0]);
/*
* Parse the client principal that we'll pretend is an authenticated client
* principal.
*/
if ((ret = krb5_parse_name(context, argv[1], &princ)))
krb5_err(context, 1, ret, "Could not parse principal %s", argv[1]);
if ((ret = kdc_authorize_csr(context, app_string, csr, princ)))
krb5_err(context, 1, ret, "Authorization failed");
/* Call the authorizer */
ret = kdc_authorize_csr(context, app_string, csr, princ);
if (ret) {
unsigned n = hx509_request_count_unauthorized(csr);
size_t i, k;
int ret2 = 0;
int good = -1;
/*
* Check partial approval of SANs.
*
* Iterate over the SANs in the request, and for each check if a) it
* was granted, b) it's on the remainder of our argv[].
*/
for (i = 0; ret2 == 0; i++) {
hx509_san_type san_type;
char *feature = NULL;
char *san = NULL;
int granted;
ret2 = hx509_request_get_san(csr, i, &san_type, &san);
if (ret2)
break;
feature = make_feature_argument("san", san_type, san);
granted = hx509_request_san_authorized_p(csr, i);
for (k = 2; k < argc; k++) {
if (strcmp(feature, argv[k]) != 0)
continue;
/* The SAN is on our command line */
if (granted && good == -1)
good = 1;
else if (!granted)
good = 0;
break;
}
hx509_xfree(san);
}
/* Check partial approval of EKUs */
for (i = 0; ret2 == 0; i++) {
char *feature = NULL;
char *eku = NULL;
int granted;
ret2 = hx509_request_get_eku(csr, i, &eku);
if (ret2)
break;
feature = make_feature_argument("eku", 0, eku);
granted = hx509_request_eku_authorized_p(csr, i);
for (k = 2; k < argc; k++) {
if (strcmp(feature, argv[k]) != 0)
continue;
/* The SAN is on our command line */
if (granted && good == -1)
good = 1;
else if (!granted)
good = 0;
break;
}
hx509_xfree(eku);
}
if (good != 1) {
krb5_free_principal(context, princ);
_krb5_unload_plugins(context, "kdc");
hx509_request_free(&csr);
krb5_err(context, 1, ret,
"Authorization failed with %u rejected features", n);
}
}
printf("Authorized!\n");
krb5_free_principal(context, princ);
_krb5_unload_plugins(context, "kdc");
@@ -104,3 +496,102 @@ main(int argc, char **argv)
hx509_request_free(&csr);
return 0;
}
/*
* string_encode_sz() and string_encode() encode a string to be safe for use as
* a file name. They function very much like URL encoders, but '~' also gets
* encoded, and '@', '-', '_', and non-leading '.' do not.
*
* A corresponding decoder is not needed.
*/
static size_t
string_encode_sz(const char *in)
{
size_t sz = strlen(in);
int first = 1;
while (*in) {
char c = *(in++);
switch (c) {
case '@':
case '-':
case '_':
break;
case '.':
if (first)
sz += 2;
break;
default:
if (!isalnum(c))
sz += 2;
}
first = 0;
}
return sz;
}
static char *
string_encode(const char *in)
{
size_t len = strlen(in);
size_t sz = string_encode_sz(in);
size_t i, k;
char *s;
int first = 1;
if ((s = malloc(sz + 1)) == NULL)
return NULL;
s[sz] = '\0';
for (i = k = 0; i < len; i++, first = 0) {
unsigned char c = ((const unsigned char *)in)[i];
switch (c) {
case '@':
case '-':
case '_':
s[k++] = c;
break;
case '.':
if (first) {
s[k++] = '%';
s[k++] = "0123456789abcdef"[(c&0xff)>>4];
s[k++] = "0123456789abcdef"[(c&0x0f)];
} else {
s[k++] = c;
}
break;
default:
if (isalnum(c)) {
s[k++] = c;
} else {
s[k++] = '%';
s[k++] = "0123456789abcdef"[(c&0xff)>>4];
s[k++] = "0123456789abcdef"[(c&0x0f)];
}
}
}
return s;
}
static int
stat_authz(const char *subject,
const char *thing)
{
struct stat st;
char *p = NULL;
int ret;
if (authz_dir == NULL)
return KRB5_PLUGIN_NO_HANDLE;
if (thing)
ret = asprintf(&p, "%s/%s/%s", authz_dir, subject, thing);
else
ret = asprintf(&p, "%s/%s", authz_dir, subject);
if (ret == -1 || p == NULL)
return ENOMEM;
ret = stat(p, &st);
free(p);
return ret == 0 ? 0 : errno;
}