This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate:
- a `--pkinit-max-life` to the `hxtool ca` command
- `hx509_ca_tbs_set_pkinit_max_life()`
- `hx509_cert_get_pkinit_max_life()`
- `HX509_CA_TEMPLATE_PKINIT_MAX_LIFE`
There are two extensions. One is an EKU, which if present means that
the maximum ticket lifetime should be derived from the notAfter minus
notBefore. The other is a certificate extension whose value is a
maximum ticket lifetime in seconds. The latter is preferred.
MSFT makes the `q` field of `DomainParameters` OPTIONAL even though it's
actually required. We currently validate DH groups not by validating
that p is a Sophie Germain prime but by checking the proposed group
against a compiled-in list and against a krb5.moduli file, therefore we
don't need q. Besides, for Oakley groups, because p is a Sophie Germain
prime, we'd have q=p/j and j=2, so we can always compute q as needed
(and MIT Kerberos does).
A common complaint about hxtool(1) is that if one fails to add a TYPE:
prefix to a CSR or certificate/private key store names, then hxtool
fails somewhat inscrutably. We can't just fix hx509_certs_init() or
hx509_certs_append() because they default to "MEMORY" so who knows what
might break. Instead we fix all uses of user-provided store names in
hxtool to have a FILE: prefix if no type was given. For CSRs we'll
default to adding the only type prefix supported, "PKCS10".
This adds a KDC configuration parameter that can be used to indicate
that a PKINIT client's certificate's notAfter overrides the client
principal's HDB entry's max_life. This parameter is a relative time
parameter, and it enables this only if set to a non-zero value (defaults
to zero). The value of this parameter caps the max_life inferred from
the certificate.
autoconf-2.70 and newer are more strict with quoting etc. and thus generate
a broken configure file:
configure: 20855: Syntax error: ")" unexpected (expecting "fi")
Gentoo-bug: https://bugs.gentoo.org/776241
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
We need to revisit a lot of code in lib/hx509/, lib/krb5/, and kdc/ now
that the ASN.1 compiler properly handles IMPLICIT tagging. And we
should take advantage of automatic open type handling.
Add a `lifetime=NUMunit` query parameter.
Also add a krb5.conf parameter to indicate whether this is allowed.
We already have a max lifetime configuration parameter.
The TCG EK cert profile says that the context tags in the
TPMSecurityAssertions type are IMPLICIT. The sample EK cert we have
has them as EXPLICIT.
What to do?
