Commit Graph

1133 Commits

Author SHA1 Message Date
Nicolas Williams
fdc13c4aac Fix switch fallthrough warnings/errors 2020-09-07 22:04:59 -05:00
Nicolas Williams
473e5be741 asn1: Leave comment about great futures 2020-09-07 22:04:59 -05:00
Jeffrey Altman
bc3270cd88 asn1: function ptrs passed as ASN1CALL ptrs must be ASN1CALL
On Windows i386 the asn1 tests would crash due to stack corruption
as a result of functions being executed with the wrong calling
conventions.

Change-Id: Ic4f8b3a05dad36e3db6397fbd9270b98f0a5dfc5
2020-07-13 15:48:06 -04:00
Jeffrey Altman
136abf55b7 asn1: code generators that left bit shift .gt. 31 must use 1ULL
The code generators were shifting "1LU" by (<< 32) and (<< 63) which
are undefined operations for a 32-bit integer.  To ensure the integer
is 64-bit use "1ULL".

Change-Id: I062cae5638139a9fe51563f64b1964f87e2f49e3
2020-07-13 15:48:06 -04:00
Luke Howard
d7138cfbe7 base: make heimqueue.h a shared header
Share heimqueue.h between base and asn1, to avoid duplication of code.
2020-02-04 17:28:35 +11:00
Nicolas Williams
5c7a8f63c7 Fix Windows build 2019-12-11 20:11:02 -06:00
Nicolas Williams
575c67806b Add bx509d 2019-12-04 21:34:44 -06:00
Nicolas Williams
4d4c7078cd kx509: Add desired_life to Kx509CSRPlus 2019-12-04 21:34:37 -06:00
Roland C. Dowdeswell
9265c1ce54 Fix windows build
In 0cc708ba36, we removed the definition of id-ms-client-authentication
without a corresponding removal from lib/asn1/libasn1-exports.def.

Maybe we should generate lib*-exports.def?
2019-11-21 09:56:29 -05:00
Nicolas Williams
a40d4056bd asn1: Add der_find_or_parse_heim_oid() 2019-11-19 23:00:41 -06:00
Nicolas Williams
944eae82cf asn1: Remove alias of id-kp-clientAuth 2019-11-19 23:00:41 -06:00
Nicolas Williams
b54107ee2b asn1: Add more EKU OIDs from RFC7299, OpenSSL 2019-11-02 18:37:13 -05:00
Nicolas Williams
ed1f900cfb asn1: Add some missing OIDs from RFC5280 2019-11-02 18:37:13 -05:00
Nicolas Williams
db35aeb5be asn1: Fix OID resolution bug 2019-11-02 18:37:13 -05:00
Nicolas Williams
dfada0ccad kx509: Add CSR support
This commit adds support for proof of posession to the kx509 protocol by
using PKCS#10 CSRs.

This allows conveyance of extReq CSR attributes requesting desired
Certificate Extensions.
2019-10-09 20:53:30 -05:00
Nicolas Williams
8af2d79d35 hx509: Add missing CSR extension request support
This is necessary in order to add proper support for CSRs in kx509,
where the KDC can examine all requested KUs/EKUs/SANs, check
authorization, and issue a certificate with all those extensions if
authorized.

This is the convention used by OpenSSL, of encoding all the KU, EKUs,
and SANs being requested as Extensions as they would appear in the
TBSCertificate, then putting those in as a single Attribute in the CSR's
Attributes list with attribute OID {id-pkcs-9, 14}.

 - expose all hx509_request_*() functions
 - finish support in hx509_request_parse*() for KU, EKU, and SAN CSR
   attributes
 - finish support in hx509_request_to_pkcs10() for encoding all
   requested KU, EKU, and SAN extensions as a CSR extReq (extension request)
 - add hx509_request_add_*() support for:
    - id-pkinit-san and ms-upn-pkinit-san
    - XMPP (Jabber) SAN
    - registeredID (useless but trivial)
 - add hxtool request-create options for all supported SANs
 - add hxtool request-create options for KeyUsage
 - add hxtool request-create options for ExtKeyUsage
 - add hxtool request-print support for all these things
 - fix bugs in existing id-pkinit-san handling

Possible future improvements

 - add HX509_TRACE env var and support (it would be nice to be able to
   observe why some certificate is rejected, or not matched in a query)
 - add testing that CSR creating and printing round-trip for all KUs,
   EKUs, and SANs
   (probably in tests/kdc/check-pkinit.in)
 - add testing that OpenSSL can print a CSR made by hxtool and
   vice-versa
 - hxtool ca: add KU sanity checking (via hx509_ca_sign() and/or friends)
   (don't allow encrypt for signing-only algs)
   (don't allow encrypt for RSA at all, or for RSA with small e exponents)
 - hxtool request-print: warn about all unknown attributes and
   extensions
 - hxtool ca: MAYBE add support for adding requested extensions from the
   --req=CSR
   ("Maybe" because CA operators should really verify and authorize all
    requested attributes, and should acknowledge that they have, and the
    simplest way to do this is to make them add all the corresponding
    CLI arguments to the hxtool ca command, but too, that is
    error-prone, thus it's not clear yet which approach is best.
    Perhaps interactively prompt for yes/no for each attribute.)
 - add additional SAN types:
    - iPAddress                 (useless?)
    - dNSSrv                    (useful!)
    - directoryName             (useless, but trivial)
    - uniformResourceIdentifier (useful)
 - it would be nice if the ASN.1 compiler could generate print
   functions..., and/or even better, to-JSON functions
 - it would be nice if we had a known-OID db, including the names of the
   types they refer to in certificate extensions, otherName SANs and CSR
   attributes, then we could generate a CSR and certificate printer for
   all known options even when they are not supported by the rest of
   Heimdal
    - and we could also get friendly names for OIDs, and we could
      resolve their arc names
    - longer term, we could also stand to add some ASN.1 information
      object system functionality, just enough to make
      lib/hx509/asn1_print awesome by being able to automatically decode
      all heim_any and OCTET STRING content (better than its current
      --inner option)
2019-10-08 22:20:40 -05:00
Nicolas Williams
6a7e7eace6 Add kx509 client and revamp kx509 service
This commit adds support for kx509 in libkrb5, and revamps the KDC's
kx509 service (fixing bugs, adding features).

Of note is that kx509 is attempted optimistically by the client, with
the certificate and private key stored in the ccache, and optionally in
an external PEM or DER file.

NOTE: We do not optimistically use kx509 in krb5_cc_store_cred() if the
      ccache is a MEMORY ccache so we don't generate a key when
      accepting a GSS context with a delegated credential.

kx509 protocol issues to be fixed in an upcoming commit:

 - no proof of possession (this is mostly not too bad, but we'll want to
   fix it by using CSRs)
 - no algorithm agility (only plain RSA is supported)
 - very limited (no way to request any options in regards to the
   requested cert)
 - error codes are not very useful

Things we're adding in this commit:

 - libkrb5 kx509 client
 - automatic kx509 usage hooked in via krb5_cc_store_cred() of start TGT
 - per-realm templates on the KDC side
 - per-realm issuer certificates
 - send error messages on the KDC side
   (this is essential to avoid client-side timeouts on error)
 - authenticate as many error messages
 - add a protocol probe feature so we can avoid generating a
   keypair if the service is not enabled
   (once we add support for ECC algorithms we won't need this
    anymore; the issue is that RSA keygen is slow)
 - support for different types of client principals, not just username:

    - host-based service and domain-based service, each with its own
      template set per-{realm, service} or per-service

   (the idea is to support issuance of server certificates too, not
    just client/user certs)
 - more complete support for SAN types
 - tests (including that PKINIT->kx509->PKINIT works, which makes it
   possible to have "delegation" of PKIX credentials by just delegating
   Kerberos credentials)
 - document the protocol in lib/krb5/kx509.c

Future work:

 - add option for longer-ticket-lifetime service certs
 - add support for ECDSA, and some day for ed25519 and ed448
 - reuse private key when running kinit
   (this will require rethinking how we trigger optimistic kx509
    usage)
 - HDB lookup for:
    - optional revocation check (not strictly necessary)
    - adding to certificates those SANs listed in HDB
       - hostname aliases (dNSName SANs)
       - rfc822Name (email)
       - XMPP SANs
       - id-pkinit-san (a user could have aliases too)
 - support username wild-card A RRs, ala OSKT/krb5_admin
    i.e., if a host/f.q.d.n principal asks for a certificate for
    some service at some-label.f.q.d.n, then issue it
   (this is not needed at OSKT sites because OSKT already
    supports keying such service principals, which means kx509
    will issue certificates for them, however, it would be nice
    to be able to have this independent of OSKT)
   (a better way to do this would be to integrate more of OSKT
    into Heimdal proper)
 - a kx509 command, or heimtools kx509 subcommand for explicitly
   attempting use of the kx509 protocol (as opposed to implicit, as is
   done in kinit via krb5_cc_store_cred() magic right now)

Issues:

 - optimistically trying kx509 on start realm TGT store -> timeout issues!
    - newer KDCs will return errors because of this commit; older ones
      will not, which causes timouts
    - need a separate timeout setting for kx509 for optimistic case
    - need a [realm] config item and DNS SRV RR lookup for whether a
      realm is expected to support kx509 service
2019-10-08 21:26:50 -05:00
Nicolas Williams
25c493137d asn1: use --sequence=Certificates 2019-10-07 21:32:00 -05:00
Nicolas Williams
038ed5ec31 hx509: check Name RDN attribute size bounds 2019-10-07 21:32:00 -05:00
Nicolas Williams
cb2db14ed1 asn1: support DEFAULTed sequence fields
Prior to this commit the Heimdal ASN.1 compiler supported DEFAULTing
SEQUENCE fields on the encoder side, but not the decoder side, where
ASN1_MISSING_FIELD would inevitably result when fields were defaulted.

This patch adds the missing decode-side support for DEFAULT.
2019-10-07 21:32:00 -05:00
Nicolas Williams
330ced5b9e asn1: add missing symbols on Windows 2019-10-07 21:32:00 -05:00
Nicolas Williams
d657528e91 asn1: work around OpenSSL conflict 2019-10-07 21:32:00 -05:00
Nicolas Williams
5465b2ddec libasn1: Add OID symbol resolution
This commit adds functions for finding OIDs by symbolic name, meaning by
their symbolic names given in the ASN.1 modules that define them.

TBD:

 - Resolve OIDs to names.
 - Support a file in /etc for additional OID resolution.
 - Add support for resolving OID arc names.
2019-10-07 21:32:00 -05:00
Nicolas Williams
6471fcaa54 Move ASN.1 modules from lib/hx509 to lib/asn1
This will help us generate a directory of OIDs from all the ASN.1
modules in lib/asn1, which will then help us create an hx509 API for
resolving OIDs to/from friendly names, which ultimately will help us
make hxtool more user-friendly.
2019-10-07 21:32:00 -05:00
Nicolas Williams
120619dbd0 asn1: use rfc2459.opt 2019-10-07 21:32:00 -05:00
Luke Howard
cf940e15f4 krb5: rename constrained-delegatiom to cname-in-addl-tkt
For consistency with [MS-SFU] rename the constrained-delegation KDC option to
cname-in-addl-tkt (client name in additional ticket).
2019-06-02 14:44:11 +10:00
Daria Phoebe Brashear
c3e2c048c3 tests: generate test_template_asn1-template.c for testing
the rule to generate test_template_asn1-template.c from
test_template_asn1-template.x was missing. add it.
2019-05-15 14:12:28 -04:00
Nicolas Williams
18226819cd ASN.1 compiler: check write errors 2019-01-15 13:21:25 -06:00
Nicolas Williams
a3a8c1e4a4 ASN.1: Support wider bit sets (fix #514) 2019-01-15 13:21:25 -06:00
Jeffrey Altman
dcfcdd00d8 lib/asn1: WIN32 suppress "unreferenced local variable" warning
the code generated by asn1_compile.exe includes a large number
of unreferenced local variables.  The resulting warnings drown
out other potentially more serious warnings.

This change suppresses the C4101 warnings in the generated
source files.

Change-Id: I17642ff427f457c885b1eb0e62436f3bc9057ee1
2019-01-14 06:12:36 -05:00
Nicolas Williams
ffc4ac1d8d Fix warnings in ASN.1 template test 2019-01-02 13:56:04 -05:00
Luke Howard
5180a4ed75 asn1: maximum unsigned INTEGER range is 2^63 (#458)
As ranges are stored as signed 64-bit integers, they will be clamped to 2^63.
Do not use a maximum range of 2^64 in the test suite.
2018-12-20 12:23:13 +11:00
Chris Lamb
946caad7d0 Correct "extention" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from Samba commit afa9bb4ac55d616fe7816e3830bab5e3a51aed7a)
2018-09-10 14:42:18 -04:00
Nicolas Williams
5a13323b68 Fix Appveyor build: lib/asn1 2017-05-26 23:24:30 -04:00
Nicolas Williams
6a0f45c4d7 Use __attribute__ ((__name__)) form
Protect against macros named noreturn and so on.
2017-03-13 18:39:41 -04:00
Nicolas Williams
3e65dfbc32 Fix make dist missing files (#228) 2016-12-15 12:15:56 -06:00
Nicolas Williams
1c81ddf4e2 Round #2 of scan-build warnings cleanup 2016-11-16 17:03:14 -06:00
Viktor Dukhovni
f9749627f0 New test case detects previous template bug 2016-11-09 18:34:24 -05:00
Viktor Dukhovni
9be93ad9ff Fix typo 2016-11-09 11:50:07 -05:00
Viktor Dukhovni
be2527500d Restored check-gen.c inadvertently deleted 2016-11-09 11:40:57 -05:00
Viktor Dukhovni
3d590d651f Reapply incorectly reverted gen_template bugfix
Without this, template memory allocation is incorrect for nested
sequences, which, as luck would have it, breaks tests on NetBSD
(whose malloc seems to give tighter allocations).

This partly undoes:

    commit 060474df16
    Author: Love Hornquist Astrand <lha@h5l.org>
    Date:   Mon Jun 3 21:45:51 2013 -0700

	quel 64bit warnings, fixup implicit encoding for template,
	fix spelling

Restoring changes from:

    commit 5e081aa4a6
    Author: Viktor Dukhovni <viktor@dukhovni.org>
    Date:   Sun May 27 08:07:28 2012 +0000

	Fix ASN.1 template compiler bug and add test cases more
	likely to trip on similar (structure size/type) errors

For example, without the bugfix, the sizeof(...) argument in multiple
generated nested structure templates is wrong, as seen in the bad vs.
good diff:

    --- test_template_asn1-template.c	2016-11-09 08:23:21.000000000 +0000
    +++ test_template_asn1-template.c	2016-11-09 08:23:40.000000000 +0000
    @@ -593,3 +593,3 @@
     const struct asn1_template asn1_TESTImplicit_tag_ti2_26[] = {
    -/* 0 */ { 0, sizeof(struct TESTImplicit), ((void *)1) },
    +/* 0 */ { 0, sizeof(struct TESTImplicit_ti2), ((void *)1) },
     /* 1 */ { A1_TAG_T(ASN1_C_CONTEXT,CONS,127), offsetof(struct TESTImplicit_ti2, foo), asn1_TESTLargeTag_tag_foo_4 }
    @@ -1618,3 +1618,3 @@
     const struct asn1_template asn1_TESTSeqOf2_tag_strings_68[] = {
    -/* 0 */ { 0, sizeof(struct TESTSeqOf2), ((void *)1) },
    +/* 0 */ { 0, sizeof(struct TESTSeqOf2_strings), ((void *)1) },
     /* 1 */ { A1_OP_SEQOF, 0, asn1_TESTSeqOfSeq2_val_tag_string_60 }
    @@ -1679,3 +1679,3 @@
     const struct asn1_template asn1_TESTSeqOf3_tag_strings_71[] = {
    -/* 0 */ { 0, sizeof(struct TESTSeqOf3), ((void *)1) },
    +/* 0 */ { 0, sizeof(struct TESTSeqOf3_strings), ((void *)1) },
     /* 1 */ { A1_OP_SEQOF, 0, asn1_TESTSeqOfSeq2_val_tag_string_60 }
    @@ -1760,3 +1760,3 @@
     const struct asn1_template asn1_TESTSeqOf4_tag_b1_75[] = {
    -/* 0 */ { 0, sizeof(struct TESTSeqOf4), ((void *)1) },
    +/* 0 */ { 0, sizeof(struct TESTSeqOf4_b1), ((void *)1) },
     /* 1 */ { A1_OP_SEQOF, 0, asn1_TESTSeqOf4_seofTstruct_10 }
    @@ -1765,3 +1765,3 @@
     const struct asn1_template asn1_TESTSeqOf4_tag_b1_74[] = {
    -/* 0 */ { 0, sizeof(struct TESTSeqOf4), ((void *)1) },
    +/* 0 */ { 0, sizeof(struct TESTSeqOf4_b1), ((void *)1) },
     /* 1 */ { A1_TAG_T(ASN1_C_UNIV,CONS,UT_Sequence), 0, asn1_TESTSeqOf4_tag_b1_75 }
    @@ -1801,3 +1801,3 @@
     const struct asn1_template asn1_TESTSeqOf4_tag_b2_79[] = {
    -/* 0 */ { 0, sizeof(struct TESTSeqOf4), ((void *)1) },
    +/* 0 */ { 0, sizeof(struct TESTSeqOf4_b2), ((void *)1) },
     /* 1 */ { A1_OP_SEQOF, 0, asn1_TESTSeqOf4_seofTstruct_11 }
    @@ -1842,3 +1842,3 @@
     const struct asn1_template asn1_TESTSeqOf4_tag_b3_84[] = {
    -/* 0 */ { 0, sizeof(struct TESTSeqOf4), ((void *)1) },
    +/* 0 */ { 0, sizeof(struct TESTSeqOf4_b3), ((void *)1) },
     /* 1 */ { A1_OP_SEQOF, 0, asn1_TESTSeqOf4_seofTstruct_12 }
2016-11-09 03:33:34 -05:00
Luke Howard
7b720cf61c krb5: implement draft-ietf-kitten-aes-cts-hmac-sha2-07 2016-10-08 08:17:11 +02:00
Jeffrey Altman
6234073499 add missing principal types
Add the WELLKNOWN and NT-HST-DOMAIN principal types to the nametype
table and asn.1

Change-Id: Ife9c3860f375bac1a06152b0d261c63ec071a763
2016-07-17 00:44:50 -04:00
Viktor Dukhovni
131c8dd30e Export new ASN1 oid symbols and fix build
We added some new OID symbols in libasn1, make them public.

When an older Heimdal is already installed and its libraries don't
have some newly created symbols we run into build or test problems,
if libtool decides to use installed rather than just-built libraries.
This was happening with a few of test programs in libhx509.  Fixed.
2016-05-06 21:09:03 -04:00
Viktor Dukhovni
8078e089f1 Add support for ECDSA w/ SHA-2 signature algs 2016-04-15 10:32:50 -05:00
Nicolas Williams
2b6bc1a7dc asn1_compile: fix null deref bug 2016-02-29 19:13:13 -06:00
Jeffrey Altman
c81572ab5d Windows: Remove *_PA_ClientCanon* from export list
Change 29f6290fe6 removed the
PA_ClientCanon* ASN.1 functionality but failed to remove the generated
symbols from the Windows export list.

Change-Id: I9a46532ed7d8612fbc597dec9848505d4b440e09
2015-09-13 20:34:41 -04:00
Stefan Metzmacher
be63a2914a heimdal:krb5.asn1: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-06-17 17:41:27 -05:00
Nicolas Williams
41524590be fixup coverity 1164099 2015-04-19 14:03:59 -05:00
Nicolas Williams
0e524f3acb coverity 1164099 2015-04-18 23:19:25 -05:00