Commit Graph

29573 Commits

Author SHA1 Message Date
Nicolas Williams
6f9eb81243 krb5: copy AD from auth_context to Authenticator
If the caller provides authz data in the auth context, then we should
copy it to the Authenticator when making an AP-REQ!
2019-10-08 22:20:40 -05:00
Nicolas Williams
8af2d79d35 hx509: Add missing CSR extension request support
This is necessary in order to add proper support for CSRs in kx509,
where the KDC can examine all requested KUs/EKUs/SANs, check
authorization, and issue a certificate with all those extensions if
authorized.

This is the convention used by OpenSSL, of encoding all the KU, EKUs,
and SANs being requested as Extensions as they would appear in the
TBSCertificate, then putting those in as a single Attribute in the CSR's
Attributes list with attribute OID {id-pkcs-9, 14}.

 - expose all hx509_request_*() functions
 - finish support in hx509_request_parse*() for KU, EKU, and SAN CSR
   attributes
 - finish support in hx509_request_to_pkcs10() for encoding all
   requested KU, EKU, and SAN extensions as a CSR extReq (extension request)
 - add hx509_request_add_*() support for:
    - id-pkinit-san and ms-upn-pkinit-san
    - XMPP (Jabber) SAN
    - registeredID (useless but trivial)
 - add hxtool request-create options for all supported SANs
 - add hxtool request-create options for KeyUsage
 - add hxtool request-create options for ExtKeyUsage
 - add hxtool request-print support for all these things
 - fix bugs in existing id-pkinit-san handling

Possible future improvements

 - add HX509_TRACE env var and support (it would be nice to be able to
   observe why some certificate is rejected, or not matched in a query)
 - add testing that CSR creating and printing round-trip for all KUs,
   EKUs, and SANs
   (probably in tests/kdc/check-pkinit.in)
 - add testing that OpenSSL can print a CSR made by hxtool and
   vice-versa
 - hxtool ca: add KU sanity checking (via hx509_ca_sign() and/or friends)
   (don't allow encrypt for signing-only algs)
   (don't allow encrypt for RSA at all, or for RSA with small e exponents)
 - hxtool request-print: warn about all unknown attributes and
   extensions
 - hxtool ca: MAYBE add support for adding requested extensions from the
   --req=CSR
   ("Maybe" because CA operators should really verify and authorize all
    requested attributes, and should acknowledge that they have, and the
    simplest way to do this is to make them add all the corresponding
    CLI arguments to the hxtool ca command, but too, that is
    error-prone, thus it's not clear yet which approach is best.
    Perhaps interactively prompt for yes/no for each attribute.)
 - add additional SAN types:
    - iPAddress                 (useless?)
    - dNSSrv                    (useful!)
    - directoryName             (useless, but trivial)
    - uniformResourceIdentifier (useful)
 - it would be nice if the ASN.1 compiler could generate print
   functions..., and/or even better, to-JSON functions
 - it would be nice if we had a known-OID db, including the names of the
   types they refer to in certificate extensions, otherName SANs and CSR
   attributes, then we could generate a CSR and certificate printer for
   all known options even when they are not supported by the rest of
   Heimdal
    - and we could also get friendly names for OIDs, and we could
      resolve their arc names
    - longer term, we could also stand to add some ASN.1 information
      object system functionality, just enough to make
      lib/hx509/asn1_print awesome by being able to automatically decode
      all heim_any and OCTET STRING content (better than its current
      --inner option)
2019-10-08 22:20:40 -05:00
Nicolas Williams
6a7e7eace6 Add kx509 client and revamp kx509 service
This commit adds support for kx509 in libkrb5, and revamps the KDC's
kx509 service (fixing bugs, adding features).

Of note is that kx509 is attempted optimistically by the client, with
the certificate and private key stored in the ccache, and optionally in
an external PEM or DER file.

NOTE: We do not optimistically use kx509 in krb5_cc_store_cred() if the
      ccache is a MEMORY ccache so we don't generate a key when
      accepting a GSS context with a delegated credential.

kx509 protocol issues to be fixed in an upcoming commit:

 - no proof of possession (this is mostly not too bad, but we'll want to
   fix it by using CSRs)
 - no algorithm agility (only plain RSA is supported)
 - very limited (no way to request any options in regards to the
   requested cert)
 - error codes are not very useful

Things we're adding in this commit:

 - libkrb5 kx509 client
 - automatic kx509 usage hooked in via krb5_cc_store_cred() of start TGT
 - per-realm templates on the KDC side
 - per-realm issuer certificates
 - send error messages on the KDC side
   (this is essential to avoid client-side timeouts on error)
 - authenticate as many error messages
 - add a protocol probe feature so we can avoid generating a
   keypair if the service is not enabled
   (once we add support for ECC algorithms we won't need this
    anymore; the issue is that RSA keygen is slow)
 - support for different types of client principals, not just username:

    - host-based service and domain-based service, each with its own
      template set per-{realm, service} or per-service

   (the idea is to support issuance of server certificates too, not
    just client/user certs)
 - more complete support for SAN types
 - tests (including that PKINIT->kx509->PKINIT works, which makes it
   possible to have "delegation" of PKIX credentials by just delegating
   Kerberos credentials)
 - document the protocol in lib/krb5/kx509.c

Future work:

 - add option for longer-ticket-lifetime service certs
 - add support for ECDSA, and some day for ed25519 and ed448
 - reuse private key when running kinit
   (this will require rethinking how we trigger optimistic kx509
    usage)
 - HDB lookup for:
    - optional revocation check (not strictly necessary)
    - adding to certificates those SANs listed in HDB
       - hostname aliases (dNSName SANs)
       - rfc822Name (email)
       - XMPP SANs
       - id-pkinit-san (a user could have aliases too)
 - support username wild-card A RRs, ala OSKT/krb5_admin
    i.e., if a host/f.q.d.n principal asks for a certificate for
    some service at some-label.f.q.d.n, then issue it
   (this is not needed at OSKT sites because OSKT already
    supports keying such service principals, which means kx509
    will issue certificates for them, however, it would be nice
    to be able to have this independent of OSKT)
   (a better way to do this would be to integrate more of OSKT
    into Heimdal proper)
 - a kx509 command, or heimtools kx509 subcommand for explicitly
   attempting use of the kx509 protocol (as opposed to implicit, as is
   done in kinit via krb5_cc_store_cred() magic right now)

Issues:

 - optimistically trying kx509 on start realm TGT store -> timeout issues!
    - newer KDCs will return errors because of this commit; older ones
      will not, which causes timeouts
    - need a separate timeout setting for kx509 for optimistic case
    - need a [realm] config item and DNS SRV RR lookup for whether a
      realm is expected to support kx509 service
2019-10-08 21:26:50 -05:00
Nicolas Williams
78cb995e6e krb5: add missing export 2019-10-08 20:58:04 -05:00
Nicolas Williams
d31dd9e00b hx509: make file store writes atomic
Now we'll use mkostemp() and rename() into place to make
hx509_certs_store() atomic for FILE/DER-FILE/PEM-FILE stores.

This is not ideal, as it can leave temp files in place if a process
crashes in between the mkostemp() and the rename into place.

On Linux we'll eventually make use of O_TMPFILE and linkat().  The idea
will be to first create an anonymous, zero-link file in the directory
that will contain the file at the end, write the file, then linkat() the
file into place as a .new file, then rename() the .new into place.  That
will limit the amount of junk that may be left behind to just one file.
(If the linkat() fails, then unlink() the .new and try again.  If the
rename() fails that just means the caller raced with another and the
operation is complete.)

We should really make a lib/roken interface that does this.
2019-10-08 20:58:04 -05:00
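The mkostemp()-then-rename() scheme this commit describes, written out as an added example in C; it is not Heimdal's hx509_certs_store() code, and atomic_store_file() is an assumed name with the sample file contents constructed for illustration:

```c
#define _GNU_SOURCE 1          /* mkostemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Atomically store `len` bytes at `path`, as the commit describes: mkostemp()
 * a temp file beside it (mode 0600), write + fsync, then rename() it over
 * `path`, so readers see the old file or the whole new one, never a torn one.
 * Returns 0, or -1 with errno set and the temp file unlinked; only a crash
 * between mkostemp() and rename() can leave one behind. */
static int atomic_store_file(const char *path, const void *data, size_t len)
{
    const unsigned char *p = data;
    int fd = -1, rc, saved;
    char *tmp = malloc(strlen(path) + sizeof(".XXXXXX"));

    if (tmp == NULL)
        return -1;
    strcpy(tmp, path);
    strcat(tmp, ".XXXXXX");            /* same directory => rename() is atomic */
    /* O_CLOEXEC: the half-written temp file must not leak into children. */
    if ((fd = mkostemp(tmp, O_CLOEXEC)) == -1)
        goto fail;
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w == -1 && errno != EINTR)  /* EINTR: just retry the same chunk */
            goto fail;
        if (w > 0)
            p += w, len -= (size_t)w;
    }
    if (fsync(fd) == -1)               /* data durable before the name is */
        goto fail;
    rc = close(fd);
    fd = -1;                           /* released either way; never close twice */
    if (rc == -1 || rename(tmp, path) == -1)   /* rename() is the atomic step */
        goto fail;
    free(tmp);
    return 0;
fail:
    saved = errno;
    if (fd != -1)
        (void)close(fd);
    (void)unlink(tmp);
    free(tmp);
    errno = saved;
    return -1;
}
```

A crash between mkostemp() and rename() leaves a `<path>.XXXXXX` file behind, which is exactly the limitation the commit notes and the O_TMPFILE/linkat() plan is meant to shrink.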
Nicolas Williams
098f6480e4 krb5: Fix spurious error (debug) msg in keytab 2019-10-07 21:32:00 -05:00
Nicolas Williams
89b076c543 hx509: match docs for hx509_certs_init() 2019-10-07 21:32:00 -05:00
Nicolas Williams
fbacb5f5fe hx509: set errno in hx509_cert_init_data() 2019-10-07 21:32:00 -05:00
Nicolas Williams
25c493137d asn1: use --sequence=Certificates 2019-10-07 21:32:00 -05:00
Nicolas Williams
25dbe28291 hx509: SANs are critical if DN is empty 2019-10-07 21:32:00 -05:00
Nicolas Williams
038ed5ec31 hx509: check Name RDN attribute size bounds 2019-10-07 21:32:00 -05:00
Nicolas Williams
cb2db14ed1 asn1: support DEFAULTed sequence fields
Prior to this commit the Heimdal ASN.1 compiler supported DEFAULTing
SEQUENCE fields on the encoder side, but not the decoder side, where
ASN1_MISSING_FIELD would inevitably result when fields were defaulted.

This patch adds the missing decode-side support for DEFAULT.
2019-10-07 21:32:00 -05:00
Nicolas Williams
330ced5b9e asn1: add missing symbols on Windows 2019-10-07 21:32:00 -05:00
Nicolas Williams
d657528e91 asn1: work around OpenSSL conflict 2019-10-07 21:32:00 -05:00
Nicolas Williams
93e48f8fba hxtool: Add OID symbol resolution 2019-10-07 21:32:00 -05:00
Nicolas Williams
5465b2ddec libasn1: Add OID symbol resolution
This commit adds functions for finding OIDs by symbolic name, meaning by
their symbolic names given in the ASN.1 modules that define them.

TBD:

 - Resolve OIDs to names.
 - Support a file in /etc for additional OID resolution.
 - Add support for resolving OID arc names.
2019-10-07 21:32:00 -05:00
Nicolas Williams
6471fcaa54 Move ASN.1 modules from lib/hx509 to lib/asn1
This will help us generate a directory of OIDs from all the ASN.1
modules in lib/asn1, which will then help us create an hx509 API for
resolving OIDs to/from friendly names, which ultimately will help us
make hxtool more user-friendly.
2019-10-07 21:32:00 -05:00
Nicolas Williams
120619dbd0 asn1: use rfc2459.opt 2019-10-07 21:32:00 -05:00
Viktor Dukhovni
6f2b52bc97 Expose new Heimdal 8 KRB5_PLUGIN_COMMON_SPI_VERSION macro 2019-10-07 20:17:59 -04:00
Viktor Dukhovni
d0211ef475 Refactor send_diffs making it progressive
When a slave is many diffs behind, send these in batches of up to
50, then handle other slaves.

This also implements a fast-path that makes incremental diffs faster
when the log has not rolled over.

Related code cleanup.
2019-10-03 15:52:15 -05:00
Viktor Dukhovni
96fd393d29 Disable Nagle in iprop master and slave 2019-10-03 15:52:15 -05:00
Nicolas Williams
0334472ab5 ipropd-master: use async I/O
If a slave is slow to consume what the master sends it, the master can
block and all iprop operations with it.

With minimal effort we make the master async oriented.
2019-10-03 15:52:15 -05:00
Nicolas Williams
9de1728850 ipropd-slave: don't send I_HAVE in response to AYT
ipropd-master sends AYT messages often as a result of a possibly-
transient error, but if the slave responds to such an AYT with I_HAVE,
then the same code path that failed will be executed on the master, and
if the error wasn't transient then we'll loop hard.  So don't send an
I_HAVE in response to an AYT.
2019-10-03 15:52:15 -05:00
Nicolas Williams
c6d0793e63 Do not recover log in kadm5_get_principal() 2019-10-03 15:52:15 -05:00
Nicolas Williams
afaaf3d89d Add krb5_cc_configured_default_name()
Refactor krb5_cc_set_default_name() by splitting out the part that looks
for a configured default ccache name.  This will allow one to check if a
given ccache is a default ccache for a process ignoring KRB5CCNAME,
which might prove useful in the kx509 client.
2019-10-03 13:09:18 -05:00
Nicolas Williams
375dd8897f klist: partial fix of -v --json
It's still not supported, but at least it generates valid JSON now.

Note that --json w/o -v is functional but has issues, specifically the
rtbl_add_column_entry() does not encode strings properly for output as JSON
strings.  Fixing this will take significantly more effort.  One wonders if it
might not be better to use a proper JSON library instead of the rtbl stuff.
2019-10-03 13:09:18 -05:00
Nicolas Williams
697c6462cf klist: fix verbose printing of config entries 2019-10-03 13:09:18 -05:00
Nicolas Williams
941dfd95a3 pkinit: fix leak in client 2019-10-03 13:09:18 -05:00
Nicolas Williams
37b55e1fdb pkinit: fix memory leak in libkrb5 2019-10-03 13:09:18 -05:00
Nicolas Williams
6deb2a6bae kdc: improve HTTP parsing 2019-10-03 13:09:18 -05:00
Nicolas Williams
fe5c0a907c unparse_principal: reject embedded NULs 2019-10-03 13:09:18 -05:00
Nicolas Williams
621c68abea Improve krb5_cc_remove_cred() test 2019-10-03 13:09:18 -05:00
Nicolas Williams
e163bfd81b Make ccache init atomic 2019-10-03 13:09:18 -05:00
Nicolas Williams
ec84667763 Fix krb5_cc_move() issues
Move init/copy/destroy fallback sequence from fcc_move() to
krb5_cc_move().

Make sure all backends' move() methods call krb5_cc_destroy() on the
source on success (and only on success).

In text_cc make sure that we can find in the destination the cred
stored into the source.
2019-10-03 13:09:18 -05:00
Nicolas Williams
cf16e60f3b Fix off by one in KEYRING krcc_remove_cred() 2019-10-03 13:09:18 -05:00
Nicolas Williams
96d1e80bda roken: add mkostemp() 2019-10-03 13:09:18 -05:00
Nicolas Williams
f31cdc30b2 roken: add rk_memmem() 2019-10-03 13:09:18 -05:00
Nicolas Williams
d3ef0ee743 kdc: fix leaks 2019-10-03 13:09:18 -05:00
Nicolas Williams
75b5c94a62 kdc: fix invalid free at exit time 2019-10-03 13:09:18 -05:00
Nicolas Williams
5e270a8914 Fix missing error checking in lib/krb5/pkinit.c 2019-10-03 13:09:18 -05:00
Nicolas Williams
44677c01ae hxtool print: fix output device bugs 2019-10-03 13:09:18 -05:00
Nicolas Williams
63ccdca137 hx509: _hx509_certs_keys_free() should not require gate 2019-10-03 13:09:18 -05:00
Nicolas Williams
d13f89cb11 hx509: expose hx509_request_parse*() 2019-10-03 13:09:18 -05:00
Nicolas Williams
87eb05df6a hx509: always verify CSR signature 2019-10-03 13:09:18 -05:00
Nicolas Williams
f2776ce841 hx509: make hx509_get_error_string(NULL, ...) work
If hx509_context_init() fails we should still be able to do something
with its return code.
2019-10-03 13:09:18 -05:00
Nicolas Williams
eaebb892b8 hx509: hx509_context_free(&null_var) should work 2019-10-03 13:09:18 -05:00
Nicolas Williams
41fcafd20c hx509: add hx509_certs_destroy() 2019-10-03 13:09:18 -05:00
Nicolas Williams
e4b35ba13f hx509: create files with safe mode_t 2019-10-03 13:09:18 -05:00
Nicolas Williams
5a0d85e423 hx509: Add PKCS#8 private key format option 2019-10-03 13:09:18 -05:00
Nicolas Williams
63116100a8 hx509: do not crash on missing FILE: name 2019-10-03 13:09:18 -05:00