This commit adds a few functions for marking KU, EKUs, and SANs as
authorized, and for getting a count of unsupported certificate
extensions requested, and a count of authorized KU/EKUs/SANs.
The intent is to make it easier to build CSR authorization and CA code
that is robust in the face of future support for certificate extensions
and SAN types not currently supported. An application could parse a
CSR, iterate all KU/EKUs/SANs, check a subject's authorization to them,
mark them authorized where authorized, then check if there are any
remaining unauthorized extensions or unsupported extensions requested.
Ultimately, if a CSR's KU/EKUs/SANs are all authorized, then they can
all be copied to a TBS, and a certificate can be issued.
In 0cc708ba36, we removed the definition of id-ms-client-authentication
without a corresponding removal from lib/asn1/libasn1-exports.def.
Maybe we should generate lib*-exports.def?
This will help programs that need to URL-escape strings.
Also, this changes `do_hvis()` to not fallback on `do_svis()` for chars in
`extra` -- that `do_hvis()` was doing that seems like an oversight. Christos
Zoulas, of NetBSD, agrees. `do_hvis()` still falls back on `do_svis()` for
characters not in the RFC 1808 / 3986 to-be-escaped set *and* characters not in
the `extra` set -- that much seems to have been the intent.
Now that we're using krb5_net_write() with non-blocking sockets in
ipropd_master, we MUST correctly account for partial writes.
Therefore, roken net_write() called from krb5_net_write() now
returns the number of bytes written when the socket error was
EWOULDBLOCK (or EAGAIN).
Also, fix potential issue on Windows, where errno was used instead
of rk_SOCKET_ERRNO whether or not we used _write() or send().
The Verisign and Symantec timestamping services have been shutdown.
Switch to the Digicert service which replaced the Symantec services
as of 31 Oct 2019.
http://timestamp.digicert.com
Change-Id: I365e6c3698b8fc99b18e8d1e5a54ce3519f3c5eb
Most consumers of PEM files don't care about the order in which private
keys and certificates are stored. However, Postfix does care when
multiple EE certs (and chains) are stored in a file, in which case it
requires that private keys come before their certificates.
Refactor and enhance TGT forwarding to allow forwarding of leaf
(destination) TGTs for selected destination realms.
Enhance kinit(1) to renew non-origin realm tickets
Document delegate-destination-tgt
Use the newly implemented _krb5_mk_1cred().
