764 lines
		
	
	
		
			25 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			764 lines
		
	
	
		
			25 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  * Copyright (c) 2019 Kungliga Tekniska Högskolan
 | |
|  * (Royal Institute of Technology, Stockholm, Sweden).
 | |
|  * All rights reserved.
 | |
|  *
 | |
|  * Redistribution and use in source and binary forms, with or without
 | |
|  * modification, are permitted provided that the following conditions
 | |
|  * are met:
 | |
|  *
 | |
|  * 1. Redistributions of source code must retain the above copyright
 | |
|  *    notice, this list of conditions and the following disclaimer.
 | |
|  *
 | |
|  * 2. Redistributions in binary form must reproduce the above copyright
 | |
|  *    notice, this list of conditions and the following disclaimer in the
 | |
|  *    documentation and/or other materials provided with the distribution.
 | |
|  *
 | |
|  * 3. Neither the name of the Institute nor the names of its contributors
 | |
|  *    may be used to endorse or promote products derived from this software
 | |
|  *    without specific prior written permission.
 | |
|  *
 | |
|  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 | |
|  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 | |
|  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 | |
|  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 | |
|  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 | |
|  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 | |
|  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 | |
|  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 | |
|  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 | |
|  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 | |
|  * SUCH DAMAGE.
 | |
|  */
 | |
| 
 | |
| #include "kdc_locl.h"
 | |
| #include <hex.h>
 | |
| #include <rfc2459_asn1.h>
 | |
| #include <hx509.h>
 | |
| #include <hx509_err.h>
 | |
| 
 | |
| #include <stdarg.h>
 | |
| 
 | |
| /*
 | |
|  * This file implements a singular utility function `kdc_issue_certificate()'
 | |
|  * for certificate issuance for kx509 and bx509, which takes a principal name,
 | |
|  * an `hx509_request' resulting from parsing a CSR and possibly adding
 | |
|  * SAN/EKU/KU extensions, the start/end times of request's authentication
 | |
|  * method, and whether to include a full certificate chain in the result.
 | |
|  */
 | |
| 
 | |
| typedef enum {
 | |
|     CERT_NOTSUP = 0,
 | |
|     CERT_CLIENT = 1,
 | |
|     CERT_SERVER = 2,
 | |
|     CERT_MIXED  = 3
 | |
| } cert_type;
 | |
| 
 | |
| static void
 | |
| frees(char **s)
 | |
| {
 | |
|     free(*s);
 | |
|     *s = NULL;
 | |
| }
 | |
| 
 | |
| static krb5_error_code
 | |
| count_sans(hx509_request req, size_t *n)
 | |
| {
 | |
|     size_t i;
 | |
|     char *s = NULL;
 | |
|     int ret = 0;
 | |
| 
 | |
|     *n = 0;
 | |
|     for (i = 0; ret == 0; i++) {
 | |
|         hx509_san_type san_type;
 | |
| 
 | |
|         frees(&s);
 | |
|         ret = hx509_request_get_san(req, i, &san_type, &s);
 | |
|         if (ret)
 | |
|             break;
 | |
|         switch (san_type) {
 | |
|         case HX509_SAN_TYPE_DNSNAME:
 | |
|         case HX509_SAN_TYPE_EMAIL:
 | |
|         case HX509_SAN_TYPE_XMPP:
 | |
|         case HX509_SAN_TYPE_PKINIT:
 | |
|         case HX509_SAN_TYPE_MS_UPN:
 | |
|             (*n)++;
 | |
|             break;
 | |
|         default:
 | |
|             ret = ENOTSUP;
 | |
|         }
 | |
|         frees(&s);
 | |
|     }
 | |
|     return ret == HX509_NO_ITEM ? 0 : ret;
 | |
| }
 | |
| 
 | |
| static int
 | |
| has_sans(hx509_request req)
 | |
| {
 | |
|     hx509_san_type san_type;
 | |
|     char *s = NULL;
 | |
|     int ret = hx509_request_get_san(req, 0, &san_type, &s);
 | |
| 
 | |
|     frees(&s);
 | |
|     return ret == HX509_NO_ITEM ? 0 : 1;
 | |
| }
 | |
| 
 | |
| static cert_type
 | |
| characterize_cprinc(krb5_context context,
 | |
|                     krb5_principal cprinc)
 | |
| {
 | |
|     unsigned int ncomp = krb5_principal_get_num_comp(context, cprinc);
 | |
|     const char *comp1 = krb5_principal_get_comp_string(context, cprinc, 1);
 | |
| 
 | |
|     switch (ncomp) {
 | |
|     case 1:
 | |
|         return CERT_CLIENT;
 | |
|     case 2:
 | |
|         if (strchr(comp1, '.') == NULL)
 | |
|             return CERT_CLIENT;
 | |
|         return CERT_SERVER;
 | |
|     case 3:
 | |
|         if (strchr(comp1, '.'))
 | |
|             return CERT_SERVER;
 | |
|         return CERT_NOTSUP;
 | |
|     default:
 | |
|         return CERT_NOTSUP;
 | |
|     }
 | |
| }
 | |
| 
 | |
| /* Characterize request as client or server cert req */
 | |
| static cert_type
 | |
| characterize(krb5_context context,
 | |
|              krb5_principal cprinc,
 | |
|              hx509_request req)
 | |
| {
 | |
|     krb5_error_code ret = 0;
 | |
|     cert_type res = CERT_NOTSUP;
 | |
|     size_t i;
 | |
|     char *s = NULL;
 | |
|     int want_ekus = 0;
 | |
| 
 | |
|     if (!has_sans(req))
 | |
|         return characterize_cprinc(context, cprinc);
 | |
| 
 | |
|     for (i = 0; ret == 0; i++) {
 | |
|         heim_oid oid;
 | |
| 
 | |
|         frees(&s);
 | |
|         ret = hx509_request_get_eku(req, i, &s);
 | |
|         if (ret)
 | |
|             break;
 | |
| 
 | |
|         want_ekus = 1;
 | |
|         ret = der_parse_heim_oid(s, ".", &oid);
 | |
|         if (ret)
 | |
|             break;
 | |
|         /*
 | |
|          * If the client wants only a server certificate, then we'll be
 | |
|          * willing to issue one that may be longer-lived than the client's
 | |
|          * ticket/token.
 | |
|          *
 | |
|          * There may be other server EKUs, but these are the ones we know
 | |
|          * of.
 | |
|          */
 | |
|         if (der_heim_oid_cmp(&asn1_oid_id_pkix_kp_serverAuth, &oid) &&
 | |
|             der_heim_oid_cmp(&asn1_oid_id_pkix_kp_OCSPSigning, &oid) &&
 | |
|             der_heim_oid_cmp(&asn1_oid_id_pkix_kp_secureShellServer, &oid))
 | |
|             res |= CERT_CLIENT;
 | |
|         else
 | |
|             res |= CERT_SERVER;
 | |
|         der_free_oid(&oid);
 | |
|     }
 | |
|     frees(&s);
 | |
|     if (ret == HX509_NO_ITEM)
 | |
|         ret = 0;
 | |
| 
 | |
|     for (i = 0; ret == 0; i++) {
 | |
|         hx509_san_type san_type;
 | |
| 
 | |
|         frees(&s);
 | |
|         ret = hx509_request_get_san(req, i, &san_type, &s);
 | |
|         if (ret)
 | |
|             break;
 | |
|         switch (san_type) {
 | |
|         case HX509_SAN_TYPE_DNSNAME:
 | |
|             if (!want_ekus)
 | |
|                 res |= CERT_SERVER;
 | |
|             break;
 | |
|         case HX509_SAN_TYPE_EMAIL:
 | |
|         case HX509_SAN_TYPE_XMPP:
 | |
|         case HX509_SAN_TYPE_PKINIT:
 | |
|         case HX509_SAN_TYPE_MS_UPN:
 | |
|             if (!want_ekus)
 | |
|                 res |= CERT_CLIENT;
 | |
|             break;
 | |
|         default:
 | |
|             ret = ENOTSUP;
 | |
|         }
 | |
|         if (ret)
 | |
|             break;
 | |
|     }
 | |
|     frees(&s);
 | |
|     if (ret == HX509_NO_ITEM)
 | |
|         ret = 0;
 | |
|     return ret ? CERT_NOTSUP : res;
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * Get a configuration sub-tree for kx509 based on what's being requested and
 | |
|  * by whom.
 | |
|  *
 | |
|  * We have a number of cases:
 | |
|  *
 | |
|  *  - default certificate (no CSR used, or no certificate extensions requested)
 | |
|  *     - for client principals
 | |
|  *     - for service principals
 | |
|  *  - client certificate requested (CSR used and client-y SANs/EKUs requested)
 | |
|  *  - server certificate requested (CSR used and server-y SANs/EKUs requested)
 | |
|  *  - mixed client/server certificate requested (...)
 | |
|  */
 | |
| static const krb5_config_binding *
 | |
| get_cf(krb5_context context,
 | |
|        krb5_kdc_configuration *config,
 | |
|        hx509_request req,
 | |
|        krb5_principal cprinc)
 | |
| {
 | |
|     krb5_error_code ret;
 | |
|     const krb5_config_binding *cf = NULL;
 | |
|     unsigned int ncomp = krb5_principal_get_num_comp(context, cprinc);
 | |
|     const char *realm = krb5_principal_get_realm(context, cprinc);
 | |
|     const char *comp0 = krb5_principal_get_comp_string(context, cprinc, 0);
 | |
|     const char *comp1 = krb5_principal_get_comp_string(context, cprinc, 1);
 | |
|     const char *label = NULL;
 | |
|     const char *svc = NULL;
 | |
|     const char *def = NULL;
 | |
|     cert_type certtype = CERT_NOTSUP;
 | |
|     size_t nsans = 0;
 | |
| 
 | |
|     if (ncomp == 0) {
 | |
|         kdc_log(context, config, 5, "Client principal has no components!");
 | |
|         krb5_set_error_message(context, ENOTSUP,
 | |
|                                "Client principal has no components!");
 | |
|         return NULL;
 | |
|     }
 | |
| 
 | |
|     if ((ret = count_sans(req, &nsans)) ||
 | |
|         (certtype = characterize(context, cprinc, req)) == CERT_NOTSUP) {
 | |
|         kdc_log(context, config, 5, "Could not characterize CSR");
 | |
|         krb5_set_error_message(context, ret, "Could not characterize CSR");
 | |
|         return NULL;
 | |
|     }
 | |
| 
 | |
|     if (nsans) {
 | |
|         def = "custom";
 | |
|         /* Client requested some certificate extension, a SAN or EKU */
 | |
|         switch (certtype) {
 | |
|         case CERT_MIXED:    label = "mixed";  break;
 | |
|         case CERT_CLIENT:   label = "client"; break;
 | |
|         case CERT_SERVER:   label = "server"; break;
 | |
|         default:            return NULL;
 | |
|         }
 | |
|     } else {
 | |
|         def = "default";
 | |
|         /* Default certificate desired */
 | |
|         if (ncomp == 1) {
 | |
|             label = "user";
 | |
|         } else if (ncomp == 2 && strcmp(comp1, "root") == 0) {
 | |
|             label = "root_user";
 | |
|         } else if (ncomp == 2 && strcmp(comp1, "admin") == 0) {
 | |
|             label = "admin_user";
 | |
|         } else if (strchr(comp1, '.')) {
 | |
|             label = "hostbased_service";
 | |
|             svc = comp0;
 | |
|         } else {
 | |
|             label = "other";
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     if (strcmp(config->app, "kdc") == 0)
 | |
|         cf = krb5_config_get_list(context, NULL, config->app, "realms", realm,
 | |
|                                   "kx509", label, svc, NULL);
 | |
|     else
 | |
|         cf = krb5_config_get_list(context, NULL, config->app, "realms", realm,
 | |
|                                   label, svc, NULL);
 | |
|     if (cf == NULL) {
 | |
|         kdc_log(context, config, 3,
 | |
|                 "No %s configuration for %s %s certificates [%s] realm "
 | |
|                 "-> %s -> kx509 -> %s%s%s",
 | |
|                 strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509",
 | |
|                 def, label, config->app, realm, label,
 | |
|                 svc ? " -> " : "", svc ? svc : "");
 | |
|         krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
 | |
|                 "No %s configuration for %s %s certificates [%s] realm "
 | |
|                 "-> %s -> kx509 -> %s%s%s",
 | |
|                 strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509",
 | |
|                 def, label, config->app, realm, label,
 | |
|                 svc ? " -> " : "", svc ? svc : "");
 | |
|     }
 | |
|     return cf;
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * Find and set a certificate template using a configuration sub-tree
 | |
|  * appropriate to the requesting principal.
 | |
|  *
 | |
|  * This allows for the specification of the following in configuration:
 | |
|  *
 | |
|  *  - certificates as templates, with ${var} tokens in subjectName attribute
 | |
|  *    values that will be expanded later
 | |
|  *  - a plain string with ${var} tokens to use as the subjectName
 | |
|  *  - EKUs
 | |
|  *  - whether to include a PKINIT SAN
 | |
|  */
 | |
| static krb5_error_code
 | |
| set_template(krb5_context context,
 | |
|              krb5_kdc_configuration *config,
 | |
|              const krb5_config_binding *cf,
 | |
|              hx509_ca_tbs tbs)
 | |
| {
 | |
|     krb5_error_code ret = 0;
 | |
|     const char *cert_template = NULL;
 | |
|     const char *subj_name = NULL;
 | |
|     char **ekus = NULL;
 | |
| 
 | |
|     if (cf == NULL)
 | |
|         return KRB5KDC_ERR_POLICY; /* Can't happen */
 | |
| 
 | |
|     cert_template = krb5_config_get_string(context, cf, "template_cert", NULL);
 | |
|     subj_name = krb5_config_get_string(context, cf, "subject_name", NULL);
 | |
|     ekus = krb5_config_get_strings(context, cf, "ekus", NULL);
 | |
| 
 | |
|     if (cert_template) {
 | |
|         hx509_certs certs;
 | |
|         hx509_cert template;
 | |
| 
 | |
|         ret = hx509_certs_init(context->hx509ctx, cert_template, 0,
 | |
|                                NULL, &certs);
 | |
|         if (ret == 0)
 | |
|             ret = hx509_get_one_cert(context->hx509ctx, certs, &template);
 | |
|         hx509_certs_free(&certs);
 | |
|         if (ret) {
 | |
|             kdc_log(context, config, 1,
 | |
|                     "Failed to load certificate template from %s",
 | |
|                     cert_template);
 | |
|             krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
 | |
|                                    "Failed to load certificate template from "
 | |
|                                    "%s", cert_template);
 | |
|             return ret;
 | |
|         }
 | |
| 
 | |
|         /*
 | |
|          * Only take the subjectName, the keyUsage, and EKUs from the template
 | |
|          * certificate.
 | |
|          */
 | |
|         ret = hx509_ca_tbs_set_template(context->hx509ctx, tbs,
 | |
|                                         HX509_CA_TEMPLATE_SUBJECT |
 | |
|                                         HX509_CA_TEMPLATE_KU |
 | |
|                                         HX509_CA_TEMPLATE_EKU,
 | |
|                                         template);
 | |
|         hx509_cert_free(template);
 | |
|         if (ret)
 | |
|             return ret;
 | |
|     }
 | |
| 
 | |
|     if (subj_name) {
 | |
|         hx509_name dn = NULL;
 | |
| 
 | |
|         ret = hx509_parse_name(context->hx509ctx, subj_name, &dn);
 | |
|         if (ret == 0)
 | |
|             ret = hx509_ca_tbs_set_subject(context->hx509ctx, tbs, dn);
 | |
|         hx509_name_free(&dn);
 | |
|         if (ret)
 | |
|             return ret;
 | |
|     }
 | |
| 
 | |
|     if (cert_template == NULL && subj_name == NULL) {
 | |
|         hx509_name dn = NULL;
 | |
| 
 | |
|         ret = hx509_empty_name(context->hx509ctx, &dn);
 | |
|         if (ret == 0)
 | |
|             ret = hx509_ca_tbs_set_subject(context->hx509ctx, tbs, dn);
 | |
|         hx509_name_free(&dn);
 | |
|         if (ret)
 | |
|             return ret;
 | |
|     }
 | |
| 
 | |
|     if (ekus) {
 | |
|         size_t i;
 | |
| 
 | |
|         for (i = 0; ret == 0 && ekus[i]; i++) {
 | |
|             heim_oid oid = { 0, 0 };
 | |
| 
 | |
|             if ((ret = der_find_or_parse_heim_oid(ekus[i], ".", &oid)) == 0)
 | |
|                 ret = hx509_ca_tbs_add_eku(context->hx509ctx, tbs, &oid);
 | |
|             der_free_oid(&oid);
 | |
|         }
 | |
|         krb5_config_free_strings(ekus);
 | |
|     }
 | |
| 
 | |
|     /*
 | |
|      * XXX A KeyUsage template would be nice, but it needs some smarts to
 | |
|      * remove, e.g., encipherOnly, decipherOnly, keyEncipherment, if the SPKI
 | |
|      * algorithm does not support encryption.  The same logic should be added
 | |
|      * to hx509_ca_tbs_set_template()'s HX509_CA_TEMPLATE_KU functionality.
 | |
|      */
 | |
|     return ret;
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * Find and set a certificate template, set "variables" in `env', and add add
 | |
|  * default SANs/EKUs as appropriate.
 | |
|  *
 | |
|  * TODO:
 | |
|  *  - lookup a template for the client principal in its HDB entry
 | |
|  *  - lookup subjectName, SANs for a principal in its HDB entry
 | |
|  *  - lookup a host-based client principal's HDB entry and add its canonical
 | |
|  *    name / aliases as dNSName SANs
 | |
|  *    (this would have to be if requested by the client, perhaps)
 | |
|  */
 | |
| static krb5_error_code
 | |
| set_tbs(krb5_context context,
 | |
|         krb5_kdc_configuration *config,
 | |
|         const krb5_config_binding *cf,
 | |
|         hx509_request req,
 | |
|         krb5_principal cprinc,
 | |
|         hx509_env *env,
 | |
|         hx509_ca_tbs tbs)
 | |
| {
 | |
|     krb5_error_code ret;
 | |
|     unsigned int ncomp = krb5_principal_get_num_comp(context, cprinc);
 | |
|     const char *realm = krb5_principal_get_realm(context, cprinc);
 | |
|     const char *comp0 = krb5_principal_get_comp_string(context, cprinc, 0);
 | |
|     const char *comp1 = krb5_principal_get_comp_string(context, cprinc, 1);
 | |
|     const char *comp2 = krb5_principal_get_comp_string(context, cprinc, 2);
 | |
|     char *princ_no_realm = NULL;
 | |
|     char *princ = NULL;
 | |
| 
 | |
|     ret = krb5_unparse_name_flags(context, cprinc, 0, &princ);
 | |
|     if (ret == 0)
 | |
|         ret = krb5_unparse_name_flags(context, cprinc,
 | |
|                                       KRB5_PRINCIPAL_UNPARSE_NO_REALM,
 | |
|                                       &princ_no_realm);
 | |
|     if (ret == 0)
 | |
|         ret = hx509_env_add(context->hx509ctx, env,
 | |
|                             "principal-name-without-realm", princ_no_realm);
 | |
|     if (ret == 0)
 | |
|         ret = hx509_env_add(context->hx509ctx, env, "principal-name", princ);
 | |
|     if (ret == 0)
 | |
|         ret = hx509_env_add(context->hx509ctx, env, "principal-name-realm",
 | |
|                             realm);
 | |
| 
 | |
|     /* Populate requested certificate extensions from CSR/CSRPlus if allowed */
 | |
|     ret = hx509_ca_tbs_set_from_csr(context->hx509ctx, tbs, req);
 | |
|     if (ret == 0)
 | |
|         ret = set_template(context, config, cf, tbs);
 | |
| 
 | |
|     /*
 | |
|      * Optionally add PKINIT SAN.
 | |
|      *
 | |
|      * Adding an id-pkinit-san means the client can use the certificate to
 | |
|      * initiate PKINIT.  That might seem odd, but it enables a sort of PKIX
 | |
|      * credential delegation by allowing forwarded Kerberos tickets to be
 | |
|      * used to acquire PKIX credentials.  Thus this can work:
 | |
|      *
 | |
|      *      PKIX (w/ HW token) -> Kerberos ->
 | |
|      *        PKIX (w/ softtoken) -> Kerberos ->
 | |
|      *          PKIX (w/ softtoken) -> Kerberos ->
 | |
|      *            ...
 | |
|      *
 | |
|      * Note that we may not have added the PKINIT EKU -- that depends on the
 | |
|      * template, and host-based service templates might well not include it.
 | |
|      */
 | |
|     if (ret == 0 && !has_sans(req) &&
 | |
|         krb5_config_get_bool_default(context, cf, FALSE, "include_pkinit_san",
 | |
|                                      NULL)) {
 | |
|         ret = hx509_ca_tbs_add_san_pkinit(context->hx509ctx, tbs, princ);
 | |
|     }
 | |
| 
 | |
|     if (ret)
 | |
|         goto out;
 | |
| 
 | |
|     if (ncomp == 1) {
 | |
|         const char *email_domain;
 | |
| 
 | |
|         ret = hx509_env_add(context->hx509ctx, env, "principal-component0",
 | |
|                             princ_no_realm);
 | |
| 
 | |
|         /*
 | |
|          * If configured, include an rfc822Name that's just the client's
 | |
|          * principal name sans realm @ configured email domain.
 | |
|          */
 | |
|         if (ret == 0 && !has_sans(req) &&
 | |
|             (email_domain = krb5_config_get_string(context, cf, "email_domain",
 | |
|                                                    NULL))) {
 | |
|             char *email;
 | |
| 
 | |
|             if (asprintf(&email, "%s@%s", princ_no_realm, email_domain) == -1 ||
 | |
|                 email == NULL)
 | |
|                 goto enomem;
 | |
|             ret = hx509_ca_tbs_add_san_rfc822name(context->hx509ctx, tbs, email);
 | |
|             free(email);
 | |
|         }
 | |
|     } else if (ncomp == 2 || ncomp == 3) {
 | |
|         /*
 | |
|          * 2- and 3-component principal name.
 | |
|          *
 | |
|          * We do not have a reliable name-type indicator.  If the second
 | |
|          * component has a '.' in it then we'll assume that the name is a
 | |
|          * host-based (2-component) or domain-based (3-component) service
 | |
|          * principal name.  Else we'll assume it's a two-component admin-style
 | |
|          * username.
 | |
|          */
 | |
| 
 | |
|         ret = hx509_env_add(context->hx509ctx, env, "principal-component0",
 | |
|                             comp0);
 | |
|         if (ret == 0)
 | |
|             ret = hx509_env_add(context->hx509ctx, env, "principal-component1",
 | |
|                                 comp1);
 | |
|         if (ret == 0 && ncomp == 3)
 | |
|             ret = hx509_env_add(context->hx509ctx, env, "principal-component2",
 | |
|                                 comp2);
 | |
|         if (ret == 0 && strchr(comp1, '.')) {
 | |
|             /* Looks like host-based or domain-based service */
 | |
|             ret = hx509_env_add(context->hx509ctx, env,
 | |
|                                 "principal-service-name", comp0);
 | |
|             if (ret == 0)
 | |
|                 ret = hx509_env_add(context->hx509ctx, env, "principal-host-name", comp1);
 | |
|             if (ret == 0 && ncomp == 3)
 | |
|                 ret = hx509_env_add(context->hx509ctx, env, "principal-domain-name", comp2);
 | |
|             if (ret == 0 && !has_sans(req) &&
 | |
|                 krb5_config_get_bool_default(context, cf, FALSE,
 | |
|                                              "include_dnsname_san", NULL)) {
 | |
|                 ret = hx509_ca_tbs_add_san_hostname(context->hx509ctx, tbs, comp1);
 | |
|             }
 | |
|         }
 | |
|     } else {
 | |
|         kdc_log(context, config, 5, "kx509/bx509 client %s has too many "
 | |
|                 "components!", princ);
 | |
|         krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
 | |
|                                "kx509/bx509 client %s has too many "
 | |
|                                "components!", princ);
 | |
|     }
 | |
| 
 | |
| out:
 | |
|     if (ret == ENOMEM)
 | |
|         goto enomem;
 | |
|     krb5_xfree(princ_no_realm);
 | |
|     krb5_xfree(princ);
 | |
|     return ret;
 | |
| 
 | |
| enomem:
 | |
|     kdc_log(context, config, 0,
 | |
|             "Could not set up TBSCertificate: Out of memory");
 | |
|     ret = krb5_enomem(context);
 | |
|     goto out;
 | |
| }
 | |
| 
 | |
| static krb5_error_code
 | |
| tbs_set_times(krb5_context context,
 | |
|               const krb5_config_binding *cf,
 | |
|               krb5_times *auth_times,
 | |
|               time_t req_life,
 | |
|               hx509_ca_tbs tbs)
 | |
| {
 | |
|     time_t now = time(NULL);
 | |
|     time_t endtime = auth_times->endtime;
 | |
|     time_t starttime = auth_times->starttime ?
 | |
|         auth_times->starttime : now - 5 * 60;
 | |
|     time_t fudge =
 | |
|         krb5_config_get_time_default(context, cf, 5 * 24 * 3600,
 | |
|                                      "force_cert_lifetime", NULL);
 | |
|     time_t clamp =
 | |
|         krb5_config_get_time_default(context, cf, 0, "max_cert_lifetime",
 | |
|                                      NULL);
 | |
| 
 | |
|     if (fudge && now + fudge > endtime)
 | |
|         endtime = now + fudge;
 | |
| 
 | |
|     if (req_life && req_life < endtime - now)
 | |
|         endtime = now + req_life;
 | |
| 
 | |
|     if (clamp && clamp < endtime - now)
 | |
|         endtime = now + clamp;
 | |
| 
 | |
|     hx509_ca_tbs_set_notAfter(context->hx509ctx, tbs, endtime);
 | |
|     hx509_ca_tbs_set_notBefore(context->hx509ctx, tbs, starttime);
 | |
|     return 0;
 | |
| }
 | |
| 
 | |
| /*
 | |
|  * Build a certifate for `principal' and its CSR.
 | |
|  */
 | |
| krb5_error_code
 | |
| kdc_issue_certificate(krb5_context context,
 | |
|                       krb5_kdc_configuration *config,
 | |
|                       hx509_request req,
 | |
|                       krb5_principal cprinc,
 | |
|                       krb5_times *auth_times,
 | |
|                       int send_chain,
 | |
|                       hx509_certs *out)
 | |
| {
 | |
|     const krb5_config_binding *cf;
 | |
|     krb5_error_code ret;
 | |
|     const char *ca;
 | |
|     hx509_ca_tbs tbs = NULL;
 | |
|     hx509_certs chain = NULL;
 | |
|     hx509_cert signer = NULL;
 | |
|     hx509_cert cert = NULL;
 | |
|     hx509_env env = NULL;
 | |
|     KeyUsage ku;
 | |
| 
 | |
|     *out = NULL;
 | |
|     /* Force KU */
 | |
|     ku = int2KeyUsage(0);
 | |
|     ku.digitalSignature = 1;
 | |
|     hx509_request_authorize_ku(req, ku);
 | |
| 
 | |
|     /* Get configuration */
 | |
|     if ((cf = get_cf(context, config, req, cprinc)) == NULL)
 | |
|         return KRB5KDC_ERR_POLICY;
 | |
|     if ((ca = krb5_config_get_string(context, cf, "ca", NULL)) == NULL) {
 | |
|         kdc_log(context, config, 3, "No kx509 CA issuer credential specified");
 | |
|         krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
 | |
|                                "No kx509 CA issuer credential specified");
 | |
|         return ret;
 | |
|     }
 | |
| 
 | |
|     ret = hx509_ca_tbs_init(context->hx509ctx, &tbs);
 | |
|     if (ret) {
 | |
|         kdc_log(context, config, 0,
 | |
|                 "Failed to create certificate: Out of memory");
 | |
|         return ret;
 | |
|     }
 | |
| 
 | |
|     /* Lookup a template and set things in `env' and `tbs' as appropriate */
 | |
|     if (ret == 0)
 | |
|         ret = set_tbs(context, config, cf, req, cprinc, &env, tbs);
 | |
| 
 | |
|     /* Populate generic template "env" variables */
 | |
| 
 | |
|     /*
 | |
|      * The `tbs' and `env' are now complete as to naming and EKUs.
 | |
|      *
 | |
|      * We check that the `tbs' is not name-less, after which all remaining
 | |
|      * failures here will not be policy failures.  So we also log the intent to
 | |
|      * issue a certificate now.
 | |
|      */
 | |
|     if (ret == 0 && hx509_name_is_null_p(hx509_ca_tbs_get_name(tbs)) &&
 | |
|         !has_sans(req)) {
 | |
|         kdc_log(context, config, 3,
 | |
|                 "Not issuing certificate because it would have no names");
 | |
|         krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
 | |
|                                "Not issuing certificate because it "
 | |
|                                "would have no names");
 | |
|     }
 | |
|     if (ret)
 | |
|         goto out;
 | |
| 
 | |
|     /*
 | |
|      * Still to be done below:
 | |
|      *
 | |
|      *  - set certificate spki
 | |
|      *  - set certificate validity
 | |
|      *  - expand variables in certificate subject name template
 | |
|      *  - sign certificate
 | |
|      *  - encode certificate and chain
 | |
|      */
 | |
| 
 | |
|     /* Load the issuer certificate and private key */
 | |
|     {
 | |
|         hx509_certs certs;
 | |
|         hx509_query *q;
 | |
| 
 | |
|         ret = hx509_certs_init(context->hx509ctx, ca, 0, NULL, &certs);
 | |
|         if (ret) {
 | |
|             kdc_log(context, config, 1,
 | |
|                     "Failed to load CA certificate and private key %s", ca);
 | |
|             krb5_set_error_message(context, ret, "Failed to load CA "
 | |
|                                    "certificate and private key %s", ca);
 | |
|             goto out;
 | |
|         }
 | |
|         ret = hx509_query_alloc(context->hx509ctx, &q);
 | |
|         if (ret) {
 | |
|             hx509_certs_free(&certs);
 | |
|             goto out;
 | |
|         }
 | |
| 
 | |
|         hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
 | |
|         hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
 | |
| 
 | |
|         ret = hx509_certs_find(context->hx509ctx, certs, q, &signer);
 | |
|         hx509_query_free(context->hx509ctx, q);
 | |
|         hx509_certs_free(&certs);
 | |
|         if (ret) {
 | |
|             kdc_log(context, config, 1,
 | |
|                     "Failed to find a CA certificate in %s", ca);
 | |
|             krb5_set_error_message(context, ret,
 | |
|                                    "Failed to find a CA certificate in %s",
 | |
|                                    ca);
 | |
|             goto out;
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     /* Populate the subject public key in the TBS context */
 | |
|     {
 | |
|         SubjectPublicKeyInfo spki;
 | |
| 
 | |
|         ret = hx509_request_get_SubjectPublicKeyInfo(context->hx509ctx,
 | |
|                                                      req, &spki);
 | |
|         if (ret == 0)
 | |
|             ret = hx509_ca_tbs_set_spki(context->hx509ctx, tbs, &spki);
 | |
|         free_SubjectPublicKeyInfo(&spki);
 | |
|         if (ret)
 | |
|             goto out;
 | |
|     }
 | |
| 
 | |
|     /* Work out cert expiration */
 | |
|     if (ret == 0)
 | |
|         ret = tbs_set_times(context, cf, auth_times, 0 /* XXX req_life */, tbs);
 | |
| 
 | |
|     /* Expand the subjectName template in the TBS using the env */
 | |
|     if (ret == 0)
 | |
|         ret = hx509_ca_tbs_subject_expand(context->hx509ctx, tbs, env);
 | |
|     hx509_env_free(&env);
 | |
| 
 | |
|     /* All done with the TBS, sign/issue the certificate */
 | |
|     ret = hx509_ca_sign(context->hx509ctx, tbs, signer, &cert);
 | |
|     if (ret)
 | |
|         goto out;
 | |
| 
 | |
|     /*
 | |
|      * Gather the certificate and chain into a MEMORY store, being careful not
 | |
|      * to include private keys in the chain.
 | |
|      *
 | |
|      * We could have specified a separate configuration parameter for an hx509
 | |
|      * store meant to have only the chain and no private keys, but expecting
 | |
|      * the full chain in the issuer credential store and copying only the certs
 | |
|      * (but not the private keys) is safer and easier to configure.
 | |
|      */
 | |
|     ret = hx509_certs_init(context->hx509ctx, "MEMORY:certs",
 | |
|                            HX509_CERTS_NO_PRIVATE_KEYS, NULL, out);
 | |
|     if (ret == 0)
 | |
|         ret = hx509_certs_add(context->hx509ctx, *out, cert);
 | |
|     if (ret == 0 && send_chain) {
 | |
|         ret = hx509_certs_init(context->hx509ctx, ca,
 | |
|                                HX509_CERTS_NO_PRIVATE_KEYS, NULL, &chain);
 | |
|         if (ret == 0)
 | |
|             ret = hx509_certs_merge(context->hx509ctx, *out, chain);
 | |
|     }
 | |
| 
 | |
| out:
 | |
|     hx509_certs_free(&chain);
 | |
|     if (env)
 | |
|         hx509_env_free(&env);
 | |
|     if (tbs)
 | |
|         hx509_ca_tbs_free(&tbs);
 | |
|     if (cert)
 | |
|         hx509_cert_free(cert);
 | |
|     if (signer)
 | |
|         hx509_cert_free(signer);
 | |
|     if (ret)
 | |
|         hx509_certs_free(out);
 | |
|     return ret;
 | |
| }
 | 
