Add certauth pluggable interface

Add the header include/krb5/certauth_plugin.h, defining a pluggable interface to control authorization of PKINIT client certificates. Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and related PKINIT crypto X.509 helper functions. Add authorize_cert() as the entry function for certauth plugin module checks called in pkinit_server_verify_padata(). Modify kdcpreauth_moddata to hold the list of certauth module handles, and load the modules when the PKINIT kdcpreauth server plugin is initialized. Change crypto_retrieve_X509_sans() to return ENOENT when no SAN is found. Add test modules in plugins/certauth/test. Create t_certauth.py with basic certauth tests. Add plugin interface documentation in doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.

[ghudson@mit.edu: simplified code, edited docs]

https://github.com/krb5/krb5/commit/b619ce84470519bea65470be3263cd85fba94f57

Author: Matt Rogers
Committer: Greg Hudson
Commit: b619ce84470519bea65470be3263cd85fba94f57
Branch: master

 doc/admin/conf_files/krb5_conf.rst                 |  21 ++
 doc/plugindev/certauth.rst                         |  27 ++
 doc/plugindev/index.rst                            |   1 +
 src/Makefile.in                                    |   1 +
 src/configure.in                                   |   1 +
 src/include/Makefile.in                            |   1 +
 src/include/k5-int.h                               |   3 +-
 src/include/krb5/certauth_plugin.h                 | 103 ++++++
 src/lib/krb5/krb/plugin.c                          |   3 +-
 src/plugins/certauth/test/Makefile.in              |  20 ++
 src/plugins/certauth/test/certauth_test.exports    |   2 +
 src/plugins/certauth/test/deps                     |  14 +
 src/plugins/certauth/test/main.c                   | 209 ++++++++++++
 src/plugins/preauth/pkinit/pkinit_crypto.h         |   4 +
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |  30 ++
 src/plugins/preauth/pkinit/pkinit_srv.c            | 335 +++++++++++++++++---
 src/plugins/preauth/pkinit/pkinit_trace.h          |   5 +
 src/tests/Makefile.in                              |   1 +
 src/tests/t_certauth.py                            |  47 +++
 19 files changed, 786 insertions(+), 42 deletions(-)