Subject: Add PKINIT responder support
The PKINIT preauth mech may need a password to get at the private key of
one or more identities. It should be able to do so via the responder,
and not just the prompter.
From: ghudson@mit.edu
Subject: git commit

Split pkinit_identity_initialize into two phases

Split part of pkinit_identity_initialize() into a second piece named
pkinit_identity_prompt(). Have each piece pass a new boolean flag to
crypto_load_certs() to indicate if it should defer prompting for a
password/PIN for client identities that require one. If the flag isn't
set, then crypto_load_certs() should attempt to use a responder-supplied
value, or call the prompter if there isn't one.

https://github.com/krb5/krb5/commit/60426439f672fe273ceead17910f818da1954c5b
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 60426439f672fe273ceead17910f818da1954c5b
Branch: master
src/plugins/preauth/pkinit/pkinit.h | 10 +++
src/plugins/preauth/pkinit/pkinit_clnt.c | 26 +++++++--
src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +-
src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 3 +-
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 3 +-
src/plugins/preauth/pkinit/pkinit_identity.c | 60 ++++++++++++++++++--
src/plugins/preauth/pkinit/pkinit_srv.c | 7 ++-
7 files changed, 97 insertions(+), 15 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add support for PKINIT deferring identity prompts

Learn to manage a list of deferred identities, for which we want to
prompt for passwords or PINs, in pkinit_identity_crypto_context
structures, along with their associated token flags. These are opaque
outside of pkinit_crypto_openssl and pkinit_crypto_nss, so both
implementations need to provide wrapper functions that can be called
from elsewhere in the module to populate and query the lists.

https://github.com/krb5/krb5/commit/805cd6078b5970750b979bd97b4b9f6147e1fd0d
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 805cd6078b5970750b979bd97b4b9f6147e1fd0d
Branch: master
src/plugins/preauth/pkinit/pkinit.h | 21 ++++
src/plugins/preauth/pkinit/pkinit_crypto.h | 11 ++
src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 40 +++++++
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 38 +++++++
src/plugins/preauth/pkinit/pkinit_crypto_openssl.h | 2 +
src/plugins/preauth/pkinit/pkinit_identity.c | 114 ++++++++++++++++++++
6 files changed, 226 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Pass PKINIT identity prompts to the responder cb

Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.

Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.

Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.

https://github.com/krb5/krb5/commit/e8b63198029c632d097822104d6e17c9a67ef1a5
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: e8b63198029c632d097822104d6e17c9a67ef1a5
Branch: master
src/include/krb5/krb5.hin | 44 ++++++
src/plugins/preauth/pkinit/pkinit.h | 3 +
src/plugins/preauth/pkinit/pkinit_clnt.c | 234 +++++++++++++++++++++++++++---
3 files changed, 262 insertions(+), 19 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Support PKINIT NSS deferred identity prompting

The password callback which we usually supply to NSS already gets a
pointer to the pkinit_identity_crypto_context structure, but it needs to
be passed the name of the identity for which it's being called.

If it gets a name, and it's deferring prompting, just add the identity
to the list of deferred identity prompts (the password callback wouldn't
have been called if its result wasn't needed), and either return NULL
(as an indication that we couldn't get a password) or an empty string (a
value which we know is invalid) if that's handier.

Otherwise, check for a password that's been stashed for its use for that
identity, and return a copy of it if one's found. If none of that
works, try to use the prompter callback to ask for the password.

https://github.com/krb5/krb5/commit/c5bf0caa8abf2b931f5ad258463d706d3cfd5f5b
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: c5bf0caa8abf2b931f5ad258463d706d3cfd5f5b
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 312 +++++++++++++++++++-----
1 files changed, 252 insertions(+), 60 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Support PKINIT OpenSSL deferred identity prompting

Add a password to the set of things that we can pass to a PEM password
callback and the function we use for loading PKCS12 bundles. If we're
meant to defer identity prompts, just store the name of the identity
which we're loading. Otherwise, if we're passed a password, use it.
Otherwise, use the prompter callback.

Add a password to the set of things that we can pass to the function
that we use for logging in to PKCS11 tokens, too, but if we're deferring
identity prompts, just return the identity name without doing anything
else. If not, and we're passed a password, use that. Otherwise, try to
use the prompter callback to get one.

https://github.com/krb5/krb5/commit/a3abb0bf5fade0009c9899624d4b996a4e12a49f
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: a3abb0bf5fade0009c9899624d4b996a4e12a49f
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 214 +++++++++++++++-----
1 files changed, 159 insertions(+), 55 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add non-JSON APIs for PKINIT responder items

Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:

* krb5_responder_pkinit_get_challenge() returns the list of
identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
one of the identities

[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]

https://github.com/krb5/krb5/commit/ce02b69e27bcfa21bcab2ed195dfdbaa8040d773
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: ce02b69e27bcfa21bcab2ed195dfdbaa8040d773
Branch: master
doc/appdev/init_creds.rst | 16 +++
doc/appdev/refs/api/index.rst | 3 +
src/include/krb5/krb5.hin | 59 +++++++++++
src/lib/krb5/krb/Makefile.in | 3 +
src/lib/krb5/krb/deps | 12 ++
src/lib/krb5/krb/preauth_pkinit.c | 204 +++++++++++++++++++++++++++++++++++++
src/lib/krb5/libkrb5.exports | 3 +
src/lib/krb5_32.def | 3 +
8 files changed, 303 insertions(+), 0 deletions(-)
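The three wrappers above sit on top of the JSON-oriented responder API. As an added example that is not krb5 code, here is that exchange handled at the JSON level in Python: the challenge shape (identity to token flags), the flag interpretation, and an answer that refuses locked tokens; the flag bit values and identity syntax are assumed from krb5.hin and the PKINIT documentation, and every identity, path and PIN below is constructed.

```python
"""Added example (not krb5 code): the "pkinit" responder question that
krb5_responder_pkinit_get_challenge()/_set_answer() wrap, at the JSON level.
Challenge: JSON object {identity: token_flags}. Answer: JSON object
{identity: PIN}. Flag values assumed from krb5.hin; sample data constructed."""
import json

# Token flag bits reported for PKCS#11 identities (assumed values from krb5.hin).
TOKEN_USER_PIN_COUNT_LOW = 1 << 0
TOKEN_USER_PIN_FINAL_TRY = 1 << 1
TOKEN_USER_PIN_LOCKED = 1 << 2

# Constructed challenge, as krb5 would pass it to a responder callback.
SAMPLE_CHALLENGE = json.dumps({
    "FILE:/etc/pki/user.crt,/etc/pki/user.key": 0,
    "PKCS11:module_name=/usr/lib/opensc-pkcs11.so:slotid=1":
        TOKEN_USER_PIN_COUNT_LOW | TOKEN_USER_PIN_FINAL_TRY,
    "PKCS11:module_name=/usr/lib/opensc-pkcs11.so:slotid=2": TOKEN_USER_PIN_LOCKED,
})

# Constructed secret store: identity -> password/PIN the responder can supply.
SAMPLE_SECRETS = {
    "FILE:/etc/pki/user.crt,/etc/pki/user.key": "file-passphrase",
    "PKCS11:module_name=/usr/lib/opensc-pkcs11.so:slotid=1": "1234",
    "PKCS11:module_name=/usr/lib/opensc-pkcs11.so:slotid=2": "5678",
}


def parse_challenge(challenge_json):
    """Decode the challenge, enforcing the documented identity -> int shape."""
    obj = json.loads(challenge_json)
    if not isinstance(obj, dict) or not all(
            isinstance(k, str) and isinstance(v, int) for k, v in obj.items()):
        raise ValueError("pkinit challenge must map identity strings to flag ints")
    return obj


def build_answer(challenge_json, secrets):
    """Return (answer_json, notes). Answers identities we hold a secret for,
    refuses locked tokens (a PIN cannot help and may deepen the lockout), and
    records a note for each identity the caller should report to the user."""
    answers, notes = {}, []
    for identity, flags in parse_challenge(challenge_json).items():
        if flags & TOKEN_USER_PIN_LOCKED:
            notes.append((identity, "token locked; not answered"))
        elif identity not in secrets:
            notes.append((identity, "no stored PIN; prompter must handle it"))
        else:
            answers[identity] = secrets[identity]
            if flags & TOKEN_USER_PIN_FINAL_TRY:
                notes.append((identity, "final try before lockout"))
    return json.dumps(answers), notes
```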
From: ghudson@mit.edu
Subject: git commit

Add a helper for testing PKINIT and responder cb

https://github.com/krb5/krb5/commit/e87b20116528dd68299c7cb4783ba68bfe12a5f0
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: e87b20116528dd68299c7cb4783ba68bfe12a5f0
Branch: master
src/tests/Makefile.in | 13 +-
src/tests/deps | 5 +
src/tests/responder.c | 390 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 404 insertions(+), 4 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add tests for PKINIT using responder functionality

We now also test that the PKINIT challenge looks like we expect it to
look, that PKINIT fails if we don't provide a response or a prompter
callback, and that PKINIT succeeds with a response provided using either
the raw responder API or the PKINIT responder functions.

One thing that we don't check is which specific error code we get when
PKINIT fails: the OpenSSL and NSS versions return different error codes
(some mixture of EIO, ENOMEM, ENOENT, and KRB5KDC_ERR_PREAUTH_FAILED)
when they encounter trouble loading client credentials.

https://github.com/krb5/krb5/commit/d3d07c3b2f3710c520af5698c096f124cc90f916
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: d3d07c3b2f3710c520af5698c096f124cc90f916
Branch: master
src/tests/t_authpkinit.py | 160 +++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 160 insertions(+), 0 deletions(-)