From: ghudson@mit.edu
Subject: git commit
Add certauth pluggable interface
Add the header include/krb5/certauth_plugin.h, defining a pluggable
interface to control authorization of PKINIT client certificates.
Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and
related PKINIT crypto X.509 helper functions. Add authorize_cert() as
the entry function for certauth plugin module checks called in
pkinit_server_verify_padata(). Modify kdcpreauth_moddata to hold the
list of certauth module handles, and load the modules when the PKINIT
kdcpreauth server plugin is initialized. Change
crypto_retrieve_X509_sans() to return ENOENT when no SAN is found.
Add test modules in plugins/certauth/test. Create t_certauth.py with
basic certauth tests. Add plugin interface documentation in
doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.
[ghudson@mit.edu: simplified code, edited docs]
https://github.com/krb5/krb5/commit/b619ce84470519bea65470be3263cd85fba94f57
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: b619ce84470519bea65470be3263cd85fba94f57
Branch: master
doc/admin/conf_files/krb5_conf.rst | 21 ++
doc/plugindev/certauth.rst | 27 ++
doc/plugindev/index.rst | 1 +
src/Makefile.in | 1 +
src/configure.in | 1 +
src/include/Makefile.in | 1 +
src/include/k5-int.h | 3 +-
src/include/krb5/certauth_plugin.h | 103 ++++++
src/lib/krb5/krb/plugin.c | 3 +-
src/plugins/certauth/test/Makefile.in | 20 ++
src/plugins/certauth/test/certauth_test.exports | 2 +
src/plugins/certauth/test/deps | 14 +
src/plugins/certauth/test/main.c | 209 ++++++++++++
src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 30 ++
src/plugins/preauth/pkinit/pkinit_srv.c | 335 +++++++++++++++++---
src/plugins/preauth/pkinit/pkinit_trace.h | 5 +
src/tests/Makefile.in | 1 +
src/tests/t_certauth.py | 47 +++
19 files changed, 786 insertions(+), 42 deletions(-)