From: ghudson@mit.edu
Subject: git commit

Add certauth pluggable interface

Add the header include/krb5/certauth_plugin.h, defining a pluggable
interface to control authorization of PKINIT client certificates.

Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and
related PKINIT crypto X.509 helper functions. Add authorize_cert() as
the entry function for certauth plugin module checks called in
pkinit_server_verify_padata(). Modify kdcpreauth_moddata to hold the
list of certauth module handles, and load the modules when the PKINIT
kdcpreauth server plugin is initialized. Change
crypto_retrieve_X509_sans() to return ENOENT when no SAN is found.

Add test modules in plugins/certauth/test. Create t_certauth.py with
basic certauth tests. Add plugin interface documentation in
doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.

[ghudson@mit.edu: simplified code, edited docs]

https://github.com/krb5/krb5/commit/b619ce84470519bea65470be3263cd85fba94f57
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: b619ce84470519bea65470be3263cd85fba94f57
Branch: master
doc/admin/conf_files/krb5_conf.rst | 21 ++
doc/plugindev/certauth.rst | 27 ++
doc/plugindev/index.rst | 1 +
src/Makefile.in | 1 +
src/configure.in | 1 +
src/include/Makefile.in | 1 +
src/include/k5-int.h | 3 +-
src/include/krb5/certauth_plugin.h | 103 ++++++
src/lib/krb5/krb/plugin.c | 3 +-
src/plugins/certauth/test/Makefile.in | 20 ++
src/plugins/certauth/test/certauth_test.exports | 2 +
src/plugins/certauth/test/deps | 14 +
src/plugins/certauth/test/main.c | 209 ++++++++++++
src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 30 ++
src/plugins/preauth/pkinit/pkinit_srv.c | 335 +++++++++++++++++---
src/plugins/preauth/pkinit/pkinit_trace.h | 5 +
src/tests/Makefile.in | 1 +
src/tests/t_certauth.py | 47 +++
19 files changed, 786 insertions(+), 42 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Correct error handling bug in prior commit

In crypto_encode_der_cert(), if the second i2d_X509() invocation
fails, make sure to free the allocated pointer and not the
possibly-modified alias.

https://github.com/krb5/krb5/commit/7fdaef7c3280c86b5df25ae061fb04cc56d8620c
Author: Greg Hudson <ghudson@mit.edu>
Commit: 7fdaef7c3280c86b5df25ae061fb04cc56d8620c
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Avoid repeating typedef in certauth_plugin.h

Repeating an identical typedef is allowed by C11, but not C99 or C89.
Use the underlying structure type in certauth_plugin.h so that it can
safely be included along with kdb.h.

Also constify the name field in the vtable.

https://github.com/krb5/krb5/commit/da47c655f084b511ea1f6142b6f571b5198915b7
Author: Greg Hudson <ghudson@mit.edu>
Commit: da47c655f084b511ea1f6142b6f571b5198915b7
Branch: master
src/include/krb5/certauth_plugin.h | 8 +++++---
src/plugins/certauth/test/main.c | 6 ++++--
src/plugins/preauth/pkinit/pkinit_srv.c | 9 ++++++---
3 files changed, 15 insertions(+), 8 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Use standard comment in certauth plugin header

Each pluggable interface header needs to include some boilerplate text
to make it clear what a module implementor needs to provide. Include
that text in certauth_plugin.h.

https://github.com/krb5/krb5/commit/a96ac7f73b5804a9c34033539a933ec0b64cce11
Author: Greg Hudson <ghudson@mit.edu>
Commit: a96ac7f73b5804a9c34033539a933ec0b64cce11
Branch: master
src/include/krb5/certauth_plugin.h | 29 ++++++++++++++++++++++++++---
1 files changed, 26 insertions(+), 3 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Fix certauth built-in module returns

The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication. Therefore, pkinit_eku_authorize() should return
KRB5_PLUGIN_NO_HANDLE on success, not 0.

The certauth san module should pass if it does not find any SANs of
the types it can match against; the presence of other types of SANs
should not cause it to explicitly deny a certificate. Check for an
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
instead of returning ENOENT from crypto_retrieve_cert_sans() when
there are no SANs at all.

https://github.com/krb5/krb5/commit/07243f85a760fb37f0622d7ff0177db3f19ab025
Author: Greg Hudson <ghudson@mit.edu>
Commit: 07243f85a760fb37f0622d7ff0177db3f19ab025
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 +++++++++-----------
src/plugins/preauth/pkinit/pkinit_srv.c | 14 +++++---
2 files changed, 27 insertions(+), 26 deletions(-)
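
The reasoning in the last commit message, as an added example that is not krb5 code: a small C model of the two built-in modules' verdicts before and after the fix. The verdict enum, the `cert_facts` struct, the denial on a missing EKU, and the combining rule in `authorize()` (any denial rejects, otherwise at least one module must say yes) are assumptions of this model, not taken from the page.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in verdicts for this model. In krb5 "yes" is 0 and "pass" is
 * KRB5_PLUGIN_NO_HANDLE; a denial is modelled here as any other error. */
enum verdict { CA_YES, CA_PASS, CA_DENY };

/* Constructed summary of a client certificate (hypothetical struct). */
struct cert_facts {
    int has_client_eku;    /* carries the PKINIT client EKU */
    int matchable_sans;    /* SANs of types the san module can match */
    int san_names_client;  /* one of them names the requested principal */
};
typedef enum verdict (*module_fn)(const struct cert_facts *);

/* eku module as first committed: success authorizes outright. */
static enum verdict eku_before_fix(const struct cert_facts *c)
{ return c->has_client_eku ? CA_YES : CA_DENY; }
/* eku module after the fix: success only passes to the next module. */
static enum verdict eku_after_fix(const struct cert_facts *c)
{ return c->has_client_eku ? CA_PASS : CA_DENY; }
/* san module after the fix: no matchable SANs is a pass, not a denial. */
static enum verdict san_after_fix(const struct cert_facts *c)
{
    if (c->matchable_sans == 0) return CA_PASS;
    return c->san_names_client ? CA_YES : CA_DENY;
}

/* Assumed combining rule: any denial rejects; otherwise at least one
 * module must say yes. Returns 1 if the certificate is authorized. */
static int authorize(const module_fn *mods, size_t n, const struct cert_facts *c)
{
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        enum verdict v = mods[i](c);
        if (v == CA_DENY) return 0;
        if (v == CA_YES) accepted = 1;
    }
    return accepted;
}

int main(void)
{
    const module_fn before[] = { eku_before_fix, san_after_fix };
    const module_fn after[] = { eku_after_fix, san_after_fix };
    const struct cert_facts eku_only = { 1, 0, 0 }; /* EKU ok, no usable SAN */
    printf("before fix: %d, after fix: %d\n",
           authorize(before, 2, &eku_only), authorize(after, 2, &eku_only));
    return 0;
}
```

With a certificate that has the client EKU but no matchable SAN, the pre-fix module set authorizes it for whichever principal was requested, while the fixed set leaves the decision to some other module.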