Subject: Implement PKINIT freshness tokens
RFC 8070 specifies PKINIT freshness tokens, which (once required)
prevent a client with temporary access to the client certificate key
from composing AS-REQs for future timestamps and passing them off as
valid later.
From: ghudson@mit.edu
Subject: git commit

Add PKINIT client support for freshness token

Send an empty PA_AS_FRESHNESS padata item in unauthenticated AS
requests to indicate support for RFC 8070. If the KDC includes a
PA_AS_FRESHNESS value in its method data, echo it back in the new
freshnessToken field of pkAuthenticator.

https://github.com/krb5/krb5/commit/085785362e01467cb25c79a90dcebfba9ea019d8
Author: Greg Hudson <ghudson@mit.edu>
Commit: 085785362e01467cb25c79a90dcebfba9ea019d8
Branch: master
doc/user/user_commands/kinit.rst | 3 +++
src/include/k5-int-pkinit.h | 1 +
src/include/krb5/krb5.hin | 1 +
src/lib/krb5/asn.1/asn1_k_encode.c | 5 ++++-
src/lib/krb5/krb/get_in_tkt.c | 12 ++++++++----
src/lib/krb5/krb/init_creds_ctx.h | 2 +-
src/plugins/preauth/pkinit/pkinit.h | 3 +++
src/plugins/preauth/pkinit/pkinit_clnt.c | 19 ++++++++++++++++++-
src/plugins/preauth/pkinit/pkinit_lib.c | 3 +++
src/plugins/preauth/pkinit/pkinit_trace.h | 2 ++
src/tests/asn.1/ktest.c | 4 ++++
src/tests/asn.1/pkinit_encode.out | 2 +-
src/tests/asn.1/pkinit_trval.out | 1 +
13 files changed, 50 insertions(+), 8 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add PKINIT KDC support for freshness token

Send a freshness token in the preauth hint list if PKINIT is
configured and the request padata indicates support. Verify the
freshness token if the client includes one in a PKINIT request, and
log whether one was received. If pkinit_require_freshness is set to
true in the realm config, reject non-anonymous requests which don't
contain a freshness token.

Add freshness token tests to t_pkinit.py with some related changes.
Remove client long-term keys after testing password preauth so we get
better error reporting when pkinit_require_freshness is set and a
token is not sent. Remove ./responder invocations for test cases
which don't ask PKINIT responder questions, or else the responder
would fail now that it isn't being asked for the password. Leave
anonymous PKINIT enabled after the anonymous tests so that we can use
it again when testing enforcement of pkinit_require_freshness. Add
expected trace messages for the basic test, including one for
receiving a freshness token. Add minimal expected trace messages for
the RSA test.

https://github.com/krb5/krb5/commit/4a9050df0bc34bfb08ba24462d6e2514640f4b8e
Author: Greg Hudson <ghudson@mit.edu>
Commit: 4a9050df0bc34bfb08ba24462d6e2514640f4b8e
Branch: master
doc/admin/conf_files/kdc_conf.rst | 4 +
doc/admin/pkinit.rst | 25 ++++++
doc/appdev/refs/macros/index.rst | 2 +
doc/formats/freshness_token.rst | 19 +++++
doc/formats/index.rst | 1 +
src/include/krb5/kdcpreauth_plugin.h | 17 ++++
src/include/krb5/krb5.hin | 3 +
src/kdc/do_as_req.c | 2 +
src/kdc/kdc_preauth.c | 130 ++++++++++++++++++++++++++++++-
src/kdc/kdc_util.h | 2 +
src/plugins/preauth/pkinit/pkinit.h | 2 +
src/plugins/preauth/pkinit/pkinit_srv.c | 51 ++++++++++++-
src/tests/t_pkinit.py | 50 +++++++++---
13 files changed, 292 insertions(+), 16 deletions(-)
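The exchange described by the ticket and the two commit messages, as an added illustration that is not code from krb5 or from the commits above: the client advertises support with an empty PA_AS_FRESHNESS padata item, the KDC returns a token in its preauth hints when PKINIT is configured, the client echoes it in the freshnessToken field of pkAuthenticator, and the KDC verifies the token, rejecting non-anonymous requests without one when pkinit_require_freshness is set. The token layout used here (a big-endian timestamp plus an HMAC under a KDC-only key), the 300-second age limit, and every key and time value are assumptions of this example; the real token format is the one documented in doc/formats/freshness_token.rst in the second commit, and the padata type number 150 is the one RFC 8070 assigns to PA-AS-FRESHNESS.

```python
# Added example (not krb5 code): a minimal model of the RFC 8070 PKINIT
# freshness exchange between a client and a KDC, as described in the ticket.
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

PA_AS_FRESHNESS = 150    # padata type assigned by RFC 8070
MAC_LEN = 32             # HMAC-SHA256 output length
MAX_TOKEN_AGE = 300      # assumed acceptable token age in seconds (not krb5's value)


def kdc_make_freshness_token(kdc_key: bytes, now: int) -> bytes:
    """Opaque token: big-endian timestamp plus HMAC-SHA256 under a KDC-only key.
    Constructed layout for this example; krb5's real layout differs."""
    ts = struct.pack(">I", now)
    return ts + hmac.new(kdc_key, ts, hashlib.sha256).digest()


def kdc_verify_freshness_token(kdc_key: bytes, token: bytes, now: int) -> bool:
    """Accept only a token the KDC minted itself, issued recently and not in the future."""
    if len(token) != 4 + MAC_LEN:
        return False
    ts, mac = token[:4], token[4:]
    if not hmac.compare_digest(mac, hmac.new(kdc_key, ts, hashlib.sha256).digest()):
        return False
    issued = struct.unpack(">I", ts)[0]
    return 0 <= now - issued <= MAX_TOKEN_AGE


@dataclass
class PkAuthenticator:
    ctime: int
    freshness_token: Optional[bytes] = None   # new field introduced by RFC 8070


@dataclass
class AsReq:
    padata: dict = field(default_factory=dict)         # padata-type -> value
    pk_authenticator: Optional[PkAuthenticator] = None
    anonymous: bool = False


def client_unauthenticated_as_req() -> AsReq:
    """Step 1: an empty PA_AS_FRESHNESS item advertises support for freshness tokens."""
    return AsReq(padata={PA_AS_FRESHNESS: b""})


def kdc_preauth_hints(req: AsReq, kdc_key: bytes, now: int, pkinit_configured: bool) -> dict:
    """Step 2: the KDC's method data carries a token only if PKINIT is configured
    and the client advertised support."""
    hints = {}
    if pkinit_configured and PA_AS_FRESHNESS in req.padata:
        hints[PA_AS_FRESHNESS] = kdc_make_freshness_token(kdc_key, now)
    return hints


def client_pkinit_as_req(method_data: dict, now: int) -> AsReq:
    """Step 3: the client echoes the KDC's token in pkAuthenticator.freshnessToken."""
    auth = PkAuthenticator(ctime=now, freshness_token=method_data.get(PA_AS_FRESHNESS))
    return AsReq(pk_authenticator=auth)


def kdc_check_pkinit_request(req: AsReq, kdc_key: bytes, now: int, require_freshness: bool) -> str:
    """Step 4: KDC-side verification and pkinit_require_freshness enforcement."""
    if req.pk_authenticator is None:
        return "rejected: not a PKINIT request"
    token = req.pk_authenticator.freshness_token
    if token is None:
        if require_freshness and not req.anonymous:
            return "rejected: freshness token required"
        return "accepted: no freshness token"
    if not kdc_verify_freshness_token(kdc_key, token, now):
        return "rejected: invalid or stale freshness token"
    return "accepted: freshness token verified"


def run_exchange(kdc_key: bytes, compose_time: int, present_time: int,
                 require_freshness: bool = True, anonymous: bool = False) -> str:
    """Client composes its PKINIT AS-REQ at compose_time; the KDC sees it at present_time."""
    hints = kdc_preauth_hints(client_unauthenticated_as_req(), kdc_key, compose_time, True)
    req = client_pkinit_as_req(hints, compose_time)
    req.anonymous = anonymous
    return kdc_check_pkinit_request(req, kdc_key, present_time, require_freshness)


def run_without_token(kdc_key: bytes, now: int, require_freshness: bool, anonymous: bool = False) -> str:
    """A PKINIT AS-REQ from a client that never echoed a freshness token."""
    req = AsReq(pk_authenticator=PkAuthenticator(ctime=now), anonymous=anonymous)
    return kdc_check_pkinit_request(req, kdc_key, now, require_freshness)


if __name__ == "__main__":
    key = b"constructed-kdc-only-key"      # constructed sample key
    print("fresh request:      ", run_exchange(key, 1000, 1010))
    print("request held 1 hour:", run_exchange(key, 1000, 4600))
    print("no token, required: ", run_without_token(key, 1000, True))
    print("no token, anonymous:", run_without_token(key, 1000, True, anonymous=True))
```

The second scenario is the one the ticket is about: a request composed while the client key was available carries a token bound to the time the KDC issued it, so presenting that request an hour later fails the age check, and a token cannot be minted with the client's own key because the MAC key never leaves the KDC. The anonymous case is exempt from the requirement, matching the commit message.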