Add PKINIT KDC support for freshness token
Send a freshness token in the preauth hint list if PKINIT is
configured and the request padata indicates support. Verify the
freshness token if the client includes one in a PKINIT request, and
log whether one was received. If pkinit_require_freshness is set to
true in the realm config, reject non-anonymous requests which don't
contain a freshness token.
Add freshness token tests to t_pkinit.py with some related changes.
Remove client long-term keys after testing password preauth so we get
better error reporting when pkinit_require_freshness is set and a
token is not sent. Remove ./responder invocations for test cases
which don't ask PKINIT responder questions, or else the responder
would fail now that it isn't being asked for the password. Leave
anonymous PKINIT enabled after the anonymous tests so that we can use
it again when testing enforcement of pkinit_require_freshness. Add
expected trace messages for the basic test, including one for
receiving a freshness token. Add minimal expected trace messages for
the RSA test.
https://github.com/krb5/krb5/commit/4a9050df0bc34bfb08ba24462d6e2514640f4b8e
Author: Greg Hudson <ghudson@mit.edu>
Commit: 4a9050df0bc34bfb08ba24462d6e2514640f4b8e
Branch: master
doc/admin/conf_files/kdc_conf.rst | 4 +
doc/admin/pkinit.rst | 25 ++++++
doc/appdev/refs/macros/index.rst | 2 +
doc/formats/freshness_token.rst | 19 +++++
doc/formats/index.rst | 1 +
src/include/krb5/kdcpreauth_plugin.h | 17 ++++
src/include/krb5/krb5.hin | 3 +
src/kdc/do_as_req.c | 2 +
src/kdc/kdc_preauth.c | 130 ++++++++++++++++++++++++++++++-
src/kdc/kdc_util.h | 2 +
src/plugins/preauth/pkinit/pkinit.h | 2 +
src/plugins/preauth/pkinit/pkinit_srv.c | 51 ++++++++++++-
src/tests/t_pkinit.py | 50 +++++++++---
13 files changed, 292 insertions(+), 16 deletions(-)
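As an added illustration (not part of this commit or of MIT krb5's own code), the following Python model walks through the KDC-side decisions the message describes: offer a freshness token in the preauth hints only when PKINIT is configured and the client's padata signals support, verify a token the client echoes back, and enforce pkinit_require_freshness for non-anonymous requests. The token layout (timestamp plus HMAC under a KDC-local key), the 120-second validity window and the class/method names are assumptions made for this example.

```python
# Model of the KDC freshness-token policy described in the commit message.
# Assumption: token = 8-byte big-endian timestamp || HMAC-SHA256 under a
# KDC-local key. This is an illustrative construction, not MIT krb5's format.
import hashlib
import hmac
import secrets
import struct
import time

TOKEN_WINDOW = 120  # assumed validity window for a token, in seconds


class FreshnessKDC:
    def __init__(self, pkinit_configured=True, require_freshness=False, key=None):
        self.pkinit_configured = pkinit_configured      # PKINIT set up in the realm
        self.require_freshness = require_freshness      # pkinit_require_freshness
        self.key = key or secrets.token_bytes(32)       # KDC-local secret

    def issue_token(self, now=None):
        """Mint a token binding the current KDC time to the KDC-local key."""
        ts = int(time.time() if now is None else now)
        body = struct.pack(">Q", ts)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def preauth_hints(self, client_supports_freshness, now=None):
        """Hint padata the KDC adds; the freshness token only when supported."""
        hints = {}
        if self.pkinit_configured:
            hints["PA-PK-AS-REQ"] = b""
            if client_supports_freshness:
                hints["PA-AS-FRESHNESS"] = self.issue_token(now)
        return hints

    def verify_token(self, token, now=None):
        """Check the MAC, then that the timestamp falls inside the window."""
        if len(token) != 8 + 32:
            return False
        body, mac = token[:8], token[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False
        ts = struct.unpack(">Q", body)[0]
        now = int(time.time() if now is None else now)
        return 0 <= now - ts <= TOKEN_WINDOW

    def check_pkinit_request(self, token, anonymous, now=None):
        """Policy outcome for a PKINIT request: 'ok', 'ok-no-token' or 'rejected'."""
        if token is None:  # log: no freshness token received
            if self.require_freshness and not anonymous:
                return "rejected"  # enforcement applies to non-anonymous requests only
            return "ok-no-token"
        return "ok" if self.verify_token(token, now) else "rejected"
```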