#define KRB5_CONF_REALMS "realms"
#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn"
#define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors"
+#define KRB5_CONF_PKINIT_INDICATOR "pkinit_indicator"
#define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match"
#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits"
#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking"
pkinit_identity_opts *idopts;
char *realmname;
unsigned int realmname_len;
+ char **auth_indicators;
};
typedef struct _pkinit_kdc_context *pkinit_kdc_context;
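Review bot: The new `auth_indicators` member is added without a comment stating its shape or ownership, and later hunks in this commit depend on both: the loops walk it until a NULL entry, the realm fini function frees each entry and then the array, and it is filled from the `pkinit_indicator` relation. A one-line comment on the field would keep that contract next to the declaration: `char **auth_indicators; /* NULL-terminated list from pkinit_indicator; freed with the context */`. The struct's opening is outside the hunk.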
int is_signed = 1;
krb5_pa_data **e_data = NULL;
krb5_kdcpreauth_modreq modreq = NULL;
+ char **sp;
pkiDebug("pkinit_verify_padata: entered!\n");
if (data == NULL || data->length <= 0 || data->contents == NULL) {
break;
}
+ if (is_signed && plgctx->auth_indicators != NULL) {
+ /* Assert configured authentication indicators. */
+ for (sp = plgctx->auth_indicators; *sp != NULL; sp++) {
+ retval = cb->add_auth_indicator(context, rock, *sp);
+ if (retval)
+ goto cleanup;
+ }
+ }
+
/* remember to set the PREAUTH flag in the reply */
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
modreq = (krb5_kdcpreauth_modreq)reqctx;
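Review bot: The `is_signed` condition in the new block is the security-relevant part and the comment does not mention it; a reader can easily mistake it for an optimization and drop it. The guard means indicators are only asserted when the client's PKINIT request was signed, and the test added later in this commit checks that an anonymous PKINIT ticket carries none, so the intent appears to be that an unsigned (anonymous) exchange must not earn the configured indicators. I would expand the comment to `/* Assert configured authentication indicators, but only for signed requests; an anonymous exchange did not authenticate a client certificate. */`, hedging the anonymous wording if the function treats other unsigned cases. The enclosing function starts and ends outside the hunk.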
free(eku_string);
}
+ pkinit_kdcdefault_strings(context, plgctx->realmname,
+ KRB5_CONF_PKINIT_INDICATOR,
+ &plgctx->auth_indicators);
return 0;
errout:
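Review bot: The return value of `pkinit_kdcdefault_strings()` is discarded immediately before `return 0;`, so any failure in reading `pkinit_indicator` silently leaves `auth_indicators` NULL and the KDC issues tickets without the configured indicators. If the helper can report errors other than "relation not present" (an allocation failure, for example), that error should be propagated through the function's existing `errout:` path like the other settings it reads; if a missing relation is the only non-zero outcome, a comment saying so would justify ignoring it, e.g. `/* No pkinit_indicator relation leaves auth_indicators NULL. */`. I cannot see the helper's contract from this hunk, so this is an inference to confirm. The enclosing function starts outside the hunk.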
static void
pkinit_server_plugin_fini_realm(krb5_context context, pkinit_kdc_context plgctx)
{
+ char **sp;
+
if (plgctx == NULL)
return;
pkinit_fini_identity_crypto(plgctx->idctx);
pkinit_fini_plg_crypto(plgctx->cryptoctx);
pkinit_fini_plg_opts(plgctx->opts);
+ for (sp = plgctx->auth_indicators; sp != NULL && *sp != NULL; sp++)
+ free(*sp);
+ free(plgctx->auth_indicators);
free(plgctx->realmname);
free(plgctx);
}
pkinit_kdc_conf = {'realms': {'$realm': {
'default_principal_flags': '+preauth',
'pkinit_eku_checking': 'none',
- 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem)}}}
+ 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
+ 'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
restrictive_kdc_conf = {'realms': {'$realm': {
'restrict_anonymous_to_tgt': 'true' }}}
realm.kinit('@%s' % realm.realm, flags=['-n'])
realm.klist('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS')
realm.run([kvno, realm.host_princ])
+out = realm.run(['./adata', realm.host_princ])
+if '97:' in out:
+ fail('auth indicators seen in anonymous PKINIT ticket')
# Test anonymous kadmin.
f = open(os.path.join(realm.testdir, 'acl'), 'a')
password='encrypted')
realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
+out = realm.run(['./adata', realm.host_princ])
+if '+97: [indpkinit1, indpkinit2]' not in out:
+ fail('auth indicators not seen in PKINIT ticket')
# Run the basic test - PKINIT with FILE: identity, with a password on the key,
# supplied by the responder.