is defined in the ``<gssapi/gssapi_krb5.h>`` header. (New in
release 1.17.)
+* **GSS_KRB5_NT_X509_CERT**: The value should be an X.509 certificate
+ encoded according to :rfc:`5280`. This name form can be used for
+ the desired_name parameter of gss_acquire_cred_impersonate_name(),
+ to identify the S4U2Self user by certificate. (New in release
+ 1.19.)
+
Initiator credentials
---------------------
krb5_principal princ; /* immutable */
char *service; /* immutable */
char *host; /* immutable */
+ int is_cert; /* immutable */
k5_mutex_t lock; /* protects ad_context only for now */
krb5_authdata_context ad_context;
} krb5_gss_name_rec, *krb5_gss_name_t;
{GET_CRED_IMPERSONATOR_OID_LENGTH, GET_CRED_IMPERSONATOR_OID},
/* GSS_KRB5_NT_ENTERPRISE_NAME */
{10, "\052\206\110\206\367\022\001\002\002\006"},
+ /* GSS_KRB5_NT_X509_CERT */
+ {10, "\052\206\110\206\367\022\001\002\002\007"},
{ 0, 0 }
};
const gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &kg_oids[7];
const gss_OID GSS_KRB5_GET_CRED_IMPERSONATOR = &kg_oids[8];
const gss_OID GSS_KRB5_NT_ENTERPRISE_NAME = &kg_oids[9];
+const gss_OID GSS_KRB5_NT_X509_CERT = &kg_oids[10];
static const gss_OID_set_desc oidsets[] = {
{1, &kg_oids[0]}, /* RFC OID */
/* {iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
* krb5(2) krb5-enterprise-name(6)}. */
+/* Kerberos X.509 DER-encoded certificate */
+GSS_DLLIMP extern const gss_OID GSS_KRB5_NT_X509_CERT;
+/* {iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5-x509-cert(7)}. */
+
GSS_DLLIMP extern const gss_OID gss_mech_krb5;
GSS_DLLIMP extern const gss_OID gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID gss_mech_krb5_wrong;
#ifndef NO_PASSWORD
struct passwd *pw;
#endif
- int is_composite = 0;
+ int is_composite = 0, is_cert = 0;
krb5_authdata_context ad_context = NULL;
OM_uint32 status = GSS_S_FAILURE;
krb5_gss_name_t name;
&princ);
if (code)
goto cleanup;
+ } else if ((input_name_type != NULL) &&
+ g_OID_equal(input_name_type, GSS_KRB5_NT_X509_CERT)) {
+ code = krb5_build_principal_ext(context, &princ, 0, NULL,
+ input_name_buffer->length,
+ input_name_buffer->value, 0);
+ if (code)
+ goto cleanup;
+ is_cert = 1;
} else {
#ifndef NO_PASSWORD
uid_t uid;
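Review bot: The certificate length reaches krb5_build_principal_ext() through its variadic component list as `input_name_buffer->length`, a `size_t`, while the callee reads each component length as `unsigned int`; that is a type mismatch in a variadic call and silently truncates any buffer whose length does not fit in 32 bits. An explicit cast, `(unsigned int)input_name_buffer->length,`, makes the intent visible, and a zero-length buffer should be rejected before the principal is built so a name with an empty certificate component cannot be created, e.g. `if (input_name_buffer->length == 0) { status = GSS_S_BAD_NAME; goto cleanup; }` (assuming cleanup returns `status`, which is initialised at the top of the function). The buffer is also stored without being checked as DER; if that validation is intentionally left to the consumer, a comment on the new branch such as `/* Keep the DER certificate as the sole component of a realmless principal; it is not parsed here. */` would say so. The enclosing import-name function begins before and ends after this hunk.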
KG_INIT_NAME_NO_COPY, &name);
if (code)
goto cleanup;
+ name->is_cert = is_cert;
+
princ = NULL;
ad_context = NULL;
service = host = NULL;
OM_uint32 major_status;
krb5_error_code code;
krb5_creds in_creds, *out_creds = NULL;
+ krb5_data *subject_cert = NULL;
*output_cred = NULL;
memset(&in_creds, 0, sizeof(in_creds));
- in_creds.client = user->princ;
+ if (user->is_cert)
+ subject_cert = user->princ->data;
+ else
+ in_creds.client = user->princ;
in_creds.server = impersonator_cred->name->princ;
if (impersonator_cred->req_enctypes != NULL)
code = krb5_get_credentials_for_user(context,
KRB5_GC_CANONICALIZE | KRB5_GC_NO_STORE,
impersonator_cred->ccache,
- &in_creds,
- NULL, &out_creds);
+ &in_creds, subject_cert, &out_creds);
if (code != 0) {
krb5_free_authdata(context, in_creds.authdata);
*minor_status = code;
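Review bot: The new `subject_cert = user->princ->data;` depends on the certificate name form storing the DER blob as the first (and presumably only) principal component, and it deliberately leaves `in_creds.client` NULL, but neither fact is stated where it is relied on. A comment above the new `if` would make the coupling to the import-name path explicit: `/* An X.509 name holds the DER certificate as its single principal component; the client is identified by that certificate, so in_creds.client stays NULL. */`. If a later change ever let `princ->length` be 0 for such a name this line would read past the component array, so a one-line defensive check here would be cheap. The enclosing function starts before the hunk and continues after it.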
GSS_C_NT_USER_NAME
GSS_KRB5_NT_PRINCIPAL_NAME
GSS_KRB5_NT_ENTERPRISE_NAME
+GSS_KRB5_NT_X509_CERT
GSS_KRB5_CRED_NO_CI_FLAGS_X
GSS_KRB5_GET_CRED_IMPERSONATOR
GSS_C_MA_MECH_CONCRETE
GSS_C_SEC_CONTEXT_SASL_SSF @149 DATA
; Added in 1.17
GSS_KRB5_NT_ENTERPRISE_NAME @150 DATA
+; Added in 1.19
+ GSS_KRB5_NT_X509_CERT @151 DATA
nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME;
else if (*str == 'e')
nametype = (gss_OID)GSS_KRB5_NT_ENTERPRISE_NAME;
+ else if (*str == 'c')
+ nametype = (gss_OID)GSS_KRB5_NT_X509_CERT;
else if (*str == 'h')
nametype = GSS_C_NT_HOSTBASED_SERVICE;
if (nametype == NULL || str[1] != ':')
- errout("names must begin with u: or p: or e: or h:");
+ errout("names must begin with u: or p: or e: or c: or h:");
buf.value = (char *)str + 2;
buf.length = strlen(str) - 2;
major = gss_import_name(&minor, &buf, nametype, &name);
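Review bot: The new `c:` branch passes the remainder of the argument verbatim as the certificate bytes (the `buf.value`/`buf.length` lines below it), so only a NUL-free printable "certificate" can be supplied from the command line; the accompanying test script's `c:other` and `c:user@UREALM` appear to rely on a harness that accepts such strings rather than real DER. A short comment on the new branch would spare the next reader that question: `/* c: takes the certificate bytes verbatim from argv; a real DER certificate cannot be passed this way. */`. The enclosing function begins before this hunk.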
return "{ 1 2 840 113554 1 2 2 1 }";
case 'e': /* GSS_KRB5_NT_ENTERPRISE_NAME */
return "{ 1 2 840 113554 1 2 2 6 }";
+ case 'c': /* GSS_KRB5_NT_X509_CERT */
+ return "{ 1 2 840 113554 1 2 2 7 }";
case 'h': /* GSS_C_NT_HOSTBASED_SERVICE */
return "{ 1 2 840 113554 1 2 1 4 }";
}
r1.run([kvno, '-U', 'enterprise@abc', '-F', cert_path, r1.user_princ],
expected_trace=msgs)
+shutil.copyfile(savefile, r1.ccache)
+
+mark('S4U2Self using X509 certificate (GSSAPI)')
+
+r1.run(['./t_s4u', 'c:other', '-', r1.keytab])
+r1.run(['./t_s4u', 'c:user@UREALM', '-', r1.keytab])
+
+r1.run(['./t_s4u', '--spnego', 'c:other', '-', r1.keytab])
+r1.run(['./t_s4u', '--spnego', 'c:user@UREALM', '-', r1.keytab])
+
r1.stop()
r2.stop()