[Heimdal-source-changes] [heimdal/heimdal] 8af2d7: hx509: Add missing CSR extension request support

Nico Williams noreply at github.com
Wed Oct 9 06:33:13 CEST 2019


  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: 8af2d79d35a2a8223c19ed99a49d184e92447927
      https://github.com/heimdal/heimdal/commit/8af2d79d35a2a8223c19ed99a49d184e92447927
  Author: Nicolas Williams <nico at twosigma.com>
  Date:   2019-10-08 (Tue, 08 Oct 2019)

  Changed paths:
    M lib/asn1/pkcs10.asn1
    M lib/asn1/pkcs9.asn1
    M lib/asn1/rfc2459.asn1
    M lib/hx509/ca.c
    M lib/hx509/hxtool-commands.in
    M lib/hx509/hxtool.c
    M lib/hx509/libhx509-exports.def
    M lib/hx509/name.c
    M lib/hx509/req.c
    M lib/hx509/test_name.c
    M lib/hx509/test_req.in
    M lib/hx509/version-script.map
    M lib/roken/parse_units.c

  Log Message:
  -----------
  hx509: Add missing CSR extension request support

This is necessary in order to add proper support for CSRs in kx509,
where the KDC can examine all requested KUs/EKUs/SANs, check
authorization, and issue a certificate with all those extensions if
authorized.

This is the convention used by OpenSSL, of encoding all the KU, EKUs,
and SANs being requested as Extensions as they would appear in the
TBSCertificate, then putting those in as a single Attribute in the CSR's
Attributes list with attribute OID {id-pkcs-9, 14}.

 - expose all hx509_request_*() functions
 - finish support in hx509_request_parse*() for KU, EKU, and SAN CSR
   attributes
 - finish support in hx509_request_to_pkcs10() for encoding all
   requested KU, EKU, and SAN extensions as a CSR extReq (extension request)
 - add hx509_request_add_*() support for:
    - id-pkinit-san and ms-upn-pkinit-san
    - XMPP (Jabber) SAN
    - registeredID (useless but trivial)
 - add hxtool request-create options for all supported SANs
 - add hxtool request-create options for KeyUsage
 - add hxtool request-create options for ExtKeyUsage
 - add hxtool request-print support for all these things
 - fix bugs in existing id-pkinit-san handling

Possible future improvements

 - add HX509_TRACE env var and support (it would be nice to be able to
   observe why some certificate is rejected, or not matched in a query)
 - add testing that CSR creation and printing round-trip for all KUs,
   EKUs, and SANs
   (probably in tests/kdc/check-pkinit.in)
 - add testing that OpenSSL can print a CSR made by hxtool and
   vice-versa
 - hxtool ca: add KU sanity checking (via hx509_ca_sign() and/or friends)
   (don't allow encrypt for signing-only algs)
   (don't allow encrypt for RSA at all, or for RSA with small e exponents)
 - hxtool request-print: warn about all unknown attributes and
   extensions
 - hxtool ca: MAYBE add support for adding requested extensions from the
   --req=CSR
   ("Maybe" because CA operators should really verify and authorize all
    requested attributes, and should acknowledge that they have, and the
    simplest way to do this is to make them add all the corresponding
     CLI arguments to the hxtool ca command, but that, too, is
     error-prone, thus it's not clear yet which approach is best.
    Perhaps interactively prompt for yes/no for each attribute.)
 - add additional SAN types:
    - iPAddress                 (useless?)
    - dNSSrv                    (useful!)
    - directoryName             (useless, but trivial)
    - uniformResourceIdentifier (useful)
 - it would be nice if the ASN.1 compiler could generate print
   functions..., and/or even better, to-JSON functions
 - it would be nice if we had a known-OID db, including the names of the
   types they refer to in certificate extensions, otherName SANs and CSR
   attributes, then we could generate a CSR and certificate printer for
   all known options even when they are not supported by the rest of
   Heimdal
    - and we could also get friendly names for OIDs, and we could
      resolve their arc names
    - longer term, we could also stand to add some ASN.1 information
      object system functionality, just enough to make
      lib/hx509/asn1_print awesome by being able to automatically decode
      all heim_any and OCTET STRING content (better than its current
      --inner option)
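
The {id-pkcs-9, 14} convention described in the commit message, walked end to end as an added example. This is not code from the commit, from hx509 or from Heimdal; it uses Go's standard library, which follows the same OpenSSL convention, so that it runs without Heimdal installed. It builds a CSR that requests a KeyUsage, an ExtKeyUsage and a dNSName SAN, then follows the raw DER to the extensionRequest attribute and decodes its Extensions the way an issuer (a CA, or the kx509 KDC the commit has in mind) must examine them before authorizing anything. It also does two things the commit message only implies: the CSR signature (proof of possession) is verified before any attribute is looked at, and an extension the issuer cannot decode is refused rather than dropped. The subject, DNS name, key usage bits and EKU OID are constructed for the example; the OIDs are the standard ones named in the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Standard OIDs; extensionRequest is the {id-pkcs-9 14} attribute named in the commit message.
var (
	oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14}
	oidKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidSubjectAltName   = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidExtKeyUsage      = asn1.ObjectIdentifier{2, 5, 29, 37}
)
// PKCS#10 (RFC 2986) only as far as the attributes; Go's asn1 ignores the signature fields the struct omits.
type certificationRequest struct {
	TBS struct {
		Version       int
		Subject, SPKI asn1.RawValue
		Attributes    []asn1.RawValue `asn1:"tag:0"` // [0] IMPLICIT SET OF Attribute
	}
}
type pkcs10Attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}
// RequestedExtensions is what the issuer must authorize before copying anything into a certificate.
type RequestedExtensions struct {
	KeyUsage    x509.KeyUsage // BIT STRING bit i becomes 1<<i, the x509.KeyUsage* convention
	ExtKeyUsage []asn1.ObjectIdentifier
	SANs        []string // every GeneralName with its context tag, including types Go's parser skips
}
// BuildExampleCSR makes a CSR asking for KU, EKU and a dNSName SAN (key and names are constructed
// for this example); Go's x509 packs all of them into a single extensionRequest attribute.
func BuildExampleCSR() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// KeyUsage BIT STRING with bit 0 (digitalSignature) and bit 2 (keyEncipherment) set.
	ku, _ := asn1.Marshal(asn1.BitString{Bytes: []byte{0xa0}, BitLength: 3})
	eku, _ := asn1.Marshal([]asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 2}}) // id-kp-clientAuth
	tmpl := x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: "svc.example.com"},
		DNSNames:        []string{"svc.example.com"},
		ExtraExtensions: []pkix.Extension{{Id: oidKeyUsage, Critical: true, Value: ku}, {Id: oidExtKeyUsage, Value: eku}},
	}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

// ExtractRequestedExtensions verifies proof of possession, then walks the raw DER to the
// {id-pkcs-9 14} attribute and decodes its Extensions exactly as they would sit in a TBSCertificate.
func ExtractRequestedExtensions(csrDER []byte) (RequestedExtensions, error) {
	var out RequestedExtensions
	var csr certificationRequest
	parsed, err := x509.ParseCertificateRequest(csrDER)
	if err == nil { // never act on an unsigned wish list: check the signature before the attributes
		if err = parsed.CheckSignature(); err == nil {
			_, err = asn1.Unmarshal(csrDER, &csr)
		}
	}
	var exts []pkix.Extension
	for i := 0; err == nil && i < len(csr.TBS.Attributes); i++ {
		var attr pkcs10Attribute
		_, err = asn1.Unmarshal(csr.TBS.Attributes[i].FullBytes, &attr)
		// Other PKCS#9 attributes (challengePassword, ...) are not extension requests and are skipped.
		if err == nil && attr.Type.Equal(oidExtensionRequest) && len(attr.Values) == 1 {
			_, err = asn1.Unmarshal(attr.Values[0].FullBytes, &exts)
		}
	}
	for i := 0; err == nil && i < len(exts); i++ {
		e := exts[i]
		var bits asn1.BitString
		var gns []asn1.RawValue
		switch {
		case e.Id.Equal(oidKeyUsage):
			if _, err = asn1.Unmarshal(e.Value, &bits); err == nil {
				for b := 0; b < bits.BitLength; b++ {
					out.KeyUsage |= x509.KeyUsage(bits.At(b)) << uint(b)
				}
			}
		case e.Id.Equal(oidExtKeyUsage):
			_, err = asn1.Unmarshal(e.Value, &out.ExtKeyUsage)
		case e.Id.Equal(oidSubjectAltName): // context tags: [0] otherName, [2] dNSName, [6] URI, ...
			if _, err = asn1.Unmarshal(e.Value, &gns); err == nil {
				for _, gn := range gns {
					out.SANs = append(out.SANs, fmt.Sprintf("GeneralName[%d]=%q", gn.Tag, gn.Bytes))
				}
			}
		default: // refuse, rather than silently drop, what the issuer cannot authorize
			err = fmt.Errorf("unsupported requested extension %s", e.Id)
		}
	}
	return out, err
}
```

ExtractRequestedExtensions takes any DER CSR, so feeding it one produced by another tool is the interoperability check the commit's future-improvements list asks for. Go's own ParseCertificateRequest also exposes the requested extensions (it reads the same attribute), but it silently ignores GeneralName types it does not know, which is why the SAN case above reports every GeneralName with its tag instead of trusting the pre-decoded name lists: an otherName such as id-pkinit-san would otherwise vanish before the issuer ever saw it.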


  Commit: 6f9eb81243fea2aca71ce9464e5c3c7ae280f53f
      https://github.com/heimdal/heimdal/commit/6f9eb81243fea2aca71ce9464e5c3c7ae280f53f
  Author: Nicolas Williams <nico at twosigma.com>
  Date:   2019-10-08 (Tue, 08 Oct 2019)

  Changed paths:
    M lib/krb5/auth_context.c
    M lib/krb5/build_auth.c

  Log Message:
  -----------
  krb5: copy AD from auth_context to Authenticator

If the caller provides authz data in the auth context, then we should
copy it to the Authenticator when making an AP-REQ!


Compare: https://github.com/heimdal/heimdal/compare/6a7e7eace67c...6f9eb81243fe

