[Heimdal-source-changes] [heimdal/heimdal] 8af2d7: hx509: Add missing CSR extension request support
Nico Williams
noreply at github.com
Ons Okt 9 06:33:13 CEST 2019
Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: 8af2d79d35a2a8223c19ed99a49d184e92447927
https://github.com/heimdal/heimdal/commit/8af2d79d35a2a8223c19ed99a49d184e92447927
Author: Nicolas Williams <nico at twosigma.com>
Date: 2019-10-08 (Tue, 08 Oct 2019)
Changed paths:
M lib/asn1/pkcs10.asn1
M lib/asn1/pkcs9.asn1
M lib/asn1/rfc2459.asn1
M lib/hx509/ca.c
M lib/hx509/hxtool-commands.in
M lib/hx509/hxtool.c
M lib/hx509/libhx509-exports.def
M lib/hx509/name.c
M lib/hx509/req.c
M lib/hx509/test_name.c
M lib/hx509/test_req.in
M lib/hx509/version-script.map
M lib/roken/parse_units.c
Log Message:
-----------
hx509: Add missing CSR extension request support
This is necessary in order to add proper support for CSRs in kx509,
where the KDC can examine all requested KUs/EKUs/SANs, check
authorization, and issue a certificate with all those extensions if
authorized.
This is the convention used by OpenSSL, of encoding all the KU, EKUs,
and SANs being requested as Extensions as they would appear in the
TBSCertificate, then putting those in as a single Attribute in the CSR's
Attributes list with attribute OID {id-pkcs-9, 14}.
- expose all hx509_request_*() functions
- finish support in hx509_request_parse*() for KU, EKU, and SAN CSR
attributes
- finish support in hx509_request_to_pkcs10() for encoding all
requested KU, EKU, and SAN extensions as a CSR extReq (extension request)
- add hx509_request_add_*() support for:
- id-pkinit-san and ms-upn-pkinit-san
- XMPP (Jabber) SAN
- registeredID (useless but trivial)
- add hxtool request-create options for all supported SANs
- add hxtool request-create options for KeyUsage
- add hxtool request-create options for ExtKeyUsage
- add hxtool request-print support for all these things
- fix bugs in existing id-pkinit-san handling
Possible future improvements
- add HX509_TRACE env var and support (it would be nice to be able to
observe why some certificate is rejected, or not matched in a query)
- add testing that CSR creating and printing round-trip for all KUs,
EKUs, and SANs
(probably in tests/kdc/check-pkinit.in)
- add testing that OpenSSL can print a CSR made by hxtool and
vice-versa
- hxtool ca: add KU sanity checking (via hx509_ca_sign() and/or friends)
(don't allow encrypt for signing-only algs)
(don't allow encrypt for RSA at all, or for RSA with small e exponents)
- hxtool request-print: warn about all unknown attributes and
extensions
- hxtool ca: MAYBE add support for adding requested extensions from the
--req=CSR
("Maybe" because CA operators should really verify and authorize all
requested attributes, and should acknowledge that they have, and the
simplest way to do this is to make them add all the corresponding
CLI arguments to the hxtool ca command, but too, that is
error-prone, thus it's not clear yet which approach is best.
Perhaps interactively prompt for yes/no for each attribute.)
- add additional SAN types:
- iPAddress (useless?)
- dNSSrv (useful!)
- directoryName (useless, but trivial)
- uniformResourceIdentifier (useful)
- it would be nice if the ASN.1 compiler could generate print
functions..., and/or even better, to-JSON functions
- it would be nice if we had a known-OID db, including the names of the
types they refer to in certificate extensions, otherName SANs and CSR
attributes, then we could generate a CSR and certificate printer for
all known options even when they are not supported by the rest of
Heimdal
- and we could also get friendly names for OIDs, and we could
resolve their arc names
- longer term, we could also stand to add some ASN.1 information
object system functionality, just enough to make
lib/hx509/asn1_print awesome by being able to automatically decode
all heim_any and OCTET STRING content (better than its current
--inner option)
Commit: 6f9eb81243fea2aca71ce9464e5c3c7ae280f53f
https://github.com/heimdal/heimdal/commit/6f9eb81243fea2aca71ce9464e5c3c7ae280f53f
Author: Nicolas Williams <nico at twosigma.com>
Date: 2019-10-08 (Tue, 08 Oct 2019)
Changed paths:
M lib/krb5/auth_context.c
M lib/krb5/build_auth.c
Log Message:
-----------
krb5: copy AD from auth_context to Authenticator
If the caller provides authz data in the auth context, then we should
copy it to the Authenticator when making an AP-REQ!
Compare: https://github.com/heimdal/heimdal/compare/6a7e7eace67c...6f9eb81243fe
More information about the Heimdal-source-changes
mailing list