[krbdev.mit.edu #8561] git commit

Greg Hudson via RT rt-comment at krbdev.mit.edu
Thu Mar 23 13:34:00 EDT 2017


Add certauth pluggable interface

Add the header include/krb5/certauth_plugin.h, defining a pluggable
interface to control authorization of PKINIT client certificates.

Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and
related PKINIT crypto X.509 helper functions.  Add authorize_cert() as
the entry function for certauth plugin module checks called in
pkinit_server_verify_padata().  Modify kdcpreauth_moddata to hold the
list of certauth module handles, and load the modules when the PKINIT
kdcpreauth server plugin is initialized.  Change
crypto_retrieve_X509_sans() to return ENOENT when no SAN is found.

Add test modules in plugins/certauth/test.  Create t_certauth.py with
basic certauth tests.  Add plugin interface documentation in
doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.

[ghudson at mit.edu: simplified code, edited docs]

https://github.com/krb5/krb5/commit/b619ce84470519bea65470be3263cd85fba94f57
Author: Matt Rogers <mrogers at redhat.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: b619ce84470519bea65470be3263cd85fba94f57
Branch: master
 doc/admin/conf_files/krb5_conf.rst                 |   21 ++
 doc/plugindev/certauth.rst                         |   27 ++
 doc/plugindev/index.rst                            |    1 +
 src/Makefile.in                                    |    1 +
 src/configure.in                                   |    1 +
 src/include/Makefile.in                            |    1 +
 src/include/k5-int.h                               |    3 +-
 src/include/krb5/certauth_plugin.h                 |  103 ++++++
 src/lib/krb5/krb/plugin.c                          |    3 +-
 src/plugins/certauth/test/Makefile.in              |   20 ++
 src/plugins/certauth/test/certauth_test.exports    |    2 +
 src/plugins/certauth/test/deps                     |   14 +
 src/plugins/certauth/test/main.c                   |  209 ++++++++++++
 src/plugins/preauth/pkinit/pkinit_crypto.h         |    4 +
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |   30 ++
 src/plugins/preauth/pkinit/pkinit_srv.c            |  335 +++++++++++++++++---
 src/plugins/preauth/pkinit/pkinit_trace.h          |    5 +
 src/tests/Makefile.in                              |    1 +
 src/tests/t_certauth.py                            |   47 +++
 19 files changed, 786 insertions(+), 42 deletions(-)
