summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/kdc/kx509.c
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/kdc/kx509.c')
-rw-r--r--third_party/heimdal/kdc/kx509.c1080
1 files changed, 1080 insertions, 0 deletions
diff --git a/third_party/heimdal/kdc/kx509.c b/third_party/heimdal/kdc/kx509.c
new file mode 100644
index 0000000..6efd94e
--- /dev/null
+++ b/third_party/heimdal/kdc/kx509.c
@@ -0,0 +1,1080 @@
+/*
+ * Copyright (c) 2006 - 2019 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kdc_locl.h"
+#include <hex.h>
+#include <rfc2459_asn1.h>
+#include <hx509.h>
+#include <hx509_err.h>
+#include <kx509_err.h>
+
+#include <stdarg.h>
+
+/*
+ * This file implements the kx509 service.
+ *
+ * The protocol, its shortcomings, and its future are described in
+ * lib/krb5/hx509.c. See also lib/asn1/kx509.asn1.
+ *
+ * The service handles requests, decides whether to issue a certificate, and
+ * does so by populating a "template" to generate a TBSCertificate and signing
+ * it with a configured CA issuer certificate and private key. See ca.c for
+ * details.
+ *
+ * A "template" is a Certificate that has ${variable} references in its
+ * subjectName, and may have EKUs.
+ *
+ * Some SANs may be included in issued certificates. See below.
+ *
+ * Besides future protocol improvements described in lib/krb5/hx509.c, here is
+ * a list of KDC functionality we'd like to add:
+ *
+ * - support templates as strings (rather than filenames) in configuration?
+ * - lookup an hx509 template for the client principal in its HDB entry?
+ * - lookup subjectName, SANs for a principal in its HDB entry
+ * - lookup a host-based client principal's HDB entry and add its canonical
+ * name / aliases as dNSName SANs
+ * (this would have to be if requested by the client, perhaps; see
+ * commentary about the protocol in lib/krb5/kx509.c)
+ * - add code to build a template on the fly
+ *
+ * (just SANs, with empty subjectName?
+ * or
+ * CN=component0,CN=component1,..,CN=componentN,DC=<from-REALM>
+ * and set KU and EKUs)
+ *
+ * Processing begins in _kdc_do_kx509().
+ *
+ * The sequence of events in _kdc_do_kx509() is:
+ *
+ * - parse outer request
+ * - authenticate request
+ * - extract CSR and AP-REQ Authenticator authz-data elements
+ * - characterize request as one of
+ * - default client cert req (no cert exts requested, client user princ)
+ * - default server cert req (no cert exts requested, client service princ)
+ * - client cert req (cert exts requested denoting client use)
+ * - server cert req (cert exts requested denoting server use)
+ * - mixed cert req (cert exts requested denoting client and server use)
+ * - authorize request based only on the request's details
+ * - there is a default authorizer, and a plugin authorizer
+ * - get configuration sub-tree corresponding to the request as characterized
+ * - missing configuration sub-tree -> reject (we have multiple ways to
+ * express "no")
+ * - get common config params from that sub-tree
+ * - set TBS template and details from CSR and such
+ * - issue certificate by signing TBS
+ */
+
+#ifdef KX509
+
+static const unsigned char version_2_0[4] = {0 , 0, 2, 0};
+
+/*
+ * Taste the request to see if it's a kx509 request.
+ */
+krb5_error_code
+_kdc_try_kx509_request(kx509_req_context r)
+{
+ const unsigned char *p = (const void *)(uintptr_t)r->request.data;
+ size_t len = r->request.length;
+ size_t sz;
+
+ if (len < sizeof(version_2_0))
+ return -1;
+ if (memcmp(version_2_0, p, sizeof(version_2_0)) != 0)
+ return -1;
+ p += sizeof(version_2_0);
+ len -= sizeof(version_2_0);
+ if (len == 0)
+ return -1;
+ memset(&r->req, 0, sizeof(r->req));
+ return decode_Kx509Request(p, len, &r->req, &sz);
+}
+
+static krb5_boolean
+get_bool_param(krb5_context context,
+ krb5_boolean def,
+ const char *crealm,
+ const char *name)
+{
+ krb5_boolean global_default;
+
+ global_default = krb5_config_get_bool_default(context, NULL, def, "kdc",
+ name, NULL);
+ if (!crealm)
+ return global_default;
+ return krb5_config_get_bool_default(context, NULL, global_default,
+ "kdc", "realms", crealm, name, NULL);
+}
+
+/*
+ * Verify the HMAC in the request.
+ */
+static krb5_error_code
+verify_req_hash(krb5_context context,
+ const Kx509Request *req,
+ krb5_keyblock *key)
+{
+ unsigned char digest[SHA_DIGEST_LENGTH];
+ HMAC_CTX ctx;
+
+ if (req->pk_hash.length != sizeof(digest)) {
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "pk-hash has wrong length: %lu",
+ (unsigned long)req->pk_hash.length);
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+
+ HMAC_CTX_init(&ctx);
+ if (HMAC_Init_ex(&ctx, key->keyvalue.data, key->keyvalue.length,
+ EVP_sha1(), NULL) == 0) {
+ HMAC_CTX_cleanup(&ctx);
+ return krb5_enomem(context);
+ }
+ if (sizeof(digest) != HMAC_size(&ctx))
+ krb5_abortx(context, "runtime error, hmac buffer wrong size in kx509");
+ HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
+ if (req->pk_key.length)
+ HMAC_Update(&ctx, req->pk_key.data, req->pk_key.length);
+ else
+ HMAC_Update(&ctx, req->authenticator.data, req->authenticator.length);
+ HMAC_Final(&ctx, digest, 0);
+ HMAC_CTX_cleanup(&ctx);
+
+ if (ct_memcmp(req->pk_hash.data, digest, sizeof(digest)) != 0) {
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "kx509 request MAC mismatch");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+ return 0;
+}
+
+/*
+ * Set the HMAC in the response.
+ */
+static krb5_error_code
+calculate_reply_hash(krb5_context context,
+ krb5_keyblock *key,
+ Kx509Response *rep)
+{
+ krb5_error_code ret = 0;
+ HMAC_CTX ctx;
+
+ HMAC_CTX_init(&ctx);
+
+ if (HMAC_Init_ex(&ctx, key->keyvalue.data, key->keyvalue.length,
+ EVP_sha1(), NULL) == 0)
+ ret = krb5_enomem(context);
+
+ if (ret == 0)
+ ret = krb5_data_alloc(rep->hash, HMAC_size(&ctx));
+ if (ret) {
+ HMAC_CTX_cleanup(&ctx);
+ return krb5_enomem(context);
+ }
+
+ HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
+ {
+ int32_t t = rep->error_code;
+ unsigned char encint[sizeof(t) + 1];
+ size_t k;
+
+ /*
+ * RFC6717 says this about how the error-code is included in the HMAC:
+ *
+ * o DER representation of the error-code exclusive of the tag and
+ * length, if it is present.
+ *
+ * So we use der_put_integer(), which encodes from the right.
+ *
+ * RFC6717 does not constrain the error-code's range. We assume it to
+ * be a 32-bit, signed integer, for which we'll need no more than 5
+ * bytes.
+ */
+ ret = der_put_integer(&encint[sizeof(encint) - 1],
+ sizeof(encint), &t, &k);
+ if (ret == 0)
+ HMAC_Update(&ctx, &encint[sizeof(encint)] - k, k);
+ }
+ if (rep->certificate)
+ HMAC_Update(&ctx, rep->certificate->data, rep->certificate->length);
+ if (rep->e_text)
+ HMAC_Update(&ctx, (unsigned char *)*rep->e_text, strlen(*rep->e_text));
+
+ HMAC_Final(&ctx, rep->hash->data, 0);
+ HMAC_CTX_cleanup(&ctx);
+
+ return 0;
+}
+
+static void
+frees(char **s)
+{
+ free(*s);
+ *s = NULL;
+}
+
+/* Check that a krbtgt's second component is a local realm */
+static krb5_error_code
+is_local_realm(krb5_context context,
+ kx509_req_context reqctx,
+ const char *realm)
+{
+ krb5_error_code ret;
+ krb5_principal tgs;
+ HDB *db;
+ hdb_entry *ent = NULL;
+
+ ret = krb5_make_principal(context, &tgs, realm, KRB5_TGS_NAME, realm,
+ NULL);
+ if (ret)
+ return ret;
+ if (ret == 0)
+ ret = _kdc_db_fetch(context, reqctx->config, tgs, HDB_F_GET_KRBTGT,
+ NULL, &db, &ent);
+ if (ent)
+ _kdc_free_ent(context, db, ent);
+ krb5_free_principal(context, tgs);
+ if (ret == HDB_ERR_NOENTRY || ret == HDB_ERR_NOT_FOUND_HERE)
+ return KRB5KRB_AP_ERR_NOT_US;
+ return ret;
+}
+
+/*
+ * Since we're using the HDB as a keytab we have to check that the client used
+ * an acceptable name for the kx509 service.
+ *
+ * We accept two names: kca_service/hostname and krbtgt/REALM.
+ *
+ * We allow cross-realm requests.
+ *
+ * Maybe x-realm support should be configurable. Requiring INITIAL tickets
+ * does NOT preclude x-realm support! (Cross-realm TGTs can be INITIAL.)
+ *
+ * Support for specific client realms is configurable by configuring issuer
+ * credentials and TBS templates on a per-realm basis and configuring no
+ * default. But maybe we should have an explicit configuration parameter
+ * to enable support for clients from different realms than the service.
+ */
+static krb5_error_code
+kdc_kx509_verify_service_principal(krb5_context context,
+ kx509_req_context reqctx,
+ krb5_principal sprincipal)
+{
+ krb5_error_code ret = 0;
+ krb5_principal principal = NULL;
+ char *expected = NULL;
+ char localhost[MAXHOSTNAMELEN];
+
+ if (krb5_principal_get_num_comp(context, sprincipal) != 2)
+ goto err;
+
+ /* Check if sprincipal is a krbtgt/REALM name */
+ if (strcmp(krb5_principal_get_comp_string(context, sprincipal, 0),
+ KRB5_TGS_NAME) == 0) {
+ const char *r = krb5_principal_get_comp_string(context, sprincipal, 1);
+ if ((ret = is_local_realm(context, reqctx, r)))
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Client used wrong krbtgt for kx509");
+ goto out;
+ }
+
+ /* Must be hostbased kca_service name then */
+ ret = gethostname(localhost, sizeof(localhost) - 1);
+ if (ret != 0) {
+ ret = errno;
+ kdc_log(context, reqctx->config, 0, "Failed to get local hostname");
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Failed to get local hostname");
+ return ret;
+ }
+ localhost[sizeof(localhost) - 1] = '\0';
+
+ ret = krb5_make_principal(context, &principal, "", "kca_service",
+ localhost, NULL);
+ if (ret)
+ goto out;
+
+ if (krb5_principal_compare_any_realm(context, sprincipal, principal))
+ goto out; /* found a match */
+
+err:
+ ret = krb5_unparse_name(context, sprincipal, &expected);
+ if (ret)
+ goto out;
+
+ ret = KRB5KDC_ERR_SERVER_NOMATCH;
+ kdc_audit_addreason((kdc_request_t)reqctx, "Client used wrong kx509 "
+ "service principal (expected %s)", expected);
+
+out:
+ krb5_xfree(expected);
+ krb5_free_principal(context, principal);
+
+ return ret;
+}
+
+static krb5_error_code
+encode_reply(krb5_context context,
+ kx509_req_context reqctx,
+ Kx509Response *r)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ size_t size;
+
+ reqctx->reply->data = NULL;
+ reqctx->reply->length = 0;
+ ASN1_MALLOC_ENCODE(Kx509Response, data.data, data.length, r, &size, ret);
+ if (ret)
+ return ret;
+ if (size != data.length)
+ krb5_abortx(context, "ASN1 internal error");
+
+ ret = krb5_data_alloc(reqctx->reply, data.length + sizeof(version_2_0));
+ if (ret == 0) {
+ memcpy(reqctx->reply->data, version_2_0, sizeof(version_2_0));
+ memcpy(((unsigned char *)reqctx->reply->data) + sizeof(version_2_0),
+ data.data, data.length);
+ }
+ free(data.data);
+ return ret;
+}
+
+/* Make an error response, and log the error message as well */
+static krb5_error_code
+mk_error_response(krb5_context context,
+ kx509_req_context reqctx,
+ int level,
+ int32_t code,
+ const char *fmt,
+ ...)
+{
+ krb5_error_code ret = code;
+ krb5_error_code ret2;
+ Kx509Response rep;
+ const char *msg;
+ char *freeme0 = NULL;
+ char *freeme1 = NULL;
+ va_list ap;
+
+ if (code != 0) {
+ /* Log errors where _kdc_audit_trail() is not enough */
+ if (code == ENOMEM)
+ level = 0;
+ if (level < 3) {
+ va_start(ap, fmt);
+ kdc_vlog(context, reqctx->config, level, fmt, ap);
+ va_end(ap);
+ }
+
+ va_start(ap, fmt);
+ kdc_audit_vaddreason((kdc_request_t)reqctx, fmt, ap);
+ va_end(ap);
+ }
+
+ if (!reqctx->config->enable_kx509)
+ code = KRB5KDC_ERR_POLICY;
+
+ /* Make sure we only send RFC4120 and friends wire protocol error codes */
+ if (code) {
+ if (code == KX509_ERR_NONE) {
+ code = 0;
+ } else if (code > KX509_ERR_NONE && code <= KX509_ERR_SRV_OVERLOADED) {
+ code -= KX509_ERR_NONE;
+ } else {
+ if (code < KRB5KDC_ERR_NONE || code >= KRB5_ERR_RCSID)
+ code = KRB5KRB_ERR_GENERIC;
+ code -= KRB5KDC_ERR_NONE;
+ code += kx509_krb5_error_base;
+ }
+ }
+
+ va_start(ap, fmt);
+ if (vasprintf(&freeme0, fmt, ap) == -1 || freeme0 == NULL)
+ msg = "Could not format error message (out of memory)";
+ else
+ msg = freeme0;
+ va_end(ap);
+
+ if (!reqctx->config->enable_kx509 &&
+ asprintf(&freeme1, "kx509 service is disabled (%s)", msg) > -1 &&
+ freeme1 != NULL) {
+ msg = freeme1;
+ }
+
+ rep.hash = NULL;
+ rep.certificate = NULL;
+ rep.error_code = code;
+ if (ALLOC(rep.e_text))
+ *rep.e_text = (void *)(uintptr_t)msg;
+
+ if (reqctx->key) {
+ if (ALLOC(rep.hash) != NULL &&
+ calculate_reply_hash(context, reqctx->key, &rep)) {
+ free(rep.hash);
+ rep.hash = NULL;
+ }
+ }
+
+ if ((ret2 = encode_reply(context, reqctx, &rep)))
+ ret = ret2;
+ if (rep.hash)
+ krb5_data_free(rep.hash);
+ free(rep.e_text);
+ free(rep.hash);
+ free(freeme0);
+ free(freeme1);
+ return ret;
+}
+
+/* Wrap a bare public (RSA) key with a CSR (not signed it, since we can't) */
+static krb5_error_code
+make_csr(krb5_context context, kx509_req_context reqctx, krb5_data *key)
+{
+ krb5_error_code ret;
+ SubjectPublicKeyInfo spki;
+ heim_any any;
+
+ ret = hx509_request_init(context->hx509ctx, &reqctx->csr);
+ if (ret)
+ return ret;
+
+ memset(&spki, 0, sizeof(spki));
+ spki.subjectPublicKey.data = key->data;
+ spki.subjectPublicKey.length = key->length * 8;
+
+ ret = der_copy_oid(&asn1_oid_id_pkcs1_rsaEncryption,
+ &spki.algorithm.algorithm);
+
+ any.data = "\x05\x00";
+ any.length = 2;
+ spki.algorithm.parameters = &any;
+
+ if (ret == 0)
+ ret = hx509_request_set_SubjectPublicKeyInfo(context->hx509ctx,
+ reqctx->csr, &spki);
+ der_free_oid(&spki.algorithm.algorithm);
+ if (ret)
+ hx509_request_free(&reqctx->csr);
+
+ /*
+ * TODO: Move a lot of the templating stuff here so we can let clients
+ * leave out extensions they don't want.
+ */
+ return ret;
+}
+
+/* Update a CSR with desired Certificate Extensions */
+static krb5_error_code
+update_csr(krb5_context context, kx509_req_context reqctx, Extensions *exts)
+{
+ krb5_error_code ret = 0;
+ size_t i, k;
+
+ if (exts == NULL)
+ return 0;
+
+ for (i = 0; ret == 0 && i < exts->len; i++) {
+ Extension *e = &exts->val[i];
+
+ if (der_heim_oid_cmp(&e->extnID, &asn1_oid_id_x509_ce_keyUsage) == 0) {
+ KeyUsage ku;
+
+ ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length, &ku,
+ NULL);
+ if (ret)
+ return ret;
+ ret = hx509_request_set_ku(context->hx509ctx, reqctx->csr, ku);
+ } else if (der_heim_oid_cmp(&e->extnID,
+ &asn1_oid_id_x509_ce_extKeyUsage) == 0) {
+ ExtKeyUsage eku;
+
+ ret = decode_ExtKeyUsage(e->extnValue.data, e->extnValue.length,
+ &eku, NULL);
+ for (k = 0; ret == 0 && k < eku.len; k++) {
+ ret = hx509_request_add_eku(context->hx509ctx, reqctx->csr,
+ &eku.val[k]);
+ }
+ free_ExtKeyUsage(&eku);
+ } else if (der_heim_oid_cmp(&e->extnID,
+ &asn1_oid_id_x509_ce_subjectAltName) == 0) {
+ GeneralNames san;
+
+ ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
+ &san, NULL);
+ for (k = 0; ret == 0 && k < san.len; k++) {
+ ret = hx509_request_add_GeneralName(context->hx509ctx,
+ reqctx->csr, &san.val[k]);
+ }
+ free_GeneralNames(&san);
+ }
+ }
+ if (ret) {
+ const char *emsg = krb5_get_error_message(context, ret);
+ kdc_log(context, reqctx->config, 1,
+ "Error handling requested extensions: %s", emsg);
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Error handling requested extensions: %s",
+ emsg);
+ krb5_free_error_message(context, emsg);
+ }
+ return ret;
+}
+
+
+/*
+ * Parse the `pk_key' from the request as a CSR or raw public key, and if the
+ * latter, wrap it in a non-signed CSR.
+ */
+static krb5_error_code
+get_csr(krb5_context context, kx509_req_context reqctx)
+{
+ krb5_error_code ret;
+ RSAPublicKey rsapkey;
+ heim_octet_string pk_key = reqctx->req.pk_key;
+ size_t size;
+
+ ret = decode_Kx509CSRPlus(pk_key.data, pk_key.length, &reqctx->csr_plus,
+ &size);
+ if (ret == 0) {
+ reqctx->have_csr = 1;
+ reqctx->send_chain = 1;
+
+ /* Parse CSR */
+ ret = hx509_request_parse_der(context->hx509ctx, &reqctx->csr_plus.csr,
+ &reqctx->csr);
+ /*
+ * Handle any additional Certificate Extensions requested out of band
+ * of the CSR.
+ */
+ if (ret == 0)
+ return update_csr(context, reqctx, reqctx->csr_plus.exts);
+ kdc_audit_addreason((kdc_request_t)reqctx, "Invalid CSR");
+ return ret;
+ }
+ reqctx->send_chain = 0;
+ reqctx->have_csr = 0;
+
+ /* Check if proof of possession is required by configuration */
+ if (!get_bool_param(context, FALSE, reqctx->realm, "require_csr")) {
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "CSRs required but client did not send one");
+ krb5_set_error_message(context, KX509_STATUS_CLIENT_USE_CSR,
+ "CSRs required but kx509 client did not send "
+ "one");
+ return KX509_STATUS_CLIENT_USE_CSR;
+ }
+
+ /* Attempt to decode pk_key as RSAPublicKey */
+ ret = decode_RSAPublicKey(reqctx->req.pk_key.data,
+ reqctx->req.pk_key.length,
+ &rsapkey, &size);
+ free_RSAPublicKey(&rsapkey);
+ if (ret == 0 && size == reqctx->req.pk_key.length)
+ return make_csr(context, reqctx, &pk_key); /* Make pretend CSR */
+
+ /* Not an RSAPublicKey or garbage follows it */
+ if (ret == 0) {
+ ret = KRB5KDC_ERR_NULL_KEY;
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Request has garbage after key");
+ krb5_set_error_message(context, ret, "Request has garbage after key");
+ return ret;
+ }
+
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Could not decode CSR or RSA subject public key");
+ krb5_set_error_message(context, ret,
+ "Could not decode CSR or RSA subject public key");
+ return ret;
+}
+
+/*
+ * Host-based principal _clients_ might ask for a cert for their host -- but
+ * which services are permitted to do that? This function answers that
+ * question.
+ */
+static int
+check_authz_svc_ok(krb5_context context, const char *svc)
+{
+ const char *def[] = { "host", "HTTP", 0 };
+ const char * const *svcs;
+ char **strs;
+
+ strs = krb5_config_get_strings(context, NULL, "kdc",
+ "kx509_permitted_hostbased_services", NULL);
+ for (svcs = strs ? (const char * const *)strs : def; svcs[0]; svcs++) {
+ if (strcmp(svcs[0], svc) == 0) {
+ krb5_config_free_strings(strs);
+ return 1;
+ }
+ }
+ krb5_config_free_strings(strs);
+ return 0;
+}
+
+static krb5_error_code
+check_authz(krb5_context context,
+ kx509_req_context reqctx,
+ krb5_principal cprincipal)
+{
+ krb5_error_code ret;
+ const char *comp0 = krb5_principal_get_comp_string(context, cprincipal, 0);
+ const char *comp1 = krb5_principal_get_comp_string(context, cprincipal, 1);
+ unsigned int ncomp = krb5_principal_get_num_comp(context, cprincipal);
+ hx509_san_type san_type;
+ KeyUsage ku, ku_allowed;
+ size_t i;
+ const heim_oid *eku_whitelist[] = {
+ &asn1_oid_id_pkix_kp_serverAuth,
+ &asn1_oid_id_pkix_kp_clientAuth,
+ &asn1_oid_id_pkekuoid,
+ &asn1_oid_id_pkinit_ms_eku
+ };
+ char *cprinc = NULL;
+ char *s = NULL;
+
+ /*
+ * In the no-CSR case we'll derive cert contents from client name and its
+ * HDB entry -- authorization is implied.
+ */
+ if (!reqctx->have_csr)
+ return 0;
+ ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr,
+ cprincipal);
+ if (ret == 0) {
+ kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
+
+ ret = hx509_request_get_san(reqctx->csr, 0, &san_type, &s);
+ if (ret == 0) {
+ const char *san_type_s;
+
+ /* This should be an hx509 function... */
+ switch (san_type) {
+ case HX509_SAN_TYPE_EMAIL: san_type_s = "rfc822Name"; break;
+ case HX509_SAN_TYPE_DNSNAME: san_type_s = "dNSName"; break;
+ case HX509_SAN_TYPE_DN: san_type_s = "DN"; break;
+ case HX509_SAN_TYPE_REGISTERED_ID: san_type_s = "registeredID"; break;
+ case HX509_SAN_TYPE_XMPP: san_type_s = "xMPPName"; break;
+ case HX509_SAN_TYPE_PKINIT: san_type_s = "krb5PrincipalName"; break;
+ case HX509_SAN_TYPE_MS_UPN: san_type_s = "ms-UPN"; break;
+ default: san_type_s = "unknown"; break;
+ }
+ kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0_type", "%s",
+ san_type_s);
+ kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0", "%s", s);
+ }
+ frees(&s);
+ ret = hx509_request_get_eku(reqctx->csr, 0, &s);
+ if (ret == 0)
+ kdc_audit_addkv((kdc_request_t)reqctx, 0, "eku0", "%s", s);
+ free(s);
+ return 0;
+ }
+ if (ret != KRB5_PLUGIN_NO_HANDLE) {
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Requested extensions rejected by plugin");
+ return ret;
+ }
+
+ /* Default authz */
+ if ((ret = krb5_unparse_name(context, cprincipal, &cprinc)))
+ return ret;
+
+ for (i = 0; ret == 0; i++) {
+
+ frees(&s);
+ ret = hx509_request_get_san(reqctx->csr, i, &san_type, &s);
+ if (ret)
+ break;
+ switch (san_type) {
+ case HX509_SAN_TYPE_DNSNAME:
+ if (ncomp != 2 || strcasecmp(comp1, s) != 0 ||
+ strchr(s, '.') == NULL ||
+ !check_authz_svc_ok(context, comp0)) {
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Requested extensions rejected by "
+ "default policy (dNSName SAN "
+ "does not match client)");
+ goto eacces;
+ }
+ break;
+ case HX509_SAN_TYPE_PKINIT:
+ if (strcmp(cprinc, s) != 0) {
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Requested extensions rejected by "
+ "default policy (PKINIT SAN "
+ "does not match client)");
+ goto eacces;
+ }
+ break;
+ default:
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Requested extensions rejected by "
+ "default policy (non-default SAN "
+ "requested)");
+ goto eacces;
+ }
+ }
+ frees(&s);
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+ if (ret)
+ goto out;
+
+ for (i = 0; ret == 0; i++) {
+ heim_oid oid;
+ size_t k;
+
+ frees(&s);
+ ret = hx509_request_get_eku(reqctx->csr, i, &s);
+ if (ret)
+ break;
+
+ if ((ret = der_parse_heim_oid(s, ".", &oid))) {
+ goto out;
+ }
+ for (k = 0; k < sizeof(eku_whitelist)/sizeof(eku_whitelist[0]); k++) {
+ if (der_heim_oid_cmp(eku_whitelist[k], &oid) == 0)
+ break;
+ }
+ der_free_oid(&oid);
+ if (k == sizeof(eku_whitelist)/sizeof(eku_whitelist[0])) {
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Requested EKU rejected by default policy");
+ goto eacces;
+ }
+ }
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+ if (ret)
+ goto out;
+
+ memset(&ku_allowed, 0, sizeof(ku_allowed));
+ ku_allowed.digitalSignature = 1;
+ ku_allowed.nonRepudiation = 1;
+ ret = hx509_request_get_ku(context->hx509ctx, reqctx->csr, &ku);
+ if (ret)
+ goto out;
+ if (KeyUsage2int(ku) != (KeyUsage2int(ku) & KeyUsage2int(ku_allowed)))
+ goto eacces;
+
+ kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
+ free(cprinc);
+ return 0;
+
+eacces:
+ ret = EACCES;
+ goto out2;
+
+out:
+ /* XXX Display error code */
+ kdc_audit_addreason((kdc_request_t)reqctx,
+ "Error handling requested extensions");
+out2:
+ free(cprinc);
+ free(s);
+ return ret;
+}
+
+static int
+chain_add1_func(hx509_context context, void *d, hx509_cert c)
+{
+ heim_octet_string os;
+ Certificates *cs = d;
+ Certificate c2;
+ int ret;
+
+ ret = hx509_cert_binary(context, c, &os);
+ if (ret)
+ return ret;
+ ret = decode_Certificate(os.data, os.length, &c2, NULL);
+ der_free_octet_string(&os);
+ if (ret)
+ return ret;
+ ret = add_Certificates(cs, &c2);
+ free_Certificate(&c2);
+ return ret;
+}
+
+static krb5_error_code
+encode_cert_and_chain(hx509_context hx509ctx,
+ hx509_certs certs,
+ krb5_data *out)
+{
+ krb5_error_code ret;
+ Certificates cs;
+ size_t len;
+
+ cs.len = 0;
+ cs.val = 0;
+
+ ret = hx509_certs_iter_f(hx509ctx, certs, chain_add1_func, &cs);
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(Certificates, out->data, out->length,
+ &cs, &len, ret);
+ free_Certificates(&cs);
+ return ret;
+}
+
+/*
+ * Process a request, produce a reply.
+ */
+
+krb5_error_code
+_kdc_do_kx509(kx509_req_context r)
+{
+ krb5_error_code ret = 0;
+ krb5_ticket *ticket = NULL;
+ krb5_flags ap_req_options;
+ krb5_principal cprincipal = NULL;
+ krb5_principal sprincipal = NULL;
+ krb5_keytab id = NULL;
+ Kx509Response rep;
+ hx509_certs certs = NULL;
+ int is_probe = 0;
+
+ r->csr_plus.csr.data = NULL;
+ r->csr_plus.exts = NULL;
+ r->sname = NULL;
+ r->cname = NULL;
+ r->realm = NULL;
+ r->key = NULL;
+ r->csr = NULL;
+ r->ac = NULL;
+
+ /*
+ * In order to support authenticated error messages we defer checking
+ * whether the kx509 service is enabled until after accepting the AP-REQ.
+ */
+
+ krb5_data_zero(r->reply);
+ memset(&rep, 0, sizeof(rep));
+
+ if (r->req.authenticator.length == 0) {
+ /*
+ * Unauthenticated kx509 service availability probe.
+ *
+ * mk_error_response() will check whether the service is enabled and
+ * possibly change the error code and message.
+ */
+ is_probe = 1;
+ kdc_audit_addkv((kdc_request_t)r, 0, "probe", "unauthenticated");
+ ret = mk_error_response(r->context, r, 4, 0,
+ "kx509 service is available");
+ goto out;
+ }
+
+ /* Authenticate the request (consume the AP-REQ) */
+ ret = krb5_kt_resolve(r->context, "HDBGET:", &id);
+ if (ret) {
+ const char *msg = krb5_get_error_message(r->context, ret);
+ ret = mk_error_response(r->context, r, 1,
+ KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
+ "Can't open HDB/keytab for kx509: %s",
+ msg);
+ krb5_free_error_message(r->context, msg);
+ goto out;
+ }
+
+ ret = krb5_rd_req(r->context,
+ &r->ac,
+ &r->req.authenticator,
+ NULL,
+ id,
+ &ap_req_options,
+ &ticket);
+ if (ret == 0)
+ ret = krb5_auth_con_getkey(r->context, r->ac, &r->key);
+ if (ret == 0 && r->key == NULL)
+ ret = KRB5KDC_ERR_NULL_KEY;
+ /*
+ * Provided we got the session key, errors past this point will be
+ * authenticated.
+ */
+ if (ret == 0)
+ ret = krb5_ticket_get_client(r->context, ticket, &cprincipal);
+
+ /* Optional: check if Ticket is INITIAL */
+ if (ret == 0 &&
+ !ticket->ticket.flags.initial &&
+ !get_bool_param(r->context, TRUE,
+ krb5_principal_get_realm(r->context, cprincipal),
+ "require_initial_kca_tickets")) {
+ ret = mk_error_response(r->context, r, 4, KRB5KDC_ERR_POLICY,
+ "Client used non-INITIAL tickets, but kx509 "
+ "service is configured to require INITIAL "
+ "tickets");
+ goto out;
+ }
+
+ if (ret == 0)
+ ret = krb5_unparse_name(r->context, cprincipal, &r->cname);
+
+ /* Check that the service name is a valid kx509 service name */
+ if (ret == 0)
+ ret = krb5_ticket_get_server(r->context, ticket, &sprincipal);
+ if (ret == 0)
+ r->realm = krb5_principal_get_realm(r->context, sprincipal);
+ if (ret == 0)
+ ret = krb5_unparse_name(r->context, sprincipal, &r->sname);
+ if (ret == 0)
+ ret = kdc_kx509_verify_service_principal(r->context, r, sprincipal);
+ if (ret) {
+ ret = mk_error_response(r->context, r, 4, ret,
+ "kx509 client used incorrect service name");
+ goto out;
+ }
+
+ /* Authenticate the rest of the request */
+ ret = verify_req_hash(r->context, &r->req, r->key);
+ if (ret) {
+ ret = mk_error_response(r->context, r, 4, ret,
+ "Incorrect request HMAC on kx509 request");
+ goto out;
+ }
+
+ if (r->req.pk_key.length == 0) {
+ /*
+ * The request is an authenticated kx509 service availability probe.
+ *
+ * mk_error_response() will check whether the service is enabled and
+ * possibly change the error code and message.
+ */
+ is_probe = 1;
+ kdc_audit_addkv((kdc_request_t)r, 0, "probe", "authenticated");
+ ret = mk_error_response(r->context, r, 4, 0,
+ "kx509 authenticated probe request");
+ goto out;
+ }
+
+ /* Extract and parse CSR or a DER-encoded RSA public key */
+ ret = get_csr(r->context, r);
+ if (ret) {
+ const char *msg = krb5_get_error_message(r->context, ret);
+ ret = mk_error_response(r->context, r, 3, ret,
+ "Failed to parse CSR: %s", msg);
+ krb5_free_error_message(r->context, msg);
+ goto out;
+ }
+
+ /* Authorize the request */
+ ret = check_authz(r->context, r, cprincipal);
+ if (ret) {
+ const char *msg = krb5_get_error_message(r->context, ret);
+ ret = mk_error_response(r->context, r, 3, ret,
+ "Rejected by policy: %s", msg);
+ krb5_free_error_message(r->context, msg);
+ goto out;
+ }
+
+ /* Issue the certificate */
+ ALLOC(rep.hash);
+ ALLOC(rep.certificate);
+ if (rep.certificate == NULL || rep.hash == NULL) {
+ ret = mk_error_response(r->context, r, 0, ENOMEM,
+ "Could allocate memory for response");
+ goto out;
+ }
+
+ krb5_data_zero(rep.hash);
+ krb5_data_zero(rep.certificate);
+ krb5_ticket_get_times(r->context, ticket, &r->ticket_times);
+ ret = kdc_issue_certificate(r->context, r->config->app, r->logf, r->csr,
+ cprincipal, &r->ticket_times, 0 /*req_life*/,
+ r->send_chain, &certs);
+ if (ret) {
+ int level = 1;
+ const char *msg = krb5_get_error_message(r->context, ret);
+
+ if (ret == KRB5KDC_ERR_POLICY)
+ level = 4; /* _kdc_audit_trail() logs at level 3 */
+ ret = mk_error_response(r->context, r, level, ret,
+ "Certificate isuance failed: %s", msg);
+ krb5_free_error_message(r->context, msg);
+ goto out;
+ }
+
+ ret = encode_cert_and_chain(r->context->hx509ctx, certs, rep.certificate);
+ if (ret) {
+ const char *msg = krb5_get_error_message(r->context, ret);
+ ret = mk_error_response(r->context, r, 1, ret,
+ "Could not encode certificate and chain: %s",
+ msg);
+ krb5_free_error_message(r->context, msg);
+ goto out;
+ }
+
+ /* Authenticate the response */
+ ret = calculate_reply_hash(r->context, r->key, &rep);
+ if (ret) {
+ ret = mk_error_response(r->context, r, 1, ret,
+ "Failed to compute response HMAC");
+ goto out;
+ }
+
+ /* Encode and output reply */
+ ret = encode_reply(r->context, r, &rep);
+ if (ret)
+ /* Can't send an error message either in this case, surely */
+ kdc_audit_addreason((kdc_request_t)r, "Could not encode response");
+
+out:
+ hx509_certs_free(&certs);
+ if (ret == 0 && !is_probe)
+ kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", TRUE);
+ else
+ kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", FALSE);
+ if (r->ac)
+ krb5_auth_con_free(r->context, r->ac);
+ if (ticket)
+ krb5_free_ticket(r->context, ticket);
+ if (id)
+ krb5_kt_close(r->context, id);
+ if (sprincipal)
+ krb5_free_principal(r->context, sprincipal);
+ if (cprincipal)
+ krb5_free_principal(r->context, cprincipal);
+ if (r->key)
+ krb5_free_keyblock (r->context, r->key);
+ hx509_request_free(&r->csr);
+ free_Kx509CSRPlus(&r->csr_plus);
+ free_Kx509Response(&rep);
+ free_Kx509Request(&r->req);
+
+ return ret;
+}
+
+#endif /* KX509 */