git.samba.org / asn / mit-krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7027788) | patch
Add certauth pluggable interface
authorMatt Rogers <mrogers@redhat.com>
Tue, 28 Feb 2017 20:55:24 +0000 (15:55 -0500)
committerGreg Hudson <ghudson@mit.edu>
Thu, 23 Mar 2017 17:11:09 +0000 (13:11 -0400)
commitb619ce84470519bea65470be3263cd85fba94f57
tree697178fa4f7eb7c1b2e1ccb6de6503fb7cf7ad13tree
parent7027788ae6adbd06d5a16de6ee62e489a4dca68bcommit | diff
Add certauth pluggable interface

Add the header include/krb5/certauth_plugin.h, defining a pluggable
interface to control authorization of PKINIT client certificates.

Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and
related PKINIT crypto X.509 helper functions.  Add authorize_cert() as
the entry function for certauth plugin module checks called in
pkinit_server_verify_padata().  Modify kdcpreauth_moddata to hold the
list of certauth module handles, and load the modules when the PKINIT
kdcpreauth server plugin is initialized.  Change
crypto_retrieve_X509_sans() to return ENOENT when no SAN is found.

Add test modules in plugins/certauth/test.  Create t_certauth.py with
basic certauth tests.  Add plugin interface documentation in
doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.

[ghudson@mit.edu: simplified code, edited docs]

ticket: 8561 (new)
19 files changed:
doc/admin/conf_files/krb5_conf.rst diff | blob | history
doc/plugindev/certauth.rst [new file with mode: 0644] blob
doc/plugindev/index.rst diff | blob | history
src/Makefile.in diff | blob | history
src/configure.in diff | blob | history
src/include/Makefile.in diff | blob | history
src/include/k5-int.h diff | blob | history
src/include/krb5/certauth_plugin.h [new file with mode: 0644] blob
src/lib/krb5/krb/plugin.c diff | blob | history
src/plugins/certauth/test/Makefile.in [new file with mode: 0644] blob
src/plugins/certauth/test/certauth_test.exports [new file with mode: 0644] blob
src/plugins/certauth/test/deps [new file with mode: 0644] blob
src/plugins/certauth/test/main.c [new file with mode: 0644] blob
src/plugins/preauth/pkinit/pkinit_crypto.h diff | blob | history
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff | blob | history
src/plugins/preauth/pkinit/pkinit_srv.c diff | blob | history
src/plugins/preauth/pkinit/pkinit_trace.h diff | blob | history
src/tests/Makefile.in diff | blob | history
src/tests/t_certauth.py [new file with mode: 0644] blob
guru meditation