libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
authorAndrew Bartlett <abartlet@samba.org>
Mon, 26 Feb 2024 22:09:38 +0000 (11:09 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 28 Feb 2024 03:44:37 +0000 (03:44 +0000)
This allows an ACL-level check (rather than only an all-or-nothing KDC configuration)
that PKINIT freshness was used during the AS-REQ.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
libcli/security/dom_sid.h
libcli/security/util_sid.c
librpc/idl/security.idl

index 343001e87eec11ab6f277a1462e1c66322f06efc..5e1c5d909585aa2ed814d86dc1c5fe126e19ae5d 100644 (file)
@@ -43,6 +43,7 @@ extern const struct dom_sid global_sid_Network;
 extern const struct dom_sid global_sid_Asserted_Identity;
 extern const struct dom_sid global_sid_Asserted_Identity_Service;
 extern const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority;
+extern const struct dom_sid global_sid_Fresh_Public_Key_Identity;
 extern const struct dom_sid global_sid_Creator_Owner;
 extern const struct dom_sid global_sid_Creator_Group;
 extern const struct dom_sid global_sid_Owner_Rights;
index 54a2fc35fda7493e0383b7adc3eabb208107c360..0942b2fe259d5ea6c4e6683649774e01f9023302 100644 (file)
@@ -83,6 +83,10 @@ const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority = /*
 const struct dom_sid global_sid_Asserted_Identity_Service =    /* Asserted Identity Service */
 { 1, 1, {0,0,0,0,0,18}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
 
+/* S-1-18-3 */
+const struct dom_sid global_sid_Fresh_Public_Key_Identity =    /* Fresh Public Key Identity */
+{ 1, 1, {0,0,0,0,0,18}, {3,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
 /* S-1-5-2 */
 const struct dom_sid global_sid_Network =                      /* Network rids */
 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
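Review bot: The new `global_sid_Fresh_Public_Key_Identity` definition encodes the same identity as the string constant `SID_FRESH_PUBLIC_KEY_IDENTITY = "S-1-18-3"` added to librpc/idl/security.idl in this commit, but nothing at either site ties the two together, so a later edit to one can silently diverge from the other. The bytes here do match the `/* S-1-18-3 */` comment (revision 1, one sub-authority, identifier authority 18, sub-authority 3). I would make the coupling explicit in the comment: `/* S-1-18-3 — must match SID_FRESH_PUBLIC_KEY_IDENTITY in librpc/idl/security.idl */`. A small test that parses the IDL string with dom_sid_parse and compares it to this struct with dom_sid_equal would pin the pair, assuming those helpers are what the surrounding SID code already uses.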
index 8783b67815764ac473573c8ea6f63d9b439c2a31..d5e65032652d61623eaee008ac24b5660a71d53d 100644 (file)
@@ -324,6 +324,14 @@ interface security
         */
        const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
 
+       /*
+        * This is added during the AS-REQ/AS-REP exchange after the
+        * PKINIT Freshness extension is used (shows current
+        * possession, rather than just a saved signature, of the
+        * client pulic key).
+        */
+       const string SID_FRESH_PUBLIC_KEY_IDENTITY = "S-1-18-3";
+
        const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
        const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
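Review bot: The new comment above `SID_FRESH_PUBLIC_KEY_IDENTITY` misspells "public" in the line `* client pulic key).`; it should read `* client public key).`. Since the commit message presents this SID as the basis for an ACL-level freshness check, it would also help a reader to state in the same comment where the meaning comes from, e.g. `* Well-known SID "Fresh Public Key Identity" (S-1-18-3); present only when the KDC verified the PKINIT freshness token.` — hedged, as the KDC-side code that adds the SID is not part of this commit.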