| blob | 6efd94e3a12dddefd1f0fba1b27831e872a90311 |
1 /*
2 * Copyright (c) 2006 - 2019 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
35 #include <hex.h>
36 #include <rfc2459_asn1.h>
37 #include <hx509.h>
38 #include <hx509_err.h>
39 #include <kx509_err.h>
41 #include <stdarg.h>
43 /*
44 * This file implements the kx509 service.
45 *
46 * The protocol, its shortcomings, and its future are described in
47 * lib/krb5/hx509.c. See also lib/asn1/kx509.asn1.
48 *
49 * The service handles requests, decides whether to issue a certificate, and
50 * does so by populating a "template" to generate a TBSCertificate and signing
51 * it with a configured CA issuer certificate and private key. See ca.c for
52 * details.
53 *
54 * A "template" is a Certificate that has ${variable} references in its
55 * subjectName, and may have EKUs.
56 *
57 * Some SANs may be included in issued certificates. See below.
58 *
59 * Besides future protocol improvements described in lib/krb5/hx509.c, here is
60 * a list of KDC functionality we'd like to add:
61 *
62 * - support templates as strings (rather than filenames) in configuration?
63 * - lookup an hx509 template for the client principal in its HDB entry?
64 * - lookup subjectName, SANs for a principal in its HDB entry
65 * - lookup a host-based client principal's HDB entry and add its canonical
66 * name / aliases as dNSName SANs
67 * (this would have to be if requested by the client, perhaps; see
68 * commentary about the protocol in lib/krb5/kx509.c)
69 * - add code to build a template on the fly
70 *
71 * (just SANs, with empty subjectName?
72 * or
73 * CN=component0,CN=component1,..,CN=componentN,DC=<from-REALM>
74 * and set KU and EKUs)
75 *
76 * Processing begins in _kdc_do_kx509().
77 *
78 * The sequence of events in _kdc_do_kx509() is:
79 *
80 * - parse outer request
81 * - authenticate request
82 * - extract CSR and AP-REQ Authenticator authz-data elements
83 * - characterize request as one of
84 * - default client cert req (no cert exts requested, client user princ)
85 * - default server cert req (no cert exts requested, client service princ)
86 * - client cert req (cert exts requested denoting client use)
87 * - server cert req (cert exts requested denoting server use)
88 * - mixed cert req (cert exts requested denoting client and server use)
89 * - authorize request based only on the request's details
90 * - there is a default authorizer, and a plugin authorizer
91 * - get configuration sub-tree corresponding to the request as characterized
92 * - missing configuration sub-tree -> reject (we have multiple ways to
93 * express "no")
94 * - get common config params from that sub-tree
95 * - set TBS template and details from CSR and such
96 * - issue certificate by signing TBS
97 */
99 #ifdef KX509
103 /*
104 * Taste the request to see if it's a kx509 request.
105 */
106 krb5_error_code
108 {
123 }
125 static krb5_boolean
127 krb5_boolean def,
130 {
131 krb5_boolean global_default;
139 }
141 /*
142 * Verify the HMAC in the request.
143 */
144 static krb5_error_code
148 {
150 HMAC_CTX ctx;
157 }
164 }
170 else
179 }
181 }
183 /*
184 * Set the HMAC in the response.
185 */
186 static krb5_error_code
190 {
192 HMAC_CTX ctx;
205 }
208 {
213 /*
214 * RFC6717 says this about how the error-code is included in the HMAC:
215 *
216 * o DER representation of the error-code exclusive of the tag and
217 * length, if it is present.
218 *
219 * So we use der_put_integer(), which encodes from the right.
220 *
221 * RFC6717 does not constrain the error-code's range. We assume it to
222 * be a 32-bit, signed integer, for which we'll need no more than 5
223 * bytes.
224 */
229 }
239 }
241 static void
243 {
246 }
248 /* Check that a krbtgt's second component is a local realm */
249 static krb5_error_code
251 kx509_req_context reqctx,
253 {
254 krb5_error_code ret;
255 krb5_principal tgs;
260 NULL);
272 }
274 /*
275 * Since we're using the HDB as a keytab we have to check that the client used
276 * an acceptable name for the kx509 service.
277 *
278 * We accept two names: kca_service/hostname and krbtgt/REALM.
279 *
280 * We allow cross-realm requests.
281 *
282 * Maybe x-realm support should be configurable. Requiring INITIAL tickets
283 * does NOT preclude x-realm support! (Cross-realm TGTs can be INITIAL.)
284 *
285 * Support for specific client realms is configurable by configuring issuer
286 * credentials and TBS templates on a per-realm basis and configuring no
287 * default. But maybe we should have an explicit configuration parameter
288 * to enable support for clients from different realms than the service.
289 */
290 static krb5_error_code
292 kx509_req_context reqctx,
293 krb5_principal sprincipal)
294 {
303 /* Check if sprincipal is a krbtgt/REALM name */
311 }
313 /* Must be hostbased kca_service name then */
321 }
332 err:
341 out:
346 }
348 static krb5_error_code
350 kx509_req_context reqctx,
352 {
353 krb5_error_code ret;
354 krb5_data data;
370 }
373 }
375 /* Make an error response, and log the error message as well */
376 static krb5_error_code
378 kx509_req_context reqctx,
382 ...)
383 {
385 krb5_error_code ret2;
386 Kx509Response rep;
393 /* Log errors where _kdc_audit_trail() is not enough */
400 }
405 }
410 /* Make sure we only send RFC4120 and friends wire protocol error codes */
421 }
422 }
427 else
435 }
448 }
449 }
460 }
462 /* Wrap a bare public (RSA) key with a CSR (not signed it, since we can't) */
463 static krb5_error_code
465 {
466 krb5_error_code ret;
467 SubjectPublicKeyInfo spki;
468 heim_any any;
492 /*
493 * TODO: Move a lot of the templating stuff here so we can let clients
494 * leave out extensions they don't want.
495 */
497 }
499 /* Update a CSR with desired Certificate Extensions */
500 static krb5_error_code
502 {
513 KeyUsage ku;
516 NULL);
522 ExtKeyUsage eku;
529 }
533 GeneralNames san;
540 }
542 }
543 }
550 emsg);
552 }
554 }
557 /*
558 * Parse the `pk_key' from the request as a CSR or raw public key, and if the
559 * latter, wrap it in a non-signed CSR.
560 */
561 static krb5_error_code
563 {
564 krb5_error_code ret;
565 RSAPublicKey rsapkey;
575 /* Parse CSR */
578 /*
579 * Handle any additional Certificate Extensions requested out of band
580 * of the CSR.
581 */
586 }
590 /* Check if proof of possession is required by configuration */
595 "CSRs required but kx509 client did not send "
598 }
600 /* Attempt to decode pk_key as RSAPublicKey */
608 /* Not an RSAPublicKey or garbage follows it */
615 }
622 }
624 /*
625 * Host-based principal _clients_ might ask for a cert for their host -- but
626 * which services are permitted to do that? This function answers that
627 * question.
628 */
629 static int
631 {
642 }
643 }
646 }
648 static krb5_error_code
650 kx509_req_context reqctx,
651 krb5_principal cprincipal)
652 {
653 krb5_error_code ret;
657 hx509_san_type san_type;
664 &asn1_oid_id_pkinit_ms_eku
665 };
669 /*
670 * In the no-CSR case we'll derive cert contents from client name and its
671 * HDB entry -- authorization is implied.
672 */
676 cprincipal);
684 /* This should be an hx509 function... */
694 }
696 san_type_s);
698 }
705 }
710 }
712 /* Default authz */
728 "Requested extensions rejected by "
729 "default policy (dNSName SAN "
732 }
737 "Requested extensions rejected by "
738 "default policy (PKINIT SAN "
741 }
745 "Requested extensions rejected by "
746 "default policy (non-default SAN "
749 }
750 }
758 heim_oid oid;
768 }
772 }
778 }
779 }
798 eacces:
802 out:
803 /* XXX Display error code */
806 out2:
810 }
812 static int
814 {
815 heim_octet_string os;
817 Certificate c2;
830 }
832 static krb5_error_code
834 hx509_certs certs,
836 {
837 krb5_error_code ret;
838 Certificates cs;
850 }
852 /*
853 * Process a request, produce a reply.
854 */
856 krb5_error_code
858 {
861 krb5_flags ap_req_options;
865 Kx509Response rep;
878 /*
879 * In order to support authenticated error messages we defer checking
880 * whether the kx509 service is enabled until after accepting the AP-REQ.
881 */
887 /*
888 * Unauthenticated kx509 service availability probe.
889 *
890 * mk_error_response() will check whether the service is enabled and
891 * possibly change the error code and message.
892 */
898 }
900 /* Authenticate the request (consume the AP-REQ) */
905 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
907 msg);
910 }
915 NULL,
916 id,
923 /*
924 * Provided we got the session key, errors past this point will be
925 * authenticated.
926 */
930 /* Optional: check if Ticket is INITIAL */
937 "Client used non-INITIAL tickets, but kx509 "
938 "service is configured to require INITIAL "
941 }
946 /* Check that the service name is a valid kx509 service name */
959 }
961 /* Authenticate the rest of the request */
967 }
970 /*
971 * The request is an authenticated kx509 service availability probe.
972 *
973 * mk_error_response() will check whether the service is enabled and
974 * possibly change the error code and message.
975 */
981 }
983 /* Extract and parse CSR or a DER-encoded RSA public key */
991 }
993 /* Authorize the request */
1001 }
1003 /* Issue the certificate */
1010 }
1028 }
1035 msg);
1038 }
1040 /* Authenticate the response */
1046 }
1048 /* Encode and output reply */
1051 /* Can't send an error message either in this case, surely */
1054 out:
1058 else
1078 }