[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] Enforce EKU requirements for client tokens during PKINIT

Attached is a patch against the 1.0.1 tree.  Sorry about that, but it  
took several weeks to figure out my company's policy re: open source  
contributions.  In short, I'm free to contribute so long as I'm not  
writing a substantial portion of the total package.  I don't think  
that will be a problem.  :)

This patch adds a capability to filter certificates on a token based  
on EKU.

Windows PKINIT *requires* id-pkinit-ms-eku to be asserted in the  
client's cert.  This is documented in the manual (section 4.26.2,  
"The client certificates need to have the extended keyusage  
“Microsoft Smartcardlogin” (openssl have the oid shortname  
msSmartcardLogin).") but wasn't enforced in the library.  This shows  
up when using tokens like the DoD Common Access Card, which have *2*  
certs with digitalSignature asserted--one with msSmartcardLogin and  
one without.  The library was consistently selecting the first  
certificate on the token, which 99% of the time is the one without  
msSmartcardLogin, resulting in failed logons.

Also, the requirement for the IETF EKU, id-pkekuoid, was not  
enforced.  This patch enforces it, but I've not been able to test it.

I didn't add any config options, choosing instead to leverage  
pkinit_require_eku and pkinit_win2k.

I'm most uncomfortable with altering the interface for  
_krb_pk_create_sign() (see below) but I couldn't find a way around  
it.  Since it's and internal function and only invoked from one  
place, I think it's OK.

Without this patch (or something like it), using the DoD CAC or  
upcoming PIV will be impossible.  I'll note that MIT Kerb 1.6.3 has  
similar (but more flexible) capabilities via pkinit_cert_match <EKU>.

Summary of changes:

- Defined a new match type, HX509_QUERY_MATCH_EKU
- Added eku field to the hx509_query_data struct.
- Added new public function, hx509_query_match_on_eku(hx509_query *,  
const heim_oid *) which sets the query flag and loads the requested  
EKU into the query.
- Added EKU query support to _hx509_query_match_cert()
- Added args to _krb5_pk_create_sign() to pass the wink2_compat and  
require_eku flags since the context isn't available.
- Changed invocation of _krb5_pk_create_sign() in pk_mk_padata() to  
pass the win2k_compat and require_eku flags.
- Changed _krb5_pk_create_sign() to call hx509_query_match_eku() if  
win2k_compat or require_eku are set.  If win2k_compat is set or both  
are set, msSmartcardLogin is used for the query.  If win2k_compat is  
not set but require_eku is set, id-pkekuoid is used instead.

I suspect this patch will apply to the new tree as well.

-- Tim