Blame SOURCES/Add-certauth-pluggable-interface.patch

e58a44
From 5a0b9b43a070c273ae4ee39ee460fa759ff9d934 Mon Sep 17 00:00:00 2001
fab64b
From: Matt Rogers <mrogers@redhat.com>
fab64b
Date: Tue, 28 Feb 2017 15:55:24 -0500
fab64b
Subject: [PATCH] Add certauth pluggable interface
fab64b
fab64b
Add the header include/krb5/certauth_plugin.h, defining a pluggable
fab64b
interface to control authorization of PKINIT client certificates.
fab64b
fab64b
Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and
fab64b
related PKINIT crypto X.509 helper functions.  Add authorize_cert() as
fab64b
the entry function for certauth plugin module checks called in
fab64b
pkinit_server_verify_padata().  Modify kdcpreauth_moddata to hold the
fab64b
list of certauth module handles, and load the modules when the PKINIT
fab64b
kdcpreauth server plugin is initialized.  Change
fab64b
crypto_retrieve_X509_sans() to return ENOENT when no SAN is found.
fab64b
fab64b
Add test modules in plugins/certauth/test.  Create t_certauth.py with
fab64b
basic certauth tests.  Add plugin interface documentation in
fab64b
doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.
fab64b
fab64b
[ghudson@mit.edu: simplified code, edited docs]
fab64b
fab64b
ticket: 8561 (new)
fab64b
(cherry picked from commit b619ce84470519bea65470be3263cd85fba94f57)
e58a44
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
fab64b
---
fab64b
 doc/admin/conf_files/krb5_conf.rst                 |  21 ++
fab64b
 doc/plugindev/certauth.rst                         |  27 ++
fab64b
 doc/plugindev/index.rst                            |   1 +
fab64b
 src/Makefile.in                                    |   1 +
fab64b
 src/configure.in                                   |   1 +
fab64b
 src/include/Makefile.in                            |   1 +
fab64b
 src/include/k5-int.h                               |   3 +-
fab64b
 src/include/krb5/certauth_plugin.h                 | 103 +++++++
fab64b
 src/lib/krb5/krb/plugin.c                          |   3 +-
fab64b
 src/plugins/certauth/test/Makefile.in              |  20 ++
fab64b
 src/plugins/certauth/test/certauth_test.exports    |   2 +
fab64b
 src/plugins/certauth/test/deps                     |  14 +
fab64b
 src/plugins/certauth/test/main.c                   | 209 +++++++++++++
fab64b
 src/plugins/preauth/pkinit/pkinit_crypto.h         |   4 +
fab64b
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |  30 ++
fab64b
 src/plugins/preauth/pkinit/pkinit_srv.c            | 335 ++++++++++++++++++---
fab64b
 src/plugins/preauth/pkinit/pkinit_trace.h          |   5 +
fab64b
 src/tests/Makefile.in                              |   1 +
fab64b
 src/tests/t_certauth.py                            |  47 +++
fab64b
 19 files changed, 786 insertions(+), 42 deletions(-)
fab64b
 create mode 100644 doc/plugindev/certauth.rst
fab64b
 create mode 100644 src/include/krb5/certauth_plugin.h
fab64b
 create mode 100644 src/plugins/certauth/test/Makefile.in
fab64b
 create mode 100644 src/plugins/certauth/test/certauth_test.exports
fab64b
 create mode 100644 src/plugins/certauth/test/deps
fab64b
 create mode 100644 src/plugins/certauth/test/main.c
fab64b
 create mode 100644 src/tests/t_certauth.py
fab64b
fab64b
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
fab64b
index 653aad613..c0e4349c0 100644
fab64b
--- a/doc/admin/conf_files/krb5_conf.rst
fab64b
+++ b/doc/admin/conf_files/krb5_conf.rst
fab64b
@@ -858,6 +858,27 @@ built-in modules exist for this interface:
fab64b
     This module authorizes a principal to a local account if the
fab64b
     principal name maps to the local account name.
fab64b
 
fab64b
+.. _certauth:
fab64b
+
fab64b
+certauth interface
fab64b
+##################
fab64b
+
fab64b
+The certauth section (introduced in release 1.16) controls modules for
fab64b
+the certificate authorization interface, which determines whether a
fab64b
+certificate is allowed to preauthenticate a user via PKINIT.  The
fab64b
+following built-in modules exist for this interface:
fab64b
+
fab64b
+**pkinit_san**
fab64b
+    This module authorizes the certificate if it contains a PKINIT
fab64b
+    Subject Alternative Name for the requested client principal, or a
fab64b
+    Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
fab64b
+    is set to true for the realm.
fab64b
+
fab64b
+**pkinit_eku**
fab64b
+    This module rejects the certificate if it does not contain an
fab64b
+    Extended Key Usage attribute consistent with the
fab64b
+    **pkinit_eku_checking** value for the realm.
fab64b
+
fab64b
 
fab64b
 PKINIT options
fab64b
 --------------
fab64b
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst
fab64b
new file mode 100644
fab64b
index 000000000..8a7f7c5eb
fab64b
--- /dev/null
fab64b
+++ b/doc/plugindev/certauth.rst
fab64b
@@ -0,0 +1,27 @@
fab64b
+.. _certauth_plugin:
fab64b
+
fab64b
+PKINIT certificate authorization interface (certauth)
fab64b
+=====================================================
fab64b
+
fab64b
+The certauth interface was first introduced in release 1.16.  It
fab64b
+allows customization of the X.509 certificate attribute requirements
fab64b
+placed on certificates used by PKINIT enabled clients.  For a detailed
fab64b
+description of the certauth interface, see the header file
fab64b
+``<krb5/certauth_plugin.h>``
fab64b
+
fab64b
+A certauth module implements the **authorize** method to determine
fab64b
+whether a client's certificate is authorized to authenticate a client
fab64b
+principal.  **authorize** receives the DER-encoded certificate, the
fab64b
+requested client principal, and a pointer to the client's
fab64b
+krb5_db_entry (for modules that link against libkdb5).  It returns the
fab64b
+authorization status and optionally outputs a list of authentication
fab64b
+indicator strings to be added to the ticket.  A module must use its
fab64b
+own internal or library-provided ASN.1 certificate decoder.
fab64b
+
fab64b
+A module can optionally create and destroy module data with the
fab64b
+**init** and **fini** methods.  Module data objects last for the
fab64b
+lifetime of the KDC process.
fab64b
+
fab64b
+If a module allocates and returns a list of authentication indicators
fab64b
+from **authorize**, it must also implement the **free_ind** method
fab64b
+to free the list.
fab64b
diff --git a/doc/plugindev/index.rst b/doc/plugindev/index.rst
fab64b
index 3fb921778..67dbc2790 100644
fab64b
--- a/doc/plugindev/index.rst
fab64b
+++ b/doc/plugindev/index.rst
fab64b
@@ -31,5 +31,6 @@ Contents
fab64b
    profile.rst
fab64b
    gssapi.rst
fab64b
    internal.rst
fab64b
+   certauth.rst
fab64b
 
fab64b
 .. TODO: GSSAPI mechanism plugins
fab64b
diff --git a/src/Makefile.in b/src/Makefile.in
fab64b
index 2ebf2fb4d..b0249778c 100644
fab64b
--- a/src/Makefile.in
fab64b
+++ b/src/Makefile.in
fab64b
@@ -17,6 +17,7 @@ SUBDIRS=util include lib \
fab64b
 	plugins/pwqual/test \
fab64b
 	plugins/authdata/greet_server \
fab64b
 	plugins/authdata/greet_client \
fab64b
+	plugins/certauth/test \
fab64b
 	plugins/kdb/db2 \
fab64b
 	@ldap_plugin_dir@ \
fab64b
 	plugins/kdb/test \
fab64b
diff --git a/src/configure.in b/src/configure.in
fab64b
index acf3a458b..24f653f0d 100644
fab64b
--- a/src/configure.in
fab64b
+++ b/src/configure.in
fab64b
@@ -1451,6 +1451,7 @@ dnl	ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
fab64b
 
fab64b
 	kdc slave config-files build-tools man doc include
fab64b
 
fab64b
+	plugins/certauth/test
fab64b
 	plugins/hostrealm/test
fab64b
 	plugins/localauth/test
fab64b
 	plugins/kadm5_hook/test
fab64b
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
fab64b
index f5b921833..0239338a1 100644
fab64b
--- a/src/include/Makefile.in
fab64b
+++ b/src/include/Makefile.in
fab64b
@@ -140,6 +140,7 @@ install-headers-unix install: krb5/krb5.h profile.h
fab64b
 	$(INSTALL_DATA) $(srcdir)/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h
fab64b
 	$(INSTALL_DATA) $(srcdir)/kdb.h $(DESTDIR)$(KRB5_INCDIR)$(S)kdb.h
fab64b
 	$(INSTALL_DATA) krb5/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)krb5.h
fab64b
+	$(INSTALL_DATA) $(srcdir)/krb5/certauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)certauth_plugin.h
fab64b
 	$(INSTALL_DATA) $(srcdir)/krb5/ccselect_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)ccselect_plugin.h
fab64b
 	$(INSTALL_DATA) $(srcdir)/krb5/clpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)clpreauth_plugin.h
fab64b
 	$(INSTALL_DATA) $(srcdir)/krb5/hostrealm_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)hostrealm_plugin.h
fab64b
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
fab64b
index 173cb0264..cea644d0a 100644
fab64b
--- a/src/include/k5-int.h
fab64b
+++ b/src/include/k5-int.h
fab64b
@@ -1156,7 +1156,8 @@ struct plugin_interface {
fab64b
 #define PLUGIN_INTERFACE_AUDIT       7
fab64b
 #define PLUGIN_INTERFACE_TLS         8
fab64b
 #define PLUGIN_INTERFACE_KDCAUTHDATA 9
fab64b
-#define PLUGIN_NUM_INTERFACES        10
fab64b
+#define PLUGIN_INTERFACE_CERTAUTH    10
fab64b
+#define PLUGIN_NUM_INTERFACES        11
fab64b
 
fab64b
 /* Retrieve the plugin module of type interface_id and name modname,
fab64b
  * storing the result into module. */
fab64b
diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h
fab64b
new file mode 100644
fab64b
index 000000000..f22fc1e84
fab64b
--- /dev/null
fab64b
+++ b/src/include/krb5/certauth_plugin.h
fab64b
@@ -0,0 +1,103 @@
fab64b
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
fab64b
+/* include/krb5/certauth_plugin.h - certauth plugin header. */
fab64b
+/*
fab64b
+ * Copyright (C) 2017 by Red Hat, Inc.
fab64b
+ * All rights reserved.
fab64b
+ *
fab64b
+ * Redistribution and use in source and binary forms, with or without
fab64b
+ * modification, are permitted provided that the following conditions
fab64b
+ * are met:
fab64b
+ *
fab64b
+ * * Redistributions of source code must retain the above copyright
fab64b
+ *   notice, this list of conditions and the following disclaimer.
fab64b
+ *
fab64b
+ * * Redistributions in binary form must reproduce the above copyright
fab64b
+ *   notice, this list of conditions and the following disclaimer in
fab64b
+ *   the documentation and/or other materials provided with the
fab64b
+ *   distribution.
fab64b
+ *
fab64b
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
fab64b
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
fab64b
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
fab64b
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
fab64b
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
fab64b
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
fab64b
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
fab64b
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
fab64b
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
fab64b
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
fab64b
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
fab64b
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
fab64b
+ */
fab64b
+
fab64b
+/*
fab64b
+ * Certificate authorization plugin interface.  The PKINIT server module uses
fab64b
+ * this interface to check client certificate attributes after the certificate
fab64b
+ * signature has been verified.
fab64b
+ */
fab64b
+#ifndef KRB5_CERTAUTH_PLUGIN_H
fab64b
+#define KRB5_CERTAUTH_PLUGIN_H
fab64b
+
fab64b
+#include <krb5/krb5.h>
fab64b
+#include <krb5/plugin.h>
fab64b
+
fab64b
+/* Abstract module data type. */
fab64b
+typedef struct krb5_certauth_moddata_st *krb5_certauth_moddata;
fab64b
+
fab64b
+typedef struct _krb5_db_entry_new krb5_db_entry;
fab64b
+
fab64b
+/*
fab64b
+ * Optional: Initialize module data.
fab64b
+ */
fab64b
+typedef krb5_error_code
fab64b
+(*krb5_certauth_init_fn)(krb5_context context,
fab64b
+                         krb5_certauth_moddata *moddata_out);
fab64b
+
fab64b
+/*
fab64b
+ * Optional: Clean up the module data.
fab64b
+ */
fab64b
+typedef void
fab64b
+(*krb5_certauth_fini_fn)(krb5_context context, krb5_certauth_moddata moddata);
fab64b
+
fab64b
+/*
fab64b
+ * Mandatory:
fab64b
+ * Return 0 if the DER-encoded cert is authorized for PKINIT authentication by
fab64b
+ * princ; otherwise return one of the following error codes:
fab64b
+ * - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value
fab64b
+ * - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU
fab64b
+ * - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error
fab64b
+ * - KRB5_PLUGIN_NO_HANDLE - the module has no opinion about cert
fab64b
+ *
fab64b
+ * - opts is used by built-in modules to receive internal data, and must be
fab64b
+ *   ignored by other modules.
fab64b
+ * - db_entry receives the client principal database entry, and can be ignored
fab64b
+ *   by modules that do not link with libkdb5.
fab64b
+ * - *authinds_out optionally returns a null-terminated list of authentication
fab64b
+ *   indicator strings upon KRB5_PLUGIN_NO_HANDLE or accepted authorization.
fab64b
+ */
fab64b
+typedef krb5_error_code
fab64b
+(*krb5_certauth_authorize_fn)(krb5_context context,
fab64b
+                              krb5_certauth_moddata moddata,
fab64b
+                              const uint8_t *cert, size_t cert_len,
fab64b
+                              krb5_const_principal princ, const void *opts,
fab64b
+                              const krb5_db_entry *db_entry,
fab64b
+                              char ***authinds_out);
fab64b
+
fab64b
+/*
fab64b
+ * Free indicators allocated by a module.  Mandatory if authorize returns
fab64b
+ * authentication indicators.
fab64b
+ */
fab64b
+typedef void
fab64b
+(*krb5_certauth_free_indicator_fn)(krb5_context context,
fab64b
+                                   krb5_certauth_moddata moddata,
fab64b
+                                   char **authinds);
fab64b
+
fab64b
+typedef struct krb5_certauth_vtable_st {
fab64b
+    char *name;
fab64b
+    krb5_certauth_init_fn init;
fab64b
+    krb5_certauth_fini_fn fini;
fab64b
+    krb5_certauth_authorize_fn authorize;
fab64b
+    krb5_certauth_free_indicator_fn free_ind;
fab64b
+} *krb5_certauth_vtable;
fab64b
+
fab64b
+#endif /* KRB5_CERTAUTH_PLUGIN_H */
fab64b
diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c
fab64b
index 7d64b7c7e..17dd6bd30 100644
fab64b
--- a/src/lib/krb5/krb/plugin.c
fab64b
+++ b/src/lib/krb5/krb/plugin.c
fab64b
@@ -57,7 +57,8 @@ const char *interface_names[] = {
fab64b
     "hostrealm",
fab64b
     "audit",
fab64b
     "tls",
fab64b
-    "kdcauthdata"
fab64b
+    "kdcauthdata",
fab64b
+    "certauth"
fab64b
 };
fab64b
 
fab64b
 /* Return the context's interface structure for id, or NULL if invalid. */
fab64b
diff --git a/src/plugins/certauth/test/Makefile.in b/src/plugins/certauth/test/Makefile.in
fab64b
new file mode 100644
fab64b
index 000000000..d3524084c
fab64b
--- /dev/null
fab64b
+++ b/src/plugins/certauth/test/Makefile.in
fab64b
@@ -0,0 +1,20 @@
fab64b
+mydir=plugins$(S)certauth$(S)test
fab64b
+BUILDTOP=$(REL)..$(S)..$(S)..
fab64b
+
fab64b
+LIBBASE=certauth_test
fab64b
+LIBMAJOR=0
fab64b
+LIBMINOR=0
fab64b
+RELDIR=../plugins/certauth/test
fab64b
+SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS)
fab64b
+SHLIB_EXPLIBS=$(KRB5_BASE_LIBS)
fab64b
+
fab64b
+STLIBOBJS=main.o
fab64b
+
fab64b
+SRCS=$(srcdir)/main.c
fab64b
+
fab64b
+all-unix: all-libs
fab64b
+install-unix:
fab64b
+clean-unix:: clean-libs clean-libobjs
fab64b
+
fab64b
+@libnover_frag@
fab64b
+@libobj_frag@
fab64b
diff --git a/src/plugins/certauth/test/certauth_test.exports b/src/plugins/certauth/test/certauth_test.exports
fab64b
new file mode 100644
fab64b
index 000000000..1c8cd24e2
fab64b
--- /dev/null
fab64b
+++ b/src/plugins/certauth/test/certauth_test.exports
fab64b
@@ -0,0 +1,2 @@
fab64b
+certauth_test1_initvt
fab64b
+certauth_test2_initvt
fab64b
diff --git a/src/plugins/certauth/test/deps b/src/plugins/certauth/test/deps
fab64b
new file mode 100644
fab64b
index 000000000..2974b3b57
fab64b
--- /dev/null
fab64b
+++ b/src/plugins/certauth/test/deps
fab64b
@@ -0,0 +1,14 @@
fab64b
+#
fab64b
+# Generated makefile dependencies follow.
fab64b
+#
fab64b
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
fab64b
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
fab64b
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
fab64b
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
fab64b
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
fab64b
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
fab64b
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
fab64b
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
fab64b
+  $(top_srcdir)/include/krb5/certauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
fab64b
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
fab64b
+  main.c
fab64b
diff --git a/src/plugins/certauth/test/main.c b/src/plugins/certauth/test/main.c
fab64b
new file mode 100644
fab64b
index 000000000..7ef7377fb
fab64b
--- /dev/null
fab64b
+++ b/src/plugins/certauth/test/main.c
fab64b
@@ -0,0 +1,209 @@
fab64b
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
fab64b
+/* plugins/certauth/main.c - certauth plugin test modules. */
fab64b
+/*
fab64b
+ * Copyright (C) 2017 by Red Hat, Inc.
fab64b
+ * All rights reserved.
fab64b
+ *
fab64b
+ * Redistribution and use in source and binary forms, with or without
fab64b
+ * modification, are permitted provided that the following conditions
fab64b
+ * are met:
fab64b
+ *
fab64b
+ * * Redistributions of source code must retain the above copyright
fab64b
+ *   notice, this list of conditions and the following disclaimer.
fab64b
+ *
fab64b
+ * * Redistributions in binary form must reproduce the above copyright
fab64b
+ *   notice, this list of conditions and the following disclaimer in
fab64b
+ *   the documentation and/or other materials provided with the
fab64b
+ *   distribution.
fab64b
+ *
fab64b
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
fab64b
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
fab64b
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
fab64b
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
fab64b
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
fab64b
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
fab64b
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
fab64b
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
fab64b
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
fab64b
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
fab64b
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
fab64b
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
fab64b
+ */
fab64b
+
fab64b
+#include <k5-int.h>
fab64b
+#include "krb5/certauth_plugin.h"
fab64b
+
fab64b
+struct krb5_certauth_moddata_st {
fab64b
+    int initialized;
fab64b
+};
fab64b
+
fab64b
+/* Test module 1 returns OK with an indicator. */
fab64b
+static krb5_error_code
fab64b
+test1_authorize(krb5_context context, krb5_certauth_moddata moddata,
fab64b
+                const uint8_t *cert, size_t cert_len,
fab64b
+                krb5_const_principal princ, const void *opts,
fab64b
+                const krb5_db_entry *db_entry, char ***authinds_out)
fab64b
+{
fab64b
+    char **ais = NULL;
fab64b
+
fab64b
+    ais = calloc(2, sizeof(*ais));
fab64b
+    assert(ais != NULL);
fab64b
+    ais[0] = strdup("test1");
fab64b
+    assert(ais[0] != NULL);
fab64b
+    *authinds_out = ais;
fab64b
+    return KRB5_PLUGIN_NO_HANDLE;
fab64b
+}
fab64b
+
fab64b
+static void
fab64b
+test_free_ind(krb5_context context, krb5_certauth_moddata moddata,
fab64b
+              char **authinds)
fab64b
+{
fab64b
+    size_t i;
fab64b
+
fab64b
+    if (authinds == NULL)
fab64b
+        return;
fab64b
+    for (i = 0; authinds[i] != NULL; i++)
fab64b
+        free(authinds[i]);
fab64b
+    free(authinds);
fab64b
+}
fab64b
+
fab64b
+/* A basic moddata test. */
fab64b
+static krb5_error_code
fab64b
+test2_init(krb5_context context, krb5_certauth_moddata *moddata_out)
fab64b
+{
fab64b
+    krb5_certauth_moddata mod;
fab64b
+
fab64b
+    mod = calloc(1, sizeof(*mod));
fab64b
+    assert(mod != NULL);
fab64b
+    mod->initialized = 1;
fab64b
+    *moddata_out = mod;
fab64b
+    return 0;
fab64b
+}
fab64b
+
fab64b
+static void
fab64b
+test2_fini(krb5_context context, krb5_certauth_moddata moddata)
fab64b
+{
fab64b
+    free(moddata);
fab64b
+}
fab64b
+
fab64b
+/* Return true if cert appears to contain the CN name, based on a search of the
fab64b
+ * DER encoding. */
fab64b
+static krb5_boolean
fab64b
+has_cn(krb5_context context, const uint8_t *cert, size_t cert_len,
fab64b
+       const char *name)
fab64b
+{
fab64b
+    krb5_boolean match = FALSE;
fab64b
+    uint8_t name_len, cntag[5] = "\x06\x03\x55\x04\x03";
fab64b
+    const uint8_t *c;
fab64b
+    struct k5buf buf;
fab64b
+    size_t c_left;
fab64b
+
fab64b
+    /* Construct a DER search string of the CN AttributeType encoding followed
fab64b
+     * by a UTF8String encoding containing name as the AttributeValue. */
fab64b
+    k5_buf_init_dynamic(&buf;;
fab64b
+    k5_buf_add_len(&buf, cntag, sizeof(cntag));
fab64b
+    k5_buf_add(&buf, "\x0C");
fab64b
+    assert(strlen(name) < 128);
fab64b
+    name_len = strlen(name);
fab64b
+    k5_buf_add_len(&buf, &name_len, 1);
fab64b
+    k5_buf_add_len(&buf, name, name_len);
fab64b
+    assert(k5_buf_status(&buf) == 0);
fab64b
+
fab64b
+    /* Check for the CN needle in the certificate haystack. */
fab64b
+    c_left = cert_len;
fab64b
+    c = memchr(cert, *cntag, c_left);
fab64b
+    while (c != NULL) {
fab64b
+        c_left = cert_len - (c - cert);
fab64b
+        if (buf.len > c_left)
fab64b
+            break;
fab64b
+        if (memcmp(c, buf.data, buf.len) == 0) {
fab64b
+            match = TRUE;
fab64b
+            break;
fab64b
+        }
fab64b
+        assert(c_left >= 1);
fab64b
+        c = memchr(c + 1, *cntag, c_left - 1);
fab64b
+    }
fab64b
+
fab64b
+    k5_buf_free(&buf;;
fab64b
+    return match;
fab64b
+}
fab64b
+
fab64b
+/*
fab64b
+ * Test module 2 returns OK if princ matches the CN part of the subject name,
fab64b
+ * and returns indicators of the module name and princ.
fab64b
+ */
fab64b
+static krb5_error_code
fab64b
+test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
fab64b
+                const uint8_t *cert, size_t cert_len,
fab64b
+                krb5_const_principal princ, const void *opts,
fab64b
+                const krb5_db_entry *db_entry, char ***authinds_out)
fab64b
+{
fab64b
+    krb5_error_code ret;
fab64b
+    char *name = NULL, **ais = NULL;
fab64b
+
fab64b
+    *authinds_out = NULL;
fab64b
+
fab64b
+    assert(moddata != NULL && moddata->initialized);
fab64b
+
fab64b
+    ret = krb5_unparse_name_flags(context, princ,
fab64b
+                                  KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
fab64b
+    if (ret)
fab64b
+        goto cleanup;
fab64b
+
fab64b
+    if (!has_cn(context, cert, cert_len, name)) {
fab64b
+        ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
fab64b
+        goto cleanup;
fab64b
+    }
fab64b
+
fab64b
+    /* Create an indicator list with the module name and CN. */
fab64b
+    ais = calloc(3, sizeof(*ais));
fab64b
+    assert(ais != NULL);
fab64b
+    ais[0] = strdup("test2");
fab64b
+    ais[1] = strdup(name);
fab64b
+    assert(ais[0] != NULL && ais[1] != NULL);
fab64b
+    *authinds_out = ais;
fab64b
+
fab64b
+    ais = NULL;
fab64b
+
fab64b
+cleanup:
fab64b
+    krb5_free_unparsed_name(context, name);
fab64b
+    return ret;
fab64b
+}
fab64b
+
fab64b
+krb5_error_code
fab64b
+certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver,
fab64b
+                      krb5_plugin_vtable vtable);
fab64b
+krb5_error_code
fab64b
+certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver,
fab64b
+                      krb5_plugin_vtable vtable)
fab64b
+{
fab64b
+    krb5_certauth_vtable vt;
fab64b
+
fab64b
+    if (maj_ver != 1)
fab64b
+        return KRB5_PLUGIN_VER_NOTSUPP;
fab64b
+    vt = (krb5_certauth_vtable)vtable;
fab64b
+    vt->name = "test1";
fab64b
+    vt->authorize = test1_authorize;
fab64b
+    vt->free_ind = test_free_ind;
fab64b
+    return 0;
fab64b
+}
fab64b
+
fab64b
+krb5_error_code
fab64b
+certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver,
fab64b
+                      krb5_plugin_vtable vtable);
fab64b
+krb5_error_code
fab64b
+certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver,
fab64b
+                      krb5_plugin_vtable vtable)
fab64b
+{
fab64b
+    krb5_certauth_vtable vt;
fab64b
+
fab64b
+    if (maj_ver != 1)
fab64b
+        return KRB5_PLUGIN_VER_NOTSUPP;
fab64b
+    vt = (krb5_certauth_vtable)vtable;
fab64b
+    vt->name = "test2";
fab64b
+    vt->authorize = test2_authorize;
fab64b
+    vt->init = test2_init;
fab64b
+    vt->fini = test2_fini;
fab64b
+    vt->free_ind = test_free_ind;
fab64b
+    return 0;
fab64b
+}
fab64b
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
fab64b
index b483affed..49b96b8ee 100644
fab64b
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
fab64b
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
fab64b
@@ -664,4 +664,8 @@ extern const size_t  krb5_pkinit_sha512_oid_len;
fab64b
  */
fab64b
 extern krb5_data const * const supported_kdf_alg_ids[];
fab64b
 
fab64b
+krb5_error_code
fab64b
+crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
fab64b
+		       uint8_t **der_out, size_t *der_len);
fab64b
+
fab64b
 #endif	/* _PKINIT_CRYPTO_H */
fab64b
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
fab64b
index 8def8c542..a5b010b26 100644
fab64b
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
fab64b
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
fab64b
@@ -2137,6 +2137,7 @@ crypto_retrieve_X509_sans(krb5_context context,
fab64b
 
fab64b
     if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
fab64b
         pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
fab64b
+        retval = ENOENT;
fab64b
         goto cleanup;
fab64b
     }
fab64b
     num_sans = sk_GENERAL_NAME_num(ialt);
fab64b
@@ -6176,3 +6177,32 @@ crypto_get_deferred_ids(krb5_context context,
fab64b
     ret = (const pkinit_deferred_id *)deferred;
fab64b
     return ret;
fab64b
 }
fab64b
+
fab64b
+/* Return the received certificate as DER-encoded data. */
fab64b
+krb5_error_code
fab64b
+crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
fab64b
+                       uint8_t **der_out, size_t *der_len)
fab64b
+{
fab64b
+    int len;
fab64b
+    unsigned char *der, *p;
fab64b
+
fab64b
+    *der_out = NULL;
fab64b
+    *der_len = 0;
fab64b
+
fab64b
+    if (reqctx->received_cert == NULL)
fab64b
+        return EINVAL;
fab64b
+    p = NULL;
fab64b
+    len = i2d_X509(reqctx->received_cert, NULL);
fab64b
+    if (len <= 0)
fab64b
+        return EINVAL;
fab64b
+    p = der = malloc(len);
fab64b
+    if (p == NULL)
fab64b
+        return ENOMEM;
fab64b
+    if (i2d_X509(reqctx->received_cert, &p) <= 0) {
fab64b
+        free(p);
fab64b
+        return EINVAL;
fab64b
+    }
fab64b
+    *der_out = der;
fab64b
+    *der_len = len;
fab64b
+    return 0;
fab64b
+}
fab64b
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
fab64b
index b5638a367..731d14eb8 100644
fab64b
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
fab64b
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
fab64b
@@ -31,6 +31,25 @@
fab64b
 
fab64b
 #include <k5-int.h>
fab64b
 #include "pkinit.h"
fab64b
+#include "krb5/certauth_plugin.h"
fab64b
+
fab64b
+/* Aliases used by the built-in certauth modules */
fab64b
+struct certauth_req_opts {
fab64b
+    krb5_kdcpreauth_callbacks cb;
fab64b
+    krb5_kdcpreauth_rock rock;
fab64b
+    pkinit_kdc_context plgctx;
fab64b
+    pkinit_kdc_req_context reqctx;
fab64b
+};
fab64b
+
fab64b
+typedef struct certauth_module_handle_st {
fab64b
+    struct krb5_certauth_vtable_st vt;
fab64b
+    krb5_certauth_moddata moddata;
fab64b
+} *certauth_handle;
fab64b
+
fab64b
+struct krb5_kdcpreauth_moddata_st {
fab64b
+    pkinit_kdc_context *realm_contexts;
fab64b
+    certauth_handle *certauth_modules;
fab64b
+};
fab64b
 
fab64b
 static krb5_error_code
fab64b
 pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob);
fab64b
@@ -51,6 +70,34 @@ pkinit_find_realm_context(krb5_context context,
fab64b
                           krb5_kdcpreauth_moddata moddata,
fab64b
                           krb5_principal princ);
fab64b
 
fab64b
+static void
fab64b
+free_realm_contexts(krb5_context context, pkinit_kdc_context *realm_contexts)
fab64b
+{
fab64b
+    int i;
fab64b
+
fab64b
+    if (realm_contexts == NULL)
fab64b
+        return;
fab64b
+    for (i = 0; realm_contexts[i] != NULL; i++)
fab64b
+        pkinit_server_plugin_fini_realm(context, realm_contexts[i]);
fab64b
+    pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts);
fab64b
+    free(realm_contexts);
fab64b
+}
fab64b
+
fab64b
+static void
fab64b
+free_certauth_handles(krb5_context context, certauth_handle *list)
fab64b
+{
fab64b
+    int i;
fab64b
+
fab64b
+    if (list == NULL)
fab64b
+        return;
fab64b
+    for (i = 0; list[i] != NULL; i++) {
fab64b
+        if (list[i]->vt.fini != NULL)
fab64b
+            list[i]->vt.fini(context, list[i]->moddata);
fab64b
+        free(list[i]);
fab64b
+    }
fab64b
+    free(list);
fab64b
+}
fab64b
+
fab64b
 static krb5_error_code
fab64b
 pkinit_create_edata(krb5_context context,
fab64b
                     pkinit_plg_crypto_context plg_cryptoctx,
fab64b
@@ -123,7 +170,7 @@ verify_client_san(krb5_context context,
fab64b
                   pkinit_kdc_req_context reqctx,
fab64b
                   krb5_kdcpreauth_callbacks cb,
fab64b
                   krb5_kdcpreauth_rock rock,
fab64b
-                  krb5_principal client,
fab64b
+                  krb5_const_principal client,
fab64b
                   int *valid_san)
fab64b
 {
fab64b
     krb5_error_code retval;
fab64b
@@ -134,12 +181,15 @@ verify_client_san(krb5_context context,
fab64b
     char *client_string = NULL, *san_string;
fab64b
 #endif
fab64b
 
fab64b
+    *valid_san = 0;
fab64b
     retval = crypto_retrieve_cert_sans(context, plgctx->cryptoctx,
fab64b
                                        reqctx->cryptoctx, plgctx->idctx,
fab64b
                                        &princs,
fab64b
                                        plgctx->opts->allow_upn ? &upns : NULL,
fab64b
                                        NULL);
fab64b
-    if (retval) {
fab64b
+    if (retval == ENOENT) {
fab64b
+        goto out;
fab64b
+    } else if (retval) {
fab64b
         pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
fab64b
         retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
fab64b
         goto out;
fab64b
@@ -273,6 +323,73 @@ out:
fab64b
     return retval;
fab64b
 }
fab64b
 
fab64b
+
fab64b
+/* Run the received, verified certificate through certauth modules, to verify
fab64b
+ * that it is authorized to authenticate as client. */
fab64b
+static krb5_error_code
fab64b
+authorize_cert(krb5_context context, certauth_handle *certauth_modules,
fab64b
+               pkinit_kdc_context plgctx, pkinit_kdc_req_context reqctx,
fab64b
+               krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
fab64b
+               krb5_principal client)
fab64b
+{
fab64b
+    krb5_error_code ret;
fab64b
+    certauth_handle h;
fab64b
+    struct certauth_req_opts opts;
fab64b
+    krb5_boolean accepted = FALSE;
fab64b
+    uint8_t *cert;
fab64b
+    size_t i, cert_len;
fab64b
+    void *db_ent = NULL;
fab64b
+    char **ais = NULL, **ai = NULL;
fab64b
+
fab64b
+    /* Re-encode the received certificate into DER, which is extra work, but
fab64b
+     * avoids creating an X.509 library dependency in the interface. */
fab64b
+    ret = crypto_encode_der_cert(context, reqctx->cryptoctx, &cert, &cert_len);
fab64b
+    if (ret)
fab64b
+        goto cleanup;
fab64b
+
fab64b
+    /* Set options for the builtin module. */
fab64b
+    opts.plgctx = plgctx;
fab64b
+    opts.reqctx = reqctx;
fab64b
+    opts.cb = cb;
fab64b
+    opts.rock = rock;
fab64b
+
fab64b
+    db_ent = cb->client_entry(context, rock);
fab64b
+
fab64b
+    /*
fab64b
+     * Check the certificate against each certauth module.  For the certificate
fab64b
+     * to be authorized at least one module must return 0, and no module can an
fab64b
+     * error code other than KRB5_PLUGIN_NO_HANDLE (pass).  Add indicators from
fab64b
+     * modules that return 0 or pass.
fab64b
+     */
fab64b
+    ret = KRB5_PLUGIN_NO_HANDLE;
fab64b
+    for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) {
fab64b
+        h = certauth_modules[i];
fab64b
+        ret = h->vt.authorize(context, h->moddata, cert, cert_len, client,
fab64b
+                              &opts, db_ent, &ais);
fab64b
+        if (ret == 0)
fab64b
+            accepted = TRUE;
fab64b
+        else if (ret != KRB5_PLUGIN_NO_HANDLE)
fab64b
+            goto cleanup;
fab64b
+
fab64b
+        if (ais != NULL) {
fab64b
+            /* Assert authentication indicators from the module. */
fab64b
+            for (ai = ais; *ai != NULL; ai++) {
fab64b
+                ret = cb->add_auth_indicator(context, rock, *ai);
fab64b
+                if (ret)
fab64b
+                    goto cleanup;
fab64b
+            }
fab64b
+            h->vt.free_ind(context, h->moddata, ais);
fab64b
+            ais = NULL;
fab64b
+        }
fab64b
+    }
fab64b
+
fab64b
+    ret = accepted ? 0 : KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
fab64b
+
fab64b
+cleanup:
fab64b
+    free(cert);
fab64b
+    return ret;
fab64b
+}
fab64b
+
fab64b
 static void
fab64b
 pkinit_server_verify_padata(krb5_context context,
fab64b
                             krb5_data *req_pkt,
fab64b
@@ -295,7 +412,6 @@ pkinit_server_verify_padata(krb5_context context,
fab64b
     pkinit_kdc_req_context reqctx = NULL;
fab64b
     krb5_checksum cksum = {0, 0, 0, NULL};
fab64b
     krb5_data *der_req = NULL;
fab64b
-    int valid_eku = 0, valid_san = 0;
fab64b
     krb5_data k5data;
fab64b
     int is_signed = 1;
fab64b
     krb5_pa_data **e_data = NULL;
fab64b
@@ -388,27 +504,11 @@ pkinit_server_verify_padata(krb5_context context,
fab64b
         goto cleanup;
fab64b
     }
fab64b
     if (is_signed) {
fab64b
-
fab64b
-        retval = verify_client_san(context, plgctx, reqctx, cb, rock,
fab64b
-                                   request->client, &valid_san);
fab64b
-        if (retval)
fab64b
-            goto cleanup;
fab64b
-        if (!valid_san) {
fab64b
-            pkiDebug("%s: did not find an acceptable SAN in user "
fab64b
-                     "certificate\n", __FUNCTION__);
fab64b
-            retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
fab64b
-            goto cleanup;
fab64b
-        }
fab64b
-        retval = verify_client_eku(context, plgctx, reqctx, &valid_eku);
fab64b
+        retval = authorize_cert(context, moddata->certauth_modules, plgctx,
fab64b
+                                reqctx, cb, rock, request->client);
fab64b
         if (retval)
fab64b
             goto cleanup;
fab64b
 
fab64b
-        if (!valid_eku) {
fab64b
-            pkiDebug("%s: did not find an acceptable EKU in user "
fab64b
-                     "certificate\n", __FUNCTION__);
fab64b
-            retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
fab64b
-            goto cleanup;
fab64b
-        }
fab64b
     } else { /* !is_signed */
fab64b
         if (!krb5_principal_compare(context, request->client,
fab64b
                                     krb5_anonymous_principal())) {
fab64b
@@ -1245,11 +1345,15 @@ pkinit_find_realm_context(krb5_context context,
fab64b
                           krb5_principal princ)
fab64b
 {
fab64b
     int i;
fab64b
-    pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata;
fab64b
+    pkinit_kdc_context *realm_contexts;
fab64b
 
fab64b
     if (moddata == NULL)
fab64b
         return NULL;
fab64b
 
fab64b
+    realm_contexts = moddata->realm_contexts;
fab64b
+    if (realm_contexts == NULL)
fab64b
+        return NULL;
fab64b
+
fab64b
     for (i = 0; realm_contexts[i] != NULL; i++) {
fab64b
         pkinit_kdc_context p = realm_contexts[i];
fab64b
 
fab64b
@@ -1331,6 +1435,155 @@ errout:
fab64b
     return retval;
fab64b
 }
fab64b
 
fab64b
+static krb5_error_code
fab64b
+pkinit_san_authorize(krb5_context context, krb5_certauth_moddata moddata,
fab64b
+                     const uint8_t *cert, size_t cert_len,
fab64b
+                     krb5_const_principal princ, const void *opts,
fab64b
+                     const krb5_db_entry *db_entry, char ***authinds_out)
fab64b
+{
fab64b
+    krb5_error_code ret;
fab64b
+    int valid_san;
fab64b
+    const struct certauth_req_opts *req_opts = opts;
fab64b
+
fab64b
+    *authinds_out = NULL;
fab64b
+
fab64b
+    ret = verify_client_san(context, req_opts->plgctx, req_opts->reqctx,
fab64b
+                            req_opts->cb, req_opts->rock, princ, &valid_san);
fab64b
+    if (ret == ENOENT)
fab64b
+        return KRB5_PLUGIN_NO_HANDLE;
fab64b
+    else if (ret)
fab64b
+        return ret;
fab64b
+
fab64b
+    if (!valid_san) {
fab64b
+        pkiDebug("%s: did not find an acceptable SAN in user certificate\n",
fab64b
+                 __FUNCTION__);
fab64b
+        return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
fab64b
+    }
fab64b
+
fab64b
+    return 0;
fab64b
+}
fab64b
+
fab64b
+static krb5_error_code
fab64b
+pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
fab64b
+                     const uint8_t *cert, size_t cert_len,
fab64b
+                     krb5_const_principal princ, const void *opts,
fab64b
+                     const krb5_db_entry *db_entry, char ***authinds_out)
fab64b
+{
fab64b
+    krb5_error_code ret;
fab64b
+    int valid_eku;
fab64b
+    const struct certauth_req_opts *req_opts = opts;
fab64b
+
fab64b
+    *authinds_out = NULL;
fab64b
+
fab64b
+    /* Verify the client EKU. */
fab64b
+    ret = verify_client_eku(context, req_opts->plgctx, req_opts->reqctx,
fab64b
+                            &valid_eku);
fab64b
+    if (ret)
fab64b
+        return ret;
fab64b
+
fab64b
+    if (!valid_eku) {
fab64b
+        pkiDebug("%s: did not find an acceptable EKU in user certificate\n",
fab64b
+                 __FUNCTION__);
fab64b
+        return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
fab64b
+    }
fab64b
+
fab64b
+    return 0;
fab64b
+}
fab64b
+
fab64b
+static krb5_error_code
fab64b
+certauth_pkinit_san_initvt(krb5_context context, int maj_ver, int min_ver,
fab64b
+                           krb5_plugin_vtable vtable)
fab64b
+{
fab64b
+    krb5_certauth_vtable vt;
fab64b
+
fab64b
+    if (maj_ver != 1)
fab64b
+        return KRB5_PLUGIN_VER_NOTSUPP;
fab64b
+    vt = (krb5_certauth_vtable)vtable;
fab64b
+    vt->name = "pkinit_san";
fab64b
+    vt->authorize = pkinit_san_authorize;
fab64b
+    return 0;
fab64b
+}
fab64b
+
fab64b
+static krb5_error_code
fab64b
+certauth_pkinit_eku_initvt(krb5_context context, int maj_ver, int min_ver,
fab64b
+                           krb5_plugin_vtable vtable)
fab64b
+{
fab64b
+    krb5_certauth_vtable vt;
fab64b
+
fab64b
+    if (maj_ver != 1)
fab64b
+        return KRB5_PLUGIN_VER_NOTSUPP;
fab64b
+    vt = (krb5_certauth_vtable)vtable;
fab64b
+    vt->name = "pkinit_eku";
fab64b
+    vt->authorize = pkinit_eku_authorize;
fab64b
+    return 0;
fab64b
+}
fab64b
+
fab64b
+static krb5_error_code
fab64b
+load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
fab64b
+{
fab64b
+    krb5_error_code ret;
fab64b
+    krb5_plugin_initvt_fn *modules = NULL, *mod;
fab64b
+    certauth_handle *list = NULL, h;
fab64b
+    size_t count;
fab64b
+
fab64b
+    /* Register the builtin modules. */
fab64b
+    ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH,
fab64b
+                             "pkinit_san", certauth_pkinit_san_initvt);
fab64b
+    if (ret)
fab64b
+        goto cleanup;
fab64b
+
fab64b
+    ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH,
fab64b
+                             "pkinit_eku", certauth_pkinit_eku_initvt);
fab64b
+    if (ret)
fab64b
+        goto cleanup;
fab64b
+
fab64b
+    ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CERTAUTH, &modules);
fab64b
+    if (ret)
fab64b
+        goto cleanup;
fab64b
+
fab64b
+    /* Allocate handle list. */
fab64b
+    for (count = 0; modules[count]; count++);
fab64b
+    list = k5calloc(count + 1, sizeof(*list), &ret;;
fab64b
+    if (list == NULL)
fab64b
+        goto cleanup;
fab64b
+
fab64b
+    /* Initialize each module, ignoring ones that fail. */
fab64b
+    count = 0;
fab64b
+    for (mod = modules; *mod != NULL; mod++) {
fab64b
+        h = k5calloc(1, sizeof(*h), &ret;;
fab64b
+        if (h == NULL)
fab64b
+            goto cleanup;
fab64b
+
fab64b
+        ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
fab64b
+        if (ret) {
fab64b
+            TRACE_CERTAUTH_VTINIT_FAIL(context, ret);
fab64b
+            free(h);
fab64b
+            continue;
fab64b
+        }
fab64b
+        h->moddata = NULL;
fab64b
+        if (h->vt.init != NULL) {
fab64b
+            ret = h->vt.init(context, &h->moddata);
fab64b
+            if (ret) {
fab64b
+                TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
fab64b
+                free(h);
fab64b
+                continue;
fab64b
+            }
fab64b
+        }
fab64b
+        list[count++] = h;
fab64b
+        list[count] = NULL;
fab64b
+    }
fab64b
+    list[count] = NULL;
fab64b
+
fab64b
+    ret = 0;
fab64b
+    *handle_out = list;
fab64b
+    list = NULL;
fab64b
+
fab64b
+cleanup:
fab64b
+    k5_plugin_free_modules(context, modules);
fab64b
+    free_certauth_handles(context, list);
fab64b
+    return ret;
fab64b
+}
fab64b
+
fab64b
 static int
fab64b
 pkinit_server_plugin_init(krb5_context context,
fab64b
                           krb5_kdcpreauth_moddata *moddata_out,
fab64b
@@ -1338,6 +1591,8 @@ pkinit_server_plugin_init(krb5_context context,
fab64b
 {
fab64b
     krb5_error_code retval = ENOMEM;
fab64b
     pkinit_kdc_context plgctx, *realm_contexts = NULL;
fab64b
+    certauth_handle *certauth_modules = NULL;
fab64b
+    krb5_kdcpreauth_moddata moddata;
fab64b
     size_t  i, j;
fab64b
     size_t numrealms;
fab64b
 
fab64b
@@ -1368,16 +1623,22 @@ pkinit_server_plugin_init(krb5_context context,
fab64b
         goto errout;
fab64b
     }
fab64b
 
fab64b
-    *moddata_out = (krb5_kdcpreauth_moddata)realm_contexts;
fab64b
-    retval = 0;
fab64b
-    pkiDebug("%s: returning context at %p\n", __FUNCTION__, realm_contexts);
fab64b
+    retval = load_certauth_plugins(context, &certauth_modules);
fab64b
+    if (retval)
fab64b
+        goto errout;
fab64b
+
fab64b
+    moddata = k5calloc(1, sizeof(*moddata), &retval);
fab64b
+    if (moddata == NULL)
fab64b
+        goto errout;
fab64b
+    moddata->realm_contexts = realm_contexts;
fab64b
+    moddata->certauth_modules = certauth_modules;
fab64b
+    *moddata_out = moddata;
fab64b
+    pkiDebug("%s: returning context at %p\n", __FUNCTION__, moddata);
fab64b
+    return 0;
fab64b
 
fab64b
 errout:
fab64b
-    if (retval) {
fab64b
-        pkinit_server_plugin_fini(context,
fab64b
-                                  (krb5_kdcpreauth_moddata)realm_contexts);
fab64b
-    }
fab64b
-
fab64b
+    free_realm_contexts(context, realm_contexts);
fab64b
+    free_certauth_handles(context, certauth_modules);
fab64b
     return retval;
fab64b
 }
fab64b
 
fab64b
@@ -1405,17 +1666,11 @@ static void
fab64b
 pkinit_server_plugin_fini(krb5_context context,
fab64b
                           krb5_kdcpreauth_moddata moddata)
fab64b
 {
fab64b
-    pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata;
fab64b
-    int i;
fab64b
-
fab64b
-    if (realm_contexts == NULL)
fab64b
+    if (moddata == NULL)
fab64b
         return;
fab64b
-
fab64b
-    for (i = 0; realm_contexts[i] != NULL; i++) {
fab64b
-        pkinit_server_plugin_fini_realm(context, realm_contexts[i]);
fab64b
-    }
fab64b
-    pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts);
fab64b
-    free(realm_contexts);
fab64b
+    free_realm_contexts(context, moddata->realm_contexts);
fab64b
+    free_certauth_handles(context, moddata->certauth_modules);
fab64b
+    free(moddata);
fab64b
 }
fab64b
 
fab64b
 static krb5_error_code
fab64b
diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
fab64b
index b3f5cbb20..458d0961e 100644
fab64b
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
fab64b
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
fab64b
@@ -91,4 +91,9 @@
fab64b
 #define TRACE_PKINIT_OPENSSL_ERROR(c, msg)              \
fab64b
     TRACE(c, "PKINIT OpenSSL error: {str}", msg)
fab64b
 
fab64b
+#define TRACE_CERTAUTH_VTINIT_FAIL(c, ret)                              \
fab64b
+    TRACE(c, "certauth module failed to init vtable: {kerr}", ret)
fab64b
+#define TRACE_CERTAUTH_INIT_FAIL(c, name, ret)                          \
fab64b
+    TRACE(c, "certauth module {str} failed to init: {kerr}", name, ret)
fab64b
+
fab64b
 #endif /* PKINIT_TRACE_H */
fab64b
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
fab64b
index b55469146..0e93d6b59 100644
fab64b
--- a/src/tests/Makefile.in
fab64b
+++ b/src/tests/Makefile.in
fab64b
@@ -167,6 +167,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
fab64b
 	$(RUNPYTEST) $(srcdir)/t_preauth.py $(PYTESTFLAGS)
fab64b
 	$(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
fab64b
 	$(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
fab64b
+	$(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
fab64b
 
fab64b
 clean:
fab64b
 	$(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
fab64b
diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
fab64b
new file mode 100644
fab64b
index 000000000..e64a57b0d
fab64b
--- /dev/null
fab64b
+++ b/src/tests/t_certauth.py
fab64b
@@ -0,0 +1,47 @@
fab64b
+#!/usr/bin/python
fab64b
+from k5test import *
fab64b
+
fab64b
+# Skip this test if pkinit wasn't built.
fab64b
+if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
fab64b
+    skip_rest('certauth tests', 'PKINIT module not built')
fab64b
+
fab64b
+certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
fab64b
+ca_pem = os.path.join(certs, 'ca.pem')
fab64b
+kdc_pem = os.path.join(certs, 'kdc.pem')
fab64b
+privkey_pem = os.path.join(certs, 'privkey.pem')
fab64b
+user_pem = os.path.join(certs, 'user.pem')
fab64b
+
fab64b
+modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test',
fab64b
+                       'certauth_test.so')
fab64b
+pkinit_krb5_conf = {'realms': {'$realm': {
fab64b
+            'pkinit_anchors': 'FILE:%s' % ca_pem}},
fab64b
+            'plugins': {'certauth': {'module': ['test1:' + modpath,
fab64b
+                                                'test2:' + modpath],
fab64b
+                                     'enable_only': ['test1', 'test2']}}}
fab64b
+pkinit_kdc_conf = {'realms': {'$realm': {
fab64b
+            'default_principal_flags': '+preauth',
fab64b
+            'pkinit_eku_checking': 'none',
fab64b
+            'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
fab64b
+            'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
fab64b
+
fab64b
+file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
fab64b
+
fab64b
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
fab64b
+                get_creds=False)
fab64b
+
fab64b
+# Let the test module match user to CN=user, with indicators.
fab64b
+realm.kinit(realm.user_princ,
fab64b
+            flags=['-X', 'X509_user_identity=%s' % file_identity])
fab64b
+realm.klist(realm.user_princ)
fab64b
+realm.run([kvno, realm.host_princ])
fab64b
+realm.run(['./adata', realm.host_princ],
fab64b
+          expected_msg='+97: [test1, test2, user, indpkinit1, indpkinit2]')
fab64b
+
fab64b
+# Let the test module mismatch with user2 to CN=user.
fab64b
+realm.addprinc("user2@KRBTEST.COM")
fab64b
+out = realm.kinit("user2@KRBTEST.COM",
fab64b
+                  flags=['-X', 'X509_user_identity=%s' % file_identity],
fab64b
+                  expected_code=1,
fab64b
+                  expected_msg='kinit: Certificate mismatch')
fab64b
+
fab64b
+success("certauth tests")