From fab1e4f8553dcf8a573c41bb8ea93912a622aae0 Mon Sep 17 00:00:00 2001

From: Matt Rogers <mrogers@redhat.com>

Date: Wed, 15 Mar 2017 19:57:15 -0400

Subject: [PATCH] Add the certauth dbmatch module

Add and enable the "dbmatch" builtin module.  Add the

pkinit_client_cert_match() and crypto_req_cert_matching_data() helper

functions.  Add dbmatch tests to t_pkinit.py.  Add documentation to

krb5_conf.rst, pkinit.rst, and kadmin_local.rst.

[ghudson@mit.edu: simplified code, edited docs]

ticket: 8562 (new)

(cherry picked from commit 89634ca049e698d7dd2554f5c49bfc499be96188)

---

 doc/admin/admin_commands/kadmin_local.rst     |  7 +++

 doc/admin/conf_files/krb5_conf.rst            |  5 ++

 doc/admin/pkinit.rst                          | 20 +++++++

 src/plugins/preauth/pkinit/pkinit.h           |  7 +++

 src/plugins/preauth/pkinit/pkinit_crypto.h    |  6 ++

 .../preauth/pkinit/pkinit_crypto_openssl.c    | 18 ++++++

 src/plugins/preauth/pkinit/pkinit_matching.c  | 37 +++++++++++++

 src/plugins/preauth/pkinit/pkinit_srv.c       | 55 +++++++++++++++++++

 src/tests/t_pkinit.py                         | 37 +++++++++++++

 9 files changed, 192 insertions(+)

diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst

index 0e955faf2..cefe6054b 100644

--- a/doc/admin/admin_commands/kadmin_local.rst

+++ b/doc/admin/admin_commands/kadmin_local.rst

@@ -661,6 +661,13 @@ KDC:

     *principal*.  The *value* is a JSON string representing an array

     of objects, each having optional ``type`` and ``username`` fields.

+**pkinit_cert_match**

+    Specifies a matching expression that defines the certificate

+    attributes required for the client certificate used by the

+    principal during PKINIT authentication.  The matching expression

+    is in the same format as those used by the **pkinit_cert_match**

+    option in :ref:`krb5.conf(5)`.  (New in release 1.16.)

+

 This command requires the **modify** privilege.

 Alias: **setstr**

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst

index cc996f11a..d428124c9 100644

--- a/doc/admin/conf_files/krb5_conf.rst

+++ b/doc/admin/conf_files/krb5_conf.rst

@@ -883,6 +883,11 @@ following built-in modules exist for this interface:

     Extended Key Usage attribute consistent with the

     **pkinit_eku_checking** value for the realm.

+**dbmatch**

+    This module authorizes or rejects the certificate according to

+    whether it matches the **pkinit_cert_match** string attribute on

+    the client principal, if that attribute is present.

+

 PKINIT options

 --------------

diff --git a/doc/admin/pkinit.rst b/doc/admin/pkinit.rst

index 460d75d1e..c601c5c9e 100644

--- a/doc/admin/pkinit.rst

+++ b/doc/admin/pkinit.rst

@@ -223,6 +223,26 @@ time as follows::

     kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'

+By default, the KDC requires PKINIT client certificates to have the

+standard Extended Key Usage and Subject Alternative Name attributes

+for PKINIT.  Starting in release 1.16, it is possible to authorize

+client certificates based on the subject or other criteria instead of

+the standard PKINIT Subject Alternative Name, by setting the

+**pkinit_cert_match** string attribute on each client principal entry.

+For example::

+

+    kadmin set_string user@REALM pkinit_cert_match "<SUBJECT>CN=user@REALM$"

+

+The **pkinit_cert_match** string attribute follows the syntax used by

+the :ref:`krb5.conf(5)` **pkinit_cert_match** relation.  To allow the

+use of non-PKINIT client certificates, it will also be necessary to

+disable key usage checking using the **pkinit_eku_checking** relation;

+for example::

+

+    [kdcdefaults]

+        pkinit_eku_checking = none

+

+

 Configuring the clients

 -----------------------

diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h

index a49f3078e..430b3f334 100644

--- a/src/plugins/preauth/pkinit/pkinit.h

+++ b/src/plugins/preauth/pkinit/pkinit.h

@@ -292,6 +292,13 @@ krb5_error_code pkinit_cert_matching

 	pkinit_identity_crypto_context id_cryptoctx,

 	krb5_principal princ);

+krb5_error_code pkinit_client_cert_match

+	(krb5_context context,

+	pkinit_plg_crypto_context plgctx,

+	pkinit_req_crypto_context reqctx,

+	const char *match_rule,

+	krb5_boolean *matched);

+

 /*

  * Client's list of identities for which it needs PINs or passwords

  */

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h

index b6e4e0ac3..149923b1d 100644

--- a/src/plugins/preauth/pkinit/pkinit_crypto.h

+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h

@@ -637,4 +637,10 @@ krb5_error_code

 crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,

 		       uint8_t **der_out, size_t *der_len);

+krb5_error_code

+crypto_req_cert_matching_data(krb5_context context,

+			      pkinit_plg_crypto_context plgctx,

+			      pkinit_req_crypto_context reqctx,

+			      pkinit_cert_matching_data **md_out);

+

 #endif	/* _PKINIT_CRYPTO_H */

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

index 3949eb9c2..534161b19 100644

--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

@@ -6099,3 +6099,21 @@ crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,

     *der_len = len;

     return 0;

 }

+

+/*

+ * Get the certificate matching data from the request certificate.

+ */

+krb5_error_code

+crypto_req_cert_matching_data(krb5_context context,

+                              pkinit_plg_crypto_context plgctx,

+                              pkinit_req_crypto_context reqctx,

+                              pkinit_cert_matching_data **md_out)

+{

+    *md_out = NULL;

+

+    if (reqctx == NULL || reqctx->received_cert == NULL)

+        return ENOENT;

+

+    return get_matching_data(context, plgctx, reqctx, reqctx->received_cert,

+                             md_out);

+}

diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c

index d929fb3c0..c2a4c084d 100644

--- a/src/plugins/preauth/pkinit/pkinit_matching.c

+++ b/src/plugins/preauth/pkinit/pkinit_matching.c

@@ -724,3 +724,40 @@ cleanup:

     crypto_cert_free_matching_data_list(context, matchdata);

     return retval;

 }

+

+krb5_error_code

+pkinit_client_cert_match(krb5_context context,

+                         pkinit_plg_crypto_context plgctx,

+                         pkinit_req_crypto_context reqctx,

+                         const char *match_rule,

+                         krb5_boolean *matched)

+{

+    krb5_error_code ret;

+    pkinit_cert_matching_data *md = NULL;

+    rule_component *rc = NULL;

+    int comp_match = 0;

+    rule_set *rs = NULL;

+

+    *matched = FALSE;

+    ret = parse_rule_set(context, match_rule, &rs);

+    if (ret)

+        goto cleanup;

+

+    ret = crypto_req_cert_matching_data(context, plgctx, reqctx, &md);

+    if (ret)

+        goto cleanup;

+

+    for (rc = rs->crs; rc != NULL; rc = rc->next) {

+        comp_match = component_match(context, rc, md);

+        if ((comp_match && rs->relation == relation_or) ||

+            (!comp_match && rs->relation == relation_and)) {

+            break;

+        }

+    }

+    *matched = comp_match;

+

+cleanup:

+    free_rule_set(context, rs);

+    crypto_cert_free_matching_data(context, md);

+    return ret;

+}

diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c

index 42ad45fe4..7d86e597e 100644

--- a/src/plugins/preauth/pkinit/pkinit_srv.c

+++ b/src/plugins/preauth/pkinit/pkinit_srv.c

@@ -1537,6 +1537,56 @@ certauth_pkinit_eku_initvt(krb5_context context, int maj_ver, int min_ver,

     return 0;

 }

+/*

+ * Do certificate auth based on a match expression in the pkinit_cert_match

+ * attribute string.  An expression should be in the same form as those used

+ * for the pkinit_cert_match configuration option.

+ */

+static krb5_error_code

+dbmatch_authorize(krb5_context context, krb5_certauth_moddata moddata,

+                  const uint8_t *cert, size_t cert_len,

+                  krb5_const_principal princ, const void *opts,

+                  const krb5_db_entry *db_entry, char ***authinds_out)

+{

+    krb5_error_code ret;

+    const struct certauth_req_opts *req_opts = opts;

+    char *pattern;

+    krb5_boolean matched;

+

+    *authinds_out = NULL;

+

+    /* Fetch the matching pattern.  Pass if it isn't specified. */

+    ret = req_opts->cb->get_string(context, req_opts->rock,

+                                   "pkinit_cert_match", &pattern);

+    if (ret)

+        return ret;

+    if (pattern == NULL)

+        return KRB5_PLUGIN_NO_HANDLE;

+

+    /* Check the certificate against the match expression. */

+    ret = pkinit_client_cert_match(context, req_opts->plgctx->cryptoctx,

+                                   req_opts->reqctx->cryptoctx, pattern,

+                                   &matched);

+    req_opts->cb->free_string(context, req_opts->rock, pattern);

+    if (ret)

+        return ret;

+    return matched ? 0 : KRB5KDC_ERR_CERTIFICATE_MISMATCH;

+}

+

+static krb5_error_code

+certauth_dbmatch_initvt(krb5_context context, int maj_ver, int min_ver,

+                        krb5_plugin_vtable vtable)

+{

+    krb5_certauth_vtable vt;

+

+    if (maj_ver != 1)

+        return KRB5_PLUGIN_VER_NOTSUPP;

+    vt = (krb5_certauth_vtable)vtable;

+    vt->name = "dbmatch";

+    vt->authorize = dbmatch_authorize;

+    return 0;

+}

+

 static krb5_error_code

 load_certauth_plugins(krb5_context context, certauth_handle **handle_out)

 {

@@ -1556,6 +1606,11 @@ load_certauth_plugins(krb5_context context, certauth_handle **handle_out)

     if (ret)

         goto cleanup;

+    ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH, "dbmatch",

+                             certauth_dbmatch_initvt);

+    if (ret)

+        goto cleanup;

+

     ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CERTAUTH, &modules);

     if (ret)

         goto cleanup;

diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py

index 64ff2393a..5a0624de7 100755

--- a/src/tests/t_pkinit.py

+++ b/src/tests/t_pkinit.py

@@ -305,6 +305,43 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,

 realm.klist(realm.user_princ)

 realm.run([kvno, realm.host_princ])

+# Match a single rule.

+rule = '<SAN>^user@KRBTEST.COM$'

+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])

+realm.kinit(realm.user_princ,

+            flags=['-X', 'X509_user_identity=%s' % p12_identity])

+realm.klist(realm.user_princ)

+

+# Match a combined rule (default prefix is &&).

+rule = '<SUBJECT>CN=user$<KU>digitalSignature,keyEncipherment'

+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])

+realm.kinit(realm.user_princ,

+            flags=['-X', 'X509_user_identity=%s' % p12_identity])

+realm.klist(realm.user_princ)

+

+# Fail an && rule.

+rule = '&&<SUBJECT>O=OTHER.COM<SAN>^user@KRBTEST.COM$'

+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])

+msg = 'kinit: Certificate mismatch while getting initial credentials'

+realm.kinit(realm.user_princ,

+            flags=['-X', 'X509_user_identity=%s' % p12_identity],

+            expected_code=1, expected_msg=msg)

+

+# Pass an || rule.

+rule = '||<SUBJECT>O=KRBTEST.COM<SAN>^otheruser@KRBTEST.COM$'

+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])

+realm.kinit(realm.user_princ,

+            flags=['-X', 'X509_user_identity=%s' % p12_identity])

+realm.klist(realm.user_princ)

+

+# Fail an || rule.

+rule = '||<SUBJECT>O=OTHER.COM<SAN>^otheruser@KRBTEST.COM$'

+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])

+msg = 'kinit: Certificate mismatch while getting initial credentials'

+realm.kinit(realm.user_princ,

+            flags=['-X', 'X509_user_identity=%s' % p12_identity],

+            expected_code=1, expected_msg=msg)

+

 if not have_soft_pkcs11:

     skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')