2 * Copyright (c) 2003 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 #include <heim_asn1.h>
41 #include <rfc2459_asn1.h>
43 #include <pkinit_asn1.h>
46 #include "crypto-headers.h"
48 struct pk_client_params {
49 enum krb5_pk_type type;
50 enum { USE_RSA, USE_DH, USE_ECDH } keyex;
65 EncryptionKey reply_key;
68 hx509_certs client_anchors;
69 hx509_verify_ctx verify_ctx;
72 struct pk_principal_mapping {
74 struct pk_allowed_princ {
75 krb5_principal principal;
80 static struct krb5_pk_identity *kdc_identity;
81 static struct pk_principal_mapping principal_mappings;
82 static struct krb5_dh_moduli **moduli;
94 static krb5_error_code
95 pk_check_pkauthenticator_win2k(krb5_context context,
96 PKAuthenticator_Win2k *a,
101 krb5_timeofday (context, &now);
104 if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) {
105 krb5_clear_error_message(context);
106 return KRB5KRB_AP_ERR_SKEW;
111 static krb5_error_code
112 pk_check_pkauthenticator(krb5_context context,
123 krb5_timeofday (context, &now);
126 if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) {
127 krb5_clear_error_message(context);
128 return KRB5KRB_AP_ERR_SKEW;
131 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
133 krb5_clear_error_message(context);
137 krb5_abortx(context, "Internal error in ASN.1 encoder");
139 ret = krb5_create_checksum(context,
148 krb5_clear_error_message(context);
152 if (a->paChecksum == NULL) {
153 krb5_clear_error_message(context);
154 ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
158 if (der_heim_octet_string_cmp(a->paChecksum, &checksum.checksum) != 0) {
159 krb5_clear_error_message(context);
160 ret = KRB5KRB_ERR_GENERIC;
164 free_Checksum(&checksum);
170 _kdc_pk_free_client_param(krb5_context context, pk_client_params *cp)
175 hx509_cert_free(cp->cert);
177 hx509_verify_destroy_ctx(cp->verify_ctx);
178 if (cp->keyex == USE_DH) {
180 DH_free(cp->u.dh.key);
181 if (cp->u.dh.public_key)
182 BN_free(cp->u.dh.public_key);
185 if (cp->keyex == USE_ECDH) {
187 EC_KEY_free(cp->u.ecdh.key);
188 if (cp->u.ecdh.public_key)
189 EC_KEY_free(cp->u.ecdh.public_key);
192 krb5_free_keyblock_contents(context, &cp->reply_key);
193 if (cp->dh_group_name)
194 free(cp->dh_group_name);
196 hx509_peer_info_free(cp->peer);
197 if (cp->client_anchors)
198 hx509_certs_free(&cp->client_anchors);
199 memset(cp, 0, sizeof(*cp));
203 static krb5_error_code
204 generate_dh_keyblock(krb5_context context,
205 pk_client_params *client_params,
206 krb5_enctype enctype)
208 unsigned char *dh_gen_key = NULL;
211 size_t dh_gen_keylen, size;
213 memset(&key, 0, sizeof(key));
215 if (client_params->keyex == USE_DH) {
217 if (client_params->u.dh.public_key == NULL) {
218 ret = KRB5KRB_ERR_GENERIC;
219 krb5_set_error_message(context, ret, "public_key");
223 if (!DH_generate_key(client_params->u.dh.key)) {
224 ret = KRB5KRB_ERR_GENERIC;
225 krb5_set_error_message(context, ret,
226 "Can't generate Diffie-Hellman keys");
230 size = DH_size(client_params->u.dh.key);
232 dh_gen_key = malloc(size);
233 if (dh_gen_key == NULL) {
235 krb5_set_error_message(context, ret, "malloc: out of memory");
239 dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
240 if (dh_gen_keylen == (size_t)-1) {
241 ret = KRB5KRB_ERR_GENERIC;
242 krb5_set_error_message(context, ret,
243 "Can't compute Diffie-Hellman key");
246 if (dh_gen_keylen < size) {
247 size -= dh_gen_keylen;
248 memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
249 memset(dh_gen_key, 0, size);
254 } else if (client_params->keyex == USE_ECDH) {
256 if (client_params->u.ecdh.public_key == NULL) {
257 ret = KRB5KRB_ERR_GENERIC;
258 krb5_set_error_message(context, ret, "public_key");
262 client_params->u.ecdh.key = EC_KEY_new();
263 if (client_params->u.ecdh.key == NULL) {
267 EC_KEY_set_group(client_params->u.ecdh.key,
268 EC_KEY_get0_group(client_params->u.ecdh.public_key));
270 if (EC_KEY_generate_key(client_params->u.ecdh.key) != 1) {
275 size = (EC_GROUP_get_degree(EC_KEY_get0_group(client_params->u.ecdh.key)) + 7) / 8;
276 dh_gen_key = malloc(size);
277 if (dh_gen_key == NULL) {
279 krb5_set_error_message(context, ret,
280 N_("malloc: out of memory", ""));
284 dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
285 EC_KEY_get0_public_key(client_params->u.ecdh.public_key),
286 client_params->u.ecdh.key, NULL);
288 #endif /* HAVE_OPENSSL */
290 ret = KRB5KRB_ERR_GENERIC;
291 krb5_set_error_message(context, ret,
292 "Diffie-Hellman not selected keys");
296 ret = _krb5_pk_octetstring2key(context,
298 dh_gen_key, dh_gen_keylen,
300 &client_params->reply_key);
305 if (key.keyvalue.data)
306 krb5_free_keyblock_contents(context, &key);
312 integer_to_BN(krb5_context context, const char *field, heim_integer *f)
316 bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
318 krb5_set_error_message(context, KRB5_BADMSGTYPE,
319 "PKINIT: parsing BN failed %s", field);
322 BN_set_negative(bn, f->negative);
326 static krb5_error_code
327 get_dh_param(krb5_context context,
328 krb5_kdc_configuration *config,
329 SubjectPublicKeyInfo *dh_key_info,
330 pk_client_params *client_params)
332 DomainParameters dhparam;
337 memset(&dhparam, 0, sizeof(dhparam));
339 if ((dh_key_info->subjectPublicKey.length % 8) != 0) {
340 ret = KRB5_BADMSGTYPE;
341 krb5_set_error_message(context, ret,
342 "PKINIT: subjectPublicKey not aligned "
343 "to 8 bit boundary");
347 if (dh_key_info->algorithm.parameters == NULL) {
348 krb5_set_error_message(context, KRB5_BADMSGTYPE,
349 "PKINIT missing algorithm parameter "
350 "in clientPublicValue");
351 return KRB5_BADMSGTYPE;
354 ret = decode_DomainParameters(dh_key_info->algorithm.parameters->data,
355 dh_key_info->algorithm.parameters->length,
359 krb5_set_error_message(context, ret, "Can't decode algorithm "
360 "parameters in clientPublicValue");
364 ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits,
365 &dhparam.p, &dhparam.g, &dhparam.q, moduli,
366 &client_params->dh_group_name);
368 /* XXX send back proposal of better group */
375 krb5_set_error_message(context, ret, "Cannot create DH structure");
378 ret = KRB5_BADMSGTYPE;
379 p = integer_to_BN(context, "DH prime", &dhparam.p);
380 g = integer_to_BN(context, "DH base", &dhparam.g);
381 q = integer_to_BN(context, "DH p-1 factor", &dhparam.q);
382 if (p == NULL || g == NULL || q == NULL) {
388 if (DH_set0_pqg(dh, p, g, q) != 1) {
399 ret = decode_DHPublicKey(dh_key_info->subjectPublicKey.data,
400 dh_key_info->subjectPublicKey.length / 8,
404 krb5_clear_error_message(context);
408 client_params->u.dh.public_key = integer_to_BN(context,
411 der_free_heim_integer(&glue);
412 if (client_params->u.dh.public_key == NULL) {
413 ret = KRB5_BADMSGTYPE;
418 client_params->u.dh.key = dh;
425 free_DomainParameters(&dhparam);
431 static krb5_error_code
432 get_ecdh_param(krb5_context context,
433 krb5_kdc_configuration *config,
434 SubjectPublicKeyInfo *dh_key_info,
435 pk_client_params *client_params)
438 EC_KEY *public = NULL;
440 const unsigned char *p;
444 if (dh_key_info->algorithm.parameters == NULL) {
445 krb5_set_error_message(context, KRB5_BADMSGTYPE,
446 "PKINIT missing algorithm parameter "
447 "in clientPublicValue");
448 return KRB5_BADMSGTYPE;
451 memset(&ecp, 0, sizeof(ecp));
453 ret = decode_ECParameters(dh_key_info->algorithm.parameters->data,
454 dh_key_info->algorithm.parameters->length, &ecp, &len);
458 if (ecp.element != choice_ECParameters_namedCurve) {
459 ret = KRB5_BADMSGTYPE;
463 if (der_heim_oid_cmp(&ecp.u.namedCurve, &asn1_oid_id_ec_group_secp256r1) == 0)
464 nid = NID_X9_62_prime256v1;
466 ret = KRB5_BADMSGTYPE;
470 /* XXX verify group is ok */
472 public = EC_KEY_new_by_curve_name(nid);
474 p = dh_key_info->subjectPublicKey.data;
475 len = dh_key_info->subjectPublicKey.length / 8;
476 if (o2i_ECPublicKey(&public, &p, len) == NULL) {
477 ret = KRB5_BADMSGTYPE;
478 krb5_set_error_message(context, ret,
479 "PKINIT failed to decode ECDH key");
482 client_params->u.ecdh.public_key = public;
488 free_ECParameters(&ecp);
492 #endif /* HAVE_OPENSSL */
495 _kdc_pk_rd_padata(krb5_context context,
496 krb5_kdc_configuration *config,
499 hdb_entry_ex *client,
500 pk_client_params **ret_params)
502 pk_client_params *cp;
504 heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL };
505 krb5_data eContent = { 0, NULL };
506 krb5_data signed_content = { 0, NULL };
507 const char *type = "unknown type";
508 hx509_certs trust_anchors;
510 const HDB_Ext_PKINIT_cert *pc;
514 if (!config->enable_pkinit) {
515 kdc_log(context, config, 0, "PK-INIT request but PK-INIT not enabled");
516 krb5_clear_error_message(context);
520 cp = calloc(1, sizeof(*cp));
522 krb5_clear_error_message(context);
527 ret = hx509_certs_init(context->hx509ctx,
528 "MEMORY:trust-anchors",
529 0, NULL, &trust_anchors);
531 krb5_set_error_message(context, ret, "failed to create trust anchors");
535 ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
536 kdc_identity->anchors);
538 hx509_certs_free(&trust_anchors);
539 krb5_set_error_message(context, ret, "failed to create verify context");
543 /* Add any registered certificates for this client as trust anchors */
544 ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
545 if (ret == 0 && pc != NULL) {
549 for (i = 0; i < pc->len; i++) {
550 ret = hx509_cert_init_data(context->hx509ctx,
551 pc->val[i].cert.data,
552 pc->val[i].cert.length,
556 hx509_certs_add(context->hx509ctx, trust_anchors, cert);
557 hx509_cert_free(cert);
561 ret = hx509_verify_init_ctx(context->hx509ctx, &cp->verify_ctx);
563 hx509_certs_free(&trust_anchors);
564 krb5_set_error_message(context, ret, "failed to create verify context");
568 hx509_verify_set_time(cp->verify_ctx, kdc_time);
569 hx509_verify_attach_anchors(cp->verify_ctx, trust_anchors);
570 hx509_certs_free(&trust_anchors);
572 if (config->pkinit_allow_proxy_certs)
573 hx509_verify_set_proxy_certificate(cp->verify_ctx, 1);
575 if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) {
576 PA_PK_AS_REQ_Win2k r;
578 type = "PK-INIT-Win2k";
580 if (req->req_body.kdc_options.request_anonymous) {
581 ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
582 krb5_set_error_message(context, ret,
583 "Anon not supported in RSA mode");
587 ret = decode_PA_PK_AS_REQ_Win2k(pa->padata_value.data,
588 pa->padata_value.length,
592 krb5_set_error_message(context, ret, "Can't decode "
593 "PK-AS-REQ-Win2k: %d", ret);
597 ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack,
601 free_PA_PK_AS_REQ_Win2k(&r);
603 krb5_set_error_message(context, ret,
604 "Can't unwrap ContentInfo(win): %d", ret);
608 } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
611 type = "PK-INIT-IETF";
613 ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
614 pa->padata_value.length,
618 krb5_set_error_message(context, ret,
619 "Can't decode PK-AS-REQ: %d", ret);
623 /* XXX look at r.kdcPkId */
624 if (r.trustedCertifiers) {
625 ExternalPrincipalIdentifiers *edi = r.trustedCertifiers;
626 unsigned int i, maxedi;
628 ret = hx509_certs_init(context->hx509ctx,
629 "MEMORY:client-anchors",
631 &cp->client_anchors);
633 krb5_set_error_message(context, ret,
634 "Can't allocate client anchors: %d",
640 * If the client sent more then 10 EDI, don't bother
641 * looking more then 10 of performance reasons.
646 for (i = 0; i < maxedi; i++) {
647 IssuerAndSerialNumber iasn;
652 if (edi->val[i].issuerAndSerialNumber == NULL)
655 ret = hx509_query_alloc(context->hx509ctx, &q);
657 krb5_set_error_message(context, ret,
658 "Failed to allocate hx509_query");
662 ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data,
663 edi->val[i].issuerAndSerialNumber->length,
667 hx509_query_free(context->hx509ctx, q);
670 ret = hx509_query_match_issuer_serial(q, &iasn.issuer, &iasn.serialNumber);
671 free_IssuerAndSerialNumber(&iasn);
673 hx509_query_free(context->hx509ctx, q);
677 ret = hx509_certs_find(context->hx509ctx,
681 hx509_query_free(context->hx509ctx, q);
684 hx509_certs_add(context->hx509ctx,
685 cp->client_anchors, cert);
686 hx509_cert_free(cert);
690 ret = hx509_cms_unwrap_ContentInfo(&r.signedAuthPack,
694 free_PA_PK_AS_REQ(&r);
696 krb5_set_error_message(context, ret,
697 "Can't unwrap ContentInfo: %d", ret);
702 krb5_clear_error_message(context);
703 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
707 ret = der_heim_oid_cmp(&contentInfoOid, &asn1_oid_id_pkcs7_signedData);
709 ret = KRB5KRB_ERR_GENERIC;
710 krb5_set_error_message(context, ret,
711 "PK-AS-REQ-Win2k invalid content type oid");
716 ret = KRB5KRB_ERR_GENERIC;
717 krb5_set_error_message(context, ret,
718 "PK-AS-REQ-Win2k no signed auth pack");
723 hx509_certs signer_certs;
724 int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */
726 if (req->req_body.kdc_options.request_anonymous)
727 flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
729 ret = hx509_cms_verify_signed(context->hx509ctx,
733 signed_content.length,
735 kdc_identity->certpool,
740 char *s = hx509_get_error_string(context->hx509ctx, ret);
741 krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
748 ret = hx509_get_one_cert(context->hx509ctx, signer_certs,
750 hx509_certs_free(&signer_certs);
756 /* Signature is correct, now verify the signed message */
757 if (der_heim_oid_cmp(&eContentType, &asn1_oid_id_pkcs7_data) != 0 &&
758 der_heim_oid_cmp(&eContentType, &asn1_oid_id_pkauthdata) != 0)
760 ret = KRB5_BADMSGTYPE;
761 krb5_set_error_message(context, ret, "got wrong oid for pkauthdata");
765 if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) {
768 ret = decode_AuthPack_Win2k(eContent.data,
773 krb5_set_error_message(context, ret,
774 "Can't decode AuthPack: %d", ret);
778 ret = pk_check_pkauthenticator_win2k(context,
782 free_AuthPack_Win2k(&ap);
786 cp->type = PKINIT_WIN2K;
787 cp->nonce = ap.pkAuthenticator.nonce;
789 if (ap.clientPublicValue) {
790 ret = KRB5KRB_ERR_GENERIC;
791 krb5_set_error_message(context, ret,
792 "DH not supported for windows");
795 free_AuthPack_Win2k(&ap);
797 } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
800 ret = decode_AuthPack(eContent.data,
805 krb5_set_error_message(context, ret,
806 "Can't decode AuthPack: %d", ret);
811 if (req->req_body.kdc_options.request_anonymous &&
812 ap.clientPublicValue == NULL) {
814 ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
815 krb5_set_error_message(context, ret,
816 "Anon not supported in RSA mode");
820 ret = pk_check_pkauthenticator(context,
828 cp->type = PKINIT_27;
829 cp->nonce = ap.pkAuthenticator.nonce;
831 if (ap.clientPublicValue) {
832 if (der_heim_oid_cmp(&ap.clientPublicValue->algorithm.algorithm, &asn1_oid_id_dhpublicnumber) == 0) {
834 ret = get_dh_param(context, config,
835 ap.clientPublicValue, cp);
837 } else if (der_heim_oid_cmp(&ap.clientPublicValue->algorithm.algorithm, &asn1_oid_id_ecPublicKey) == 0) {
838 cp->keyex = USE_ECDH;
839 ret = get_ecdh_param(context, config,
840 ap.clientPublicValue, cp);
841 #endif /* HAVE_OPENSSL */
843 ret = KRB5_BADMSGTYPE;
844 krb5_set_error_message(context, ret, "PKINIT unknown DH mechanism");
853 ret = hx509_peer_info_alloc(context->hx509ctx,
860 if (ap.supportedCMSTypes) {
861 ret = hx509_peer_info_set_cms_algs(context->hx509ctx,
863 ap.supportedCMSTypes->val,
864 ap.supportedCMSTypes->len);
870 /* assume old client */
871 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
872 hx509_crypto_des_rsdi_ede3_cbc());
873 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
874 hx509_signature_rsa_with_sha1());
875 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
876 hx509_signature_sha1());
880 krb5_abortx(context, "internal pkinit error");
882 kdc_log(context, config, 0, "PK-INIT request of type %s", type);
886 krb5_warn(context, ret, "PKINIT");
888 if (signed_content.data)
889 free(signed_content.data);
890 krb5_data_free(&eContent);
891 der_free_oid(&eContentType);
892 der_free_oid(&contentInfoOid);
894 _kdc_pk_free_client_param(context, cp);
904 static krb5_error_code
905 BN_to_integer(krb5_context context, const BIGNUM *bn, heim_integer *integer)
907 integer->length = BN_num_bytes(bn);
908 integer->data = malloc(integer->length);
909 if (integer->data == NULL) {
910 krb5_clear_error_message(context);
913 BN_bn2bin(bn, integer->data);
914 integer->negative = BN_is_negative(bn);
918 static krb5_error_code
919 pk_mk_pa_reply_enckey(krb5_context context,
920 krb5_kdc_configuration *config,
921 pk_client_params *cp,
923 const krb5_data *req_buffer,
924 krb5_keyblock *reply_key,
925 ContentInfo *content_info,
926 hx509_cert *kdc_cert)
928 const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL;
930 krb5_data buf, signed_data;
934 krb5_data_zero(&buf);
935 krb5_data_zero(&signed_data);
940 * If the message client is a win2k-type but it send pa data
941 * 09-binding it expects a IETF (checksum) reply so there can be
948 if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL
949 && config->pkinit_require_binding == 0)
953 sdAlg = &asn1_oid_id_pkcs7_data;
954 evAlg = &asn1_oid_id_pkcs7_data;
955 envelopedAlg = &asn1_oid_id_rsadsi_des_ede3_cbc;
959 sdAlg = &asn1_oid_id_pkrkeydata;
960 evAlg = &asn1_oid_id_pkcs7_signedData;
963 krb5_abortx(context, "internal pkinit error");
967 ReplyKeyPack_Win2k kp;
968 memset(&kp, 0, sizeof(kp));
970 ret = copy_EncryptionKey(reply_key, &kp.replyKey);
972 krb5_clear_error_message(context);
975 kp.nonce = cp->nonce;
977 ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k,
978 buf.data, buf.length,
980 free_ReplyKeyPack_Win2k(&kp);
982 krb5_crypto ascrypto;
984 memset(&kp, 0, sizeof(kp));
986 ret = copy_EncryptionKey(reply_key, &kp.replyKey);
988 krb5_clear_error_message(context);
992 ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
994 krb5_clear_error_message(context);
998 ret = krb5_create_checksum(context, ascrypto, 6, 0,
999 req_buffer->data, req_buffer->length,
1002 krb5_clear_error_message(context);
1006 ret = krb5_crypto_destroy(context, ascrypto);
1008 krb5_clear_error_message(context);
1011 ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
1012 free_ReplyKeyPack(&kp);
1015 krb5_set_error_message(context, ret, "ASN.1 encoding of ReplyKeyPack "
1016 "failed (%d)", ret);
1019 if (buf.length != size)
1020 krb5_abortx(context, "Internal ASN.1 encoder error");
1026 ret = hx509_query_alloc(context->hx509ctx, &q);
1030 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1031 if (config->pkinit_kdc_friendly_name)
1032 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
1034 ret = hx509_certs_find(context->hx509ctx,
1035 kdc_identity->certs,
1038 hx509_query_free(context->hx509ctx, q);
1042 ret = hx509_cms_create_signed_1(context->hx509ctx,
1051 kdc_identity->certpool,
1056 krb5_data_free(&buf);
1060 if (cp->type == PKINIT_WIN2K) {
1061 ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData,
1066 krb5_data_free(&signed_data);
1070 ret = hx509_cms_envelope_1(context->hx509ctx,
1071 HX509_CMS_EV_NO_KU_CHECK,
1073 signed_data.data, signed_data.length,
1079 ret = _krb5_pk_mk_ContentInfo(context,
1081 &asn1_oid_id_pkcs7_envelopedData,
1084 if (ret && *kdc_cert) {
1085 hx509_cert_free(*kdc_cert);
1089 krb5_data_free(&buf);
1090 krb5_data_free(&signed_data);
1098 static krb5_error_code
1099 pk_mk_pa_reply_dh(krb5_context context,
1100 krb5_kdc_configuration *config,
1101 pk_client_params *cp,
1102 ContentInfo *content_info,
1103 hx509_cert *kdc_cert)
1105 KDCDHKeyInfo dh_info;
1106 krb5_data signed_data, buf;
1107 ContentInfo contentinfo;
1108 krb5_error_code ret;
1113 memset(&contentinfo, 0, sizeof(contentinfo));
1114 memset(&dh_info, 0, sizeof(dh_info));
1115 krb5_data_zero(&signed_data);
1116 krb5_data_zero(&buf);
1120 if (cp->keyex == USE_DH) {
1121 DH *kdc_dh = cp->u.dh.key;
1122 const BIGNUM *pub_key;
1125 DH_get0_key(kdc_dh, &pub_key, NULL);
1126 ret = BN_to_integer(context, pub_key, &i);
1130 ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
1131 der_free_heim_integer(&i);
1133 krb5_set_error_message(context, ret, "ASN.1 encoding of "
1134 "DHPublicKey failed (%d)", ret);
1137 if (buf.length != size)
1138 krb5_abortx(context, "Internal ASN.1 encoder error");
1140 dh_info.subjectPublicKey.length = buf.length * 8;
1141 dh_info.subjectPublicKey.data = buf.data;
1142 krb5_data_zero(&buf);
1144 } else if (cp->keyex == USE_ECDH) {
1148 len = i2o_ECPublicKey(cp->u.ecdh.key, NULL);
1156 dh_info.subjectPublicKey.length = len * 8;
1157 dh_info.subjectPublicKey.data = p;
1159 len = i2o_ECPublicKey(cp->u.ecdh.key, &p);
1164 krb5_abortx(context, "no keyex selected ?");
1167 dh_info.nonce = cp->nonce;
1169 ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size,
1172 krb5_set_error_message(context, ret, "ASN.1 encoding of "
1173 "KdcDHKeyInfo failed (%d)", ret);
1176 if (buf.length != size)
1177 krb5_abortx(context, "Internal ASN.1 encoder error");
1180 * Create the SignedData structure and sign the KdcDHKeyInfo
1184 ret = hx509_query_alloc(context->hx509ctx, &q);
1188 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1189 if (config->pkinit_kdc_friendly_name)
1190 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
1192 ret = hx509_certs_find(context->hx509ctx,
1193 kdc_identity->certs,
1196 hx509_query_free(context->hx509ctx, q);
1200 ret = hx509_cms_create_signed_1(context->hx509ctx,
1202 &asn1_oid_id_pkdhkeydata,
1209 kdc_identity->certpool,
1212 kdc_log(context, config, 0, "Failed signing the DH* reply: %d", ret);
1217 ret = _krb5_pk_mk_ContentInfo(context,
1219 &asn1_oid_id_pkcs7_signedData,
1225 if (ret && *kdc_cert) {
1226 hx509_cert_free(*kdc_cert);
1230 krb5_data_free(&buf);
1231 krb5_data_free(&signed_data);
1232 free_KDCDHKeyInfo(&dh_info);
1242 _kdc_pk_mk_pa_reply(krb5_context context,
1243 krb5_kdc_configuration *config,
1244 pk_client_params *cp,
1245 const hdb_entry_ex *client,
1246 krb5_enctype sessionetype,
1248 const krb5_data *req_buffer,
1249 krb5_keyblock **reply_key,
1250 krb5_keyblock *sessionkey,
1253 krb5_error_code ret;
1255 size_t len = 0, size = 0;
1256 krb5_enctype enctype;
1258 hx509_cert kdc_cert = NULL;
1261 if (!config->enable_pkinit) {
1262 krb5_clear_error_message(context);
1266 if (req->req_body.etype.len > 0) {
1267 for (i = 0; i < req->req_body.etype.len; i++)
1268 if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)
1270 if (req->req_body.etype.len <= i) {
1271 ret = KRB5KRB_ERR_GENERIC;
1272 krb5_set_error_message(context, ret,
1273 "No valid enctype available from client");
1276 enctype = req->req_body.etype.val[i];
1278 enctype = ETYPE_DES3_CBC_SHA1;
1280 if (cp->type == PKINIT_27) {
1282 const char *type, *other = "";
1284 memset(&rep, 0, sizeof(rep));
1286 pa_type = KRB5_PADATA_PK_AS_REP;
1288 if (cp->keyex == USE_RSA) {
1293 rep.element = choice_PA_PK_AS_REP_encKeyPack;
1295 ret = krb5_generate_random_keyblock(context, enctype,
1298 free_PA_PK_AS_REP(&rep);
1301 ret = pk_mk_pa_reply_enckey(context,
1310 free_PA_PK_AS_REP(&rep);
1313 ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
1314 rep.u.encKeyPack.length, &info, &size,
1316 free_ContentInfo(&info);
1318 krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
1320 free_PA_PK_AS_REP(&rep);
1323 if (rep.u.encKeyPack.length != size)
1324 krb5_abortx(context, "Internal ASN.1 encoder error");
1326 ret = krb5_generate_random_keyblock(context, sessionetype,
1329 free_PA_PK_AS_REP(&rep);
1336 switch (cp->keyex) {
1337 case USE_DH: type = "dh"; break;
1339 case USE_ECDH: type = "ecdh"; break;
1341 default: krb5_abortx(context, "unknown keyex"); break;
1344 if (cp->dh_group_name)
1345 other = cp->dh_group_name;
1347 rep.element = choice_PA_PK_AS_REP_dhInfo;
1349 ret = generate_dh_keyblock(context, cp, enctype);
1353 ret = pk_mk_pa_reply_dh(context, config,
1358 free_PA_PK_AS_REP(&rep);
1359 krb5_set_error_message(context, ret,
1360 "create pa-reply-dh "
1365 ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data,
1366 rep.u.dhInfo.dhSignedData.length, &info, &size,
1368 free_ContentInfo(&info);
1370 krb5_set_error_message(context, ret,
1371 "encoding of Key ContentInfo "
1373 free_PA_PK_AS_REP(&rep);
1376 if (rep.u.encKeyPack.length != size)
1377 krb5_abortx(context, "Internal ASN.1 encoder error");
1379 /* XXX KRB-FX-CF2 */
1380 ret = krb5_generate_random_keyblock(context, sessionetype,
1383 free_PA_PK_AS_REP(&rep);
1387 /* XXX Add PA-PKINIT-KX */
1391 #define use_btmm_with_enckey 0
1392 if (use_btmm_with_enckey && rep.element == choice_PA_PK_AS_REP_encKeyPack) {
1393 PA_PK_AS_REP_BTMM btmm;
1396 any.data = rep.u.encKeyPack.data;
1397 any.length = rep.u.encKeyPack.length;
1399 btmm.dhSignedData = NULL;
1400 btmm.encKeyPack = &any;
1402 ASN1_MALLOC_ENCODE(PA_PK_AS_REP_BTMM, buf, len, &btmm, &size, ret);
1404 ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
1407 free_PA_PK_AS_REP(&rep);
1409 krb5_set_error_message(context, ret,
1410 "encode PA-PK-AS-REP failed %d", ret);
1414 krb5_abortx(context, "Internal ASN.1 encoder error");
1416 kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
1418 } else if (cp->type == PKINIT_WIN2K) {
1419 PA_PK_AS_REP_Win2k rep;
1422 if (cp->keyex != USE_RSA) {
1423 ret = KRB5KRB_ERR_GENERIC;
1424 krb5_set_error_message(context, ret,
1425 "Windows PK-INIT doesn't support DH");
1429 memset(&rep, 0, sizeof(rep));
1431 pa_type = KRB5_PADATA_PK_AS_REP_19;
1432 rep.element = choice_PA_PK_AS_REP_Win2k_encKeyPack;
1434 ret = krb5_generate_random_keyblock(context, enctype,
1437 free_PA_PK_AS_REP_Win2k(&rep);
1440 ret = pk_mk_pa_reply_enckey(context,
1449 free_PA_PK_AS_REP_Win2k(&rep);
1452 ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
1453 rep.u.encKeyPack.length, &info, &size,
1455 free_ContentInfo(&info);
1457 krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
1459 free_PA_PK_AS_REP_Win2k(&rep);
1462 if (rep.u.encKeyPack.length != size)
1463 krb5_abortx(context, "Internal ASN.1 encoder error");
1465 ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
1466 free_PA_PK_AS_REP_Win2k(&rep);
1468 krb5_set_error_message(context, ret,
1469 "encode PA-PK-AS-REP-Win2k failed %d", ret);
1473 krb5_abortx(context, "Internal ASN.1 encoder error");
1475 ret = krb5_generate_random_keyblock(context, sessionetype,
1483 krb5_abortx(context, "PK-INIT internal error");
1486 ret = krb5_padata_add(context, md, pa_type, buf, len);
1488 krb5_set_error_message(context, ret,
1489 "Failed adding PA-PK-AS-REP %d", ret);
1494 if (config->pkinit_kdc_ocsp_file) {
1496 if (ocsp.expire == 0 && ocsp.next_update > kdc_time) {
1500 krb5_data_free(&ocsp.data);
1503 ocsp.next_update = kdc_time + 60 * 5;
1505 fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
1507 kdc_log(context, config, 0,
1508 "PK-INIT failed to open ocsp data file %d", errno);
1511 ret = fstat(fd, &sb);
1515 kdc_log(context, config, 0,
1516 "PK-INIT failed to stat ocsp data %d", ret);
1520 ret = krb5_data_alloc(&ocsp.data, sb.st_size);
1523 kdc_log(context, config, 0,
1524 "PK-INIT failed to stat ocsp data %d", ret);
1527 ocsp.data.length = sb.st_size;
1528 ret = read(fd, ocsp.data.data, sb.st_size);
1530 if (ret != sb.st_size) {
1531 kdc_log(context, config, 0,
1532 "PK-INIT failed to read ocsp data %d", errno);
1536 ret = hx509_ocsp_verify(context->hx509ctx,
1540 ocsp.data.data, ocsp.data.length,
1543 kdc_log(context, config, 0,
1544 "PK-INIT failed to verify ocsp data %d", ret);
1545 krb5_data_free(&ocsp.data);
1547 } else if (ocsp.expire > 180) {
1548 ocsp.expire -= 180; /* refetch the ocsp before it expire */
1549 ocsp.next_update = ocsp.expire;
1551 ocsp.next_update = kdc_time;
1557 if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
1559 ret = krb5_padata_add(context, md,
1560 KRB5_PADATA_PA_PK_OCSP_RESPONSE,
1561 ocsp.data.data, ocsp.data.length);
1563 krb5_set_error_message(context, ret,
1564 "Failed adding OCSP response %d", ret);
1572 hx509_cert_free(kdc_cert);
1575 *reply_key = &cp->reply_key;
1580 match_rfc_san(krb5_context context,
1581 krb5_kdc_configuration *config,
1582 hx509_context hx509ctx,
1583 hx509_cert client_cert,
1584 krb5_const_principal match)
1586 hx509_octet_string_list list;
1590 memset(&list, 0 , sizeof(list));
1592 ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
1594 &asn1_oid_id_pkinit_san,
1599 for (i = 0; !found && i < list.len; i++) {
1600 krb5_principal_data principal;
1601 KRB5PrincipalName kn;
1604 ret = decode_KRB5PrincipalName(list.val[i].data,
1608 const char *msg = krb5_get_error_message(context, ret);
1609 kdc_log(context, config, 0,
1610 "Decoding kerberos name in certificate failed: %s", msg);
1611 krb5_free_error_message(context, msg);
1614 if (size != list.val[i].length) {
1615 kdc_log(context, config, 0,
1616 "Decoding kerberos name have extra bits on the end");
1617 return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1620 principal.name = kn.principalName;
1621 principal.realm = kn.realm;
1623 if (krb5_principal_compare(context, &principal, match) == TRUE)
1625 free_KRB5PrincipalName(&kn);
1629 hx509_free_octet_string_list(&list);
1634 return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1640 match_ms_upn_san(krb5_context context,
1641 krb5_kdc_configuration *config,
1642 hx509_context hx509ctx,
1643 hx509_cert client_cert,
1645 hdb_entry_ex *client)
1647 hx509_octet_string_list list;
1648 krb5_principal principal = NULL;
1653 memset(&list, 0 , sizeof(list));
1655 ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
1657 &asn1_oid_id_pkinit_ms_san,
1662 if (list.len != 1) {
1663 kdc_log(context, config, 0,
1664 "More then one PK-INIT MS UPN SAN");
1668 ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length, &upn, &size);
1670 kdc_log(context, config, 0, "Decode of MS-UPN-SAN failed");
1673 if (size != list.val[0].length) {
1674 free_MS_UPN_SAN(&upn);
1675 kdc_log(context, config, 0, "Trailing data in ");
1676 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1680 kdc_log(context, config, 0, "found MS UPN SAN: %s", upn);
1682 ret = krb5_parse_name(context, upn, &principal);
1683 free_MS_UPN_SAN(&upn);
1685 kdc_log(context, config, 0, "Failed to parse principal in MS UPN SAN");
1689 if (clientdb->hdb_check_pkinit_ms_upn_match) {
1690 ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal);
1694 * This is very wrong, but will do for a fallback
1696 strupr(principal->realm);
1698 if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE)
1699 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1704 krb5_free_principal(context, principal);
1705 hx509_free_octet_string_list(&list);
1711 _kdc_pk_check_client(krb5_context context,
1712 krb5_kdc_configuration *config,
1714 hdb_entry_ex *client,
1715 pk_client_params *cp,
1716 char **subject_name)
1718 const HDB_Ext_PKINIT_acl *acl;
1719 const HDB_Ext_PKINIT_cert *pc;
1720 krb5_error_code ret;
1724 if (cp->cert == NULL) {
1726 *subject_name = strdup("anonymous client client");
1727 if (*subject_name == NULL)
1732 ret = hx509_cert_get_base_subject(context->hx509ctx,
1738 ret = hx509_name_to_string(name, subject_name);
1739 hx509_name_free(&name);
1743 kdc_log(context, config, 0,
1744 "Trying to authorize PK-INIT subject DN %s",
1747 ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
1748 if (ret == 0 && pc) {
1752 for (j = 0; j < pc->len; j++) {
1753 ret = hx509_cert_init_data(context->hx509ctx,
1754 pc->val[j].cert.data,
1755 pc->val[j].cert.length,
1759 ret = hx509_cert_cmp(cert, cp->cert);
1760 hx509_cert_free(cert);
1762 kdc_log(context, config, 5,
1763 "Found matching PK-INIT cert in hdb");
1770 if (config->pkinit_princ_in_cert) {
1771 ret = match_rfc_san(context, config,
1774 client->entry.principal);
1776 kdc_log(context, config, 5,
1777 "Found matching PK-INIT SAN in certificate");
1780 ret = match_ms_upn_san(context, config,
1786 kdc_log(context, config, 5,
1787 "Found matching MS UPN SAN in certificate");
1792 ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
1793 if (ret == 0 && acl != NULL) {
1795 * Cheat here and compare the generated name with the string
1796 * and not the reverse.
1798 for (i = 0; i < acl->len; i++) {
1799 if (strcmp(*subject_name, acl->val[0].subject) != 0)
1802 /* Don't support isser and anchor checking right now */
1803 if (acl->val[0].issuer)
1805 if (acl->val[0].anchor)
1808 kdc_log(context, config, 5,
1809 "Found matching PK-INIT database ACL");
1814 for (i = 0; i < principal_mappings.len; i++) {
1817 b = krb5_principal_compare(context,
1818 client->entry.principal,
1819 principal_mappings.val[i].principal);
1822 if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0)
1824 kdc_log(context, config, 5,
1825 "Found matching PK-INIT FILE ACL");
1829 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1830 krb5_set_error_message(context, ret,
1831 "PKINIT no matching principals for %s",
1834 kdc_log(context, config, 5,
1835 "PKINIT no matching principals for %s",
1838 free(*subject_name);
1839 *subject_name = NULL;
1844 static krb5_error_code
1845 add_principal_mapping(krb5_context context,
1846 const char *principal_name,
1847 const char * subject)
1849 struct pk_allowed_princ *tmp;
1850 krb5_principal principal;
1851 krb5_error_code ret;
1853 tmp = realloc(principal_mappings.val,
1854 (principal_mappings.len + 1) * sizeof(*tmp));
1857 principal_mappings.val = tmp;
1859 ret = krb5_parse_name(context, principal_name, &principal);
1863 principal_mappings.val[principal_mappings.len].principal = principal;
1865 principal_mappings.val[principal_mappings.len].subject = strdup(subject);
1866 if (principal_mappings.val[principal_mappings.len].subject == NULL) {
1867 krb5_free_principal(context, principal);
1870 principal_mappings.len++;
1876 _kdc_add_inital_verified_cas(krb5_context context,
1877 krb5_kdc_configuration *config,
1878 pk_client_params *cp,
1881 AD_INITIAL_VERIFIED_CAS cas;
1882 krb5_error_code ret;
1886 memset(&cas, 0, sizeof(cas));
1888 /* XXX add CAs to cas here */
1890 ASN1_MALLOC_ENCODE(AD_INITIAL_VERIFIED_CAS, data.data, data.length,
1894 if (data.length != size)
1895 krb5_abortx(context, "internal asn.1 encoder error");
1897 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
1898 KRB5_AUTHDATA_INITIAL_VERIFIED_CAS,
1900 krb5_data_free(&data);
1909 load_mappings(krb5_context context, const char *fn)
1911 krb5_error_code ret;
1913 unsigned long lineno = 0;
1920 while (fgets(buf, sizeof(buf), f) != NULL) {
1921 char *subject_name, *p;
1923 buf[strcspn(buf, "\n")] = '\0';
1926 p = buf + strspn(buf, " \t");
1928 if (*p == '#' || *p == '\0')
1931 subject_name = strchr(p, ':');
1932 if (subject_name == NULL) {
1933 krb5_warnx(context, "pkinit mapping file line %lu "
1934 "missing \":\" :%s",
1938 *subject_name++ = '\0';
1940 ret = add_principal_mapping(context, p, subject_name);
1942 krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
1956 krb5_kdc_pk_initialize(krb5_context context,
1957 krb5_kdc_configuration *config,
1958 const char *user_id,
1959 const char *anchors,
1965 krb5_error_code ret;
1967 file = krb5_config_get_string(context, NULL,
1968 "libdefaults", "moduli", NULL);
1970 ret = _krb5_parse_moduli(context, file, &moduli);
1972 krb5_err(context, 1, ret, "PKINIT: failed to load modidi file");
1974 principal_mappings.len = 0;
1975 principal_mappings.val = NULL;
1977 ret = _krb5_pk_load_id(context,
1987 krb5_warn(context, ret, "PKINIT: ");
1988 config->enable_pkinit = 0;
1996 ret = hx509_query_alloc(context->hx509ctx, &q);
1998 krb5_warnx(context, "PKINIT: out of memory");
2002 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
2003 if (config->pkinit_kdc_friendly_name)
2004 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
2006 ret = hx509_certs_find(context->hx509ctx,
2007 kdc_identity->certs,
2010 hx509_query_free(context->hx509ctx, q);
2012 if (hx509_cert_check_eku(context->hx509ctx, cert,
2013 &asn1_oid_id_pkkdcekuoid, 0)) {
2016 ret = hx509_cert_get_subject(cert, &name);
2018 hx509_name_to_string(name, &str);
2019 krb5_warnx(context, "WARNING Found KDC certificate (%s)"
2020 "is missing the PK-INIT KDC EKU, this is bad for "
2021 "interoperability.", str);
2022 hx509_name_free(&name);
2026 hx509_cert_free(cert);
2028 krb5_warnx(context, "PKINIT: failed to find a signing "
2029 "certifiate with a public key");
2032 if (krb5_config_get_bool_default(context,
2036 "pkinit_allow_proxy_certificate",
2038 config->pkinit_allow_proxy_certs = 1;
2040 file = krb5_config_get_string(context,
2043 "pkinit_mappings_file",
2046 asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context));
2050 load_mappings(context, file);