s4:kerberos Add support for user principal names in certificates

This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ.  (This was a TODO in
the Heimdal KDC)

The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).

Andrew Bartlett

3 files changed, 27 insertions, 19 deletions

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 43d54bf702..53e9f54537 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1053,6 +1053,7 @@ _kdc_as_rep(krb5_context context,
 
 	    ret = _kdc_pk_check_client(context,
 				       config,
+				       clientdb, 
 				       client,
 				       pkp,
 				       &client_cert);
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index 22734be811..644eae0fe4 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -1613,11 +1613,12 @@ match_ms_upn_san(krb5_context context,
 		 krb5_kdc_configuration *config,
 		 hx509_context hx509ctx,
 		 hx509_cert client_cert,
-		 krb5_const_principal match)
+		 HDB *clientdb,
+		 hdb_entry_ex *client)
 {
     hx509_octet_string_list list;
     krb5_principal principal = NULL;
-    int ret, found = 0;
+    int ret;
     MS_UPN_SAN upn;
     size_t size;
 
@@ -1651,32 +1652,32 @@ match_ms_upn_san(krb5_context context,
 	goto out;
     }
 
-    /*
-     * This is very wrong, but will do for now, should really and a
-     * plugin to the windc layer to very this ACL.
-    */
-    strupr(principal->realm);
-
-    if (krb5_principal_compare(context, principal, match) == TRUE)
-	found = 1;
+    if (clientdb->hdb_check_pkinit_ms_upn_match) {
+	ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal);
+    } else {
+	    
+	/*
+	 * This is very wrong, but will do for a fallback
+	 */
+	strupr(principal->realm);
+	    
+	if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE)
+	    ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+    }
 
 out:
     if (principal)
 	krb5_free_principal(context, principal);
     hx509_free_octet_string_list(&list);
-    if (ret)
-	return ret;
-
-    if (!found)
-	return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
 
-    return 0;
+    return ret;
 }
 
 krb5_error_code
 _kdc_pk_check_client(krb5_context context,
 		     krb5_kdc_configuration *config,
-		     const hdb_entry_ex *client,
+		     HDB *clientdb,
+		     hdb_entry_ex *client,
 		     pk_client_params *cp,
 		     char **subject_name)
 {
@@ -1745,7 +1746,8 @@ _kdc_pk_check_client(krb5_context context,
 	ret = match_ms_upn_san(context, config,
 			       kdc_identity->hx509ctx,
 			       cp->cert,
-			       client->entry.principal);
+			       clientdb, 
+			       client);
 	if (ret == 0) {
 	    kdc_log(context, config, 5,
 		    "Found matching MS UPN SAN in certificate");
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index f490dbf2f0..8eba864fd3 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -220,9 +220,14 @@ typedef struct HDB{
      * Check is delegation is allowed.
      */
     krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
+
+    /**
+     * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
+     */
+    krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
 }HDB;
 
-#define HDB_INTERFACE_VERSION	5
+#define HDB_INTERFACE_VERSION	6
 
 struct hdb_so_method {
     int version;