Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make certauth eku module restrictive-only #694

Merged
merged 3 commits into from Aug 29, 2017
Merged

Make certauth eku module restrictive-only #694

merged 3 commits into from Aug 29, 2017

Conversation

greghudson
Copy link
Member

[I noticed this when looking into feedback on the certauth interface. The impact isn't as bad as I initially thought, because a PKINIT client cert with the EKU will typically also contain a PKINIT SAN, and the san module will reject the cert if PKINIT SANs are present and don't match. But it would still have been a CVE bug, so it's fortunate that I ran into this before the release.]

The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication. Therefore, pkinit_eku_authorize() should return
KRB5_PLUGIN_NO_HANDLE on success, not 0.

@greghudson greghudson force-pushed the pkinit-eku branch 3 times, most recently from 7fd1190 to b7af544 Compare August 25, 2017 18:32
@greghudson
Copy link
Member Author

I combined in a fix for the san module, which was explicitly rejecting certs too aggressively, and added a test case using a no-extensions client cert. (A generic client cert doesn't actually trigger the san module bug because it has no SANs at all, but it is one of the primary use cases for the dbmatch module, so it seemed like a problem that we didn't have a test case for it.)

@pedrohc
Copy link

pedrohc commented Aug 25, 2017

CVE-2017-7562 was issued for this bug.

frozencemetery
frozencemetery approved these changes Aug 29, 2017
View reviewed changes
Copy link
Contributor

@frozencemetery frozencemetery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good. Fix already backported to Fedora.

@greghudson
Fix certauth built-in module returns
07243f8 
The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication.  Therefore, pkinit_eku_authorize() should return
KRB5_PLUGIN_NO_HANDLE on success, not 0.

The certauth san module should pass if it does not find any SANs of
the types it can match against; the presence of other types of SANs
should not cause it to explicitly deny a certificate.  Check for an
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
instead of returning ENOENT from crypto_retrieve_cert_sans() when
there are no SANs at all.

ticket: 8561
@greghudson
Add test cert with no extensions
0d23835 
Add commands to make-certs.sh to generate a test client certificate
with no certificate extensions.  Re-run make-certs.sh.

ticket: 8562
@greghudson
Add PKINIT test case for generic client cert
8c5d508 
In t_pkinit.py, add a test case where a client cert with no extensions
is authorized via subject and issuer using a pkinit_cert_match string
attribute.

ticket: 8562
@greghudson greghudson merged commit 8c5d508 into krb5:master Aug 29, 2017
@greghudson greghudson deleted the pkinit-eku branch August 29, 2017 23:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frozencemetery frozencemetery frozencemetery approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@greghudson @pedrohc @frozencemetery