| commit | 15b2094079631e229de82aa82d7335b2af8340c2 | |
| author | Nicolas Williams <nico@twosigma.com> | |
| Wed, 24 Mar 2021 20:57:15 +0000 (24 15:57 -0500) | ||
| committer | Nicolas Williams <nico@twosigma.com> | |
| Thu, 25 Mar 2021 00:12:00 +0000 (24 19:12 -0500) | ||
| tree | 68ab2fdf11a166f6ba6894a3442966407ed462d4 | treesnapshot (tar.gz zip) |
| parent | f0e628c2cfa611ec360638fcdeb1daf7cda45605 | commitdiff |
hx509: Add Heimdal cert ext for ticket max_life
This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate:
- a `--pkinit-max-life` to the `hxtool ca` command
- `hx509_ca_tbs_set_pkinit_max_life()`
- `hx509_cert_get_pkinit_max_life()`
- `HX509_CA_TEMPLATE_PKINIT_MAX_LIFE`
There are two extensions. One is an EKU, which if present means that
the maximum ticket lifetime should be derived from the notAfter minus
notBefore. The other is a certificate extension whose value is a
maximum ticket lifetime in seconds. The latter is preferred.
This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate:
- a `--pkinit-max-life` to the `hxtool ca` command
- `hx509_ca_tbs_set_pkinit_max_life()`
- `hx509_cert_get_pkinit_max_life()`
- `HX509_CA_TEMPLATE_PKINIT_MAX_LIFE`
There are two extensions. One is an EKU, which if present means that
the maximum ticket lifetime should be derived from the notAfter minus
notBefore. The other is a certificate extension whose value is a
maximum ticket lifetime in seconds. The latter is preferred.