
Searched full:pkinit (Results 1 – 25 of 206) sorted by relevance


/freebsd/crypto/krb5/src/plugins/preauth/pkinit/
H A Dpkinit_trace.h2 /* plugins/preauth/pkinit/pkinit_trace.h - PKINIT tracing macros */
39 TRACE(c, "PKINIT client found acceptable EKU in KDC cert")
41 TRACE(c, "PKINIT client found no acceptable EKU in KDC cert")
43 TRACE(c, "PKINIT client skipping EKU check due to configuration")
45 TRACE(c, "PKINIT client received freshness token from KDC")
47 TRACE(c, "PKINIT client has no configured identity; giving up")
49 TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, " \
52 TRACE(c, "PKINIT client verified DH reply")
54 TRACE(c, "PKINIT client could not verify DH reply")
56 TRACE(c, "PKINIT client computed checksums: {hexdata} {hexdata}", \
[all …]
H A Ddeps8 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
19 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
27 pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
33 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
40 $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \
44 $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
49 pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_kdf_test.c \
53 $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
58 pkinit.h pkinit_accessor.h pkinit_constants.c pkinit_crypto.h \
64 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
[all …]
H A DMakefile.in1 mydir=plugins$(S)preauth$(S)pkinit
5 LIBBASE=pkinit
8 RELDIR=../plugins/preauth/pkinit
71 $(OUTPRE)$(PKINITLIB).dll: pkinit.def $(OBJS)
72 link /dll $(LOPTS) -def:pkinit.def -out:$*.dll $(OBJS) $(WINLIBS)
/freebsd/contrib/pam-krb5/tests/module/
H A Dpkinit-t.c2 * PKINIT authentication tests for the pam-krb5 module.
4 * This test case includes tests that require a PKINIT certificate, but which
49 run_script("data/scripts/pkinit/basic", &config); in main()
50 run_script("data/scripts/pkinit/basic-debug", &config); in main()
51 run_script("data/scripts/pkinit/prompt-use", &config); in main()
52 run_script("data/scripts/pkinit/prompt-try", &config); in main()
53 run_script("data/scripts/pkinit/try-pkinit", &config); in main()
57 run_script("data/scripts/pkinit/try-pkinit-debug", &config); in main()
59 run_script("data/scripts/pkinit/try-pkinit-debug-mit", &config); in main()
64 run_script("data/scripts/pkinit/preauth-opt-mit", &config); in main()
[all …]
/freebsd/crypto/heimdal/lib/asn1/
H A Dpkinit.asn13 PKINIT DEFINITIONS ::= BEGIN
10 id-pkinit OBJECT IDENTIFIER ::=
12 kerberosv5 (2) pkinit (3) }
14 id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }
15 id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }
16 id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
17 id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
18 id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }
20 id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
21 id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
[all …]
H A DChangeLog3 * pkinit.asn1: add id-pkinit-kdf
5 * pkinit.asn1: add PkinitSP80056AOtherInfo
39 * pkinit.asn1: Fold in pk-init-alg-agilty.
124 * pkinit.asn1: Make the pkinit nonce signed (like the kerberos
148 * pkinit.asn1: add MS-UPN-SAN
203 * pkinit.asn1: add id-pkinit-ms-eku
205 * pkinit.asn1: fill in more bits of id-pkinit-ms-san
520 * pkinit.asn1: Add ExternalPrincipalIdentifiers, shared between
584 * Makefile.am: Add id-pkinit-ms-san.
586 * pkinit.asn1: Add id-pkinit-ms-san.
[all …]
/freebsd/crypto/heimdal/
H A DChangeLog.2006135 * lib/krb5/pkinit.c: sprinkle more _krb5_pk_copy_error
137 * lib/krb5/pkinit.c: Copy more hx509 error strings to krb5 error
149 * kdc/pkinit.c (_kdc_add_inital_verified_cas): new function, adds
158 * kdc/pkinit.c (_kdc_pk_rd_padata): leak less memory for
161 * kdc/pkinit.c: Parse and use PA-PK-AS-REQ.trustedCertifiers
163 * kdc/pkinit.c: Add comment that the anchors in the signed data
193 * lib/krb5/verify_krb5_conf.c: add more pkinit options.
195 * lib/krb5/pkinit.c: Store what PK-INIT type we used to know reply
209 * kdc/pkinit.c: Need better code in the DH parameter rejection
219 * lib/krb5/pkinit.c (build_auth_pack): set supportedCMSTypes.
[all …]
H A DChangeLog.20044 now (used in pkinit)
183 * lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit
214 * lib/krb5/pkinit.c: match new error names
235 * lib/asn1/k5.asn1: sync enctypes with pkinit branch
243 * kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS
258 * lib/krb5/pkinit.c: free openssl engine deal with
262 * kdc/pkinit.c: free openssl engine deal with RecipientIdentifier
271 * lib/krb5/pkinit.c: filter out dup openssl engine keys, parse
274 * lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add
279 * kdc/pkinit.c: improve error logging
[all …]
H A DChangeLog.2005223 * lib/krb5/pkinit.c (_krb5_dh_group_ok): if not enough bits are
226 * kdc/pkinit.c (get_dh_param): Pass down config so this function
236 * lib/krb5/pkinit.c: Add option to require binding between reply
243 * lib/krb5/pkinit.c: Try both ReplyKey and ReplyKey-Win2k for the
277 * lib/krb5/pkinit.c: rename element private to opt_private to make
291 * lib/krb5/pkinit.c: Inline short functions, share more code,
305 * kdc/pkinit.c: Removing PK-INIT-19 support.
307 * lib/krb5/pkinit.c: Removing PK-INIT-19 support.
309 * lib/krb5/pkinit.c (_krb5_dh_group_ok): return DH group name on
313 * kdc/pkinit.c: Save DH group name and print it on success.
[all …]
/freebsd/contrib/pam-krb5/tests/config/
H A DREADME46 pkinit-cert
48 Certificate and private key (concatenated together) for PKINIT
49 authentication for the user listed in the pkinit-principal file.
50 Optional; PKINIT checks will be skipped if this file isn't present.
52 pkinit-principal
54 Principal to use to test PKINIT authentication. Must be the Kerberos
56 pkinit-cert. Optional; PKINIT checks will be skipped if this file
/freebsd/crypto/heimdal/lib/hdb/
H A Dhdb.asn159 HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
65 HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
70 HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
104 pkinit-acl[0] HDB-Ext-PKINIT-acl,
105 pkinit-cert-hash[1] HDB-Ext-PKINIT-hash,
112 pkinit-cert[8] HDB-Ext-PKINIT-cert,
/freebsd/crypto/heimdal/lib/krb5/
H A Dpkinit.c46 #ifdef PKINIT
125 N_("PKINIT: parsing BN failed %s", ""), field); in integer_to_BN()
195 { "PKINIT EKU" }, in find_cert()
459 N_("pkinit: failed to generate DH key", "")); in build_auth_pack()
736 krb5_abortx(context, "internal pkinit error"); in pk_mk_padata()
801 krb5_abortx(context, "internal pkinit error"); in pk_mk_padata()
837 N_("PKINIT: No user certificate given", "")); in _krb5_pk_mk_padata()
979 N_("PKINIT decoding reply key failed", "")); in get_reply_key_win()
986 N_("PKINIT enckey nonce is wrong", "")); in get_reply_key_win()
1003 N_("PKINIT failed copying reply key", "")); in get_reply_key_win()
[all …]
/freebsd/crypto/krb5/src/lib/krb5/krb/
H A Ddeps8 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
19 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
30 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
41 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
53 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
64 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
76 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
88 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
100 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
111 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
[all …]
/freebsd/crypto/krb5/src/lib/crypto/krb/
H A Ddeps8 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
18 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
29 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
39 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
50 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
61 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
72 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
83 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
94 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
105 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
[all …]
/freebsd/crypto/krb5/src/lib/krb5/os/
H A Ddeps9 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
20 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
30 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
42 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
55 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
66 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
77 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
88 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
100 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
111 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
[all …]
/freebsd/crypto/krb5/src/lib/crypto/crypto_tests/
H A Ddeps8 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
19 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
30 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
40 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
50 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
62 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
72 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
82 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
93 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
104 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
[all …]
/freebsd/crypto/krb5/src/lib/krb5/ccache/
H A Ddeps9 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
20 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
31 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
42 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
53 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
64 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
76 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
87 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
98 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
109 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
[all …]
/freebsd/contrib/pam-krb5/
H A DTODO20 same logic for attempting PKINIT first and then falling back to
60 * The PKINIT code for Heimdal involves too many #ifdefs right now for my
61 taste. Find a way to restructure it to only wrap the main PKINIT
76 * Document PKINIT configuration with MIT in krb5.conf. It looks like the
97 * Figure out why the pin-mit script for module/pkinit prompts twice and
100 * Find a way of testing the PKINIT identity selection for MIT Kerberos
/freebsd/crypto/krb5/src/lib/crypto/builtin/des/
H A Ddeps8 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
20 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
31 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
41 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
52 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
64 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
74 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
86 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
98 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
109 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
[all …]
/freebsd/crypto/krb5/src/lib/krad/
H A Ddeps8 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
19 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
31 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
43 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
54 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
65 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
77 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
90 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
102 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
113 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
[all …]
/freebsd/contrib/pam-krb5/ci/
H A Dkdc-setup-mit18 apt-get install krb5-admin-server krb5-kdc krb5-pkinit openssl
45 # Enable anonymous PKINIT.
55 # Create the root CA for PKINIT.
81 cat client.pem clientkey.pem >tests/config/pkinit-cert
83 echo 'testuser@MIT.TEST' >tests/config/pkinit-principal
102 kinit -X X509_user_identity=FILE:tests/config/pkinit-cert testuser@MIT.TEST
/freebsd/crypto/krb5/src/lib/krb5/keytab/
H A Ddeps8 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
18 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
29 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
40 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
51 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
63 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
74 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
85 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
96 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
107 $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
/freebsd/crypto/krb5/src/lib/gssapi/krb5/
H A Ddeps12 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
28 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
43 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
58 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
73 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
88 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
103 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
118 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
134 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
149 $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
[all …]
/freebsd/contrib/pam-krb5/module/
H A Dauth.c5 * PKINIT. The only external interface is pamk5_password_auth, which calls
37 * If the PKINIT smart card error statuses aren't defined, define them to 0.
38 * This will cause the right thing to happen with the logic around PKINIT.
140 * PKINIT. It also configures FAST if requested and the Kerberos libraries
174 * Set options for PKINIT. Only used with MIT Kerberos; Heimdal's in set_credential_options()
175 * implementation of PKINIT uses a separate API instead of setting in set_credential_options()
511 * Attempt authentication via PKINIT. Currently, this uses an API specific to
512 * Heimdal. Once MIT Kerberos supports PKINIT, some of the details may need
520 * PKINIT is just one of many pre-authentication mechanisms that could be
522 * and the possibility that some users may be authenticated via PKINIT and
[all …]
/freebsd/lib/libpam/modules/pam_krb5/
H A Dpam-krb5.8389 its credentials as the FAST armor. This requires anonymous PKINIT be
390 enabled for the local realm, that PKINIT be configured on the local
391 system, and that the Kerberos library support FAST and anonymous PKINIT.
399 If anonymous PKINIT is not available or fails, FAST will not be used and
406 anonymous PKINIT if that cache could not be used.
418 rather than anonymous PKINIT. This allows use of FAST with a realm that
419 doesn't support PKINIT or doesn't support anonymous authentication.
435 To use anonymous PKINIT to protect the FAST exchange, use the \fIanon_fast\fR
437 ticket cache is required, but requires PKINIT be available and configured
441 back on attempting anonymous PKINIT if that cache could not be used.
[all …]
