libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY

This allows an ACL level check (rather than only an all-or-nothing KDC configuration)
that PKINIT freshness was used during the AS-REQ.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

libcli/security/dom_sid.h

@@ -43,6 +43,7 @@ extern const struct dom_sid global_sid_Network;
 extern const struct dom_sid global_sid_Asserted_Identity;
 extern const struct dom_sid global_sid_Asserted_Identity_Service;
 extern const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority;
+extern const struct dom_sid global_sid_Fresh_Public_Key_Identity;
 extern const struct dom_sid global_sid_Creator_Owner;
 extern const struct dom_sid global_sid_Creator_Group;
 extern const struct dom_sid global_sid_Owner_Rights;

libcli/security/util_sid.c

@@ -83,6 +83,10 @@ const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority =	/*
 const struct dom_sid global_sid_Asserted_Identity_Service =	/* Asserted Identity Service */
 { 1, 1, {0,0,0,0,0,18}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
 
+/* S-1-18-3 */
+const struct dom_sid global_sid_Fresh_Public_Key_Identity =	/* Fresh Public Key Identity */
+{ 1, 1, {0,0,0,0,0,18}, {3,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
 /* S-1-5-2 */
 const struct dom_sid global_sid_Network =			/* Network rids */
 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};

librpc/idl/security.idl

@@ -324,6 +324,14 @@ interface security
 	 */
 	const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
 
+	/*
+	 * This is added during the AS-REQ/AS-REP exchange after the
+	 * PKINIT Freshness extension is used (shows current
+	 * possession, rather than just a saved signature, of the
+	 * client pulic key).
+	 */
+	const string SID_FRESH_PUBLIC_KEY_IDENTITY = "S-1-18-3";
+
 	const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
 	const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";