Try searching for the key to use by first looking for the PK-INIT

EKU, then the Microsoft smart card EKU and last, no special EKU at all.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22673 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2008-03-10 15:00:05 +00:00
parent 1828420cc3
commit 0968e71694


@@ -139,17 +139,59 @@ integer_to_BN(krb5_context context, const char *field, const heim_integer *f)
return bn; return bn;
} }
struct certfind {
const char *type;
const heim_oid *oid;
};
/*
* Try searchin the key by to use by first looking for for PK-INIT
* EKU, then the Microsoft smart card EKU and last, no special EKU at all.
*/
static krb5_error_code static krb5_error_code
_krb5_pk_create_sign(krb5_context context, find_cert(krb5_context context, struct krb5_pk_identity *id,
hx509_query *q, hx509_cert *cert)
{
struct certfind cf[3] = {
{ "PKINIT EKU" },
{ "MS EKU" },
{ "no" }
};
int i, ret;
cf[0].oid = oid_id_pkekuoid();
cf[1].oid = oid_id_pkinit_ms_eku();
cf[2].oid = NULL;
for (i = 0; i < sizeof(cf)/sizeof(cf[0]); i++) {
ret = hx509_query_match_eku(q, cf[i].oid);
if (ret) {
_krb5_pk_copy_error(context, id->hx509ctx, ret,
"Failed setting %s OID", cf[i].type);
return ret;
}
ret = hx509_certs_find(id->hx509ctx, id->certs, q, cert);
if (ret == 0)
break;
_krb5_pk_copy_error(context, id->hx509ctx, ret,
"Failed cert for finding %s OID", cf[i].type);
}
return ret;
}
static krb5_error_code
create_signature(krb5_context context,
const heim_oid *eContentType, const heim_oid *eContentType,
krb5_data *eContent, krb5_data *eContent,
struct krb5_pk_identity *id, struct krb5_pk_identity *id,
hx509_peer_info peer, hx509_peer_info peer,
krb5_data *sd_data) krb5_data *sd_data)
{ {
hx509_cert cert; hx509_cert cert = NULL;
hx509_query *q; hx509_query *q = NULL;
int ret; int ret;
ret = hx509_query_alloc(id->hx509ctx, &q); ret = hx509_query_alloc(id->hx509ctx, &q);
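Review bot: The loop counter in find_cert is declared `int i` but is compared against `sizeof(cf)/sizeof(cf[0])`, which is a `size_t`; declaring it `size_t i` avoids the signed/unsigned comparison. The third table entry passes a NULL oid to hx509_query_match_eku, and the "no special EKU" fallback only works if that call clears the EKU constraint left by the previous iteration — worth confirming, since otherwise the last pass just repeats the MS-EKU search and the intended widening of the match never happens. The new header comment has several typos; suggested wording: `Try to find the key to use by first looking for the PK-INIT EKU, then the Microsoft smart card EKU and last, no special EKU at all.` The error string `"Failed cert for finding %s OID"` reads oddly for the "no" entry; `"Failed to find certificate using %s"` would read correctly for all three.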
@@ -162,13 +204,10 @@ _krb5_pk_create_sign(krb5_context context,
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
ret = hx509_certs_find(id->hx509ctx, id->certs, q, &cert); ret = find_cert(context, id, q, &cert);
hx509_query_free(id->hx509ctx, q); hx509_query_free(id->hx509ctx, q);
if (ret) { if (ret)
_krb5_pk_copy_error(context, id->hx509ctx, ret,
"Find certificate to signed CMS data");
return ret; return ret;
}
ret = hx509_cms_create_signed_1(id->hx509ctx, ret = hx509_cms_create_signed_1(id->hx509ctx,
0, 0,
@@ -181,13 +220,16 @@ _krb5_pk_create_sign(krb5_context context,
NULL, NULL,
id->certs, id->certs,
sd_data); sd_data);
if (ret)
_krb5_pk_copy_error(context, id->hx509ctx, ret, "create CMS signedData");
hx509_cert_free(cert); hx509_cert_free(cert);
if (ret) {
_krb5_pk_copy_error(context, id->hx509ctx, ret,
"Create CMS signedData");
return ret; return ret;
} }
return 0;
}
static int static int
cert2epi(hx509_context context, void *ctx, hx509_cert c) cert2epi(hx509_context context, void *ctx, hx509_cert c)
{ {
@@ -543,12 +585,8 @@ pk_mk_padata(krb5_context context,
} else } else
krb5_abortx(context, "internal pkinit error"); krb5_abortx(context, "internal pkinit error");
ret = _krb5_pk_create_sign(context, ret = create_signature(context, oid, &buf, ctx->id,
oid, ctx->peer, &sd_buf);
&buf,
ctx->id,
ctx->peer,
&sd_buf);
krb5_data_free(&buf); krb5_data_free(&buf);
if (ret) if (ret)
goto out; goto out;