From 4828d9e4e476d705e28db1cbdca1469da7337f10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sun, 23 Apr 2006 21:30:17 +0000
Subject: [PATCH] (pk_verify_host): Add begining of finding subjectAltName_otherName pk-init-san and verifing it.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17192 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/pkinit.c | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 0f20d072f..3aedbe4b6 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -713,7 +713,7 @@ pk_verify_host(krb5_context context,
 struct krb5_pk_init_ctx_data *ctx,
 struct krb5_pk_cert *host)
 {
- krb5_error_code ret;
+ krb5_error_code ret = 0;
 
 if (ctx->require_eku) {
 ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
@@ -724,10 +724,45 @@ pk_verify_host(krb5_context context,
 }
 }
 if (ctx->require_krbtgt_otherName) {
- /* XXX */
+ hx509_octet_string_list list;
+ krb5_error_code ret;
+ int i;
+
+ ret = hx509_cert_find_subjectAltName_otherName(host->cert,
+ oid_id_pkinit_san(),
+ &list);
+ if (ret) {
+ krb5_clear_error_string(context);
+ return ret;
+ }
+
+ for (i = 0; i < list.len; i++) {
+ KRB5PrincipalName r;
+ ret = decode_KRB5PrincipalName(list.val[i].data,
+ list.val[i].length,
+ &r,
+ NULL);
+ if (ret) {
+ krb5_clear_error_string(context);
+ break;
+ }
+
+#if 0
+ if (r.principalName.name.len != 2) {
+ krb5_clear_error_string(context);
+ ret = EINVAL;
+ }
+#endif
+ /* XXX verify realm */
+
+ free_KRB5PrincipalName(&r);
+ if (ret)
+ break;
+ }
+ hx509_free_octet_string_list(&list);
 }
- return 0;
+ return ret;
 }
 
 static krb5_error_code
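Review bot: The inner `krb5_error_code ret;` declared at the top of the new `require_krbtgt_otherName` block shadows the function-level `ret` that the first hunk initialises to 0, so when decode_KRB5PrincipalName fails (or the EINVAL path runs once the `#if 0` check is enabled) only the inner variable is set, the loop breaks, and the final `return ret;` after the block hands back the outer value, 0 — a KDC certificate carrying an undecodable pk-init SAN verifies successfully despite the option being set. Dropping that one line (`krb5_error_code ret;`) lets the loop's status reach the caller, and the early `return ret;` right after hx509_cert_find_subjectAltName_otherName is unaffected since it returns from inside the block. Separately, an empty `list` leaves `ret` at 0 and the block passes, which is presumably not the intent of require_krbtgt_otherName unless the find call already reports the no-SAN case as an error (not visible here); a `if (list.len == 0) { ... return KRB5KDC_ERR_... }` style guard, or whatever error code this module uses, would make the requirement actually bind until the `/* XXX verify realm */` check lands. `i` is an `int` compared against `list.len`, so the loop should use the type of `len` to avoid the sign-compare warning. pk_verify_host's signature and the EKU branch between the two hunks lie outside what this hunk shows.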