From 5807540e1b2f49d8cedd427caf54c921d7af2f20 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 4 Dec 2013 16:15:33 -0600
Subject: [PATCH] Fix kx509 to include realm
---
 kdc/kx509.c | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/kdc/kx509.c b/kdc/kx509.c
index 25861fbca..274c1df50 100644
--- a/kdc/kx509.c
+++ b/kdc/kx509.c
@@ -144,10 +144,12 @@ build_certificate(krb5_context context,
 krb5_data *certificate)
 {
 char *name = NULL;
+ const char *kx509_ca;
 hx509_ca_tbs tbs = NULL;
 hx509_env env = NULL;
 hx509_cert cert = NULL;
 hx509_cert signer = NULL;
+ krb5_boolean def_bool;
 int ret;
 ret = krb5_unparse_name_flags(context, principal,
@@ -156,11 +158,39 @@ build_certificate(krb5_context context,
 if (ret)
 goto out;
+ ret = hx509_env_add(context->hx509ctx, &env, "principal-name-without-realm",
+ name);
+ krb5_xfree(name);
+ name = NULL;
+ if (ret)
+ goto out;
+
+ /*
+ * Include the realm in the principal-name env var; the template
+ * might not use $principal-name-realm after all.
+ */
+ ret = krb5_unparse_name(context, principal, &name);
+ if (ret)
+ goto out;
+
 ret = hx509_env_add(context->hx509ctx, &env, "principal-name", name);
 if (ret)
 goto out;
+ ret = hx509_env_add(context->hx509ctx, &env, "principal-name-realm",
+ krb5_principal_get_realm(context, principal));
+ if (ret)
+ goto out;
+
+ /* Pick an issuer based on the crealm if we can */
+ kx509_ca = krb5_config_get_string(context, NULL, "kdc",
+ krb5_principal_get_realm(context,
+ principal),
+ "kx509_ca", NULL);
+ if (kx509_ca == NULL)
+ kx509_ca = config->kx509_ca;
+
 {
 hx509_certs certs;
 hx509_query *q;
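Review bot: `kx509_ca` is assigned from the per-realm `[kdc]` lookup with a fallback to `config->kx509_ca`, but no added line in this patch reads it, and with 43 insertions and no deletions the signer-loading code in the `{ hx509_certs certs; ... }` block that follows (outside the hunk) presumably still passes `config->kx509_ca`, so a realm-specific `kx509_ca` setting is silently ignored and certificates for that realm keep being issued by the global CA. The reference in that block should be switched to `kx509_ca`; building with `-Wunused-but-set-variable` would point at the exact spot. Separately, `$principal-name` in the kx509 template now expands to the realm-qualified name, which changes the subject produced by existing templates that relied on the unqualified form; a comment above the first `hx509_env_add`, such as `/* Keep the unqualified form available to templates; $principal-name now carries the realm. */`, and a sentence in the commit message would make that migration visible. build_certificate continues outside the hunk on both sides.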
@@ -245,6 +275,19 @@ build_certificate(krb5_context context,
 goto out;
 }
+ def_bool = krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
+ "kx509_include_pkinit_san",
+ NULL);
+ if (krb5_config_get_bool_default(context, NULL, def_bool, "kdc",
+ krb5_principal_get_realm(context,
+ principal),
+ "kx509_include_pkinit_san",
+ NULL)) {
+ ret = hx509_ca_tbs_add_san_pkinit(context->hx509ctx, tbs, name);
+ if (ret)
+ goto out;
+ }
+
 hx509_ca_tbs_set_notAfter(context->hx509ctx, tbs, endtime);
 hx509_ca_tbs_subject_expand(context->hx509ctx, tbs, env);
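Review bot: `kx509_include_pkinit_san` defaults to TRUE (the global lookup passes TRUE and the per-realm lookup inherits it through `def_bool`), so every certificate kx509 issues now carries a PKINIT SAN for the client principal and is accepted as a PKINIT credential for that principal by any KDC trusting this CA; that is a new capability the commit message does not mention and this hunk does not document. The option and its default belong in the kdc configuration documentation, and a comment above the `def_bool` assignment such as `/* Per-realm setting overrides the global one; default is to add the PKINIT SAN. */` would explain the two-step lookup. The `name` passed to `hx509_ca_tbs_add_san_pkinit` is the realm-qualified string produced by the `krb5_unparse_name` call in the earlier hunk, assuming nothing between the two hunks reassigns it, which is the form a PKINIT SAN needs. build_certificate continues outside the hunk on both sides.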