Fix kx509 to include realm

2013-12-04 16:15:33 -06:00
parent d069763ac1
commit 5807540e1b
1 changed files with 43 additions and 0 deletions
--- a/kdc/kx509.c
+++ b/kdc/kx509.c
@@ -144,10 +144,12 @@ build_certificate(krb5_context context,
 		  krb5_data *certificate)
 {
    char *name = NULL;
+    const char *kx509_ca;
    hx509_ca_tbs tbs = NULL;
    hx509_env env = NULL;
    hx509_cert cert = NULL;
    hx509_cert signer = NULL;
+    krb5_boolean def_bool;
    int ret;

    ret = krb5_unparse_name_flags(context, principal,
@@ -156,11 +158,39 @@ build_certificate(krb5_context context,
    if (ret)
 	goto out;

+    ret = hx509_env_add(context->hx509ctx, &env, "principal-name-without-realm",
+			name);
+    krb5_xfree(name);
+    name = NULL;
+    if (ret)
+	goto out;
+
+    /*
+     * Include the realm in the principal-name env var; the template
+     * might not use $principal-name-realm after all.
+     */
+    ret = krb5_unparse_name(context, principal, &name);
+    if (ret)
+	goto out;
+
    ret = hx509_env_add(context->hx509ctx, &env, "principal-name",
 			name);
    if (ret)
 	goto out;

+    ret = hx509_env_add(context->hx509ctx, &env, "principal-name-realm",
+			krb5_principal_get_realm(context, principal));
+    if (ret)
+	goto out;
+
+    /* Pick an issuer based on the crealm if we can */
+    kx509_ca = krb5_config_get_string(context, NULL, "kdc",
+                                      krb5_principal_get_realm(context,
+                                                               principal),
+                                      "kx509_ca", NULL);
+    if (kx509_ca == NULL)
+        kx509_ca = config->kx509_ca;
+
    {
 	hx509_certs certs;
 	hx509_query *q;
@@ -245,6 +275,19 @@ build_certificate(krb5_context context,
 	    goto out;
    }

+    def_bool = krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
+                                            "kx509_include_pkinit_san",
+                                            NULL);
+    if (krb5_config_get_bool_default(context, NULL, def_bool, "kdc",
+                                     krb5_principal_get_realm(context,
+                                                              principal),
+                                     "kx509_include_pkinit_san",
+                                     NULL)) {
+        ret = hx509_ca_tbs_add_san_pkinit(context->hx509ctx, tbs, name);
+        if (ret)
+            goto out;
+    }
+
    hx509_ca_tbs_set_notAfter(context->hx509ctx, tbs, endtime);

    hx509_ca_tbs_subject_expand(context->hx509ctx, tbs, env);