Add _krb5_pk_enterprise_cert that figures out the enterprise name to

use for PK-INIT from the certs. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24616 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:10:31 +00:00
parent 2a3d7edf56
commit 62a968de1b
1 changed files with 100 additions and 0 deletions
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -2198,3 +2198,103 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
    return EINVAL;
 #endif
 }
+
+#ifdef PKINIT
+
+static int
+match_ms_san(hx509_context context, hx509_cert cert, void *ctx)
+{
+    hx509_octet_string_list list;
+    char **result = ctx;
+    int ret;
+
+    if (*result) 
+	return 0;
+
+    ret = hx509_cert_find_subjectAltName_otherName(context,
+						   cert,
+						   oid_id_pkinit_ms_san(),
+						   &list);
+    if (ret)
+	return 0;
+
+    if (list.len > 0 && list.val[0].length > 0) {
+
+	ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length,
+				result, NULL);
+	if (ret)
+	    *result = NULL;
+    }
+    hx509_free_octet_string_list(&list);	   
+
+    if (*result == NULL)
+	return 0;
+    return 1;
+}
+
+#endif
+
+/*
+ * Private since it need to be redesigned using krb5_get_init_creds()
+ */
+
+krb5_error_code  KRB5_LIB_FUNCTION
+_krb5_pk_enterprise_cert(krb5_context context,
+			 const char *user_id,
+			 krb5_const_realm realm,
+			 krb5_principal *principal)
+{
+#ifdef PKINIT
+    krb5_error_code ret;
+    char *enterprise_name = NULL;
+    hx509_context hx509ctx;
+    hx509_certs certs, result;
+    hx509_query *q;
+
+    *principal = NULL;
+    
+    if (user_id == NULL)
+	return ENOENT;
+
+    ret = hx509_context_init(&hx509ctx);
+    if (ret)
+	return ret;
+
+    ret = hx509_certs_init(hx509ctx, user_id, 0, NULL, &certs);
+    if (ret) {
+	pk_copy_error(context, hx509ctx, ret,
+		      "Failed to init cert certs");
+	return ret;
+    }
+
+    ret = hx509_query_alloc(hx509ctx, &q);
+
+    hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+    hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+    hx509_query_match_eku(q, oid_id_pkinit_ms_eku());
+    hx509_query_match_cmp_func(q, match_ms_san, &enterprise_name);
+
+    ret = hx509_certs_filter(hx509ctx, certs, q, &result);
+    hx509_query_free(hx509ctx, q);
+    hx509_certs_free(&certs);
+
+    if (enterprise_name == NULL)
+	return ENOENT; /* XXX */
+
+    ret = krb5_make_principal(context, principal, realm,
+			      enterprise_name, NULL);
+    free(enterprise_name);
+    hx509_context_free(&hx509ctx);
+    if (ret)
+	return ret;
+
+
+    krb5_principal_set_type(context, *principal, KRB5_NT_ENTERPRISE_PRINCIPAL);
+    
+    return ret;
+#else
+    krb5_set_error_message(context, EINVAL,
+			   N_("no support for PKINIT compiled in", ""));
+    return EINVAL;
+#endif
+}