From 6d2fc59777c18b15c8568a26aa7f8ba4882afbef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Mon, 15 Dec 2008 04:31:32 +0000
Subject: [PATCH] - Add switch to select friendly_name of the certificate.
- Use HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH some CMS implementestions get the oid wrong when they do evelopeddata.
- Use HX509_CMS_EV_NO_KU_CHECK since some clients send certs that are not enveloped certs.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24196 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/pkinit.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 3dadfbb01..7ae590945 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -527,6 +527,7 @@ _kdc_pk_rd_padata(krb5_context context,
 ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
 kdc_identity->verify_ctx,
+ HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH,
 signed_content.data,
 signed_content.length,
 NULL,
@@ -793,7 +794,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
 goto out;
 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
- hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+ if (config->pkinit_kdc_friendly_name)
+ hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
 ret = hx509_certs_find(kdc_identity->hx509ctx,
 kdc_identity->certs,
@@ -832,7 +834,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
 }
 ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
- 0,
+ HX509_CMS_EV_NO_KU_CHECK,
 client_params->cert,
 signed_data.data, signed_data.length,
 envelopedAlg,
@@ -861,6 +863,7 @@ out:
 static krb5_error_code
 pk_mk_pa_reply_dh(krb5_context context,
+ krb5_kdc_configuration *config,
 DH *kdc_dh,
 pk_client_params *client_params,
 krb5_keyblock *reply_key,
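Review bot: The HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH flag added to the hx509_cms_verify_signed() call in _kdc_pk_rd_padata relaxes, by its name, the check that the content OID inside the client-supplied SignedData matches what the KDC expects, and it is applied unconditionally with no comment explaining which peers need it; the commit message justifies it by talking about enveloped data, while this flag governs SignedData verification, so the actual reason should be recorded at the call. A comment such as `/* Interop: some CMS implementations put the wrong eContentType OID in their SignedData; accept the mismatch here. */` would do that. Consider gating the flag on a kdc configuration setting, as the friendly-name match later in this patch is, so an operator can keep the strict check. The hx509_cms_verify_signed() call and the enclosing function continue outside the hunk.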
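Review bot: Replacing the HX509_QUERY_OPTION_KU_DIGITALSIGNATURE match with the conditional friendly-name match in pk_mk_pa_reply_enckey drops the key-usage constraint even when config->pkinit_kdc_friendly_name is unset, so hx509_certs_find() is then constrained only by HX509_QUERY_OPTION_PRIVATE_KEY and may select a KDC certificate the old query would have rejected; the commit message does not mention removing this constraint. Keeping it as the fallback, `else` / `hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);`, preserves the previous selection when no friendly name is configured, and a one-line comment stating that the friendly name overrides the key-usage filter would make the intent explicit. The same change appears in pk_mk_pa_reply_dh (hunk @@ -924) and _kdc_pk_initialize (hunk @@ -1641). The enclosing function starts and ends outside the hunk.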
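Review bot: Passing HX509_CMS_EV_NO_KU_CHECK to hx509_cms_envelope_1() in pk_mk_pa_reply_enckey disables the key-usage check on client_params->cert unconditionally, whereas the certificate selection in the same patch is driven by config, and the reason given in the commit message (some clients present certificates that are not enveloping certificates) is not recorded at the call. A comment such as `/* Interop: some clients present certs without the key usage needed for enveloping; skip the KU check. */` would document it, and a configuration option mirroring pkinit_kdc_friendly_name would let an operator retain the strict check. The enclosing function starts and ends outside the hunk.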
@@ -924,7 +927,8 @@ pk_mk_pa_reply_dh(krb5_context context,
 goto out;
 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
- hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+ if (config->pkinit_kdc_friendly_name)
+ hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
 ret = hx509_certs_find(kdc_identity->hx509ctx,
 kdc_identity->certs,
@@ -1071,7 +1075,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 if (ret)
 return ret;
- ret = pk_mk_pa_reply_dh(context, client_params->dh,
+ ret = pk_mk_pa_reply_dh(context, config, client_params->dh,
 client_params,
 &client_params->reply_key,
 &info,
@@ -1641,7 +1645,8 @@ _kdc_pk_initialize(krb5_context context,
 }
 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
- hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+ if (config->pkinit_kdc_friendly_name)
+ hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
 ret = hx509_certs_find(kdc_identity->hx509ctx,
 kdc_identity->certs,