- Add switch to select friendly_name of the certificate.
- Use HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH since some CMS implementations get the OID wrong when they do envelopedData. - Use HX509_CMS_EV_NO_KU_CHECK since some clients send certs that are not enveloped-data certs. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24196 ec53bebd-3082-4978-b11e-865c3cabbd6b
15
kdc/pkinit.c
15
kdc/pkinit.c
@@ -527,6 +527,7 @@ _kdc_pk_rd_padata(krb5_context context,
|
|||||||
|
|
||||||
ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
|
ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
|
||||||
kdc_identity->verify_ctx,
|
kdc_identity->verify_ctx,
|
||||||
|
HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH,
|
||||||
signed_content.data,
|
signed_content.data,
|
||||||
signed_content.length,
|
signed_content.length,
|
||||||
NULL,
|
NULL,
|
||||||
@@ -793,7 +794,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
|
|||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
|
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
|
||||||
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
|
if (config->pkinit_kdc_friendly_name)
|
||||||
|
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
|
||||||
|
|
||||||
ret = hx509_certs_find(kdc_identity->hx509ctx,
|
ret = hx509_certs_find(kdc_identity->hx509ctx,
|
||||||
kdc_identity->certs,
|
kdc_identity->certs,
|
||||||
@@ -832,7 +834,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
|
ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
|
||||||
0,
|
HX509_CMS_EV_NO_KU_CHECK,
|
||||||
client_params->cert,
|
client_params->cert,
|
||||||
signed_data.data, signed_data.length,
|
signed_data.data, signed_data.length,
|
||||||
envelopedAlg,
|
envelopedAlg,
|
||||||
@@ -861,6 +863,7 @@ out:
|
|||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
pk_mk_pa_reply_dh(krb5_context context,
|
pk_mk_pa_reply_dh(krb5_context context,
|
||||||
|
krb5_kdc_configuration *config,
|
||||||
DH *kdc_dh,
|
DH *kdc_dh,
|
||||||
pk_client_params *client_params,
|
pk_client_params *client_params,
|
||||||
krb5_keyblock *reply_key,
|
krb5_keyblock *reply_key,
|
||||||
@@ -924,7 +927,8 @@ pk_mk_pa_reply_dh(krb5_context context,
|
|||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
|
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
|
||||||
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
|
if (config->pkinit_kdc_friendly_name)
|
||||||
|
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
|
||||||
|
|
||||||
ret = hx509_certs_find(kdc_identity->hx509ctx,
|
ret = hx509_certs_find(kdc_identity->hx509ctx,
|
||||||
kdc_identity->certs,
|
kdc_identity->certs,
|
||||||
@@ -1071,7 +1075,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
|
|||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
ret = pk_mk_pa_reply_dh(context, client_params->dh,
|
ret = pk_mk_pa_reply_dh(context, config, client_params->dh,
|
||||||
client_params,
|
client_params,
|
||||||
&client_params->reply_key,
|
&client_params->reply_key,
|
||||||
&info,
|
&info,
|
||||||
@@ -1641,7 +1645,8 @@ _kdc_pk_initialize(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
|
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
|
||||||
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
|
if (config->pkinit_kdc_friendly_name)
|
||||||
|
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
|
||||||
|
|
||||||
ret = hx509_certs_find(kdc_identity->hx509ctx,
|
ret = hx509_certs_find(kdc_identity->hx509ctx,
|
||||||
kdc_identity->certs,
|
kdc_identity->certs,
|
||||||
|
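Review bot: The `HX509_CMS_EV_NO_KU_CHECK` passed to `hx509_cms_envelope_1` in pk_mk_pa_reply_enckey drops the key-usage check for every client certificate unconditionally, so the reply key is encrypted to a client key whose certificate does not authorize keyEncipherment; since this commit already threads `config` into these functions, the relaxation could be driven by a configuration option the same way `pkinit_kdc_friendly_name` is, leaving the check on by default. At minimum the call site should carry a comment recording the interoperability reason, e.g. `/* NO_KU_CHECK: some clients present certs without keyEncipherment; the reply key is still encrypted to that cert's key */`, and the same applies to `HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH` in _kdc_pk_rd_padata, which relaxes verification of untrusted client input. In the three certificate-query hunks the row pairing `hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);` with the new `if (config->pkinit_kdc_friendly_name)` reads, from the hunk counts (7 old to 8 new), as a replacement rather than an insertion; if the digitalSignature match on the KDC's own certificate was in fact dropped, that is a separate behavioral change the commit message does not mention and should be confirmed. The enclosing functions all begin and end outside these hunks.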