kx509: Create certs for principals with slashes

kx509 fails to create certs for principals with slashes in them. For example: client% kinit foo/admin foo/admin@EXAMPLE.COM's Password: client% kx509 Timed out waiting on KCA The KCA reports: "Principal is not a user." However, there is a use case set out in this post: https://thestaticvoid.com/post/2012/10/25/protecting-puppet-with-kerberos/ that would create a kx509 cert for a host principal for authenticating against a secure HTTP service. This commit modifies the certificate creation code to allow principals with slashes in them.
2013-12-04 13:22:04 -05:00
parent 6b2ebfcf8a
commit 750a09bca2
1 changed files with 13 additions and 7 deletions
--- a/kdc/kx509.c
+++ b/kdc/kx509.c
@@ -143,22 +143,26 @@ build_certificate(krb5_context context,
 		  krb5_principal principal,
 		  krb5_data *certificate)
 {
+    char *name = NULL;
    hx509_ca_tbs tbs = NULL;
    hx509_env env = NULL;
    hx509_cert cert = NULL;
    hx509_cert signer = NULL;
    int ret;

-    if (krb5_principal_get_comp_string(context, principal, 1) != NULL) {
-	kdc_log(context, config, 0, "Principal is not a user");
-	return EINVAL;
-    }
-
-    ret = hx509_env_add(context->hx509ctx, &env, "principal-name",
-			krb5_principal_get_comp_string(context, principal, 0));
+    ret = krb5_unparse_name_flags(context, principal,
+				  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+				  &name);
    if (ret)
 	goto out;

+    ret = hx509_env_add(context->hx509ctx, &env, "principal-name",
+			name);
+    if (ret)
+	goto out;
+
+    krb5_xfree(name);
+
    {
 	hx509_certs certs;
 	hx509_query *q;
@@ -262,6 +266,8 @@ build_certificate(krb5_context context,

    return 0;
 out:
+    if (name)
+	krb5_xfree(name);
    if (env)
 	hx509_env_free(&env);
    if (tbs)