diff --git a/kdc/config.c b/kdc/config.c
index f91f26fe6..bd32fd96d 100644
--- a/kdc/config.c
+++ b/kdc/config.c
@@ -432,7 +432,7 @@ configure(int argc, char **argv)
 "enable-pkinit", NULL);
 if (enable_pkinit) {
- const char *key_file, *certificate_file, *ca_dir;
+ const char *key_file, *certificate_file, *x509_anchors;
 key_file = krb5_config_get_string(context, NULL,
 "kdc",
@@ -448,14 +448,14 @@ configure(int argc, char **argv)
 if (certificate_file == NULL)
 krb5_errx(context, 1, "pkinit enabled but no certificate");
- ca_dir = krb5_config_get_string(context, NULL,
- "kdc",
- "pki-ca-dir",
- NULL);
- if (ca_dir == NULL)
- krb5_errx(context, 1, "pkinit enabled but no CA directory");
+ x509_anchors = krb5_config_get_string(context, NULL,
+ "kdc",
+ "pki-anchors",
+ NULL);
+ if (x509_anchors == NULL)
+ krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
- pk_initialize(certificate_file, key_file, ca_dir);
+ pk_initialize(certificate_file, key_file, x509_anchors);
 }
 #endif
diff --git a/kuser/kinit.c b/kuser/kinit.c
index 856acc861..6776c6227 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -68,7 +68,7 @@ int convert_524 = 0;
 int fcache_version;
 char *pk_cert_file = NULL;
 char *pk_key_file = NULL;
-char *pk_ca_dir = NULL;
+char *pk_x509_anchors = NULL;
 int pk_use_dh = -1;
 static char *krb4_cc_name;
@@ -153,7 +153,7 @@ static struct getargs args[] = {
 { "private-key", 'K', arg_string, &pk_key_file,
 "principal's private key", "filename" },
- { "ca-dir", 'D', arg_string, &pk_ca_dir,
+ { "x509-anchors", 'D', arg_string, &pk_x509_anchors,
 "directory with CA certificates", "directory" },
 { "pkinit-use-dh", 0, arg_flag, &pk_use_dh,
@@ -468,7 +468,7 @@ get_new_tickets(krb5_context context,
 ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
 pk_cert_file,
 pk_key_file,
- pk_ca_dir,
+ pk_x509_anchors,
 flags,
 NULL);
 if (ret)
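Review bot: The KDC now reads only `pki-anchors` and exits with "pkinit enabled but no X509 anchors" when it is unset, so a deployed krb5.conf that still carries `pki-ca-dir` stops the KDC from starting after the upgrade, and the message gives no hint that the key was renamed. A fallback keeps existing configurations working: `if (x509_anchors == NULL) x509_anchors = krb5_config_get_string(context, NULL, "kdc", "pki-ca-dir", NULL);` placed before the NULL check, or failing that the old name mentioned in the error text. The same break, without a fallback, recurs in kuser/kinit.c for the `ca-dir` long option (only the `-D` short form survives) and for the `pkinit-ca-dir` appdefault in main(). configure() begins before this hunk and continues past `#endif`.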
@@ -793,10 +793,10 @@ main (int argc, char **argv)
 krb5_principal_get_realm(context, principal),
 "afslog", TRUE, &do_afslog);
- if (pk_ca_dir == NULL)
+ if (pk_x509_anchors == NULL)
 krb5_appdefault_string(context, "kinit",
 krb5_principal_get_realm(context, principal),
- "pkinit-ca-dir", NULL, &pk_ca_dir);
+ "pkinit-anchors", NULL, &pk_x509_anchors);
 #ifdef PKINIT
 if(pk_use_dh == -1)
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index ae530379a..cb41a29f7 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -1611,7 +1611,7 @@ _krb5_pk_load_openssl_id(krb5_context context,
 struct krb5_pk_identity **ret_id,
 const char *cert_file,
 const char *key_file,
- const char *ca_dir,
+ const char *x509_anchors,
 char *password)
 {
 struct krb5_pk_identity *id = NULL;
@@ -1637,7 +1637,7 @@ _krb5_pk_load_openssl_id(krb5_context context,
 krb5_set_error_string(context, "key file missing");
 return HEIM_PKINIT_NO_PRIVATE_KEY;
 }
- if (ca_dir == NULL) {
+ if (x509_anchors == NULL) {
 krb5_set_error_string(context, "No root ca directory given\n");
 return HEIM_PKINIT_NO_VALID_CA;
 }
@@ -1697,16 +1697,16 @@ _krb5_pk_load_openssl_id(krb5_context context,
 goto out;
 }
 /* read ca certificates */
- dir = opendir(ca_dir);
+ dir = opendir(x509_anchors);
 if (dir == NULL) {
 ret = errno;
 krb5_set_error_string(context, "open directory %s: %s",
- ca_dir, strerror(ret));
+ x509_anchors, strerror(ret));
 goto out;
 }
- asprintf(&dirname, "%s%s", ca_dir,
- ca_dir[strlen(ca_dir) - 1] == '/' ? "" : "/");
+ asprintf(&dirname, "%s%s", x509_anchors,
+ x509_anchors[strlen(x509_anchors) - 1] == '/' ? "" : "/");
 trusted_certs = sk_X509_new_null();
 while ((file = readdir(dir)) != NULL) {
@@ -1809,7 +1809,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
 krb5_get_init_creds_opt *opt,
 const char *cert_file,
 const char *key_file,
- const char *ca_dir,
+ const char *x509_anchors,
 int flags,
 char *password)
 {
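Review bot: The renamed guard `if (x509_anchors == NULL)` still sets the message "No root ca directory given\n", which keeps the old wording and ends in a newline that the two other `krb5_set_error_string` messages visible in this diff do not. Suggest `krb5_set_error_string(context, "No X509 anchors given");` so the text matches the new parameter name and the KDC's own message. `_krb5_pk_load_openssl_id` begins before this hunk and its body continues after it.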
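Review bot: The `asprintf(&dirname, ...)` that builds the anchor-directory prefix discards its return value, so on allocation failure `dirname` may be left indeterminate and whatever the readdir loop below does with it is undefined; for the code that decides which certificates become trusted anchors, failing closed matters. Check the result: `if (asprintf(&dirname, "%s%s", x509_anchors, x509_anchors[strlen(x509_anchors) - 1] == '/' ? "" : "/") < 0) { ret = ENOMEM; goto out; }`, assuming `out` (outside the hunk) closes `dir`, and with `dirname` initialised to NULL first if `out` frees it. The `strlen(x509_anchors) - 1` index is an out-of-bounds read for an empty string and is only safe because `opendir` has already rejected that path a few lines above; a one-line comment noting this would spare the next reader the same analysis. The loop body and the function's tail are outside the hunk.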
@@ -1832,7 +1832,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
 &opt->private->pk_init_ctx->id,
 cert_file,
 key_file,
- ca_dir,
+ x509_anchors,
 password);
 if (ret) {
 free(opt->private->pk_init_ctx);