Send over what trust anchors the client has configured.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17364 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2006-04-29 21:29:28 +00:00
parent 90a97065b2
commit 92ed76e969


@@ -162,6 +162,104 @@ _krb5_pk_create_sign(krb5_context context,
return ret; return ret;
} }
static int
cert2epi(hx509_context context, void *ctx, hx509_cert c)
{
ExternalPrincipalIdentifiers *ids = ctx;
ExternalPrincipalIdentifier id;
hx509_name subject = NULL;
void *p;
int ret;
memset(&id, 0, sizeof(id));
ret = hx509_cert_get_subject(c, &subject);
if (ret)
return ret;
id.subjectName = calloc(1, sizeof(*id.subjectName));
if (id.subjectName == NULL) {
hx509_name_free(&subject);
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
}
ret = hx509_name_to_der_name(subject, &id.subjectName->data,
&id.subjectName->length);
hx509_name_free(&subject);
if (ret) {
free_ExternalPrincipalIdentifier(&id);
return ret;
}
id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber));
if (id.issuerAndSerialNumber == NULL) {
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
}
{
IssuerAndSerialNumber iasn;
hx509_name issuer;
size_t size;
memset(&iasn, 0, sizeof(iasn));
ret = hx509_cert_get_issuer(c, &issuer);
if (ret) {
free_ExternalPrincipalIdentifier(&id);
return ret;
}
ret = hx509_name_to_Name(issuer, &iasn.issuer);
hx509_name_free(&issuer);
if (ret) {
free_ExternalPrincipalIdentifier(&id);
return ret;
}
ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
if (ret) {
free_IssuerAndSerialNumber(&iasn);
free_ExternalPrincipalIdentifier(&id);
return ret;
}
ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
id.issuerAndSerialNumber->data,
id.issuerAndSerialNumber->length,
&iasn, &size, ret);
free_IssuerAndSerialNumber(&iasn);
if (ret)
return ret;
if (id.issuerAndSerialNumber->length != size)
abort();
}
id.subjectKeyIdentifier = NULL;
p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
if (p == NULL) {
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
}
ids->val = p;
ids->val[ids->len] = id;
ids->len++;
return 0;
}
static krb5_error_code
build_edi(krb5_context context,
hx509_context hx509ctx,
hx509_certs certs,
ExternalPrincipalIdentifiers *ids)
{
return hx509_certs_iter(hx509ctx, certs, cert2epi, ids);
}
static krb5_error_code static krb5_error_code
build_auth_pack(krb5_context context, build_auth_pack(krb5_context context,
unsigned nonce, unsigned nonce,
@@ -447,8 +545,19 @@ pk_mk_padata(krb5_context context,
memset(&req, 0, sizeof(req)); memset(&req, 0, sizeof(req));
req.signedAuthPack = buf; req.signedAuthPack = buf;
/* XXX tell the kdc what CAs the client is willing to accept */ req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
req.trustedCertifiers = NULL; if (req.trustedCertifiers == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
free_PA_PK_AS_REQ(&req);
goto out;
}
ret = build_edi(context, ctx->id->hx509ctx,
ctx->id->anchors, req.trustedCertifiers);
if (ret) {
krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
free_PA_PK_AS_REQ(&req);
goto out;
}
req.kdcPkId = NULL; req.kdcPkId = NULL;
ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length, ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length,
@@ -1750,7 +1859,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
} }
if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) { if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) {
krb5_set_error_string(context, "malloc: out of memory"); krb5_set_error_string(context, "pkinit: failed to generate DH key");
_krb5_get_init_creds_opt_free_pkinit(opt); _krb5_get_init_creds_opt_free_pkinit(opt);
return ENOMEM; return ENOMEM;
} }
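Review bot: The ASN1_MALLOC_ENCODE failure path inside cert2epi's inner block (`free_IssuerAndSerialNumber(&iasn); if (ret) return ret;`) returns without releasing `id`, so the `id.subjectName` DER name and the `id.issuerAndSerialNumber` container allocated earlier leak on every encode failure; every other error exit in the function calls `free_ExternalPrincipalIdentifier(&id)` first. It should read `if (ret) { free_ExternalPrincipalIdentifier(&id); return ret; }` like the serialnumber branch just above it. In the second hunk, the new `free_PA_PK_AS_REQ(&req)` calls run with `req.signedAuthPack` still aliasing `buf`; the `out` label is outside the hunk, so it is worth confirming that it does not also free `buf`, which would be a double free on the out-of-memory and build_edi error paths. build_edi also takes a `context` parameter it never uses, which is fine for call-site symmetry but worth a `/* unused */` comment or removing if no caller depends on it.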