From 9956ae0200d0aa673aef064b583768c69940d66f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Tue, 7 Nov 2006 17:24:57 +0000
Subject: [PATCH] Catch error string from hx509_cms_verify_signed. Check for id-pKKdcEkuOID and warn if its not there.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18933 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/pkinit.c | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index eaa70bb2a..ae2cd1e71 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -528,8 +528,10 @@ _kdc_pk_rd_padata(krb5_context context,
                                &eContent,
                                &signer_certs);
     if (ret) {
-        kdc_log(context, config, 0,
-                "PK-INIT failed to verify signature %d", ret);
+        char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret);
+        krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
+                   s, ret);
+        free(s);
         goto out;
     }
 
@@ -1376,6 +1378,36 @@ _kdc_pk_initialize(krb5_context context,
         return ret;
     }
 
+    {
+        hx509_query *q;
+        hx509_cert cert;
+
+        ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+        if (ret) {
+            krb5_warnx(context, "PKINIT: out of memory");
+            return ENOMEM;
+        }
+
+        hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+        hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+
+        ret = hx509_certs_find(kdc_identity->hx509ctx,
+                               kdc_identity->certs,
+                               q,
+                               &cert);
+        hx509_query_free(kdc_identity->hx509ctx, q);
+        if (ret == 0) {
+            if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert,
+                                     oid_id_pkkdcekuoid(), 0))
+                krb5_warnx(context, "WARNING Found KDC certificate "
+                           "is missing the PK-INIT KDC EKU, this is bad for "
+                           "interoperability.");
+            hx509_cert_free(cert);
+        } else
+            krb5_warnx(context, "PKINIT: failed to find a signing "
+                       "certifiate with a public key");
+    }
+
     ret = krb5_config_get_bool_default(context,
                                        NULL,
                                        FALSE,
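Review bot: The added `krb5_warnx` in the `if (ret)` branch passes `s` straight to `%s` with no NULL guard; since `hx509_get_error_string` hands back an allocated string (hence the `free(s)` that follows), an allocation failure there would presumably yield NULL, and a NULL `%s` argument is undefined behavior in printf-style formatting. The hunk also swaps `kdc_log` for `krb5_warnx`, so a failed PKINIT signature verification — a client-triggered event that defenders want in the KDC audit trail — would stop flowing through the KDC's configured log facility if `krb5_warnx` only reaches stderr. Suggested: `kdc_log(context, config, 0, "PKINIT: failed to verify signature: %s: %d", s ? s : "unknown error", ret);`. `_kdc_pk_rd_padata` starts and ends outside the hunk.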
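Review bot: The `else` branch of the new block has a typo in a runtime string: `"certifiate with a public key"` should read `"certificate with a public key"`; operators match log lines on these strings, so it is worth correcting before release. That same branch also omits the hx509 error detail that the first hunk of this patch now reports, leaving the two diagnostic paths inconsistent; consider `char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret);`, passing it via `%s`, then `free(s);`. Because a missing EKU only produces a warning here, a one-line comment such as `/* Advisory only: warn if the KDC cert lacks the PK-INIT KDC EKU (id-pkkdcekuoid). */` above the `hx509_cert_check_eku` call would tell the next reader that this is not an enforcement point. `_kdc_pk_initialize` starts and ends outside the hunk.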