From 750a09bca2183415be3ca3b8784e3417f484794b Mon Sep 17 00:00:00 2001
From: James Lee
Date: Wed, 4 Dec 2013 13:22:04 -0500
Subject: [PATCH] kx509: Create certs for principals with slashes

kx509 fails to create certs for principals with slashes in them. For example:

client% kinit foo/admin
foo/admin@EXAMPLE.COM's Password:
client% kx509
Timed out waiting on KCA

The KCA reports: "Principal is not a user."

However, there is a use case set out in this post:
https://thestaticvoid.com/post/2012/10/25/protecting-puppet-with-kerberos/
that would create a kx509 cert for a host principal for authenticating against a secure HTTP service.

This commit modifies the certificate creation code to allow principals with slashes in them.
---
 kdc/kx509.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/kdc/kx509.c b/kdc/kx509.c
index e6055f576..fb393bd59 100644
--- a/kdc/kx509.c
+++ b/kdc/kx509.c
@@ -143,22 +143,26 @@ build_certificate(krb5_context context,
                   krb5_principal principal,
                   krb5_data *certificate)
 {
+    char *name = NULL;
     hx509_ca_tbs tbs = NULL;
     hx509_env env = NULL;
     hx509_cert cert = NULL;
     hx509_cert signer = NULL;
     int ret;
 
-    if (krb5_principal_get_comp_string(context, principal, 1) != NULL) {
-        kdc_log(context, config, 0, "Principal is not a user");
-        return EINVAL;
-    }
-
-    ret = hx509_env_add(context->hx509ctx, &env, "principal-name",
-                        krb5_principal_get_comp_string(context, principal, 0));
+    ret = krb5_unparse_name_flags(context, principal,
+                                  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+                                  &name);
     if (ret)
         goto out;
 
+    ret = hx509_env_add(context->hx509ctx, &env, "principal-name",
+                        name);
+    if (ret)
+        goto out;
+
+    krb5_xfree(name);
+
     {
         hx509_certs certs;
         hx509_query *q;
@@ -262,6 +266,8 @@ build_certificate(krb5_context context,
     return 0;
 out:
+    if (name)
+        krb5_xfree(name);
     if (env)
         hx509_env_free(&env);
     if (tbs)
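Review bot: The early `krb5_xfree(name);` in the first hunk leaves `name` dangling, so any later `goto out` in build_certificate reaches the `if (name) krb5_xfree(name);` added in the second hunk and frees the same buffer twice; the success path should clear the pointer, `krb5_xfree(name); name = NULL;`, or drop the early free and let the `out:` label own it on every path. The body of build_certificate between the two hunks lies outside the patch, so I cannot confirm which of its failure branches jump to `out`, but the label is the common exit and the double free is reachable from any of them. The removed single-component check was the only policy gate in this hunk; a short comment where `krb5_unparse_name_flags` is called, such as `/* Multi-component (service) principals are intentionally accepted; the full unparsed name becomes the cert subject. */`, would record that widening for the next reader.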