Allow turning off sending trustedCertifiers in the request.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20752 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/krb5/pkinit.c

@@ -83,10 +83,11 @@ struct krb5_pk_init_ctx_data {
     struct krb5_dh_moduli **m;
     hx509_peer_info peer;
     int type;
-    int require_binding;
-    int require_eku;
-    int require_krbtgt_otherName;
-    int require_hostname_match;
+    unsigned int require_binding:1;
+    unsigned int require_eku:1;
+    unsigned int require_krbtgt_otherName:1;
+    unsigned int require_hostname_match:1;
+    unsigned int trustedCertifiers:1;
 };
 
 static void
@@ -439,7 +440,6 @@ build_auth_pack(krb5_context context,
 	    return ret;
     }
 
-
     return ret;
 }
 
@@ -588,6 +588,8 @@ pk_mk_padata(krb5_context context,
 	memset(&req, 0, sizeof(req));
 	req.signedAuthPack = buf;	
 
+	if (ctx->trustedCertifiers) {
+
 	    req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
 	    if (req.trustedCertifiers == NULL) {
 		krb5_set_error_string(context, "malloc: out of memory");
@@ -601,6 +603,7 @@ pk_mk_padata(krb5_context context,
 		free_PA_PK_AS_REQ(&req);
 		goto out;
 	    }
+	}
 	req.kdcPkId = NULL;
 
 	ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length,
@@ -685,6 +688,14 @@ _krb5_pk_mk_padata(krb5_context context,
 				     "pkinit_require_hostname_match",
 				     NULL);
 
+    ctx->trustedCertifiers = 
+	krb5_config_get_bool_default(context, NULL,
+				     TRUE,
+				     "realms",
+				     req_body->realm,
+				     "pkinit_trustedCertifiers",
+				     NULL);
+
     return pk_mk_padata(context, ctx, req_body, nonce, md);
 }