oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Allow passing in related certificates used to build the chain.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16850 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-03-28 04:38:14 +00:00
parent 27a38bba47
commit cd6acf1200
3 changed files with 41 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
kdc/config.c
View File

@@ -501,7 +501,8 @@ configure(krb5_context context, int argc, char **argv)
"enable-pkinit",
NULL);
if (config->enable_pkinit) {
const char *user_id, *x509_anchors;
const char *user_id, *anchors;
char **chain;
user_id = krb5_config_get_string(context, NULL,
"kdc",
@@ -510,14 +511,21 @@ configure(krb5_context context, int argc, char **argv)
if (user_id == NULL)
krb5_errx(context, 1, "pkinit enabled but no identity");
x509_anchors = krb5_config_get_string(context, NULL,
"kdc",
"pki-anchors",
NULL);
if (x509_anchors == NULL)
anchors = krb5_config_get_string(context, NULL,
"kdc",
"pki-anchors",
NULL);
if (anchors == NULL)
krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
_kdc_pk_initialize(context, config, user_id, x509_anchors);
chain = krb5_config_get_strings(context, NULL,
"kdc",
"pki-chain",
NULL);
_kdc_pk_initialize(context, config, user_id, anchors, chain);
krb5_config_free_strings(chain);
config->enable_pkinit_princ_in_cert =
krb5_config_get_bool_default(context,

7
kdc/pkinit.c
View File

@@ -51,6 +51,7 @@ struct krb5_pk_identity {
hx509_verify_ctx verify_ctx;
hx509_certs certs;
hx509_certs anchors;
hx509_certs chain;
};
enum pkinit_type {
@@ -1233,7 +1234,8 @@ krb5_error_code
_kdc_pk_initialize(krb5_context context,
krb5_kdc_configuration *config,
const char *user_id,
const char *x509_anchors)
const char *anchors,
char **chain)
{
const char *file;
krb5_error_code ret;
@@ -1254,7 +1256,8 @@ _kdc_pk_initialize(krb5_context context,
ret = _krb5_pk_load_openssl_id(context,
&kdc_identity,
user_id,
x509_anchors,
anchors,
chain,
NULL,
NULL,
NULL);

21
lib/krb5/pkinit.c
View File

@@ -68,6 +68,7 @@ struct krb5_pk_identity {
hx509_verify_ctx verify_ctx;
hx509_certs certs;
hx509_certs anchors;
hx509_certs chain;
};
struct krb5_pk_cert {
@@ -1147,6 +1148,7 @@ _krb5_pk_load_openssl_id(krb5_context context,
struct krb5_pk_identity **ret_id,
const char *user_id,
const char *anchor_id,
const char **chain,
krb5_prompter_fct prompter,
void *prompter_data,
char *password)
@@ -1204,6 +1206,22 @@ _krb5_pk_load_openssl_id(krb5_context context,
if (ret)
goto out;
ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain",
0, NULL, &id->chain);
if (ret)
goto out;
while (chain && *chain) {
ret = hx509_certs_append(id->hx509ctx, id->chain, NULL, *chain);
if (ret) {
krb5_set_error_string(context,
"pkinit failed to load chain %s",
*chain);
goto out;
}
chain++;
}
ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx);
if (ret)
goto out;
@@ -1215,6 +1233,7 @@ out:
hx509_verify_destroy_ctx(id->verify_ctx);
hx509_certs_free(&id->certs);
hx509_certs_free(&id->anchors);
hx509_certs_free(&id->chain);
hx509_context_free(&id->hx509ctx);
free(id);
} else
@@ -1499,6 +1518,7 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
hx509_verify_destroy_ctx(ctx->id->verify_ctx);
hx509_certs_free(&ctx->id->certs);
hx509_certs_free(&ctx->id->anchors);
hx509_certs_free(&ctx->id->chain);
hx509_context_free(&ctx->id->hx509ctx);
if (ctx->clientDHNonce) {
@@ -1548,6 +1568,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
&opt->opt_private->pk_init_ctx->id,
user_id,
x509_anchors,
NULL,
prompter,
prompter_data,
password);