Allow passing in related certificates used to build the chain.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16850 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/krb5/pkinit.c

@@ -68,6 +68,7 @@ struct krb5_pk_identity {
     hx509_verify_ctx verify_ctx;
     hx509_certs certs;
     hx509_certs anchors;
+    hx509_certs chain;
 };
 
 struct krb5_pk_cert {
@@ -1147,6 +1148,7 @@ _krb5_pk_load_openssl_id(krb5_context context,
 			 struct krb5_pk_identity **ret_id,
 			 const char *user_id,
 			 const char *anchor_id,
+			 const char **chain,
 			 krb5_prompter_fct prompter,
 			 void *prompter_data,
 			 char *password)
@@ -1204,6 +1206,22 @@ _krb5_pk_load_openssl_id(krb5_context context,
     if (ret)
 	goto out;
 
+    ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain", 
+			   0, NULL, &id->chain);
+    if (ret)
+	goto out;
+
+    while (chain && *chain) {
+	ret = hx509_certs_append(id->hx509ctx, id->chain, NULL, *chain);
+	if (ret) {
+	    krb5_set_error_string(context,
+				  "pkinit failed to load chain %s",
+				  *chain);
+	    goto out;
+	}
+	chain++;
+    }
+
     ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx);
     if (ret)
 	goto out;
@@ -1215,6 +1233,7 @@ out:
 	hx509_verify_destroy_ctx(id->verify_ctx);
 	hx509_certs_free(&id->certs);
 	hx509_certs_free(&id->anchors);
+	hx509_certs_free(&id->chain);
 	hx509_context_free(&id->hx509ctx);
 	free(id);
     } else
@@ -1499,6 +1518,7 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
 	hx509_verify_destroy_ctx(ctx->id->verify_ctx);
 	hx509_certs_free(&ctx->id->certs);
 	hx509_certs_free(&ctx->id->anchors);
+	hx509_certs_free(&ctx->id->chain);
 	hx509_context_free(&ctx->id->hx509ctx);
 
 	if (ctx->clientDHNonce) {
@@ -1548,6 +1568,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
 				   &opt->opt_private->pk_init_ctx->id,
 				   user_id,
 				   x509_anchors,
+				   NULL,
 				   prompter,
 				   prompter_data,
 				   password);