From d34700b4d98b611298935403a48af3ee7f228235 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 10 Aug 2021 16:24:49 +1000
Subject: [PATCH] krb5: add extra sanity check in pk_verify_sign()

Assert either PKINIT signer certificate was validated, or caller requested no KDC certificate validation.
---
 lib/krb5/pkinit.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 7f114884d..0198400d9 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -859,6 +859,10 @@ pk_verify_sign(krb5_context context,
 return ret;
 }
+ heim_assert((verify_flags & HX509_CMS_VSE_VALIDATED) ||
+ (id->flags & PKINIT_NO_KDC_ANCHOR),
+ "Either PKINIT signer must be validated, or NO_KDC_ANCHOR must be set");
+
 if ((verify_flags & HX509_CMS_VSE_VALIDATED) == 0) goto out;
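Review bot: The added `heim_assert` enforces the "signer validated or `PKINIT_NO_KDC_ANCHOR` set" invariant by aborting the calling process from inside library code, and in any build where the assertion macro is compiled out (worth confirming for `heim_assert`) the following `if ((verify_flags & HX509_CMS_VSE_VALIDATED) == 0) goto out;` would again be the only behaviour on that path. Because this invariant is what keeps an unanchored KDC certificate from being accepted, an explicit check that fails closed with an error is safer for callers, for example `if (!(verify_flags & HX509_CMS_VSE_VALIDATED) && !(id->flags & PKINIT_NO_KDC_ANCHOR)) { ret = KRB5_KDC_ERR_INVALID_CERTIFICATE; goto out; }`, assuming the `out` label releases what is held at this point and returns `ret`. A short comment such as `/* an unvalidated signer is acceptable only when the caller asked for no KDC anchor */` above the check would record why the unvalidated path exists at all. The body of pk_verify_sign starts and ends outside the hunk, so the cleanup path could not be checked here.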