krb5: add extra sanity check in pk_verify_sign()

Assert either PKINIT signer certificate was validated, or caller requested no KDC certificate validation.
2021-08-10 16:24:49 +10:00
parent ef1d63a997
commit d34700b4d9
1 changed files with 4 additions and 0 deletions
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -859,6 +859,10 @@ pk_verify_sign(krb5_context context,
 	return ret;
    }

+    heim_assert((verify_flags & HX509_CMS_VSE_VALIDATED) ||
+	(id->flags & PKINIT_NO_KDC_ANCHOR),
+	"Either PKINIT signer must be validated, or NO_KDC_ANCHOR must be set");
+
    if ((verify_flags & HX509_CMS_VSE_VALIDATED) == 0)
 	goto out;