82
64
krb5_data *clientDHNonce;
83
65
struct krb5_dh_moduli **m;
84
66
hx509_peer_info peer;
67
enum krb5_pk_type type;
86
68
unsigned int require_binding:1;
87
69
unsigned int require_eku:1;
88
70
unsigned int require_krbtgt_otherName:1;
94
_krb5_pk_copy_error(krb5_context context,
95
hx509_context hx509ctx,
76
pk_copy_error(krb5_context context,
77
hx509_context hx509ctx,
99
81
__attribute__ ((format (printf, 4, 5)));
143
static krb5_error_code
144
_krb5_pk_create_sign(krb5_context context,
145
const heim_oid *eContentType,
147
struct krb5_pk_identity *id,
148
hx509_peer_info peer,
130
* Try searchin the key by to use by first looking for for PK-INIT
131
* EKU, then the Microsoft smart card EKU and last, no special EKU at all.
134
static krb5_error_code
135
find_cert(krb5_context context, struct krb5_pk_identity *id,
136
hx509_query *q, hx509_cert *cert)
138
struct certfind cf[3] = {
145
cf[0].oid = oid_id_pkekuoid();
146
cf[1].oid = oid_id_pkinit_ms_eku();
149
for (i = 0; i < sizeof(cf)/sizeof(cf[0]); i++) {
150
ret = hx509_query_match_eku(q, cf[i].oid);
152
pk_copy_error(context, id->hx509ctx, ret,
153
"Failed setting %s OID", cf[i].type);
157
ret = hx509_certs_find(id->hx509ctx, id->certs, q, cert);
160
pk_copy_error(context, id->hx509ctx, ret,
161
"Failed cert for finding %s OID", cf[i].type);
167
static krb5_error_code
168
create_signature(krb5_context context,
169
const heim_oid *eContentType,
171
struct krb5_pk_identity *id,
172
hx509_peer_info peer,
175
hx509_cert cert = NULL;
176
hx509_query *q = NULL;
155
179
ret = hx509_query_alloc(id->hx509ctx, &q);
157
_krb5_pk_copy_error(context, id->hx509ctx, ret,
181
pk_copy_error(context, id->hx509ctx, ret,
158
182
"Allocate query to find signing certificate");
162
186
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
163
187
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
165
ret = hx509_certs_find(id->hx509ctx, id->certs, q, &cert);
189
ret = find_cert(context, id, q, &cert);
166
190
hx509_query_free(id->hx509ctx, q);
168
_krb5_pk_copy_error(context, id->hx509ctx, ret,
169
"Find certificate to signed CMS data");
173
194
ret = hx509_cms_create_signed_1(id->hx509ctx,
185
_krb5_pk_copy_error(context, id->hx509ctx, ret, "create CMS signedData");
186
205
hx509_cert_free(cert);
207
pk_copy_error(context, id->hx509ctx, ret,
208
"Create CMS signedData");
512
536
&ap, &size, ret);
513
537
free_AuthPack_Win2k(&ap);
515
krb5_set_error_string(context, "AuthPack_Win2k: %d", ret);
539
krb5_set_error_string(context, "AuthPack_Win2k: %d",
518
543
if (buf.length != size)
519
544
krb5_abortx(context, "internal ASN1 encoder error");
521
546
oid = oid_id_pkcs7_data();
522
} else if (ctx->type == COMPAT_IETF) {
547
} else if (ctx->type == PKINIT_27) {
525
550
memset(&ap, 0, sizeof(ap));
533
558
ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret);
534
559
free_AuthPack(&ap);
536
krb5_set_error_string(context, "AuthPack: %d", ret);
561
krb5_set_error_string(context, "AuthPack: %d", (int)ret);
539
564
if (buf.length != size)
544
569
krb5_abortx(context, "internal pkinit error");
546
ret = _krb5_pk_create_sign(context,
571
ret = create_signature(context, oid, &buf, ctx->id,
552
573
krb5_data_free(&buf);
609
630
krb5_abortx(context, "internal pkinit error");
611
krb5_set_error_string(context, "PA-PK-AS-REQ %d", ret);
632
krb5_set_error_string(context, "PA-PK-AS-REQ %d", (int)ret);
614
635
if (buf.length != size)
621
if (ret == 0 && ctx->type == COMPAT_WIN2K)
642
if (ret == 0 && ctx->type == PKINIT_WIN2K)
622
643
krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
654
675
"pkinit_win2k_require_binding",
656
ctx->type = COMPAT_WIN2K;
677
ctx->type = PKINIT_WIN2K;
658
ctx->type = COMPAT_IETF;
679
ctx->type = PKINIT_27;
660
681
ctx->require_eku =
661
682
krb5_config_get_bool_default(context, NULL,
718
_krb5_pk_copy_error(context, id->hx509ctx, ret,
739
pk_copy_error(context, id->hx509ctx, ret,
719
740
"CMS verify signed failed");
730
751
ret = hx509_get_one_cert(id->hx509ctx, signer_certs, &(*signer)->cert);
732
_krb5_pk_copy_error(context, id->hx509ctx, ret,
753
pk_copy_error(context, id->hx509ctx, ret,
733
754
"Failed to get on of the signer certs");
971
_krb5_pk_copy_error(context, ctx->id->hx509ctx, ret,
992
pk_copy_error(context, ctx->id->hx509ctx, ret,
972
993
"Failed to unenvelope CMS data in PK-INIT reply");
1035
if (type == COMPAT_WIN2K) {
1056
if (type == PKINIT_WIN2K) {
1036
1057
if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) != 0) {
1037
1058
krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
1038
1059
ret = KRB5KRB_AP_ERR_MSG_TYPE;
1052
1073
ret = get_reply_key(context, &content, req_buffer, key);
1053
1074
if (ret != 0 && ctx->require_binding == 0)
1054
1075
ret = get_reply_key_win(context, &content, nonce, key);
1057
1078
ret = get_reply_key(context, &content, req_buffer, key);
1262
1283
/* Check for IETF PK-INIT first */
1263
if (ctx->type == COMPAT_IETF) {
1284
if (ctx->type == PKINIT_27) {
1264
1285
PA_PK_AS_REP rep;
1265
1286
heim_octet_string os, data;
1308
1329
nonce, pa, key);
1310
1331
case choice_PA_PK_AS_REP_encKeyPack:
1311
ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &data, &oid, realm,
1332
ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, realm,
1312
1333
ctx, etype, hi, nonce, req_buffer, pa, key);
1360
ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &data, &oid, realm,
1381
ret = pk_rd_pa_reply_enckey(context, PKINIT_WIN2K, &data, &oid, realm,
1361
1382
ctx, etype, hi, nonce, req_buffer, pa, key);
1362
1383
der_free_octet_string(&data);
1363
1384
der_free_oid(&oid);
1487
1508
ret = hx509_certs_init(id->hx509ctx, user_id, 0, lock, &id->certs);
1489
_krb5_pk_copy_error(context, id->hx509ctx, ret,
1510
pk_copy_error(context, id->hx509ctx, ret,
1490
1511
"Failed to init cert certs");
1494
1515
ret = hx509_certs_init(id->hx509ctx, anchor_id, 0, NULL, &id->anchors);
1496
_krb5_pk_copy_error(context, id->hx509ctx, ret,
1517
pk_copy_error(context, id->hx509ctx, ret,
1497
1518
"Failed to init anchors");
1501
1522
ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain",
1502
1523
0, NULL, &id->certpool);
1504
_krb5_pk_copy_error(context, id->hx509ctx, ret,
1525
pk_copy_error(context, id->hx509ctx, ret,
1505
1526
"Failed to init chain");
1510
1531
ret = hx509_certs_append(id->hx509ctx, id->certpool,
1511
1532
NULL, *chain_list);
1513
_krb5_pk_copy_error(context, id->hx509ctx, ret,
1534
pk_copy_error(context, id->hx509ctx, ret,
1514
1535
"Failed to laod chain %s",
1521
1542
if (revoke_list) {
1522
1543
ret = hx509_revoke_init(id->hx509ctx, &id->revokectx);
1524
_krb5_pk_copy_error(context, id->hx509ctx, ret,
1545
pk_copy_error(context, id->hx509ctx, ret,
1525
1546
"Failed init revoke list");
1534
_krb5_pk_copy_error(context, id->hx509ctx, ret,
1555
pk_copy_error(context, id->hx509ctx, ret,
1535
1556
"Failed load revoke list");
1543
1564
ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx);
1545
_krb5_pk_copy_error(context, id->hx509ctx, ret,
1566
pk_copy_error(context, id->hx509ctx, ret,
1546
1567
"Failed init verify context");
1635
pk_copy_error(krb5_context context,
1636
hx509_context hx509ctx,
1645
vasprintf(&f, fmt, va);
1648
krb5_clear_error_string(context);
1652
s = hx509_get_error_string(hx509ctx, hxret);
1654
krb5_clear_error_string(context);
1658
krb5_set_error_string(context, "%s: %s", f, s);
1609
1663
#endif /* PKINIT */
2044
_krb5_pk_copy_error(krb5_context context,
2045
hx509_context hx509ctx,
2054
vasprintf(&f, fmt, va);
2057
krb5_clear_error_string(context);
2061
s = hx509_get_error_string(hx509ctx, hxret);
2063
krb5_clear_error_string(context);
2067
krb5_set_error_string(context, "%s: %s", f, s);
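Review bot: The return value of `vasprintf(&f, fmt, va);` in the new static `pk_copy_error` (new line 1645) is discarded, so an allocation failure is caught only if the following code tests `f`, and that test is not visible in this view. On glibc the pointer is documented as undefined when vasprintf fails, so a NULL test on `f` alone is not reliable, and the later `krb5_set_error_string(context, "%s: %s", f, s)` could then format from a stray pointer. I would key the error path on the return value instead: `if (vasprintf(&f, fmt, va) < 0) f = NULL;`. Only part of the function body is shown here, so please confirm against the full file.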