226
if (c->enable_pkinit) {
227
const char *user_id, *anchors, *file;
228
char **pool_list, **revoke_list;
231
krb5_config_get_string(context, NULL,
232
"kdc", "pkinit_identity", NULL);
234
krb5_errx(context, 1, "pkinit enabled but no identity");
236
anchors = krb5_config_get_string(context, NULL,
237
"kdc", "pkinit_anchors", NULL);
239
krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
242
krb5_config_get_strings(context, NULL,
243
"kdc", "pkinit_pool", NULL);
246
krb5_config_get_strings(context, NULL,
247
"kdc", "pkinit_revoke", NULL);
249
file = krb5_config_get_string(context, NULL,
250
"kdc", "pkinit_kdc_ocsp", NULL);
252
c->pkinit_kdc_ocsp_file = strdup(file);
253
if (c->pkinit_kdc_ocsp_file == NULL)
254
krb5_errx(context, 1, "out of memory");
257
file = krb5_config_get_string(context, NULL,
258
"kdc", "pkinit_kdc_friendly_name", NULL);
260
c->pkinit_kdc_friendly_name = strdup(file);
261
if (c->pkinit_kdc_friendly_name == NULL)
262
krb5_errx(context, 1, "out of memory");
266
_kdc_pk_initialize(context, c, user_id, anchors,
267
pool_list, revoke_list);
269
krb5_config_free_strings(pool_list);
270
krb5_config_free_strings(revoke_list);
272
c->pkinit_princ_in_cert =
273
krb5_config_get_bool_default(context, NULL,
274
c->pkinit_princ_in_cert,
276
"pkinit_principal_in_certificate",
279
c->pkinit_require_binding =
280
krb5_config_get_bool_default(context, NULL,
281
c->pkinit_require_binding,
283
"pkinit_win2k_require_binding",
226
c->pkinit_kdc_identity =
227
krb5_config_get_string(context, NULL,
228
"kdc", "pkinit_identity", NULL);
229
c->pkinit_kdc_anchors =
230
krb5_config_get_string(context, NULL,
231
"kdc", "pkinit_anchors", NULL);
232
c->pkinit_kdc_cert_pool =
233
krb5_config_get_strings(context, NULL,
234
"kdc", "pkinit_pool", NULL);
235
c->pkinit_kdc_revoke =
236
krb5_config_get_strings(context, NULL,
237
"kdc", "pkinit_revoke", NULL);
238
c->pkinit_kdc_ocsp_file =
239
krb5_config_get_string(context, NULL,
240
"kdc", "pkinit_kdc_ocsp", NULL);
241
c->pkinit_kdc_friendly_name =
242
krb5_config_get_string(context, NULL,
243
"kdc", "pkinit_kdc_friendly_name", NULL);
244
c->pkinit_princ_in_cert =
245
krb5_config_get_bool_default(context, NULL,
246
c->pkinit_princ_in_cert,
248
"pkinit_principal_in_certificate",
250
c->pkinit_require_binding =
251
krb5_config_get_bool_default(context, NULL,
252
c->pkinit_require_binding,
254
"pkinit_win2k_require_binding",
287
256
c->pkinit_dh_min_bits =
288
257
krb5_config_get_int_default(context, NULL,
290
259
"kdc", "pkinit_dh_min_bits", NULL);
267
krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
271
config->enable_pkinit = 1;
273
if (config->pkinit_kdc_identity == NULL) {
274
if (config->pkinit_kdc_friendly_name == NULL)
275
config->pkinit_kdc_friendly_name =
276
strdup("O=System Identity,CN=com.apple.kerberos.kdc");
277
config->pkinit_kdc_identity = strdup("KEYCHAIN:");
279
if (config->pkinit_kdc_anchors == NULL)
280
config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
282
#endif /* __APPLE__ */
284
if (config->enable_pkinit) {
285
if (config->pkinit_kdc_identity == NULL)
286
krb5_errx(context, 1, "pkinit enabled but no identity");
288
if (config->pkinit_kdc_anchors == NULL)
289
krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
291
krb5_kdc_pk_initialize(context, config,
292
config->pkinit_kdc_identity,
293
config->pkinit_kdc_anchors,
294
config->pkinit_kdc_cert_pool,
295
config->pkinit_kdc_revoke);