pkinit_identity.c revision 159d09a20817016f09b3ea28d1bdada4a336bb91
9e2cd38c103ae52a41b09823a11c9b5c059555f0eh * COPYRIGHT (C) 2007
bb5e3b2f129cc39517b925419c22f69a378ec023eh * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
bb5e3b2f129cc39517b925419c22f69a378ec023eh * ALL RIGHTS RESERVED
bb5e3b2f129cc39517b925419c22f69a378ec023eh * Permission is granted to use, copy, create derivative works
bb5e3b2f129cc39517b925419c22f69a378ec023eh * and redistribute this software and such derivative works
bb5e3b2f129cc39517b925419c22f69a378ec023eh * for any purpose, so long as the name of The University of
bb5e3b2f129cc39517b925419c22f69a378ec023eh * Michigan is not used in any advertising or publicity
bb5e3b2f129cc39517b925419c22f69a378ec023eh * pertaining to the use of distribution of this software
bb5e3b2f129cc39517b925419c22f69a378ec023eh * without specific, written prior authorization. If the
bb5e3b2f129cc39517b925419c22f69a378ec023eh * above copyright notice or any other identification of the
bb5e3b2f129cc39517b925419c22f69a378ec023eh * University of Michigan is included in any copy of any
bb5e3b2f129cc39517b925419c22f69a378ec023eh * portion of this software, then the disclaimer below must
bb5e3b2f129cc39517b925419c22f69a378ec023eh * also be included.
bb5e3b2f129cc39517b925419c22f69a378ec023eh * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
bb5e3b2f129cc39517b925419c22f69a378ec023eh * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
bb5e3b2f129cc39517b925419c22f69a378ec023eh * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
bb5e3b2f129cc39517b925419c22f69a378ec023eh * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
bb5e3b2f129cc39517b925419c22f69a378ec023eh * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
bb5e3b2f129cc39517b925419c22f69a378ec023eh * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
bb5e3b2f129cc39517b925419c22f69a378ec023eh * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
bb5e3b2f129cc39517b925419c22f69a378ec023eh * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
bb5e3b2f129cc39517b925419c22f69a378ec023eh * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
bb5e3b2f129cc39517b925419c22f69a378ec023eh * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
bb5e3b2f129cc39517b925419c22f69a378ec023eh * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
bb5e3b2f129cc39517b925419c22f69a378ec023eh * SUCH DAMAGES.
bb5e3b2f129cc39517b925419c22f69a378ec023ehstatic void
bb5e3b2f129cc39517b925419c22f69a378ec023eh/* Solaris Kerberos: Removed "break"s (lint) */
bb5e3b2f129cc39517b925419c22f69a378ec023eh default: return "INVALID";
bb5e3b2f129cc39517b925419c22f69a378ec023eh/* Solaris Kerberos: Removed "break"s (lint) */
bb5e3b2f129cc39517b925419c22f69a378ec023eh default: return "INVALID";
bb5e3b2f129cc39517b925419c22f69a378ec023eh opts = (pkinit_identity_opts *) calloc(1, sizeof(pkinit_identity_opts));
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = copy_list(&newopts->anchors, src_opts->anchors);
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = copy_list(&newopts->intermediates,src_opts->intermediates);
bb5e3b2f129cc39517b925419c22f69a378ec023eh newopts->cert_filename = strdup(src_opts->cert_filename);
bb5e3b2f129cc39517b925419c22f69a378ec023eh newopts->p11_module_name = strdup(src_opts->p11_module_name);
bb5e3b2f129cc39517b925419c22f69a378ec023eh newopts->cert_id_string = strdup(src_opts->cert_id_string);
bb5e3b2f129cc39517b925419c22f69a378ec023eh/* ARGSUSED */
bb5e3b2f129cc39517b925419c22f69a378ec023eh const char *residual)
bb5e3b2f129cc39517b925419c22f69a378ec023eh /* Split string into attr=value substrings */
bb5e3b2f129cc39517b925419c22f69a378ec023eh for ((cp = strtok(s, ":")); cp; (cp = strtok(NULL, ":"))) {
bb5e3b2f129cc39517b925419c22f69a378ec023eh /* If there is no "=", this is a pkcs11 module name */
bb5e3b2f129cc39517b925419c22f69a378ec023eh if ((slotid == LONG_MIN || slotid == LONG_MAX) && errno != 0) {
bb5e3b2f129cc39517b925419c22f69a378ec023eh/* ARGSUSED */
bb5e3b2f129cc39517b925419c22f69a378ec023eh const char *residual)
bb5e3b2f129cc39517b925419c22f69a378ec023eh idopts->key_filename = strdup(keyname ? keyname : certname);
bb5e3b2f129cc39517b925419c22f69a378ec023eh/* ARGSUSED */
bb5e3b2f129cc39517b925419c22f69a378ec023eh const char *residual)
bb5e3b2f129cc39517b925419c22f69a378ec023eh const char *value)
bb5e3b2f129cc39517b925419c22f69a378ec023eh const char *residual;
bb5e3b2f129cc39517b925419c22f69a378ec023eh unsigned int typelen;
bb5e3b2f129cc39517b925419c22f69a378ec023eh "Unsupported type while processing '%s'\n",
bb5e3b2f129cc39517b925419c22f69a378ec023eh pkiDebug("%s: idtype is %s\n", __FUNCTION__, idtype2string(idopts->idtype));
bb5e3b2f129cc39517b925419c22f69a378ec023eh switch (idtype) {
bb5e3b2f129cc39517b925419c22f69a378ec023eh /* Solaris Kerberos: Improved error messages */
bb5e3b2f129cc39517b925419c22f69a378ec023eh /* Solaris Kerberos: not reached */
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = parse_pkcs12_options(context, idopts, residual);
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = parse_pkcs11_options(context, idopts, residual);
bb5e3b2f129cc39517b925419c22f69a378ec023eh "Internal error parsing X509_user_identity\n");
bb5e3b2f129cc39517b925419c22f69a378ec023eh const char *value,
bb5e3b2f129cc39517b925419c22f69a378ec023eh unsigned int typelen;
bb5e3b2f129cc39517b925419c22f69a378ec023eh const char *value)
bb5e3b2f129cc39517b925419c22f69a378ec023eh switch (attr) {
799aa485da68fdaa1850eaf833ad108e5af82adbKonstantin Ananyev retval = process_option_ca_crl(context, plg_cryptoctx,
799aa485da68fdaa1850eaf833ad108e5af82adbKonstantin Ananyevpkinit_identity_initialize(krb5_context context,
799aa485da68fdaa1850eaf833ad108e5af82adbKonstantin Ananyev pkinit_identity_crypto_context id_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
bb5e3b2f129cc39517b925419c22f69a378ec023eh * If identity was specified, use that. (For the kdc, this
bb5e3b2f129cc39517b925419c22f69a378ec023eh * is specified as pkinit_identity in the kdc.conf. For users,
bb5e3b2f129cc39517b925419c22f69a378ec023eh * this is specified on the command line via X509_user_identity.)
bb5e3b2f129cc39517b925419c22f69a378ec023eh * If a user did not specify identity on the command line,
bb5e3b2f129cc39517b925419c22f69a378ec023eh * then we will try alternatives which may have been specified
bb5e3b2f129cc39517b925419c22f69a378ec023eh * in the config file.
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = pkinit_identity_process_option(context, plg_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++)
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = pkinit_identity_process_option(context, plg_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
bb5e3b2f129cc39517b925419c22f69a378ec023eh (void) crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh /* Tell crypto code to use the "default" */
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = crypto_cert_select_default(context, plg_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh pkiDebug("%s: Failed while selecting default certificate\n",
bb5e3b2f129cc39517b925419c22f69a378ec023eh (void) crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = pkinit_identity_process_option(context, plg_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = pkinit_identity_process_option(context, plg_cryptoctx,
bb5e3b2f129cc39517b925419c22f69a378ec023eh for (i = 0; idopts->crls != NULL && idopts->crls[i] != NULL; i++) {
bb5e3b2f129cc39517b925419c22f69a378ec023eh retval = pkinit_identity_process_option(context, plg_cryptoctx,