pkinit_identity.c revision 159d09a20817016f09b3ea28d1bdada4a336bb91
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * COPYRIGHT (C) 2007
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * ALL RIGHTS RESERVED
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Permission is granted to use, copy, create derivative works
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * and redistribute this software and such derivative works
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * for any purpose, so long as the name of The University of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Michigan is not used in any advertising or publicity
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * pertaining to the use of distribution of this software
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * without specific, written prior authorization. If the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * above copyright notice or any other identification of the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * University of Michigan is included in any copy of any
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * portion of this software, then the disclaimer below must
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * also be included.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * SUCH DAMAGES.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan newlist = calloc(1, (i + 1) * sizeof(*newlist));
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* Solaris Kerberos: Removed "break"s (lint) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan default: return "INVALID";
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* Solaris Kerberos: Removed "break"s (lint) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan case CATYPE_INTERMEDIATES: return "INTERMEDIATES";
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan default: return "INVALID";
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalanpkinit_init_identity_opts(pkinit_identity_opts **idopts)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan opts = (pkinit_identity_opts *) calloc(1, sizeof(pkinit_identity_opts));
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalanpkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = copy_list(&newopts->anchors, src_opts->anchors);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = copy_list(&newopts->intermediates,src_opts->intermediates);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = copy_list(&newopts->crls, src_opts->crls);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan newopts->cert_filename = strdup(src_opts->cert_filename);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan newopts->key_filename = strdup(src_opts->key_filename);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan newopts->p11_module_name = strdup(src_opts->p11_module_name);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan newopts->token_label = strdup(src_opts->token_label);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan newopts->cert_id_string = strdup(src_opts->cert_id_string);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan newopts->cert_label = strdup(src_opts->cert_label);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalanpkinit_fini_identity_opts(pkinit_identity_opts *idopts)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* ARGSUSED */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan /* Split string into attr=value substrings */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan for ((cp = strtok(s, ":")); cp; (cp = strtok(NULL, ":"))) {
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan /* If there is no "=", this is a pkcs11 module name */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan if ((slotid == LONG_MIN || slotid == LONG_MAX) && errno != 0) {
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* ARGSUSED */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan idopts->key_filename = strdup(keyname ? keyname : certname);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* ARGSUSED */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkiDebug("%s: cert_filename '%s' key_filename '%s'\n",
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan const char *value)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan unsigned int typelen;
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan } else if (strncmp(value, "PKCS11:", typelen) == 0) {
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan } else if (strncmp(value, "PKCS12:", typelen) == 0) {
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan } else if (strncmp(value, "DIR:", typelen) == 0) {
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan } else if (strncmp(value, "ENV:", typelen) == 0) {
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkiDebug("%s: Unsupported type while processing '%s'\n",
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan "Unsupported type while processing '%s'\n",
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkiDebug("%s: idtype is %s\n", __FUNCTION__, idtype2string(idopts->idtype));
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan /* Solaris Kerberos: Improved error messages */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan gettext("failed to find environmental variable \'%s\'"),
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan return process_option_identity(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan /* Solaris Kerberos: not reached */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = parse_fs_options(context, idopts, residual);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = parse_pkcs12_options(context, idopts, residual);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = parse_pkcs11_options(context, idopts, residual);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan "Internal error parsing X509_user_identity\n");
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan const char *value,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan unsigned int typelen;
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkiDebug("%s: processing catype %s, value '%s'\n",
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan } else if (strncmp(value, "DIR:", typelen) == 0) {
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalanpkinit_identity_process_option(krb5_context context,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan const char *value)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = process_option_identity(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = process_option_ca_crl(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = process_option_ca_crl(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = process_option_ca_crl(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * If identity was specified, use that. (For the kdc, this
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * is specified as pkinit_identity in the kdc.conf. For users,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this is specified on the command line via X509_user_identity.)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * If a user did not specify identity on the command line,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * then we will try alternatives which may have been specified
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * in the config file.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = pkinit_identity_process_option(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = pkinit_identity_process_option(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan (void) crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan /* Tell crypto code to use the "default" */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = crypto_cert_select_default(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkiDebug("%s: Failed while selecting default certificate\n",
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan (void) crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = pkinit_identity_process_option(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = pkinit_identity_process_option(context, plg_cryptoctx,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan for (i = 0; idopts->crls != NULL && idopts->crls[i] != NULL; i++) {
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan retval = pkinit_identity_process_option(context, plg_cryptoctx,