pkinit_identity.c revision 159d09a20817016f09b3ea28d1bdada4a336bb91
bb5e3b2f129cc39517b925419c22f69a378ec023eh/*
9e2cd38c103ae52a41b09823a11c9b5c059555f0eh * COPYRIGHT (C) 2007
bb5e3b2f129cc39517b925419c22f69a378ec023eh * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
bb5e3b2f129cc39517b925419c22f69a378ec023eh * ALL RIGHTS RESERVED
bb5e3b2f129cc39517b925419c22f69a378ec023eh *
bb5e3b2f129cc39517b925419c22f69a378ec023eh * Permission is granted to use, copy, create derivative works
bb5e3b2f129cc39517b925419c22f69a378ec023eh * and redistribute this software and such derivative works
bb5e3b2f129cc39517b925419c22f69a378ec023eh * for any purpose, so long as the name of The University of
bb5e3b2f129cc39517b925419c22f69a378ec023eh * Michigan is not used in any advertising or publicity
bb5e3b2f129cc39517b925419c22f69a378ec023eh * pertaining to the use of distribution of this software
bb5e3b2f129cc39517b925419c22f69a378ec023eh * without specific, written prior authorization. If the
bb5e3b2f129cc39517b925419c22f69a378ec023eh * above copyright notice or any other identification of the
bb5e3b2f129cc39517b925419c22f69a378ec023eh * University of Michigan is included in any copy of any
bb5e3b2f129cc39517b925419c22f69a378ec023eh * portion of this software, then the disclaimer below must
bb5e3b2f129cc39517b925419c22f69a378ec023eh * also be included.
bb5e3b2f129cc39517b925419c22f69a378ec023eh *
bb5e3b2f129cc39517b925419c22f69a378ec023eh * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
bb5e3b2f129cc39517b925419c22f69a378ec023eh * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
bb5e3b2f129cc39517b925419c22f69a378ec023eh * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
bb5e3b2f129cc39517b925419c22f69a378ec023eh * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
bb5e3b2f129cc39517b925419c22f69a378ec023eh * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
bb5e3b2f129cc39517b925419c22f69a378ec023eh * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
bb5e3b2f129cc39517b925419c22f69a378ec023eh * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
bb5e3b2f129cc39517b925419c22f69a378ec023eh * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
bb5e3b2f129cc39517b925419c22f69a378ec023eh * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
bb5e3b2f129cc39517b925419c22f69a378ec023eh * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
bb5e3b2f129cc39517b925419c22f69a378ec023eh * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
bb5e3b2f129cc39517b925419c22f69a378ec023eh * SUCH DAMAGES.
bb5e3b2f129cc39517b925419c22f69a378ec023eh */
bb5e3b2f129cc39517b925419c22f69a378ec023eh
bb5e3b2f129cc39517b925419c22f69a378ec023eh#include <errno.h>
bb5e3b2f129cc39517b925419c22f69a378ec023eh#include <string.h>
bb5e3b2f129cc39517b925419c22f69a378ec023eh#include <stdio.h>
bb5e3b2f129cc39517b925419c22f69a378ec023eh#include <stdlib.h>
bb5e3b2f129cc39517b925419c22f69a378ec023eh#include <dlfcn.h>
bb5e3b2f129cc39517b925419c22f69a378ec023eh#include <unistd.h>
bb5e3b2f129cc39517b925419c22f69a378ec023eh#include <dirent.h>
bb5e3b2f129cc39517b925419c22f69a378ec023eh
bb5e3b2f129cc39517b925419c22f69a378ec023eh#include <libintl.h>
bb5e3b2f129cc39517b925419c22f69a378ec023eh
bb5e3b2f129cc39517b925419c22f69a378ec023eh#include "pkinit.h"
bb5e3b2f129cc39517b925419c22f69a378ec023eh
/*
 * Release a NULL-terminated array of heap-allocated strings together with
 * the array itself.  A NULL list is accepted and ignored.
 */
static void
free_list(char **list)
{
    char **cur;

    if (list == NULL)
        return;

    /* Every element is owned by the list; the array ends at the NULL slot. */
    for (cur = list; *cur != NULL; cur++)
        free(*cur);
    free(list);
}
bb5e3b2f129cc39517b925419c22f69a378ec023eh
/*
 * Deep-copy a NULL-terminated string list into *dst.
 *
 * On success *dst owns a fresh list (release it with free_list()) and 0 is
 * returned.  A NULL src yields *dst == NULL and 0.  Returns EINVAL when dst
 * is NULL and ENOMEM when any allocation fails; in the ENOMEM case *dst is
 * NULL and the partial copy has been released.
 */
static krb5_error_code
copy_list(char ***dst, char **src)
{
    size_t count = 0, idx;
    char **copy;

    if (dst == NULL)
        return EINVAL;
    *dst = NULL;

    if (src == NULL)
        return 0;

    while (src[count] != NULL)
        count++;

    /* calloc() leaves the terminator and every unfilled slot NULL, so a
     * partially filled copy is always safe to hand to free_list(). */
    copy = calloc(count + 1, sizeof(*copy));
    if (copy == NULL)
        return ENOMEM;

    for (idx = 0; idx < count; idx++) {
        copy[idx] = strdup(src[idx]);
        if (copy[idx] == NULL) {
            free_list(copy);
            return ENOMEM;
        }
    }

    *dst = copy;
    return 0;
}
bb5e3b2f129cc39517b925419c22f69a378ec023eh
/*
 * Map an IDTYPE_* identity type to a printable name for debug output.
 * The result is a string literal: callers must not modify or free it.
 * Any value that is not a known type maps to "INVALID".
 */
char *
idtype2string(int idtype)
{
    if (idtype == IDTYPE_FILE)
        return "FILE";
    if (idtype == IDTYPE_DIR)
        return "DIR";
    if (idtype == IDTYPE_PKCS11)
        return "PKCS11";
    if (idtype == IDTYPE_PKCS12)
        return "PKCS12";
    if (idtype == IDTYPE_ENVVAR)
        return "ENV";
    return "INVALID";
}
bb5e3b2f129cc39517b925419c22f69a378ec023eh
/*
 * Map a CATYPE_* certificate-store type to a printable name for debug
 * output.  The result is a string literal: callers must not modify or free
 * it.  Any value that is not a known type maps to "INVALID".
 */
char *
catype2string(int catype)
{
    if (catype == CATYPE_ANCHORS)
        return "ANCHORS";
    if (catype == CATYPE_INTERMEDIATES)
        return "INTERMEDIATES";
    if (catype == CATYPE_CRLS)
        return "CRLS";
    return "INVALID";
}
bb5e3b2f129cc39517b925419c22f69a378ec023eh
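/*
 * Allocate a zeroed pkinit_identity_opts and store it in *idopts.
 *
 * Every pointer member starts out NULL and slotid starts as PK_NOSLOT, so
 * the result can always be released with pkinit_fini_identity_opts().
 *
 * Returns 0 on success, EINVAL when idopts is NULL, and ENOMEM when the
 * allocation fails (in which case *idopts is NULL).
 */
krb5_error_code
pkinit_init_identity_opts(pkinit_identity_opts **idopts)
{
    pkinit_identity_opts *opts;

    if (idopts == NULL)
        return EINVAL;
    *idopts = NULL;

    /* calloc() zero-fills the whole struct, so identity, anchors,
     * intermediates, crls, identity_alt, ocsp, dn_mapping_file,
     * cert_filename, key_filename and the PKCS#11 string members are NULL
     * without any explicit stores. */
    opts = calloc(1, sizeof(*opts));
    if (opts == NULL)
        return ENOMEM;

#ifndef WITHOUT_PKCS11
    /* PK_NOSLOT is not necessarily zero, so it is the one member that
     * needs an explicit initializer. */
    opts->slotid = PK_NOSLOT;
#endif

    *idopts = opts;
    return 0;
}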
bb5e3b2f129cc39517b925419c22f69a378ec023eh
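/*
 * Store a heap copy of src (which may be NULL) in *dst.
 * Returns 0 on success and ENOMEM when the copy cannot be allocated.
 */
static krb5_error_code
dup_opt_string(char **dst, const char *src)
{
    *dst = NULL;
    if (src == NULL)
        return 0;
    *dst = strdup(src);
    return (*dst == NULL) ? ENOMEM : 0;
}

/*
 * Deep-copy src_opts into a freshly allocated *dest_opts.
 *
 * Every string and string list owned by src_opts is duplicated, so the copy
 * can be released independently with pkinit_fini_identity_opts().  The
 * idtype tag is copied as well; without it the duplicate would describe the
 * same files or token under the wrong identity type.  dn_mapping_file is not
 * duplicated: nothing in this file assigns it, so its ownership is not
 * established here.
 *
 * Returns 0 on success; EINVAL when either argument is NULL; otherwise the
 * error from pkinit_init_identity_opts() or ENOMEM, in which case *dest_opts
 * is NULL and every partial allocation has been released.
 */
krb5_error_code
pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
                         pkinit_identity_opts **dest_opts)
{
    pkinit_identity_opts *newopts = NULL;
    krb5_error_code retval;

    if (dest_opts == NULL)
        return EINVAL;
    *dest_opts = NULL;
    if (src_opts == NULL)
        return EINVAL;

    retval = pkinit_init_identity_opts(&newopts);
    if (retval)
        return retval;

    newopts->idtype = src_opts->idtype;

    retval = dup_opt_string(&newopts->identity, src_opts->identity);
    if (retval)
        goto cleanup;

    retval = copy_list(&newopts->anchors, src_opts->anchors);
    if (retval)
        goto cleanup;

    retval = copy_list(&newopts->intermediates, src_opts->intermediates);
    if (retval)
        goto cleanup;

    retval = copy_list(&newopts->crls, src_opts->crls);
    if (retval)
        goto cleanup;

    /* identity_alt is an owned list (pkinit_fini_identity_opts() frees it),
     * so it has to be deep-copied like the other lists. */
    retval = copy_list(&newopts->identity_alt, src_opts->identity_alt);
    if (retval)
        goto cleanup;

    retval = dup_opt_string(&newopts->ocsp, src_opts->ocsp);
    if (retval)
        goto cleanup;

    retval = dup_opt_string(&newopts->cert_filename, src_opts->cert_filename);
    if (retval)
        goto cleanup;

    retval = dup_opt_string(&newopts->key_filename, src_opts->key_filename);
    if (retval)
        goto cleanup;

#ifndef WITHOUT_PKCS11
    retval = dup_opt_string(&newopts->p11_module_name,
                            src_opts->p11_module_name);
    if (retval)
        goto cleanup;

    newopts->slotid = src_opts->slotid;

    retval = dup_opt_string(&newopts->token_label, src_opts->token_label);
    if (retval)
        goto cleanup;

    retval = dup_opt_string(&newopts->cert_id_string, src_opts->cert_id_string);
    if (retval)
        goto cleanup;

    retval = dup_opt_string(&newopts->cert_label, src_opts->cert_label);
    if (retval)
        goto cleanup;
#endif

    *dest_opts = newopts;
    return 0;

cleanup:
    /* newopts was fully initialized, so fini can release whatever subset of
     * members has been filled in so far. */
    pkinit_fini_identity_opts(newopts);
    return retval;
}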
bb5e3b2f129cc39517b925419c22f69a378ec023eh
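/*
 * Release a pkinit_identity_opts obtained from pkinit_init_identity_opts()
 * or pkinit_dup_identity_opts(), including every string and string list it
 * owns.  NULL is accepted and ignored.
 */
void
pkinit_fini_identity_opts(pkinit_identity_opts *idopts)
{
    if (idopts == NULL)
        return;

    /* free() and free_list() both ignore NULL, so unset members need no
     * guard. */
    free(idopts->identity);
    free_list(idopts->anchors);
    free_list(idopts->intermediates);
    free_list(idopts->crls);
    free_list(idopts->identity_alt);
    /* ocsp is strdup()ed by pkinit_dup_identity_opts(), so this struct owns
     * it and must release it here. */
    free(idopts->ocsp);
    free(idopts->cert_filename);
    free(idopts->key_filename);
#ifndef WITHOUT_PKCS11
    free(idopts->p11_module_name);
    free(idopts->token_label);
    free(idopts->cert_id_string);
    free(idopts->cert_label);
#endif
    /* dn_mapping_file is deliberately left alone: nothing in this file
     * assigns it, so its ownership is not established here. */
    free(idopts);
}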
bb5e3b2f129cc39517b925419c22f69a378ec023eh
bb5e3b2f129cc39517b925419c22f69a378ec023eh#ifndef WITHOUT_PKCS11
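/*
 * Replace *dst with a heap copy of value.  Returns 0 on success; on ENOMEM
 * the previous *dst is left untouched rather than freed and nulled.
 */
static krb5_error_code
set_p11_string(char **dst, const char *value)
{
    char *copy = strdup(value);

    if (copy == NULL)
        return ENOMEM;
    free(*dst);
    *dst = copy;
    return 0;
}

/*
 * Parse the residual of a "PKCS11:" identity specification into idopts.
 *
 * The residual is a ':'-separated list of fields.  A field of the form
 * attr=value sets module_name, slotid, token, certid or certlabel; a field
 * without '=' is taken as the PKCS#11 module name.  Unknown attributes are
 * ignored and empty fields are skipped, matching the strtok() behaviour the
 * previous implementation relied on.
 *
 * Returns 0 on success (including a NULL or empty residual); EINVAL when a
 * slotid is not a decimal integer that fits in an int; ENOMEM when a copy
 * cannot be allocated.  The context argument is unused.
 */
/* ARGSUSED */
static krb5_error_code
parse_pkcs11_options(krb5_context context,
                     pkinit_identity_opts *idopts,
                     const char *residual)
{
    char *buf, *field, *next;
    krb5_error_code retval = ENOMEM;

    if (residual == NULL || residual[0] == '\0')
        return 0;

    /* Work on a private copy so fields can be NUL-terminated in place.
     * Splitting with strchr() keeps this reentrant, unlike strtok(). */
    buf = strdup(residual);
    if (buf == NULL)
        return retval;

    for (field = buf; field != NULL; field = next) {
        char *sep = strchr(field, ':');
        char *vp;

        if (sep != NULL) {
            *sep = '\0';
            next = sep + 1;
        } else {
            next = NULL;
        }
        if (*field == '\0')
            continue;           /* empty field: skipped, as strtok() did */

        vp = strchr(field, '=');
        /* If there is no "=", this is a pkcs11 module name */
        if (vp == NULL) {
            retval = set_p11_string(&idopts->p11_module_name, field);
            if (retval)
                goto cleanup;
            continue;
        }
        *vp++ = '\0';

        if (strcmp(field, "module_name") == 0) {
            retval = set_p11_string(&idopts->p11_module_name, vp);
        } else if (strcmp(field, "slotid") == 0) {
            char *end;
            long slotid;

            /* errno must be cleared before strtol(); a stale value would
             * otherwise be mistaken for an overflow.  Empty values and
             * trailing garbage are rejected instead of being silently
             * parsed as 0. */
            errno = 0;
            slotid = strtol(vp, &end, 10);
            if (end == vp || *end != '\0' || errno == ERANGE ||
                (long)(int)slotid != slotid) {
                retval = EINVAL;
                goto cleanup;
            }
            idopts->slotid = slotid;
            retval = 0;
        } else if (strcmp(field, "token") == 0) {
            retval = set_p11_string(&idopts->token_label, vp);
        } else if (strcmp(field, "certid") == 0) {
            retval = set_p11_string(&idopts->cert_id_string, vp);
        } else if (strcmp(field, "certlabel") == 0) {
            retval = set_p11_string(&idopts->cert_label, vp);
        } else {
            retval = 0;         /* unknown attribute: ignored */
        }
        if (retval)
            goto cleanup;
    }
    retval = 0;

cleanup:
    free(buf);
    return retval;
}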
bb5e3b2f129cc39517b925419c22f69a378ec023eh#endif
bb5e3b2f129cc39517b925419c22f69a378ec023eh
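/*
 * Parse the residual of a "FILE:" identity specification, which is either
 * "certfile" or "certfile,keyfile", into idopts->cert_filename and
 * idopts->key_filename.  When no key file is given the certificate file
 * name is stored for both.
 *
 * Field splitting follows the strtok() rules the previous code relied on
 * (leading and repeated ',' are skipped), but the malloc()ed buffer is kept
 * in its own variable: the old code overwrote it with strtok()'s return
 * value, so a residual such as ",key" ended up calling free() on an interior
 * pointer and one consisting only of ',' passed NULL to strdup().
 *
 * Returns 0 on success (including a NULL or empty residual); EINVAL when the
 * residual holds no file name at all; ENOMEM when a copy cannot be
 * allocated.  The context argument is unused.
 */
/* ARGSUSED */
static krb5_error_code
parse_fs_options(krb5_context context,
                 pkinit_identity_opts *idopts,
                 const char *residual)
{
    char *buf, *certname, *keyname = NULL, *sep;
    krb5_error_code retval = ENOMEM;

    if (residual == NULL || residual[0] == '\0')
        return 0;

    buf = strdup(residual);
    if (buf == NULL)
        goto cleanup;

    certname = buf + strspn(buf, ",");
    if (*certname == '\0') {
        retval = EINVAL;        /* nothing but separators */
        goto cleanup;
    }
    sep = strchr(certname, ',');
    if (sep != NULL) {
        *sep = '\0';
        keyname = sep + 1 + strspn(sep + 1, ",");
        sep = strchr(keyname, ',');
        if (sep != NULL)
            *sep = '\0';
        if (*keyname == '\0')
            keyname = NULL;     /* "cert," names no key file */
    }

    idopts->cert_filename = strdup(certname);
    if (idopts->cert_filename == NULL)
        goto cleanup;

    idopts->key_filename = strdup(keyname != NULL ? keyname : certname);
    if (idopts->key_filename == NULL)
        goto cleanup;

    retval = 0;
cleanup:
    free(buf);                  /* free(NULL) is a no-op */
    return retval;
}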
bb5e3b2f129cc39517b925419c22f69a378ec023eh
/*
 * Record the residual of a "PKCS12:" identity specification.  The same
 * path is stored as idopts->cert_filename and idopts->key_filename, since a
 * PKCS#12 file carries certificate and key together.
 *
 * Returns 0 on success (including a NULL or empty residual) and ENOMEM when
 * a copy cannot be allocated.  The context argument is unused.
 */
/* ARGSUSED */
static krb5_error_code
parse_pkcs12_options(krb5_context context,
                     pkinit_identity_opts *idopts,
                     const char *residual)
{
    if (residual == NULL || residual[0] == '\0')
        return 0;

    idopts->cert_filename = strdup(residual);
    if (idopts->cert_filename == NULL)
        return ENOMEM;

    idopts->key_filename = strdup(residual);
    if (idopts->key_filename == NULL)
        return ENOMEM;

    pkiDebug("%s: cert_filename '%s' key_filename '%s'\n",
             __FUNCTION__, idopts->cert_filename,
             idopts->key_filename);
    return 0;
}
bb5e3b2f129cc39517b925419c22f69a378ec023eh
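/* Upper bound on "ENV:" indirections followed while resolving one value. */
enum { PKINIT_MAX_ENV_HOPS = 8 };

/*
 * Split an X509_user_identity value into its type tag and residual.
 *
 * A value without ':' is treated as FILE:value.  Returns 0 and sets *idtype
 * and *residual, or KRB5_PREAUTH_FAILED (with the context error message
 * set) for an unrecognised "TYPE:" prefix.
 */
static krb5_error_code
classify_identity(krb5_context context, const char *value,
                  int *idtype, const char **residual)
{
    const char *rest = strchr(value, ':');
    size_t typelen;

    if (rest == NULL) {
        *idtype = IDTYPE_FILE;
        *residual = value;
        return 0;
    }
    rest++;                     /* skip past colon */
    /* The compared length covers the colon, so only an exact tag such as
     * "FILE:" matches; "FILEX:" or "FIL:" do not. */
    typelen = (size_t)(rest - value);
    if (strncmp(value, "FILE:", typelen) == 0) {
        *idtype = IDTYPE_FILE;
#ifndef WITHOUT_PKCS11
    } else if (strncmp(value, "PKCS11:", typelen) == 0) {
        *idtype = IDTYPE_PKCS11;
#endif
    } else if (strncmp(value, "PKCS12:", typelen) == 0) {
        *idtype = IDTYPE_PKCS12;
    } else if (strncmp(value, "DIR:", typelen) == 0) {
        *idtype = IDTYPE_DIR;
    } else if (strncmp(value, "ENV:", typelen) == 0) {
        *idtype = IDTYPE_ENVVAR;
    } else {
        pkiDebug("%s: Unsupported type while processing '%s'\n",
                 __FUNCTION__, value);
        krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
                               "Unsupported type while processing '%s'\n",
                               value);
        return KRB5_PREAUTH_FAILED;
    }
    *residual = rest;
    return 0;
}

/*
 * Parse one X509_user_identity value ("TYPE:residual", or a bare file name
 * meaning FILE:) into idopts: records idopts->idtype and hands the residual
 * to the per-type parser.
 *
 * "ENV:NAME" is replaced by the value of environment variable NAME and
 * classified again, at most PKINIT_MAX_ENV_HOPS times.  The previous
 * implementation re-entered itself for every hop, so an environment variable
 * whose value pointed back at itself recursed without bound.
 *
 * Returns 0 on success; EINVAL when value is NULL, the environment variable
 * is unset, the indirection limit is reached, or the type cannot be handled;
 * KRB5_PREAUTH_FAILED for an unknown type tag; otherwise the per-type
 * parser's error.  plg_cryptoctx, req_cryptoctx and id_cryptoctx are kept
 * for interface compatibility and are not used here.
 */
/* ARGSUSED */
static krb5_error_code
process_option_identity(krb5_context context,
                        pkinit_plg_crypto_context plg_cryptoctx,
                        pkinit_req_crypto_context req_cryptoctx,
                        pkinit_identity_opts *idopts,
                        pkinit_identity_crypto_context id_cryptoctx,
                        const char *value)
{
    const char *residual;
    int idtype, hops;
    krb5_error_code retval;

    pkiDebug("%s: processing value '%s'\n",
             __FUNCTION__, value ? value : "NULL");
    if (value == NULL)
        return EINVAL;

    for (hops = 0; ; hops++) {
        retval = classify_identity(context, value, &idtype, &residual);
        if (retval)
            return retval;
        if (idtype != IDTYPE_ENVVAR)
            break;
        if (hops >= PKINIT_MAX_ENV_HOPS) {
            krb5_set_error_message(context, EINVAL,
                gettext("too many ENV: indirections while processing '%s'"),
                residual);
            return EINVAL;
        }
        /* Solaris Kerberos: Improved error messages */
        value = getenv(residual);
        if (value == NULL) {
            krb5_set_error_message(context, EINVAL,
                gettext("failed to find environmental variable \'%s\'"),
                residual);
            return EINVAL;
        }
        pkiDebug("%s: resolved ENV:%s, processing value '%s'\n",
                 __FUNCTION__, residual, value);
    }

    idopts->idtype = idtype;
    pkiDebug("%s: idtype is %s\n", __FUNCTION__, idtype2string(idopts->idtype));
    switch (idtype) {
    case IDTYPE_FILE:
        retval = parse_fs_options(context, idopts, residual);
        break;
    case IDTYPE_PKCS12:
        retval = parse_pkcs12_options(context, idopts, residual);
        break;
#ifndef WITHOUT_PKCS11
    case IDTYPE_PKCS11:
        retval = parse_pkcs11_options(context, idopts, residual);
        break;
#endif
    case IDTYPE_DIR:
        /* Only the directory path is recorded here. */
        idopts->cert_filename = strdup(residual);
        retval = (idopts->cert_filename == NULL) ? ENOMEM : 0;
        break;
    default:
        /* Not reachable through classify_identity(); kept as a guard. */
        krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
                               "Internal error parsing X509_user_identity\n");
        retval = EINVAL;
        break;
    }
    return retval;
}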
bb5e3b2f129cc39517b925419c22f69a378ec023eh
/*
 * Parse one trust-material location of the form "TYPE:residual" and hand
 * it to the crypto layer as anchors, intermediates or CRLs (per catype).
 *
 * Only the FILE: and DIR: location types are understood here.  A value
 * with no ':' separator yields EINVAL; any other prefix yields ENOTSUP.
 * The text after the colon is passed through untouched as the residual,
 * so the crypto layer sees exactly what was configured.
 *
 * Returns 0 on success, or the error from crypto_load_cas_and_crls().
 */
static krb5_error_code
process_option_ca_crl(krb5_context context,
                      pkinit_plg_crypto_context plg_cryptoctx,
                      pkinit_req_crypto_context req_cryptoctx,
                      pkinit_identity_opts *idopts,
                      pkinit_identity_crypto_context id_cryptoctx,
                      const char *value,
                      int catype)
{
    char *sep;
    char *residual;
    unsigned int prefixlen;
    int idtype;

    pkiDebug("%s: processing catype %s, value '%s'\n",
             __FUNCTION__, catype2string(catype), value);

    sep = strchr(value, ':');
    if (sep == NULL) {
        pkiDebug("No type given for '%s'\n", value);
        return EINVAL;
    }
    residual = sep + 1;                              /* text after the colon */
    prefixlen = (unsigned int)(residual - value);    /* "TYPE:" incl. colon */

    /*
     * Compare the whole "TYPE:" prefix, colon included: because the colon
     * position is part of the comparison, neither a shorter nor a longer
     * prefix can match one of the known literals.
     */
    if (strncmp(value, "DIR:", prefixlen) == 0)
        idtype = IDTYPE_DIR;
    else if (strncmp(value, "FILE:", prefixlen) == 0)
        idtype = IDTYPE_FILE;
    else
        return ENOTSUP;

    return crypto_load_cas_and_crls(context,
                                    plg_cryptoctx,
                                    req_cryptoctx,
                                    idopts, id_cryptoctx,
                                    idtype, catype, residual);
}
bb5e3b2f129cc39517b925419c22f69a378ec023eh
/*
 * Dispatch one identity option (a PKINIT_ID_OPT_* attribute with its
 * configured string value) to the handler for that attribute.
 *
 * The user identity goes to process_option_identity(); anchors,
 * intermediates and CRLs all go to process_option_ca_crl() with the
 * matching CATYPE_* tag.  OCSP is recognised but not supported (ENOTSUP),
 * and an unknown attribute is rejected with EINVAL.
 *
 * Returns 0 on success or the handler's error code.
 */
static krb5_error_code
pkinit_identity_process_option(krb5_context context,
                               pkinit_plg_crypto_context plg_cryptoctx,
                               pkinit_req_crypto_context req_cryptoctx,
                               pkinit_identity_opts *idopts,
                               pkinit_identity_crypto_context id_cryptoctx,
                               int attr,
                               const char *value)
{
    int catype;

    switch (attr) {
    case PKINIT_ID_OPT_USER_IDENTITY:
        return process_option_identity(context, plg_cryptoctx,
                                       req_cryptoctx, idopts,
                                       id_cryptoctx, value);
    case PKINIT_ID_OPT_ANCHOR_CAS:
        catype = CATYPE_ANCHORS;
        break;
    case PKINIT_ID_OPT_INTERMEDIATE_CAS:
        catype = CATYPE_INTERMEDIATES;
        break;
    case PKINIT_ID_OPT_CRLS:
        catype = CATYPE_CRLS;
        break;
    case PKINIT_ID_OPT_OCSP:
        /* Accepted by the option parser but has no implementation here. */
        return ENOTSUP;
    default:
        return EINVAL;
    }

    /* All three CA/CRL attributes share one loader; only the tag differs. */
    return process_option_ca_crl(context, plg_cryptoctx,
                                 req_cryptoctx, idopts,
                                 id_cryptoctx, value, catype);
}
799aa485da68fdaa1850eaf833ad108e5af82adbKonstantin Ananyev
/*
 * Load the configured identity and its trust material into id_cryptoctx.
 *
 * Resolves the identity named in idopts (idopts->identity, or failing that
 * the first entry of idopts->identity_alt that loads), loads its
 * certificates, selects the certificate to use (matched against princ when
 * do_matching is non-zero, otherwise the crypto layer's default), and then
 * feeds the anchor CA, intermediate CA, CRL and OCSP settings from idopts
 * through pkinit_identity_process_option() in that order.
 *
 * Returns 0 on success.  EINVAL when idopts or id_cryptoctx is NULL or when
 * no identity is configured at all; otherwise the first error reported by
 * option processing or the crypto layer.  When certificate selection fails
 * the cert info held in id_cryptoctx is released here before returning;
 * failures after that point do not release anything in this function.
 */
krb5_error_code
pkinit_identity_initialize(krb5_context context,
                           pkinit_plg_crypto_context plg_cryptoctx,
                           pkinit_req_crypto_context req_cryptoctx,
                           pkinit_identity_opts *idopts,
                           pkinit_identity_crypto_context id_cryptoctx,
                           int do_matching,
                           krb5_principal princ)
{
    krb5_error_code retval;
    int n;

    pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
    if (idopts == NULL || id_cryptoctx == NULL)
        return EINVAL;

    /*
     * An explicitly given identity wins (pkinit_identity in kdc.conf for
     * the KDC, X509_user_identity on the command line for users).  Without
     * one, walk the alternatives from the config file until one loads.
     */
    if (idopts->identity != NULL) {
        retval = pkinit_identity_process_option(context, plg_cryptoctx,
                                                req_cryptoctx, idopts,
                                                id_cryptoctx,
                                                PKINIT_ID_OPT_USER_IDENTITY,
                                                idopts->identity);
    } else if (idopts->identity_alt != NULL) {
        /*
         * Stop at the first alternative that succeeds.  Starting from EINVAL
         * means an empty list is reported as "nothing usable configured".
         */
        retval = EINVAL;
        for (n = 0; retval != 0 && idopts->identity_alt[n] != NULL; n++) {
            retval = pkinit_identity_process_option(context, plg_cryptoctx,
                                                    req_cryptoctx, idopts,
                                                    id_cryptoctx,
                                                    PKINIT_ID_OPT_USER_IDENTITY,
                                                    idopts->identity_alt[n]);
        }
    } else {
        pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
        return EINVAL;
    }
    if (retval)
        return retval;

    retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
                               idopts, id_cryptoctx, princ);
    if (retval)
        return retval;

    /* Pick the certificate to use: by principal match, or the default. */
    if (do_matching) {
        retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx,
                                      id_cryptoctx, princ);
        if (retval)
            pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
    } else {
        retval = crypto_cert_select_default(context, plg_cryptoctx,
                                            req_cryptoctx, id_cryptoctx);
        if (retval)
            pkiDebug("%s: Failed while selecting default certificate\n",
                     __FUNCTION__);
    }
    if (retval) {
        /* Selection failed: drop the loaded cert list before bailing out. */
        (void) crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
                                     id_cryptoctx);
        return retval;
    }

    retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
                                   id_cryptoctx);
    if (retval)
        return retval;

    /* Trust material: anchors, then intermediates, then CRLs.  Each list is
     * NULL-terminated and optional; the first failing entry aborts. */
    if (idopts->anchors != NULL) {
        for (n = 0; idopts->anchors[n] != NULL; n++) {
            retval = pkinit_identity_process_option(context, plg_cryptoctx,
                                                    req_cryptoctx, idopts,
                                                    id_cryptoctx,
                                                    PKINIT_ID_OPT_ANCHOR_CAS,
                                                    idopts->anchors[n]);
            if (retval)
                return retval;
        }
    }
    if (idopts->intermediates != NULL) {
        for (n = 0; idopts->intermediates[n] != NULL; n++) {
            retval = pkinit_identity_process_option(context, plg_cryptoctx,
                                                    req_cryptoctx, idopts,
                                                    id_cryptoctx,
                                                    PKINIT_ID_OPT_INTERMEDIATE_CAS,
                                                    idopts->intermediates[n]);
            if (retval)
                return retval;
        }
    }
    if (idopts->crls != NULL) {
        for (n = 0; idopts->crls[n] != NULL; n++) {
            retval = pkinit_identity_process_option(context, plg_cryptoctx,
                                                    req_cryptoctx, idopts,
                                                    id_cryptoctx,
                                                    PKINIT_ID_OPT_CRLS,
                                                    idopts->crls[n]);
            if (retval)
                return retval;
        }
    }

    /*
     * The option dispatcher answers ENOTSUP for PKINIT_ID_OPT_OCSP, so a
     * configured ocsp value currently makes initialization fail here.
     */
    if (idopts->ocsp != NULL) {
        retval = pkinit_identity_process_option(context, plg_cryptoctx,
                                                req_cryptoctx, idopts,
                                                id_cryptoctx,
                                                PKINIT_ID_OPT_OCSP,
                                                idopts->ocsp);
        if (retval)
            return retval;
    }

    return 0;
}
bb5e3b2f129cc39517b925419c22f69a378ec023eh
bb5e3b2f129cc39517b925419c22f69a378ec023eh