- Add switch to select friendly_name of the certificate.
authorLove Hörnquist Åstrand <lha@kth.se>
Mon, 15 Dec 2008 04:31:32 +0000 (04:31 +0000)
committerLove Hörnquist Åstrand <lha@kth.se>
Mon, 15 Dec 2008 04:31:32 +0000 (04:31 +0000)
- Use HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH, since some CMS implementations get the OID
wrong when they do EnvelopedData.
- Use HX509_CMS_EV_NO_KU_CHECK, since some clients send certs that are
not enveloped certs.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24196 ec53bebd-3082-4978-b11e-865c3cabbd6b

kdc/pkinit.c

index 3dadfbb01be01c629dbb989182d7d689f0997496..7ae590945b09c3e38929513a2b594e1cba106071 100644 (file)
@@ -527,6 +527,7 @@ _kdc_pk_rd_padata(krb5_context context,
 
        ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
                                      kdc_identity->verify_ctx,
+                                     HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH,
                                      signed_content.data,
                                      signed_content.length,
                                      NULL,
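Review bot: Passing HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH here relaxes the eContentType check on the client's SignedData for every request, not only for the broken CMS implementations the commit message names, and nothing at the call site records why the check is loosened. A one-line comment above the call would keep the reason next to the code, e.g. `/* ALLOW_DATA_OID_MISMATCH: some CMS implementations put the wrong eContentType OID in SignedData (see commit log) */`. Whether the expected content type is still checked by the caller after verification cannot be seen from this hunk. `_kdc_pk_rd_padata` begins and ends outside the hunk.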
@@ -793,7 +794,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
            goto out;
        
        hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
-       hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+       if (config->pkinit_kdc_friendly_name)
+           hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
        
        ret = hx509_certs_find(kdc_identity->hx509ctx,
                               kdc_identity->certs,
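Review bot: Replacing the HX509_QUERY_OPTION_KU_DIGITALSIGNATURE match with a friendly-name match changes which KDC certificate is selected: when `config->pkinit_kdc_friendly_name` is unset, the query now matches any certificate with a private key regardless of its keyUsage, and the commit message only describes adding the friendly-name switch, not dropping the digitalSignature requirement. If the KU requirement is still wanted, keep both criteria: `hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);` followed by the new `if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);`; if dropping it is deliberate, a comment saying so would help the next reader. The same replacement appears in the hunks ending at L60 and L79. This hunk does not add `config` to `pk_mk_pa_reply_enckey`, so presumably it was already a parameter; the function's signature and end are outside the hunk.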
@@ -832,7 +834,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
     }
 
     ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
-                              0,
+                              HX509_CMS_EV_NO_KU_CHECK,
                               client_params->cert,
                               signed_data.data, signed_data.length,
                               envelopedAlg,
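Review bot: HX509_CMS_EV_NO_KU_CHECK disables the key-usage check on `client_params->cert`, which is the certificate the client presented, so the reply key is now enveloped to a client certificate whose keyUsage may not permit key encipherment. The commit message gives the interoperability reason but the call does not; a short comment above the call, e.g. `/* NO_KU_CHECK: some clients present certs whose keyUsage lacks keyEncipherment (see commit log) */`, would document the relaxed check where it happens. `pk_mk_pa_reply_enckey` begins and ends outside the hunk.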
@@ -861,6 +863,7 @@ out:
 
 static krb5_error_code
 pk_mk_pa_reply_dh(krb5_context context,
+                 krb5_kdc_configuration *config,
                   DH *kdc_dh,
                  pk_client_params *client_params,
                   krb5_keyblock *reply_key,
@@ -924,7 +927,8 @@ pk_mk_pa_reply_dh(krb5_context context,
            goto out;
        
        hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
-       hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+       if (config->pkinit_kdc_friendly_name)
+           hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
        
        ret = hx509_certs_find(kdc_identity->hx509ctx,
                               kdc_identity->certs,
@@ -1071,7 +1075,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
            if (ret)
                return ret;
 
-           ret = pk_mk_pa_reply_dh(context, client_params->dh,
+           ret = pk_mk_pa_reply_dh(context, config, client_params->dh,
                                    client_params,
                                    &client_params->reply_key,
                                    &info,
@@ -1641,7 +1645,8 @@ _kdc_pk_initialize(krb5_context context,
        }
        
        hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
-       hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+       if (config->pkinit_kdc_friendly_name)
+           hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
        
        ret = hx509_certs_find(kdc_identity->hx509ctx,
                               kdc_identity->certs,