ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
kdc_identity->verify_ctx,
+ HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH,
signed_content.data,
signed_content.length,
NULL,
goto out;
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
- hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+ if (config->pkinit_kdc_friendly_name)
+ hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
ret = hx509_certs_find(kdc_identity->hx509ctx,
kdc_identity->certs,
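Review bot: Dropping `hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE)` leaves the certificate query restricted only by `HX509_QUERY_OPTION_PRIVATE_KEY` whenever `config->pkinit_kdc_friendly_name` is NULL, so `hx509_certs_find` may now return any certificate with a private key rather than one marked for signing; the two later hunks that make the same substitution (the one inside `pk_mk_pa_reply_dh` and the last one in this diff) share the issue. Keeping the key-usage match as the fallback, `else hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);`, preserves the previous selection when no friendly name is configured. When a friendly name is configured, a name match does not by itself assert anything about key usage, so a comment above the new `if` such as `/* friendly name picks the KDC signing cert; KU is intentionally not matched */` would make that contract explicit for the next maintainer. The enclosing function starts and ends outside this hunk.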
}
ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
- 0,
+ HX509_CMS_EV_NO_KU_CHECK,
client_params->cert,
signed_data.data, signed_data.length,
envelopedAlg,
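Review bot: `HX509_CMS_EV_NO_KU_CHECK` disables the key-usage check on `client_params->cert` when the reply key is enveloped, and nothing in the hunk records why the check that `0` previously left enabled is now skipped. A one-line comment above the call, e.g. `/* NO_KU_CHECK: accept client certs lacking keyEncipherment — rationale: <fill in> */`, would keep the relaxation from being read as an oversight later. If the client certificate is relied on having been validated earlier in the request path, which I infer but cannot see here, the comment should name that check so the trust assumption behind the envelope step stays traceable. The enclosing function starts and ends outside this hunk.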
static krb5_error_code
pk_mk_pa_reply_dh(krb5_context context,
+ krb5_kdc_configuration *config,
DH *kdc_dh,
pk_client_params *client_params,
krb5_keyblock *reply_key,
goto out;
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
- hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+ if (config->pkinit_kdc_friendly_name)
+ hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
ret = hx509_certs_find(kdc_identity->hx509ctx,
kdc_identity->certs,
if (ret)
return ret;
- ret = pk_mk_pa_reply_dh(context, client_params->dh,
+ ret = pk_mk_pa_reply_dh(context, config, client_params->dh,
client_params,
&client_params->reply_key,
&info,
}
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
- hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+ if (config->pkinit_kdc_friendly_name)
+ hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
ret = hx509_certs_find(kdc_identity->hx509ctx,
kdc_identity->certs,