From 38aa80e35b6b1e16b081fa9c005c03b1e6994204 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Kacper=20Bostr=C3=B6m?= Date: Thu, 5 May 2022 13:03:27 +0200 Subject: [PATCH] kdc: support pkinit_kdc_revoke for pkinit anchors Reviewed-by: Joseph Sutton --- kdc/kerberos5.c | 6 +++++- kdc/pkinit.c | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 36db57cb36..8a6add4d22 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -579,7 +579,11 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa) ret = _kdc_pk_rd_padata(r, pa, &pkp); if (ret || pkp == NULL) { - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + if (ret == HX509_CERT_REVOKED) { + ret = KRB5_KDC_ERR_CLIENT_NOT_TRUSTED; + } else { + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + } _kdc_r_log(r, 4, "Failed to decode PKINIT PA-DATA -- %s", r->cname); goto out; diff --git a/kdc/pkinit.c b/kdc/pkinit.c index 2779070a02..88aa2887fb 100644 --- a/kdc/pkinit.c +++ b/kdc/pkinit.c @@ -464,6 +464,8 @@ _kdc_pk_rd_padata(astgs_request_t priv, hx509_verify_attach_anchors(cp->verify_ctx, trust_anchors); hx509_certs_free(&trust_anchors); + hx509_verify_attach_revoke(cp->verify_ctx, kdc_identity->revokectx); + if (config->pkinit_allow_proxy_certs) hx509_verify_set_proxy_certificate(cp->verify_ctx, 1); -- 2.34.1