kdc: support pkinit_kdc_revoke for pkinit anchors

Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 36db57cb36a5790487487654349bbfbff3de6b35..8a6add4d22c38ee90ab735cc7cd62dc35fb85227 100644 (file)
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -579,7 +579,11 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
 
     ret = _kdc_pk_rd_padata(r, pa, &pkp);
     if (ret || pkp == NULL) {
-       ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+       if (ret == HX509_CERT_REVOKED) {
+           ret = KRB5_KDC_ERR_CLIENT_NOT_TRUSTED;      
+       } else {
+           ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+       }
        _kdc_r_log(r, 4, "Failed to decode PKINIT PA-DATA -- %s",
                   r->cname);
        goto out;

diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 2779070a02c0cb8b2a247352e9b448ea63d2e891..88aa2887fb7f7ee915395ffd2c7be1122f84774c 100644 (file)
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -464,6 +464,8 @@ _kdc_pk_rd_padata(astgs_request_t priv,
     hx509_verify_attach_anchors(cp->verify_ctx, trust_anchors);
     hx509_certs_free(&trust_anchors);
 
+    hx509_verify_attach_revoke(cp->verify_ctx, kdc_identity->revokectx);
+
     if (config->pkinit_allow_proxy_certs)
        hx509_verify_set_proxy_certificate(cp->verify_ctx, 1);