Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
ret = _kdc_pk_rd_padata(r, pa, &pkp);
if (ret || pkp == NULL) {
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ if (ret == HX509_CERT_REVOKED) {
+ ret = KRB5_KDC_ERR_CLIENT_NOT_TRUSTED;
+ } else {
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
_kdc_r_log(r, 4, "Failed to decode PKINIT PA-DATA -- %s",
r->cname);
goto out;
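Review bot: A revoked client certificate now falls through to the same `_kdc_r_log(r, 4, "Failed to decode PKINIT PA-DATA -- %s", r->cname)` call as a malformed PA-PK-AS-REQ, so the KDC log cannot distinguish revocation from a decode failure even though the returned error code now does. The log line is what an operator relies on to notice authentication attempts with a revoked certificate, so the new `if` branch should carry its own message, e.g. `_kdc_r_log(r, 4, "PKINIT client certificate revoked -- %s", r->cname);` with the existing message kept in the `else` branch. The enclosing function starts and ends outside the hunk. Note also that this mapping only becomes reachable through the revoke context attached in the later hunk (`hx509_verify_attach_revoke(cp->verify_ctx, kdc_identity->revokectx)`); if `kdc_identity->revokectx` can still be NULL at that point, it is worth confirming that hx509 tolerates a NULL context there rather than assuming it.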
hx509_verify_attach_anchors(cp->verify_ctx, trust_anchors);
hx509_certs_free(&trust_anchors);
+ hx509_verify_attach_revoke(cp->verify_ctx, kdc_identity->revokectx);
+
if (config->pkinit_allow_proxy_certs)
hx509_verify_set_proxy_certificate(cp->verify_ctx, 1);