static krb5_error_code pkinit_identity_process_option(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, pkinit_req_crypto_context req_cryptoctx, pkinit_identity_opts *idopts, pkinit_identity_crypto_context id_cryptoctx, int attr, const char *value) { krb5_error_code retval = 0; switch (attr) { case PKINIT_ID_OPT_USER_IDENTITY: retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, value); break; case PKINIT_ID_OPT_ANCHOR_CAS: retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, value, CATYPE_ANCHORS); break; case PKINIT_ID_OPT_INTERMEDIATE_CAS: retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, value, CATYPE_INTERMEDIATES); break; case PKINIT_ID_OPT_CRLS: retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, value, CATYPE_CRLS); break; case PKINIT_ID_OPT_OCSP: retval = ENOTSUP; break; default: retval = EINVAL; break; } return retval; }
krb5_error_code pkinit_identity_initialize(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, pkinit_req_crypto_context req_cryptoctx, pkinit_identity_opts *idopts, pkinit_identity_crypto_context id_cryptoctx, int do_matching, krb5_principal princ) { krb5_error_code retval = EINVAL; int i; pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx); if (!(princ && krb5_principal_compare_any_realm (context, princ, krb5_anonymous_principal()))) { if (idopts == NULL || id_cryptoctx == NULL) goto errout; /* * If identity was specified, use that. (For the kdc, this * is specified as pkinit_identity in the kdc.conf. For users, * this is specified on the command line via X509_user_identity.) * If a user did not specify identity on the command line, * then we will try alternatives which may have been specified * in the config file. */ if (idopts->identity != NULL) { retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->identity); } else if (idopts->identity_alt != NULL) { for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) { retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->identity_alt[i]); } } else { pkiDebug("%s: no user identity options specified\n", __FUNCTION__); goto errout; } if (retval) goto errout; retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, princ); if (retval) goto errout; if (do_matching) { retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx, princ); if (retval) { pkiDebug("%s: No matching certificate found\n", __FUNCTION__); crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx); goto errout; } } else { /* Tell crypto code to use the "default" */ retval = crypto_cert_select_default(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx); if (retval) { pkiDebug("%s: Failed while selecting default certificate\n", __FUNCTION__); crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx); goto errout; } } retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx); if (retval) goto errout; } /* Not anonymous principal */ for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) { retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->anchors[i], CATYPE_ANCHORS); if (retval) goto errout; } for (i = 0; idopts->intermediates != NULL && idopts->intermediates[i] != NULL; i++) { retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->intermediates[i], CATYPE_INTERMEDIATES); if (retval) goto errout; } for (i = 0; idopts->crls != NULL && idopts->crls[i] != NULL; i++) { retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->crls[i], CATYPE_CRLS); if (retval) goto errout; } if (idopts->ocsp != NULL) { retval = ENOTSUP; goto errout; } errout: return retval; }