/*
 * Read the boolean KDC option OPTION for realm REALMNAME into *RET_VALUE.
 *
 * The option's text is fetched with pkinit_kdcdefault_string() and converted
 * with _krb5_conf_boolean(); the fetched string is released here.  If the
 * lookup fails for any reason (including the option simply being absent)
 * *RET_VALUE becomes DEFAULT_VALUE instead.
 *
 * Always returns 0: a missing or unparsable option is never an error to the
 * caller, so callers cannot tell "unset" from "set to the default".
 */
krb5_error_code
pkinit_kdcdefault_boolean(krb5_context context, const char *realmname,
			  const char *option, int default_value, int *ret_value)
{
    char *value = NULL;

    if (pkinit_kdcdefault_string(context, realmname, option, &value) != 0) {
	*ret_value = default_value;
	return 0;
    }

    /* NOTE(review): a lookup that succeeds but leaves VALUE NULL is handed
     * straight to _krb5_conf_boolean(); whether that helper tolerates NULL
     * is not visible here -- confirm. */
    *ret_value = _krb5_conf_boolean(value);
    free(value);
    return 0;
}
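/*
 * Read the integer KDC option OPTION for realm REALMNAME into *RET_VALUE.
 *
 * The option's text is fetched with pkinit_kdcdefault_string() and parsed
 * with strtol() in base 0 (decimal, or 0x.../0... prefixed hex/octal).
 * *RET_VALUE is set to DEFAULT_VALUE when
 *   - the lookup fails or yields NULL,
 *   - the string holds no digits at all,
 *   - anything other than trailing blanks follows the number, or
 *   - the number overflows a long (ERANGE) or does not fit in an int
 *     (the previous version truncated long to int silently, so e.g. a
 *     pkinit_dh_min_bits of 4294968320 quietly became 1024 on LP64).
 * A rejected value is reported through pkiDebug() so a misconfiguration is
 * at least visible in the KDC debug log.
 *
 * Always returns 0; a bad or missing option is never an error to the caller.
 */
krb5_error_code
pkinit_kdcdefault_integer(krb5_context context, const char *realmname,
			  const char *option, int default_value, int *ret_value)
{
    char *string = NULL;
    char *endptr = NULL;
    long l;
    krb5_error_code retval;

    *ret_value = default_value;

    retval = pkinit_kdcdefault_string(context, realmname, option, &string);
    if (retval != 0 || string == NULL)
	return 0;

    errno = 0;
    l = strtol(string, &endptr, 0);

    /* Tolerate trailing blanks, but nothing else after the number. */
    while (*endptr == ' ' || *endptr == '\t')
	endptr++;

    /* The (long)(int) round trip relies on the usual truncating long->int
     * conversion (implementation-defined, not undefined) to detect a value
     * outside int's range without needing INT_MIN/INT_MAX. */
    if (endptr == string || *endptr != '\0' || errno == ERANGE
	|| (long)(int)l != l) {
	pkiDebug("%s: invalid value '%s' for %s, using default value (%d) "
		 "instead\n", __FUNCTION__, string, option, default_value);
    } else {
	*ret_value = (int)l;
    }

    free(string);
    return 0;
}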
/*
 * Populate PLGCTX from the per-realm PKINIT options of the KDC profile.
 *
 * Mandatory options -- each yields EINVAL plus an error message if the
 * lookup fails or returns NULL, after which the half-built profile is
 * released with pkinit_fini_kdc_profile():
 *   pkinit_identity -> idopts->identity
 *   pkinit_anchors  -> idopts->anchors
 *
 * Optional options -- a failed lookup is deliberately ignored and leaves
 * the target field as it was:
 *   pkinit_pool, pkinit_revoke, pkinit_kdc_ocsp, pkinit_mappings_file,
 *   pkinit_dh_min_bits (defaults to PKINIT_DEFAULT_DH_MIN_BITS; any value
 *   below 1024 is rejected and replaced by that default),
 *   pkinit_allow_upn and pkinit_require_crl_checking (both default to 0),
 *   pkinit_eku_checking.
 *
 * pkinit_eku_checking is matched case-insensitively against "kpClientAuth"
 * (require_eku=1, accept_secondary_eku=0), "scLogin" (1, 1) and "none"
 * (0, 0).  Any other spelling is only reported through pkiDebug() and the
 * two flags keep whatever value they already had -- a typo in this policy
 * knob is not an error and is easy to miss.
 *
 * Returns 0 on success, EINVAL when a mandatory option is missing.
 */
static krb5_error_code
pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
{
    /* Recognised pkinit_eku_checking values and the flags each one sets. */
    static const struct {
	const char *name;
	int require_eku;
	int accept_secondary_eku;
    } eku_modes[] = {
	{ "kpClientAuth", 1, 0 },
	{ "scLogin",      1, 1 },
	{ "none",         0, 0 },
    };
    krb5_error_code retval;
    const char *realm = plgctx->realmname;
    char *eku_value = NULL;
    size_t i;

    pkiDebug("%s: entered for realm %s\n", __FUNCTION__, realm);

    /* Mandatory: the KDC's own identity. */
    retval = pkinit_kdcdefault_string(context, realm, "pkinit_identity",
				      &plgctx->idopts->identity);
    if (retval != 0 || plgctx->idopts->identity == NULL) {
	retval = EINVAL;
	krb5_set_error_message(context, retval,
			       "No pkinit_identity supplied for realm %s",
			       realm);
	goto errout;
    }

    /* Mandatory: the trust anchors client certificates are chained to. */
    retval = pkinit_kdcdefault_strings(context, realm, "pkinit_anchors",
				       &plgctx->idopts->anchors);
    if (retval != 0 || plgctx->idopts->anchors == NULL) {
	retval = EINVAL;
	krb5_set_error_message(context, retval,
			       "No pkinit_anchors supplied for realm %s",
			       realm);
	goto errout;
    }

    /* Optional identity-related settings; lookup failures are ignored. */
    pkinit_kdcdefault_strings(context, realm, "pkinit_pool",
			      &plgctx->idopts->intermediates);
    pkinit_kdcdefault_strings(context, realm, "pkinit_revoke",
			      &plgctx->idopts->crls);
    pkinit_kdcdefault_string(context, realm, "pkinit_kdc_ocsp",
			     &plgctx->idopts->ocsp);
    pkinit_kdcdefault_string(context, realm, "pkinit_mappings_file",
			     &plgctx->idopts->dn_mapping_file);

    /* Minimum DH modulus size; anything under 1024 bits is not honoured. */
    pkinit_kdcdefault_integer(context, realm, "pkinit_dh_min_bits",
			      PKINIT_DEFAULT_DH_MIN_BITS,
			      &plgctx->opts->dh_min_bits);
    if (plgctx->opts->dh_min_bits < 1024) {
	pkiDebug("%s: invalid value (%d) for pkinit_dh_min_bits, "
		 "using default value (%d) instead\n", __FUNCTION__,
		 plgctx->opts->dh_min_bits, PKINIT_DEFAULT_DH_MIN_BITS);
	plgctx->opts->dh_min_bits = PKINIT_DEFAULT_DH_MIN_BITS;
    }

    /* Boolean policy switches, both off unless the profile says otherwise. */
    pkinit_kdcdefault_boolean(context, realm, "pkinit_allow_upn",
			      0, &plgctx->opts->allow_upn);
    pkinit_kdcdefault_boolean(context, realm, "pkinit_require_crl_checking",
			      0, &plgctx->opts->require_crl_checking);

    /* EKU policy: first table entry that matches wins; no match, no change. */
    pkinit_kdcdefault_string(context, realm, "pkinit_eku_checking",
			     &eku_value);
    if (eku_value != NULL) {
	int matched = 0;

	for (i = 0; i < sizeof(eku_modes) / sizeof(eku_modes[0]); i++) {
	    if (strcasecmp(eku_value, eku_modes[i].name) == 0) {
		plgctx->opts->require_eku = eku_modes[i].require_eku;
		plgctx->opts->accept_secondary_eku =
		    eku_modes[i].accept_secondary_eku;
		matched = 1;
		break;
	    }
	}
	if (!matched)
	    pkiDebug("%s: Invalid value for pkinit_eku_checking: '%s'\n",
		     __FUNCTION__, eku_value);
	free(eku_value);
    }

    return 0;

errout:
    pkinit_fini_kdc_profile(context, plgctx);
    return retval;
}
/*
 * Store one pkinit_eku_checking policy in the realm's option block:
 * REQUIRE_EKU and ACCEPT_SECONDARY_EKU are written as given.
 */
static void
apply_eku_policy(pkinit_kdc_context plgctx, int require_eku,
		 int accept_secondary_eku)
{
    plgctx->opts->require_eku = require_eku;
    plgctx->opts->accept_secondary_eku = accept_secondary_eku;
}

/*
 * Populate PLGCTX from the per-realm PKINIT options of the KDC profile,
 * looked up under the KRB5_CONF_PKINIT_* names.
 *
 * Mandatory options -- each yields EINVAL plus an error message if the
 * lookup fails or returns NULL, after which the half-built profile is
 * released with pkinit_fini_kdc_profile():
 *   KRB5_CONF_PKINIT_IDENTITY -> idopts->identity
 *   KRB5_CONF_PKINIT_ANCHORS  -> idopts->anchors
 *
 * Optional options -- a failed lookup is deliberately ignored and leaves
 * the target field as it was:
 *   KRB5_CONF_PKINIT_POOL, _REVOKE, _KDC_OCSP, _MAPPING_FILE,
 *   KRB5_CONF_PKINIT_DH_MIN_BITS (defaults to PKINIT_DEFAULT_DH_MIN_BITS;
 *   a configured floor below that default is rejected and replaced by it),
 *   KRB5_CONF_PKINIT_ALLOW_UPN and _REQUIRE_CRL_CHECKING (default 0),
 *   KRB5_CONF_PKINIT_EKU_CHECKING.
 *
 * The EKU setting is matched case-insensitively against "kpClientAuth"
 * (require_eku=1, accept_secondary_eku=0), "scLogin" (1, 1) and "none"
 * (0, 0).  Any other spelling is only reported through pkiDebug() and the
 * two flags keep whatever value they already had -- a typo in this policy
 * knob is not an error and is easy to miss.
 *
 * Returns 0 on success, EINVAL when a mandatory option is missing.
 */
static krb5_error_code
pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
{
    krb5_error_code retval = 0;
    const char *realm = plgctx->realmname;
    char *eku_value = NULL;

    pkiDebug("%s: entered for realm %s\n", __FUNCTION__, realm);

    /* Mandatory: the KDC's own identity. */
    if (pkinit_kdcdefault_string(context, realm, KRB5_CONF_PKINIT_IDENTITY,
				 &plgctx->idopts->identity) != 0
	|| plgctx->idopts->identity == NULL) {
	retval = EINVAL;
	krb5_set_error_message(context, retval,
			       "No pkinit_identity supplied for realm %s",
			       realm);
	goto errout;
    }

    /* Mandatory: the trust anchors client certificates are chained to. */
    if (pkinit_kdcdefault_strings(context, realm, KRB5_CONF_PKINIT_ANCHORS,
				  &plgctx->idopts->anchors) != 0
	|| plgctx->idopts->anchors == NULL) {
	retval = EINVAL;
	krb5_set_error_message(context, retval,
			       "No pkinit_anchors supplied for realm %s",
			       realm);
	goto errout;
    }

    /* Optional identity-related settings; lookup failures are ignored. */
    pkinit_kdcdefault_strings(context, realm, KRB5_CONF_PKINIT_POOL,
			      &plgctx->idopts->intermediates);
    pkinit_kdcdefault_strings(context, realm, KRB5_CONF_PKINIT_REVOKE,
			      &plgctx->idopts->crls);
    pkinit_kdcdefault_string(context, realm, KRB5_CONF_PKINIT_KDC_OCSP,
			     &plgctx->idopts->ocsp);
    pkinit_kdcdefault_string(context, realm, KRB5_CONF_PKINIT_MAPPING_FILE,
			     &plgctx->idopts->dn_mapping_file);

    /* Minimum DH modulus size; a floor below the built-in default is
     * not honoured. */
    pkinit_kdcdefault_integer(context, realm, KRB5_CONF_PKINIT_DH_MIN_BITS,
			      PKINIT_DEFAULT_DH_MIN_BITS,
			      &plgctx->opts->dh_min_bits);
    if (plgctx->opts->dh_min_bits < PKINIT_DEFAULT_DH_MIN_BITS) {
	pkiDebug("%s: invalid value (%d) for pkinit_dh_min_bits, "
		 "using default value (%d) instead\n", __FUNCTION__,
		 plgctx->opts->dh_min_bits, PKINIT_DEFAULT_DH_MIN_BITS);
	plgctx->opts->dh_min_bits = PKINIT_DEFAULT_DH_MIN_BITS;
    }

    /* Boolean policy switches, both off unless the profile says otherwise. */
    pkinit_kdcdefault_boolean(context, realm, KRB5_CONF_PKINIT_ALLOW_UPN,
			      0, &plgctx->opts->allow_upn);
    pkinit_kdcdefault_boolean(context, realm,
			      KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
			      0, &plgctx->opts->require_crl_checking);

    /* EKU policy; absent means "leave the flags as they are". */
    pkinit_kdcdefault_string(context, realm, KRB5_CONF_PKINIT_EKU_CHECKING,
			     &eku_value);
    if (eku_value == NULL)
	return 0;

    if (strcasecmp(eku_value, "kpClientAuth") == 0)
	apply_eku_policy(plgctx, 1, 0);
    else if (strcasecmp(eku_value, "scLogin") == 0)
	apply_eku_policy(plgctx, 1, 1);
    else if (strcasecmp(eku_value, "none") == 0)
	apply_eku_policy(plgctx, 0, 0);
    else
	pkiDebug("%s: Invalid value for pkinit_eku_checking: '%s'\n",
		 __FUNCTION__, eku_value);
    free(eku_value);
    return 0;

errout:
    pkinit_fini_kdc_profile(context, plgctx);
    return retval;
}