authorGreg Hudson <ghudson@mit.edu>2012-04-26 21:46:57 +0000
committerGreg Hudson <ghudson@mit.edu>2012-04-26 21:46:57 +0000
commit7150b8eab9fb4bf643dd1a7ac4f5be3ca455dfcb (patch)
tree4134a3be28c14b2357f3b8811abd61cb8329a809 /src/kdc
parent7385d4bc68f58a766e5a7dcc17ce4aba2acaf2af (diff)
Remove orphaned Apple PKINIT support
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/do_as_req.c21
-rw-r--r--src/kdc/kdc_preauth.c505
-rw-r--r--src/kdc/pkinit_apple_server.c241
-rw-r--r--src/kdc/pkinit_server.h112
4 files changed, 0 insertions, 879 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 9234924b91..979239e5f6 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -73,15 +73,6 @@
#include "adm_proto.h"
#include "extern.h"
-#if APPLE_PKINIT
-#define AS_REQ_DEBUG 0
-#if AS_REQ_DEBUG
-#define asReqDebug(args...) printf(args)
-#else
-#define asReqDebug(args...)
-#endif
-#endif /* APPLE_PKINIT */
-
static krb5_error_code
prepare_error_as(struct kdc_request_state *, krb5_kdc_req *,
int, krb5_pa_data **, krb5_boolean, krb5_principal,
@@ -254,13 +245,6 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
goto egress;
}
-#if APPLE_PKINIT
- asReqDebug("process_as_req reply realm %s name %s\n",
- reply.client->realm.data, reply.client->data->data);
-#endif /* APPLE_PKINIT */
-
-
-
errcode = handle_authdata(kdc_context,
state->c_flags,
state->client,
@@ -475,11 +459,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->req_pkt = req_pkt;
state->from = from;
-#if APPLE_PKINIT
- asReqDebug("process_as_req top realm %s name %s\n",
- request->client->realm.data, request->client->data->data);
-#endif /* APPLE_PKINIT */
-
if (state->request->msg_type != KRB5_AS_REQ) {
state->status = "msg_type mismatch";
errcode = KRB5_BADMSGTYPE;
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 31c2e144cd..7cc0ccb28a 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -81,10 +81,6 @@
#include "extern.h"
#include <stdio.h>
#include "adm_proto.h"
-#if APPLE_PKINIT
-#include "pkinit_server.h"
-#include "pkinit_cert_store.h"
-#endif /* APPLE_PKINIT */
#include <syslog.h>
@@ -149,58 +145,8 @@ return_pw_salt(krb5_context, krb5_pa_data *padata,
krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq);
-#if APPLE_PKINIT
-/* PKINIT preauth support */
-static krb5_error_code get_pkinit_edata(
- krb5_context context,
- krb5_kdc_req *request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- krb5_pa_data *pa_data);
-static krb5_error_code verify_pkinit_request(
- krb5_context context,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data);
-static krb5_error_code return_pkinit_response(
- krb5_context context,
- krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- void **pa_request_context);
-#endif /* APPLE_PKINIT */
static preauth_system static_preauth_systems[] = {
-#if APPLE_PKINIT
- {
- "pkinit",
- KRB5_PADATA_PK_AS_REQ,
- PA_SUFFICIENT,
- NULL, /* pa_sys_context */
- NULL, /* init */
- NULL, /* fini */
- get_pkinit_edata,
- verify_pkinit_request,
- return_pkinit_response,
- NULL /* free_modreq */
- },
-#endif /* APPLE_PKINIT */
{
"FAST",
KRB5_PADATA_FX_FAST,
@@ -1646,457 +1592,6 @@ cleanup:
return retval;
}
-
-
-#if APPLE_PKINIT
-/* PKINIT preauth support */
-#define PKINIT_DEBUG 0
-#if PKINIT_DEBUG
-#define kdcPkinitDebug(args...) printf(args)
-#else
-#define kdcPkinitDebug(args...)
-#endif
-
-/*
- * get_edata() - our only job is to determine whether this KDC is capable of
- * performing PKINIT. We infer that from the presence or absence of any
- * KDC signing cert.
- */
-static krb5_error_code get_pkinit_edata(
- krb5_context context,
- krb5_kdc_req *request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- preauth_get_entry_data_proc pkinit_get_entry_data,
- void *pa_module_context,
- krb5_pa_data *pa_data)
-{
- krb5_pkinit_signing_cert_t cert = NULL;
- krb5_error_code err = krb5_pkinit_get_kdc_cert(0, NULL, NULL, &cert);
-
- kdcPkinitDebug("get_pkinit_edata: kdc cert %s\n", err ? "NOT FOUND" : "FOUND");
- if(cert) {
- krb5_pkinit_release_cert(cert);
- }
- return err;
-}
-
-/*
- * This is 0 only for testing until the KDC DB contains
- * the hash of the client cert
- */
-#define REQUIRE_CLIENT_CERT_MATCH 1
-
-static krb5_error_code verify_pkinit_request(
- krb5_context context,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- preauth_get_entry_data_proc pkinit_get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data)
-{
- krb5_error_code krtn;
- krb5_data pa_data;
- krb5_data *der_req = NULL;
- krb5_boolean valid_cksum;
- char *cert_hash = NULL;
- unsigned cert_hash_len;
- unsigned key_dex;
- unsigned cert_match = 0;
- krb5_keyblock decrypted_key, *mkey_ptr;
-
- /* the data we get from the AS-REQ */
- krb5_timestamp client_ctime = 0;
- krb5_ui_4 client_cusec = 0;
- krb5_timestamp kdc_ctime = 0;
- krb5_int32 kdc_cusec = 0;
- krb5_ui_4 nonce = 0;
- krb5_checksum pa_cksum;
- krb5int_cert_sig_status cert_sig_status;
- krb5_data client_cert = {0, 0, NULL};
-
- krb5_kdc_req *tmp_as_req = NULL;
-
- kdcPkinitDebug("verify_pkinit_request\n");
-
- decrypted_key.contents = NULL;
- pa_data.data = (char *)data->contents;
- pa_data.length = data->length;
- krtn = krb5int_pkinit_as_req_parse(context, &pa_data,
- &client_ctime, &client_cusec,
- &nonce, &pa_cksum,
- &cert_sig_status,
- NULL, NULL,/* num_cms_types, cms_types */
- &client_cert, /* signer_cert */
- /* remaining fields unused (for now) */
- NULL, NULL,/* num_all_certs, all_certs */
- NULL, NULL,/* num_trusted_CAs, trusted_CAs */
- NULL); /* kdc_cert */
- if(krtn) {
- kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n",
- (int)krtn);
- return krtn;
- }
-#if PKINIT_DEBUG
- if(cert_sig_status != pki_cs_good) {
- kdcPkinitDebug("verify_pkinit_request: cert_sig_status %d\n",
- (int)cert_sig_status);
- }
-#endif /* PKINIT_DEBUG */
-
- /*
- * Verify signature and cert.
- * FIXME: The spec calls for an e-data with error-specific type to be
- * returned on error here. TD_TRUSTED_CERTIFIERS
- * to be returned to the client here. There is no way for a preauth
- * module to pass back e-data to process_as_req at this time. We
- * might want to add such capability via an out param to check_padata
- * and to its callees.
- */
- switch(cert_sig_status) {
- case pki_cs_good:
- break;
- case pki_cs_sig_verify_fail:
- /* no e-data */
- krtn = KDC_ERR_INVALID_SIG;
- goto cleanup;
- case pki_cs_no_root:
- case pki_cs_unknown_root:
- case pki_cs_untrusted:
- /*
- * Can't verify to known root.
- * e-data TD_TRUSTED_CERTIFIERS
- */
- kdcPkinitDebug("verify_pkinit_request: KDC_ERR_CANT_VERIFY_CERTIFICATE\n");
- krtn = KDC_ERR_CANT_VERIFY_CERTIFICATE;
- goto cleanup;
- case pki_cs_bad_leaf:
- case pki_cs_expired:
- case pki_cs_not_valid_yet:
- /*
- * Problems with client cert itself.
- * e-data type TD_INVALID_CERTIFICATES
- */
- krtn = KDC_ERR_INVALID_CERTIFICATE;
- goto cleanup;
- case pki_cs_revoked:
- /* e-data type TD-INVALID-CERTIFICATES */
- krtn = KDC_ERR_REVOKED_CERTIFICATE;
- goto cleanup;
- case pki_bad_key_use:
- krtn = KDC_ERR_INCONSISTENT_KEY_PURPOSE;
- /* no e-data */
- goto cleanup;
- case pki_bad_digest:
- /* undefined (explicitly!) e-data */
- krtn = KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
- goto cleanup;
- case pki_bad_cms:
- case pki_cs_other_err:
- default:
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto cleanup;
- }
-
- krtn = krb5_us_timeofday(context, &kdc_ctime, &kdc_cusec);
- if(krtn) {
- goto cleanup;
- }
- if (labs(kdc_ctime - client_ctime) > context->clockskew) {
- kdcPkinitDebug("verify_pkinit_request: clock skew violation client %d svr %d\n",
- (int)client_ctime, (int)kdc_ctime);
- krtn = KRB5KRB_AP_ERR_SKEW;
- goto cleanup;
- }
-
- /*
- * The KDC may have modified the request after decoding it.
- * We need to compute the checksum on the data that
- * came from the client. Therefore, we use the original
- * packet contents.
- */
- krtn = decode_krb5_as_req(req_pkt, &tmp_as_req);
- if(krtn) {
- kdcPkinitDebug("decode_krb5_as_req returned %d\n", (int)krtn);
- goto cleanup;
- }
-
- /* calculate and compare checksum */
- krtn = encode_krb5_kdc_req_body(tmp_as_req, &der_req);
- if(krtn) {
- kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn);
- goto cleanup;
- }
- krtn = krb5_c_verify_checksum(context, NULL, 0, der_req,
- &pa_cksum, &valid_cksum);
- if(krtn) {
- kdcPkinitDebug("krb5_c_verify_checksum returned %d\n", (int)krtn);
- goto cleanup;
- }
- if(!valid_cksum) {
- kdcPkinitDebug("verify_pkinit_request: checksum error\n");
- krtn = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- goto cleanup;
- }
-
-#if REQUIRE_CLIENT_CERT_MATCH
- /* look up in the KDB to ensure correct client/cert binding */
- cert_hash = krb5_pkinit_cert_hash_str(&client_cert);
- if(cert_hash == NULL) {
- krtn = ENOMEM;
- goto cleanup;
- }
- cert_hash_len = strlen(cert_hash);
- for(key_dex=0; key_dex<client->n_key_data; key_dex++) {
- krb5_key_data *key_data = &client->key_data[key_dex];
- kdcPkinitDebug("--- key %u type[0] %u length[0] %u type[1] %u length[1] %u\n",
- key_dex,
- key_data->key_data_type[0], key_data->key_data_length[0],
- key_data->key_data_type[1], key_data->key_data_length[1]);
- if(key_data->key_data_type[1] != KRB5_KDB_SALTTYPE_CERTHASH) {
- continue;
- }
-
- /*
- * Unfortunately this key is stored encrypted even though it's
- * not sensitive...
- */
- krtn = krb5_dbe_decrypt_key_data(context, NULL, key_data,
- &decrypted_key, NULL);
- if(krtn) {
- kdcPkinitDebug("verify_pkinit_request: error decrypting cert hash block\n");
- break;
- }
- if((decrypted_key.contents != NULL) &&
- (cert_hash_len == decrypted_key.length) &&
- !memcmp(decrypted_key.contents, cert_hash, cert_hash_len)) {
- cert_match = 1;
- break;
- }
- }
- if(decrypted_key.contents) {
- krb5_free_keyblock_contents(context, &decrypted_key);
- }
- if(!cert_match) {
- kdcPkinitDebug("verify_pkinit_request: client cert does not match\n");
- krtn = KDC_ERR_CLIENT_NOT_TRUSTED;
- goto cleanup;
- }
-#endif /* REQUIRE_CLIENT_CERT_MATCH */
- krtn = 0;
- setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH);
-
-cleanup:
- if(pa_cksum.contents) {
- free(pa_cksum.contents);
- }
- if (tmp_as_req) {
- krb5_free_kdc_req(context, tmp_as_req);
- }
- if (der_req) {
- krb5_free_data(context, der_req);
- }
- if(cert_hash) {
- free(cert_hash);
- }
- if(client_cert.data) {
- free(client_cert.data);
- }
- kdcPkinitDebug("verify_pkinit_request: returning %d\n", (int)krtn);
- return krtn;
-}
-
-static krb5_error_code return_pkinit_response(
- krb5_context context,
- krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc pkinit_get_entry_data,
- void *pa_module_context,
- void **pa_request_context)
-{
- krb5_error_code krtn;
- krb5_data pa_data;
- krb5_pkinit_signing_cert_t signing_cert = NULL;
- krb5_checksum as_req_checksum = {0};
- krb5_data *encoded_as_req = NULL;
- krb5int_algorithm_id *cms_types = NULL;
- krb5_ui_4 num_cms_types = 0;
-
- /* the data we get from the AS-REQ */
- krb5_ui_4 nonce = 0;
- krb5_data client_cert = {0};
-
- /*
- * Trusted CA list and specific KC cert optionally obtained via
- * krb5int_pkinit_as_req_parse(). All are DER-encoded
- * issuerAndSerialNumbers.
- */
- krb5_data *trusted_CAs = NULL;
- krb5_ui_4 num_trusted_CAs;
- krb5_data kdc_cert = {0};
-
- if (padata == NULL) {
- /* Client has to send us something */
- return 0;
- }
-
- kdcPkinitDebug("return_pkinit_response\n");
- pa_data.data = (char *)padata->contents;
- pa_data.length = padata->length;
-
- /*
- * We've already verified; just obtain the fields we need to create a response
- */
- krtn = krb5int_pkinit_as_req_parse(context,
- &pa_data,
- NULL, NULL, &nonce, /* ctime, cusec, nonce */
- NULL, NULL, /* pa_cksum, cert_status */
- &num_cms_types, &cms_types,
- &client_cert, /* signer_cert: we encrypt for this */
- /* remaining fields unused (for now) */
- NULL, NULL, /* num_all_certs, all_certs */
- &num_trusted_CAs, &trusted_CAs,
- &kdc_cert);
- if(krtn) {
- kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n",
- (int)krtn);
- goto cleanup;
- }
- if(client_cert.data == NULL) {
- kdcPkinitDebug("pa_pk_as_req_parse failed to give a client_cert; aborting.\n");
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto cleanup;
- }
-
- if(krb5_pkinit_get_kdc_cert(num_trusted_CAs, trusted_CAs,
- (kdc_cert.data ? &kdc_cert : NULL),
- &signing_cert)) {
- /*
- * Since get_pkinit_edata was able to obtain *some* KDC cert,
- * this means that we can't satisfy the client's requirement.
- * FIXME - particular error status for this?
- */
- kdcPkinitDebug("return_pkinit_response: NO appropriate signing cert!\n");
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto cleanup;
- }
-
- /*
- * Cook up keyblock for caller and for outgoing AS-REP.
- * FIXME how much is known to be valid about encrypting_key?
- * Will encrypting_key->enctype always be valid here? Seems that
- * if we allow for clients without a shared secret (i.e. preauth
- * by PKINIT only) there won't be a valid encrypting_key set up
- * here for us.
- */
- krb5_free_keyblock_contents(context, encrypting_key);
- krb5_c_make_random_key(context, encrypting_key->enctype, encrypting_key);
-
- /* calculate checksum of incoming AS-REQ */
- krtn = encode_krb5_as_req(request, &encoded_as_req);
- if(krtn) {
- kdcPkinitDebug("encode_krb5_as_req returned %d; PKINIT aborting.\n", (int)krtn);
- goto cleanup;
- }
- krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype,
- encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- encoded_as_req, &as_req_checksum);
- if(krtn) {
- goto cleanup;
- }
-
- /*
- * FIXME: here we assume that the client has one cert - the one that
- * signed the AuthPack in the request (and that we therefore obtained from
- * krb5int_pkinit_as_req_parse()), and the one we're using to encrypt the
- * ReplyKeyPack with here. This may need rethinking.
- */
- krtn = krb5int_pkinit_as_rep_create(context,
- encrypting_key, &as_req_checksum,
- signing_cert, TRUE,
- &client_cert,
- num_cms_types, cms_types,
- num_trusted_CAs, trusted_CAs,
- (kdc_cert.data ? &kdc_cert : NULL),
- &pa_data);
- if(krtn) {
- kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n",
- (int)krtn);
- goto cleanup;
- }
-
- *send_pa = (krb5_pa_data *)malloc(sizeof(krb5_pa_data));
- if(*send_pa == NULL) {
- krtn = ENOMEM;
- free(pa_data.data);
- goto cleanup;
- }
- (*send_pa)->magic = KV5M_PA_DATA;
- (*send_pa)->pa_type = KRB5_PADATA_PK_AS_REP;
- (*send_pa)->length = pa_data.length;
- (*send_pa)->contents = (krb5_octet *)pa_data.data;
- krtn = 0;
-
-#if PKINIT_DEBUG
- fprintf(stderr, "return_pkinit_response: SUCCESS\n");
- fprintf(stderr, "nonce 0x%x enctype %d keydata %02x %02x %02x %02x...\n",
- (int)nonce, (int)encrypting_key->enctype,
- encrypting_key->contents[0], encrypting_key->contents[1],
- encrypting_key->contents[2], encrypting_key->contents[3]);
-#endif
-
-cleanup:
- /* all of this was allocd by krb5int_pkinit_as_req_parse() */
- if(signing_cert) {
- krb5_pkinit_release_cert(signing_cert);
- }
- if(cms_types) {
- unsigned dex;
- krb5int_algorithm_id *alg_id;
-
- for(dex=0; dex<num_cms_types; dex++) {
- alg_id = &cms_types[dex];
- if(alg_id->algorithm.data) {
- free(alg_id->algorithm.data);
- }
- if(alg_id->parameters.data) {
- free(alg_id->parameters.data);
- }
- }
- free(cms_types);
- }
- if(trusted_CAs) {
- unsigned dex;
- for(dex=0; dex<num_trusted_CAs; dex++) {
- free(trusted_CAs[dex].data);
- }
- free(trusted_CAs);
- }
- if(kdc_cert.data) {
- free(kdc_cert.data);
- }
- if(client_cert.data) {
- free(client_cert.data);
- }
- if(encoded_as_req) {
- krb5_free_data(context, encoded_as_req);
- }
- return krtn;
-}
-
-#endif /* APPLE_PKINIT */
-
/*
* Returns TRUE if the PAC should be included
*/
diff --git a/src/kdc/pkinit_apple_server.c b/src/kdc/pkinit_apple_server.c
deleted file mode 100644
index 4252edabd6..0000000000
--- a/src/kdc/pkinit_apple_server.c
+++ /dev/null
@@ -1,241 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of Apple Inc. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Apple Inc. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * pkinit_apple_server.c - Server side routines for PKINIT, Mac OS X version
- *
- * Created 21 May 2004 by Doug Mitchell at Apple.
- */
-
-#if APPLE_PKINIT
-
-#include "pkinit_server.h"
-#include "pkinit_asn1.h"
-#include "pkinit_cms.h"
-#include <assert.h>
-
-#define PKINIT_DEBUG 0
-#if PKINIT_DEBUG
-#define pkiDebug(args...) printf(args)
-#else
-#define pkiDebug(args...)
-#endif
-
-/*
- * Parse PA-PK-AS-REQ message. Optionally evaluates the message's certificate chain.
- * Optionally returns various components.
- */
-krb5_error_code krb5int_pkinit_as_req_parse(
- krb5_context context,
- const krb5_data *as_req,
- krb5_timestamp *kctime, /* optionally RETURNED */
- krb5_ui_4 *cusec, /* microseconds, optionally RETURNED */
- krb5_ui_4 *nonce, /* optionally RETURNED */
- krb5_checksum *pa_cksum, /* optional, contents mallocd and RETURNED */
- krb5int_cert_sig_status *cert_status,/* optionally RETURNED */
- krb5_ui_4 *num_cms_types, /* optionally RETURNED */
- krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */
-
- /*
- * Cert fields, all optionally RETURNED.
- *
- * signer_cert is the full X.509 leaf cert from the incoming SignedData.
- * all_certs is an array of all of the certs in the incoming SignedData,
- * in full X.509 form.
- */
- krb5_data *signer_cert, /* content mallocd */
- krb5_ui_4 *num_all_certs, /* sizeof *all_certs */
- krb5_data **all_certs, /* krb5_data's and their content mallocd */
-
- /*
- * Array of trustedCertifiers, optionally RETURNED. These are DER-encoded
- * issuer/serial numbers.
- */
- krb5_ui_4 *num_trusted_CAs, /* sizeof *trusted_CAs */
- krb5_data **trusted_CAs, /* krb5_data's and their content mallocd */
-
- /* KDC cert specified by client as kdcPkId. DER-encoded issuer/serial number. */
- krb5_data *kdc_cert)
-{
- krb5_error_code krtn;
- krb5_data signed_auth_pack = {0, 0, NULL};
- krb5_data raw_auth_pack = {0, 0, NULL};
- krb5_data *raw_auth_pack_p = NULL;
- krb5_boolean proceed = FALSE;
- krb5_boolean need_auth_pack = FALSE;
- krb5int_cms_content_type content_type;
- krb5_pkinit_cert_db_t cert_db = NULL;
- krb5_boolean is_signed;
- krb5_boolean is_encrypted;
-
- assert(as_req != NULL);
-
- /*
- * We always have to decode the top-level AS-REQ...
- */
- krtn = krb5int_pkinit_pa_pk_as_req_decode(as_req, &signed_auth_pack,
- num_trusted_CAs, trusted_CAs, /* optional */
- kdc_cert); /* optional */
- if (krtn) {
- pkiDebug("krb5int_pkinit_pa_pk_as_req_decode returned %d\n", (int)krtn);
- return krtn;
- }
-
- /* Do we need info about or from the ContentInto or AuthPack? */
- if ((kctime != NULL) || (cusec != NULL) || (nonce != NULL) ||
- (pa_cksum != NULL) || (cms_types != NULL)) {
- need_auth_pack = TRUE;
- raw_auth_pack_p = &raw_auth_pack;
- }
- if (need_auth_pack || (cert_status != NULL) ||
- (signer_cert != NULL) || (all_certs != NULL)) {
- proceed = TRUE;
- }
- if (!proceed) {
- krtn = 0;
- goto err_out;
- }
-
- /* Parse and possibly verify the ContentInfo */
- krtn = krb5_pkinit_get_kdc_cert_db(&cert_db);
- if (krtn) {
- pkiDebug("pa_pk_as_req_parse: error in krb5_pkinit_get_kdc_cert_db\n");
- goto err_out;
- }
- krtn = krb5int_pkinit_parse_cms_msg(&signed_auth_pack, cert_db, TRUE,
- &is_signed, &is_encrypted,
- raw_auth_pack_p, &content_type, signer_cert, cert_status,
- num_all_certs, all_certs);
- if (krtn) {
- pkiDebug("krb5int_pkinit_parse_content_info returned %d\n", (int)krtn);
- goto err_out;
- }
-
- if (is_encrypted || !is_signed) {
- pkiDebug("pkinit_parse_content_info: is_encrypted %s is_signed %s!\n",
- is_encrypted ? "true" :"false",
- is_signed ? "true" : "false");
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto err_out;
- }
- if (content_type != ECT_PkAuthData) {
- pkiDebug("authPack eContentType %d!\n", (int)content_type);
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto err_out;
- }
-
- /* optionally parse contents of authPack */
- if (need_auth_pack) {
- krtn = krb5int_pkinit_auth_pack_decode(&raw_auth_pack, kctime,
- cusec, nonce, pa_cksum,
- cms_types, num_cms_types);
- if(krtn) {
- pkiDebug("krb5int_pkinit_auth_pack_decode returned %d\n", (int)krtn);
- goto err_out;
- }
- }
-
-err_out:
- /* free temp mallocd data that we didn't pass back to caller */
- if(signed_auth_pack.data) {
- free(signed_auth_pack.data);
- }
- if(raw_auth_pack.data) {
- free(raw_auth_pack.data);
- }
- if(cert_db) {
- krb5_pkinit_release_cert_db(cert_db);
- }
- return krtn;
-}
-
-/*
- * Create a PA-PK-AS-REP message, public key (no Diffie Hellman) version.
- *
- * PA-PK-AS-REP is based on ReplyKeyPack like so:
- *
- * PA-PK-AS-REP ::= EnvelopedData(SignedData(ReplyKeyPack))
- */
-krb5_error_code krb5int_pkinit_as_rep_create(
- krb5_context context,
- const krb5_keyblock *key_block,
- const krb5_checksum *checksum, /* checksum of corresponding AS-REQ */
- krb5_pkinit_signing_cert_t signer_cert, /* server's cert */
- krb5_boolean include_server_cert,/* include signer_cert in SignerInfo */
- const krb5_data *recipient_cert, /* client's cert */
-
- /*
- * These correspond to the same out-parameters from
- * krb5int_pkinit_as_req_parse(). All are optional.
- */
- krb5_ui_4 num_cms_types,
- const krb5int_algorithm_id *cms_types,
- krb5_ui_4 num_trusted_CAs,
- krb5_data *trusted_CAs,
- krb5_data *kdc_cert,
-
- krb5_data *as_rep) /* mallocd and RETURNED */
-{
- krb5_data reply_key_pack = {0, 0, NULL};
- krb5_error_code krtn;
- krb5_data enc_key_pack = {0, 0, NULL};
-
- /* innermost content = ReplyKeyPack */
- krtn = krb5int_pkinit_reply_key_pack_encode(key_block, checksum,
- &reply_key_pack);
- if (krtn) {
- return krtn;
- }
-
- /*
- * Put that in an EnvelopedData(SignedData)
- * -- SignedData.EncapsulatedData.ContentType = id-pkinit-rkeyData
- */
- krtn = krb5int_pkinit_create_cms_msg(&reply_key_pack,
- signer_cert,
- recipient_cert,
- ECT_PkReplyKeyKata,
- num_cms_types, cms_types,
- &enc_key_pack);
- if (krtn) {
- goto err_out;
- }
-
- /*
- * Finally, wrap that inside of PA-PK-AS-REP
- */
- krtn = krb5int_pkinit_pa_pk_as_rep_encode(NULL, &enc_key_pack, as_rep);
-
-err_out:
- if (reply_key_pack.data) {
- free(reply_key_pack.data);
- }
- if (enc_key_pack.data) {
- free(enc_key_pack.data);
- }
- return krtn;
-}
-
-#endif /* APPLE_PKINIT */
diff --git a/src/kdc/pkinit_server.h b/src/kdc/pkinit_server.h
deleted file mode 100644
index 26e8edfc11..0000000000
--- a/src/kdc/pkinit_server.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of Apple Inc. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Apple Inc. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * pkinit_server.h - Server side routines for PKINIT
- *
- * Created 21 May 2004 by Doug Mitchell at Apple.
- */
-
-#ifndef _PKINIT_SERVER_H_
-#define _PKINIT_SERVER_H_
-
-#include "krb5.h"
-#include "pkinit_cms.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-/*
- * Parse PA-PK-AS-REQ message. Optionally evaluates the message's certificate chain
- * if cert_status is non-NULL. Optionally returns various components.
- */
-krb5_error_code krb5int_pkinit_as_req_parse(
- krb5_context context,
- const krb5_data *as_req,
- krb5_timestamp *kctime, /* optionally RETURNED */
- krb5_ui_4 *cusec, /* microseconds, optionally RETURNED */
- krb5_ui_4 *nonce, /* optionally RETURNED */
- krb5_checksum *pa_cksum, /* optional, contents mallocd and RETURNED */
- krb5int_cert_sig_status *cert_status, /* optionally RETURNED */
- krb5_ui_4 *num_cms_types, /* optionally RETURNED */
- krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */
-
- /*
- * Cert fields, all optionally RETURNED.
- *
- * signer_cert is the full X.509 leaf cert from the incoming SignedData.
- * all_certs is an array of all of the certs in the incoming SignedData,
- * in full X.509 form.
- */
- krb5_data *signer_cert, /* content mallocd */
- krb5_ui_4 *num_all_certs, /* sizeof *all_certs */
- krb5_data **all_certs, /* krb5_data's and their content mallocd */
-
- /*
- * Array of trustedCertifiers, optionally RETURNED. These are DER-encoded
- * issuer/serial numbers.
- */
- krb5_ui_4 *num_trusted_CAs, /* sizeof *trustedCAs */
- krb5_data **trusted_CAs, /* krb5_data's and their content mallocd */
-
- /* KDC cert specified by client as kdcPkId. DER-encoded issuer/serial number. */
- krb5_data *kdc_cert);
-
-
-/*
- * Create a PA-PK-AS-REP message, public key (no Diffie Hellman) version.
- *
- * PA-PK-AS-REP is based on ReplyKeyPack like so:
- *
- * PA-PK-AS-REP ::= EnvelopedData(SignedData(ReplyKeyPack))
- */
-krb5_error_code krb5int_pkinit_as_rep_create(
- krb5_context context,
- const krb5_keyblock *key_block,
- const krb5_checksum *checksum, /* checksum of corresponding AS-REQ */
- krb5_pkinit_signing_cert_t signer_cert, /* server's cert */
- krb5_boolean include_server_cert, /* include signer_cert in SignerInfo */
- const krb5_data *recipient_cert, /* client's cert */
-
- /*
- * These correspond to the same out-parameters from
- * krb5int_pkinit_as_req_parse(). All are optional.
- */
- krb5_ui_4 num_cms_types,
- const krb5int_algorithm_id *cms_types,
- krb5_ui_4 num_trusted_CAs,
- krb5_data *trusted_CAs,
- krb5_data *kdc_cert,
-
- /* result here, mallocd and RETURNED */
- krb5_data *as_rep);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _PKINIT_SERVER_H_ */