summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_openssl.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 0136d4f47..7120ecf47 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
X509_STORE_set_flags(store, vflags);
- /* get the signer's information from the CMS message */
+ /*
+ * Get the signer's information from the CMS message. Match signer ID
+ * against anchors and intermediate CAs in case no certs are present in the
+ * SignedData. If we start sending kdcPkId values in requests, we'll need
+ * to match against the source of that information too.
+ */
CMS_set1_signers_certs(cms, NULL, 0);
+ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
+ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
/* Not actually signed; anonymous case */
generated by cgit (git 2.34.1) at 2025-10-04 04:46:33 +0000