From 39c2499364412185e649b0e5df410b70f166eab2 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Mon, 27 Sep 2010 21:14:02 -0400 Subject: [PATCH 007/150] - first pass at create_krb5_trustedCertifiers --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 83 ++++++++++++++++++++++-- 1 files changed, 78 insertions(+), 5 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 7d29b54..5ea7c0d 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -52,6 +52,7 @@ struct _pkinit_plg_crypto_context { PLArenaPool *pool; NSSInitContext *ncontext; + CERTCertList *ca_certs, *other_certs; }; struct _pkinit_req_crypto_context { @@ -260,6 +261,8 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx) NULL, 0); if ((*plg_cryptoctx)->ncontext != NULL) { + (*plg_cryptoctx)->ca_certs = CERT_NewCertList(); + (*plg_cryptoctx)->other_certs = CERT_NewCertList(); return 0; } } @@ -271,6 +274,8 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx) void pkinit_fini_plg_crypto(pkinit_plg_crypto_context plg_cryptoctx) { + CERT_DestroyCertList(plg_cryptoctx->other_certs); + CERT_DestroyCertList(plg_cryptoctx->ca_certs); NSS_ShutdownContext(plg_cryptoctx->ncontext); PORT_FreeArena(plg_cryptoctx->pool, PR_TRUE); } @@ -793,6 +798,8 @@ create_issuerAndSerial(krb5_context context, return 0; } +/* Populate a list of AlgorithmIdentifier structures with the OIDs of the key + * wrap algorithms that we support. */ krb5_error_code create_krb5_supportedCMSTypes(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, 
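Review bot: In the pkinit_init_plg_crypto hunk (@@ -260) both `CERT_NewCertList()` results are stored unchecked; that call returns NULL when its arena allocation fails, and the function still returns 0, so a later `CERT_LIST_EMPTY(plg_cryptoctx->ca_certs)` and the two `CERT_DestroyCertList` calls added in the @@ -271 hunk would then operate on a NULL list (CERT_DestroyCertList does not appear to guard against NULL). Check both lists before the `return 0`, e.g. `if ((*plg_cryptoctx)->ca_certs == NULL || (*plg_cryptoctx)->other_certs == NULL)`, and on failure destroy whichever list was created and shut down ncontext before taking the function's existing error path. That error path, and the rest of pkinit_init_plg_crypto, lie outside the hunk.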
@@ -802,10 +809,10 @@ create_krb5_supportedCMSTypes(krb5_context context,
 {
 SECOidData *oid;
 SECOidTag oids[] = {
- SEC_OID_CMS_3DES_KEY_WRAP,
- SEC_OID_AES_128_KEY_WRAP,
- SEC_OID_AES_192_KEY_WRAP,
- SEC_OID_AES_256_KEY_WRAP,
+ SEC_OID_CMS_3DES_KEY_WRAP, /* no parameters */
+ SEC_OID_AES_128_KEY_WRAP, /* no parameters */
+ SEC_OID_AES_192_KEY_WRAP, /* no parameters */
+ SEC_OID_AES_256_KEY_WRAP, /* no parameters */
 };
 krb5_algorithm_identifier **ids, *id;
 unsigned int i;
@@ -843,6 +850,7 @@ create_krb5_supportedCMSTypes(krb5_context context,
 return 0;
 }
 
+#if 0
 krb5_error_code
 create_krb5_trustedCas(krb5_context context,
 pkinit_plg_crypto_context plg_cryptoctx,
@@ -853,7 +861,10 @@ create_krb5_trustedCas(krb5_context context,
 {
 return ENOSYS;
 }
+#endif
 
+/* Populate a list of trusted certifiers with the list of the root certificates
+ * that we trust. */
 krb5_error_code
 create_krb5_trustedCertifiers(krb5_context context,
 pkinit_plg_crypto_context plg_cryptoctx,
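Review bot: Wrapping create_krb5_trustedCas in `#if 0` (hunks @@ -843 and @@ -853) removes its definition from the object file, whereas the ENOSYS stub it replaces was already a link-safe "not implemented" marker; if the prototype and any caller remain elsewhere in the pkinit plugin, the module will no longer link. Either keep the stub returning ENOSYS or remove the declaration and its callers in the same change, since code parked behind `#if 0` tends to be overlooked in later cleanups. The function's body sits between the two hunks and is not visible here.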
@@ -861,7 +872,69 @@ create_krb5_trustedCertifiers(krb5_context context,
 pkinit_identity_crypto_context id_cryptoctx,
 krb5_external_principal_identifier ***trustedCertifiers)
 {
- return ENOSYS;
+ CERTCertListNode *node;
+ krb5_external_principal_identifier **ids, *id;
+ unsigned int i, n;
+
+ *trustedCertifiers = NULL;
+
+ /* Count the root certs. */
+ n = 0;
+ if (!CERT_LIST_EMPTY(plg_cryptoctx->ca_certs)) {
+ for (n = 0, node = CERT_LIST_HEAD(plg_cryptoctx->ca_certs);
+ (node != NULL) && (node->cert != NULL);
+ node = CERT_LIST_NEXT(node)) {
+ n++;
+ }
+ }
+
+ /* Build the result list. */
+ if (n > 0) {
+ ids = malloc((n + 1) * sizeof(id));
+ if (ids == NULL) {
+ return ENOMEM;
+ }
+ node = CERT_LIST_HEAD(plg_cryptoctx->ca_certs);
+ for (i = 0; i < n; i++) {
+ id = malloc(sizeof(*id));
+ if (id == NULL) {
+ /* Free the earlier items. */
+ while (i > 0) {
+ i--;
+ free(ids[i]->subjectKeyIdentifier.data);
+ free(ids[i]->issuerAndSerialNumber.data);
+ free(ids[i]->subjectName.data);
+ free(ids[i]);
+ }
+ return ENOMEM;
+ }
+ memset(id, 0, sizeof(*id));
+ /* Use the certificate's subject key ID if it's
+ * actually in the certificate. */
+ if ((node->cert->keyIDGenerated ?
+ secitem_to_buf_len(&node->cert->subjectKeyID,
+ &id->subjectKeyIdentifier.data,
+ &id->subjectKeyIdentifier.length) :
+ secitem_to_buf_len(&node->cert->derSubject,
+ &id->subjectName.data,
+ &id->subjectName.length)) != 0) {
+ /* Free the earlier items. */
+ while (i > 0) {
+ i--;
+ free(ids[i]->subjectKeyIdentifier.data);
+ free(ids[i]->issuerAndSerialNumber.data);
+ free(ids[i]->subjectName.data);
+ free(ids[i]);
+ }
+ return ENOMEM;
+ }
+ ids[i] = id;
+ node = CERT_LIST_NEXT(node);
+ }
+ ids[i] = NULL;
+ *trustedCertifiers = ids;
+ }
+ return 0;
 }
 
 krb5_error_code
-- 
1.7.6.4
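Review bot: The test on the `if ((node->cert->keyIDGenerated ?` line looks inverted relative to its own comment: in NSS that flag is set when the library synthesized the key ID because the certificate carries no SubjectKeyIdentifier extension, so as written the loop sends a generated ID for certificates that lack the extension and the DER subject for those that have one (worth confirming against NSS's certt.h before merging). Both failure paths also leak: neither frees `ids` itself, and the secitem_to_buf_len path returns without releasing the `id` it just allocated, since `ids[i] = id` only happens afterwards. The two identical unwind loops should become one static helper that also frees the array, `calloc` can replace the `malloc`+`memset` pair, and an `int ret;` local makes the branch readable. The function's signature and the opening of its parameter list are outside the hunk.
```c
/* Release the first count entries of a partially-built list and the array. */
static void
free_trusted_certifiers(krb5_external_principal_identifier **ids,
                        unsigned int count)
{
    while (count > 0) {
        count--;
        free(ids[count]->subjectKeyIdentifier.data);
        free(ids[count]->issuerAndSerialNumber.data);
        free(ids[count]->subjectName.data);
        free(ids[count]);
    }
    free(ids);
}

/* … unchanged: create_krb5_trustedCertifiers signature, declarations (plus int ret;), counting loop, allocation of ids … */
        for (i = 0; i < n; i++) {
            id = calloc(1, sizeof(*id));
            if (id == NULL) {
                free_trusted_certifiers(ids, i);
                return ENOMEM;
            }
            /* Store it first so the unwind helper owns it from here on. */
            ids[i] = id;
            /* NSS sets keyIDGenerated when it synthesized the key ID itself, so
             * the certificate's own SubjectKeyIdentifier is present only when
             * the flag is false; otherwise fall back to the DER subject name. */
            if (!node->cert->keyIDGenerated) {
                ret = secitem_to_buf_len(&node->cert->subjectKeyID,
                                         &id->subjectKeyIdentifier.data,
                                         &id->subjectKeyIdentifier.length);
            } else {
                ret = secitem_to_buf_len(&node->cert->derSubject,
                                         &id->subjectName.data,
                                         &id->subjectName.length);
            }
            if (ret != 0) {
                free_trusted_certifiers(ids, i + 1);
                return ENOMEM;
            }
            node = CERT_LIST_NEXT(node);
        }
/* … unchanged: NULL terminator, *trustedCertifiers = ids, return 0 … */
```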