From 2d3502659502c42cbab4beada60ad5811335f4f9 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 4 Oct 2010 20:02:47 -0400
Subject: [PATCH 041/150] - first cut at implementing pkinit_create_td_invalid_certificate
---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 49 +++++++++++++++++++++++-
 1 files changed, 48 insertions(+), 1 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index d76b61e..b1a3a2c 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2006,7 +2006,54 @@ pkinit_create_td_invalid_certificate(krb5_context context,
                                      pkinit_identity_crypto_context id_cryptoctx,
                                      krb5_data **edata)
 {
-    return ENOSYS;
+    krb5_external_principal_identifier id;
+    const krb5_external_principal_identifier *ids[2];
+    struct issuer_and_serial_number isn;
+    krb5_data *data;
+    krb5_typed_data typed_datum;
+    SECItem item;
+    const krb5_typed_data *typed_data[2];
+    krb5_error_code code;
+
+    /* We didn't trust the peer's certificate. */
+    if (req_cryptoctx->peer_cert == NULL) {
+        return ENOENT;
+    }
+
+    /* Fill in the identifier. */
+    memset(&id, 0, sizeof(id));
+    if (req_cryptoctx->peer_cert->keyIDGenerated) {
+        isn.issuer = req_cryptoctx->peer_cert->derIssuer;
+        isn.serial = req_cryptoctx->peer_cert->serialNumber;
+        if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn,
+                               issuer_and_serial_number_template) != &item) {
+            return ENOMEM;
+        }
+        id.issuerAndSerialNumber.data = item.data;
+        id.issuerAndSerialNumber.length = item.len;
+    } else {
+        item = req_cryptoctx->peer_cert->subjectKeyID;
+        id.subjectKeyIdentifier.data = item.data;
+        id.subjectKeyIdentifier.length = item.len;
+    }
+    ids[0] = &id;
+    ids[1] = NULL;
+
+    /* Pass it back up. */
+    data = NULL;
+    code = k5int_encode_krb5_td_trusted_certifiers(ids, &data);
+    if (code != 0) {
+        return code;
+    }
+    memset(&typed_datum, 0, sizeof(typed_datum));
+    typed_datum.type = TD_INVALID_CERTIFICATES;
+    typed_datum.length = data->length;
+    typed_datum.data = (unsigned char *) data->data;
+    typed_data[0] = &typed_datum;
+    typed_data[1] = NULL;
+    code = k5int_encode_krb5_typed_data(typed_data, edata);
+    krb5_free_data(context, data);
+    return code;
 }
 
 krb5_error_code
-- 
1.7.6.4
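Review bot: The `if (req_cryptoctx->peer_cert->keyIDGenerated)` branch reads backwards without context — it selects issuerAndSerialNumber precisely when NSS had to synthesize subjectKeyID from the public key because the peer certificate carried no SubjectKeyIdentifier extension, which is the right choice for an RFC 4556 ExternalPrincipalIdentifier but deserves a comment such as `/* keyIDGenerated: NSS fabricated subjectKeyID, so identify the cert by issuer+serial instead of a SKID the peer never asserted. */`. The call to k5int_encode_krb5_td_trusted_certifiers for a TD_INVALID_CERTIFICATES element likewise needs a one-line note that it is valid only because both TD types are a SEQUENCE OF ExternalPrincipalIdentifier, so a future reader does not "fix" it. `isn` is assigned field by field without being zeroed, unlike `id`; adding `memset(&isn, 0, sizeof(isn));` before the two assignments keeps any further members covered by issuer_and_serial_number_template from being encoded from stack garbage. The DER produced by SEC_ASN1EncodeItem is allocated from req_cryptoctx->pool and is not released here, so it lives until that arena is freed — presumably per request, but worth confirming. The function's signature, including the req_cryptoctx parameter the new code relies on, begins above the hunk.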