[krb5/f16] backport RT#7183
Nalin Dahyabhai
nalin at fedoraproject.org
Fri Jun 22 21:12:53 UTC 2012
commit 4c6323b0c574033cbeb6913131c99fa07da9b212
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Fri Jun 22 17:12:23 2012 -0400
backport RT#7183
- backport a fix to allow a PKINIT client to handle SignedData from a KDC
that's signed with a certificate that isn't in the SignedData, but which
is available as an anchor or intermediate on the client (RT#7183)
krb5-1.9-pkinit-anchorsign.patch | 42 ++++++++++++++++++++++++++++++++++++++
1 files changed, 42 insertions(+), 0 deletions(-)
---
diff --git a/krb5-1.9-pkinit-anchorsign.patch b/krb5-1.9-pkinit-anchorsign.patch
new file mode 100644
index 0000000..7e81e4d
--- /dev/null
+++ b/krb5-1.9-pkinit-anchorsign.patch
@@ -0,0 +1,42 @@
+
+
+commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d
+Author: Greg Hudson <ghudson at mit.edu>
+Date: Thu Jun 21 17:20:29 2012 -0400
+
+ Handle PKINIT DH replies with no certs
+
+ If a PKINIT Diffie-Hellman reply contains no certificates in the
+ SignedData object, that may be because the signer certificate was a
+ trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
+ filters client trust anchors out of the returned set of certificates.
+ Match against idctx->trustedCAs and idctx->intermediateCAs to handle
+ this case. This fix only works with OpenSSL 1.0 or later; when built
+ against OpenSSL 0.9.x, the client will still require a cert in the
+ reply.
+
+ Code changes suggested by nalin at redhat.com.
+
+ ticket: 7183
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 0136d4f..7120ecf 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
+ X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
+ X509_STORE_set_flags(store, vflags);
+
+- /* get the signer's information from the CMS message */
++ /*
++ * Get the signer's information from the CMS message. Match signer ID
++ * against anchors and intermediate CAs in case no certs are present in the
++ * SignedData. If we start sending kdcPkId values in requests, we'll need
++ * to match against the source of that information too.
++ */
+ CMS_set1_signers_certs(cms, NULL, 0);
++ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
++ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
+ if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL)
+ goto cleanup;
+ if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)
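Review bot: the diffstat shows only krb5-1.9-pkinit-anchorsign.patch being added (1 files changed), with no change to the spec file, so unless the spec already carries a matching `PatchNN:` line and `%patch` application for this file, the backport is not actually applied to the build; that should land in the same commit. Minor: the two empty lines at the top of the patch file (before `commit db83abc7...`) are stray and can be dropped. On the upstream hunk itself, the added calls `CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN)` and `CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN)` only widen where the signer certificate is looked up; chain validation still runs through the `store` configured just above with `vflags` and `openssl_callback_ignore_crls`, so the trust decision is unchanged, which is worth stating in the package changelog since the upstream message already notes that the OpenSSL 0.9.x build keeps requiring a certificate in the reply.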