#include "pkinit_server.h"
#include "pkinit_asn1.h"
#include "pkinit_cms.h"
#include <assert.h>
/*
 * Debug tracing.  PKINIT_DEBUG is hard-wired to 1 here, so every pkiDebug()
 * call in this file expands to printf() and writes to the process's stdout
 * in every build; set it to 0 to compile the trace calls out entirely.
 */
#define PKINIT_DEBUG 1
#if PKINIT_DEBUG
/* GNU-style named variadic macro (args...); printf format rules apply. */
#define pkiDebug(args...) printf(args)
#else
#define pkiDebug(args...)
#endif
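/*
 * Parse a PA-PK-AS-REQ pre-authentication element received from a client.
 *
 * The outer PA-PK-AS-REQ is decoded first by pkinit_pa_pk_as_req_decode,
 * which fills the caller's num_trusted_CAs/trustedCAs, kdc_cert and
 * encrypt_cert outputs directly; those are NOT released here if a later
 * step fails.  If the caller asked for nothing from the inner ContentInfo
 * or AuthPack (every remaining output pointer is NULL) the function stops
 * after the outer decode and returns 0.  Otherwise the signed ContentInfo
 * is handed, together with the KDC certificate database, to
 * pkinit_parse_content_info, and, when any AuthPack field was requested,
 * the raw AuthPack bytes it produces are decoded into ctime/cusec/nonce/
 * cksum by pkinit_auth_pack_decode.
 *
 * Parameters
 *   as_req          DER-encoded PA-PK-AS-REQ; must not be NULL.
 *   ctime, cusec,
 *   nonce, cksum    optional outputs taken from the AuthPack; NULL if not
 *                   wanted.  Any one of them being non-NULL forces the
 *                   AuthPack to be decoded.
 *   cert_status     optional signer-certificate status from the
 *                   ContentInfo parse.
 *   is_signed,
 *   is_encrypted    optional flags describing the ContentInfo.
 *   signer_cert     optional signer certificate.
 *   num_all_certs,
 *   all_certs       optional array of all certificates carried in the
 *                   ContentInfo.
 *   kdc_cert,
 *   encrypt_cert,
 *   num_trusted_CAs,
 *   trustedCAs      outputs filled by the outer decode (see above).
 *
 * Returns 0 on success, or the krb5_error_code of the first helper that
 * failed.  The intermediate buffers (signed_auth_pack, raw_auth_pack) and
 * the cert DB handle are always released before returning.
 */
krb5_error_code pkinit_as_req_parse(
    const krb5_data *as_req,
    krb5_timestamp *ctime, krb5_ui_4 *cusec, krb5_ui_4 *nonce, krb5_checksum *cksum, pki_cert_sig_status *cert_status,
    krb5_boolean *is_signed,
    krb5_boolean *is_encrypted,
    krb5_data *signer_cert, unsigned *num_all_certs, krb5_data **all_certs, krb5_data *kdc_cert, krb5_data *encrypt_cert,
    unsigned *num_trusted_CAs, krb5_data **trustedCAs)
{
    krb5_error_code krtn;
    krb5_data signed_auth_pack = {0, 0, NULL};
    krb5_data raw_auth_pack = {0, 0, NULL};
    krb5_data *raw_auth_pack_p = NULL;
    krb5_boolean need_auth_pack = FALSE;
    krb5_boolean need_content_info = FALSE;
    PKI_ContentType content_type;
    pkinit_cert_db_t cert_db = NULL;

    /* assert() is compiled out under NDEBUG; callers must never pass NULL. */
    assert(as_req != NULL);

    /* Outer decode; also fills the caller's trustedCAs/kdc_cert/encrypt_cert. */
    krtn = pkinit_pa_pk_as_req_decode(as_req, &signed_auth_pack,
                                      num_trusted_CAs, trustedCAs,
                                      kdc_cert, encrypt_cert);
    if (krtn) {
        pkiDebug("pkinit_pa_pk_as_req_decode returned %d\n", (int)krtn);
        return krtn;
    }

    /* The AuthPack only has to be decoded when one of its fields is wanted;
     * passing a non-NULL raw_auth_pack_p asks the ContentInfo parser to
     * hand the raw bytes back. */
    if (ctime != NULL || cusec != NULL || nonce != NULL || cksum != NULL) {
        need_auth_pack = TRUE;
        raw_auth_pack_p = &raw_auth_pack;
    }

    /* The ContentInfo only has to be parsed when something from it is wanted. */
    if (need_auth_pack || cert_status != NULL || is_signed != NULL ||
        is_encrypted != NULL || signer_cert != NULL || all_certs != NULL) {
        need_content_info = TRUE;
    }
    if (!need_content_info) {
        krtn = 0;
        goto err_out;
    }

    krtn = pkinit_get_kdc_cert_db(&cert_db);
    if (krtn) {
        pkiDebug("pa_pk_as_req_parse: error in pkinit_get_kdc_cert_db\n");
        goto err_out;
    }

    krtn = pkinit_parse_content_info(&signed_auth_pack, cert_db,
                                     is_signed, is_encrypted,
                                     raw_auth_pack_p, &content_type,
                                     signer_cert, cert_status,
                                     num_all_certs, all_certs);
    if (krtn) {
        pkiDebug("pkinit_parse_content_info returned %d\n", (int)krtn);
        goto err_out;
    }

    if (need_auth_pack) {
        krtn = pkinit_auth_pack_decode(&raw_auth_pack, ctime, cusec, nonce, cksum);
        if (krtn) {
            /* Was "%\n", an invalid conversion that dropped the return
             * code and is undefined behaviour for printf. */
            pkiDebug("pkinit_auth_pack_decode returned %d\n", (int)krtn);
            goto err_out;
        }
    }

err_out:
    /* free(NULL) is a no-op, so no guards are needed on the buffers. */
    free(signed_auth_pack.data);
    free(raw_auth_pack.data);
    if (cert_db) {
        pkinit_release_cert_db(cert_db);
    }
    return krtn;
}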
/*
 * Build the PA-PK-AS-REP pre-authentication element for an AS reply.
 *
 * Pipeline, each stage consuming the previous stage's DER output:
 *   1. pkinit_reply_key_pack_encode   -> ReplyKeyPack (key_block, nonce)
 *   2. pkinit_create_signed_data      -> SignedData over the ReplyKeyPack,
 *                                        signed with signer_cert, with the
 *                                        server cert embedded when
 *                                        include_server_cert is set
 *   3. pkinit_create_envel_data       -> EnvelopedData for recipient_cert
 *   4. pkinit_pa_pk_as_rep_encode     -> PA-PK-AS-REP written to *as_rep
 *
 * Parameters
 *   key_block            reply key to deliver to the client.
 *   nonce                client nonce echoed in the ReplyKeyPack.
 *   signer_cert          KDC signing identity.
 *   include_server_cert  whether the KDC certificate is embedded in the
 *                        SignedData.
 *   recipient_cert       client certificate the EnvelopedData is built for.
 *   as_rep               output; filled by pkinit_pa_pk_as_rep_encode and
 *                        owned by the caller.
 *
 * Returns 0 on success, or the krb5_error_code of the first failing stage.
 * All intermediate DER buffers are freed before returning.
 */
krb5_error_code pkinit_as_rep_create(
    const krb5_keyblock *key_block,
    krb5_ui_4 nonce,
    pkinit_signing_cert_t signer_cert, krb5_boolean include_server_cert, const krb5_data *recipient_cert, krb5_data *as_rep)
{
    krb5_data reply_key_pack = {0, 0, NULL};
    krb5_data signed_data = {0, 0, NULL};
    krb5_data enc_key_pack = {0, 0, NULL};
    krb5_error_code krtn;

    /* Stage 1: nothing has been allocated yet, so a plain return suffices. */
    krtn = pkinit_reply_key_pack_encode(key_block, nonce, &reply_key_pack);
    if (krtn) {
        return krtn;
    }

    /* Stage 2: sign the ReplyKeyPack. */
    krtn = pkinit_create_signed_data(&reply_key_pack, signer_cert,
                                     include_server_cert,
                                     ECT_PkReplyKeyKata, &signed_data);
    if (krtn) {
        goto out;
    }

    /* Stage 3: envelope the SignedData for the recipient. */
    krtn = pkinit_create_envel_data(&signed_data, recipient_cert,
                                    ECT_SignedData, &enc_key_pack);
    if (krtn) {
        goto out;
    }

    /* Stage 4: wrap into the PA-PK-AS-REP; its status is the return value. */
    krtn = pkinit_pa_pk_as_rep_encode(NULL, &enc_key_pack, as_rep);

out:
    /* free(NULL) is a no-op, so buffers from stages that never ran are safe. */
    free(reply_key_pack.data);
    free(signed_data.data);
    free(enc_key_pack.data);
    return krtn;
}