#include "pkinit_server.h"
#include "pkinit_asn1.h"
#include "pkinit_cms.h"
#include <assert.h>
#define PKINIT_DEBUG 0
#if PKINIT_DEBUG
#define pkiDebug(args...) printf(args)
#else
#define pkiDebug(args...)
#endif
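/*
 * Parse a client's PA-PK-AS-REQ and hand back the pieces the KDC needs.
 *
 * Every output pointer is optional (may be NULL) and only the work needed for
 * the requested outputs is done:
 *   - num_trusted_CAs / trusted_CAs / kdc_cert are filled by the outer
 *     PA-PK-AS-REQ decode and are returned even when nothing else is asked for.
 *   - cert_status, signer_cert, num_all_certs / all_certs come from parsing the
 *     SignedData CMS message.
 *   - kctime, cusec, nonce, pa_cksum, num_cms_types / cms_types live inside the
 *     AuthPack, so requesting any of them also forces the CMS eContent to be
 *     extracted and decoded.
 *
 * Returns 0 on success, KRB5KDC_ERR_PREAUTH_FAILED when the CMS message is not
 * a plain signed (unencrypted) PkAuthData, otherwise the error from the
 * underlying decoder.  Data handed back through the krb5_data outputs is owned
 * by the caller as far as the underlying decoders define it; this function does
 * not release them on a later failure, so callers must treat those outputs as
 * unspecified when a nonzero code is returned.
 */
krb5_error_code krb5int_pkinit_as_req_parse(
    krb5_context context,
    const krb5_data *as_req,
    krb5_timestamp *kctime,
    krb5_ui_4 *cusec,
    krb5_ui_4 *nonce,
    krb5_checksum *pa_cksum,
    krb5int_cert_sig_status *cert_status,
    krb5_ui_4 *num_cms_types,
    krb5int_algorithm_id **cms_types,
    krb5_data *signer_cert,
    krb5_ui_4 *num_all_certs,
    krb5_data **all_certs,
    krb5_ui_4 *num_trusted_CAs,
    krb5_data **trusted_CAs,
    krb5_data *kdc_cert)
{
    krb5_error_code krtn;
    krb5_data signed_auth_pack = {0, 0, NULL};  /* SignedData from the request */
    krb5_data raw_auth_pack = {0, 0, NULL};     /* CMS eContent (AuthPack DER) */
    krb5_data *raw_auth_pack_p = NULL;          /* non-NULL only if eContent wanted */
    krb5_boolean proceed = FALSE;
    krb5_boolean need_auth_pack = FALSE;
    krb5int_cms_content_type content_type;
    krb5_pkinit_cert_db_t cert_db = NULL;
    /*
     * Fail closed: should the CMS parser ever report success without writing
     * these, the signed/unencrypted check below still rejects the request.
     */
    krb5_boolean is_signed = FALSE;
    krb5_boolean is_encrypted = TRUE;

    /* Only an assert: with NDEBUG a NULL as_req would reach the decoder. */
    assert(as_req != NULL);

    krtn = krb5int_pkinit_pa_pk_as_req_decode(as_req, &signed_auth_pack,
                                              num_trusted_CAs, trusted_CAs,
                                              kdc_cert);
    if (krtn) {
        pkiDebug("krb5int_pkinit_pa_pk_as_req_decode returned %d\n", (int)krtn);
        return krtn;
    }

    /*
     * Anything stored inside the AuthPack needs the eContent.  num_cms_types is
     * written only by the AuthPack decoder, so a caller asking for the count
     * alone must trigger it too.
     */
    if ((kctime != NULL) || (cusec != NULL) || (nonce != NULL) ||
        (pa_cksum != NULL) || (num_cms_types != NULL) || (cms_types != NULL)) {
        need_auth_pack = TRUE;
        raw_auth_pack_p = &raw_auth_pack;
    }
    /* Anything from the SignedData itself needs the CMS message parsed. */
    if (need_auth_pack || (cert_status != NULL) || (signer_cert != NULL) ||
        (num_all_certs != NULL) || (all_certs != NULL)) {
        proceed = TRUE;
    }
    if (!proceed) {
        /* Only the outer-level outputs were requested; already filled above. */
        krtn = 0;
        goto err_out;
    }

    krtn = krb5_pkinit_get_kdc_cert_db(&cert_db);
    if (krtn) {
        pkiDebug("pa_pk_as_req_parse: error in krb5_pkinit_get_kdc_cert_db\n");
        goto err_out;
    }

    krtn = krb5int_pkinit_parse_cms_msg(&signed_auth_pack, cert_db, TRUE,
                                        &is_signed, &is_encrypted,
                                        raw_auth_pack_p, &content_type,
                                        signer_cert, cert_status,
                                        num_all_certs, all_certs);
    if (krtn) {
        pkiDebug("krb5int_pkinit_parse_content_info returned %d\n", (int)krtn);
        goto err_out;
    }

    /* PKINIT pre-auth must be a bare SignedData: signed and not enveloped. */
    if (is_encrypted || !is_signed) {
        pkiDebug("pkinit_parse_content_info: is_encrypted %s is_signed %s!\n",
                 is_encrypted ? "true" : "false",
                 is_signed ? "true" : "false");
        krtn = KRB5KDC_ERR_PREAUTH_FAILED;
        goto err_out;
    }
    /* The signed content must be a PkAuthData AuthPack, nothing else. */
    if (content_type != ECT_PkAuthData) {
        pkiDebug("authPack eContentType %d!\n", (int)content_type);
        krtn = KRB5KDC_ERR_PREAUTH_FAILED;
        goto err_out;
    }

    if (need_auth_pack) {
        krtn = krb5int_pkinit_auth_pack_decode(&raw_auth_pack, kctime, cusec,
                                               nonce, pa_cksum, cms_types,
                                               num_cms_types);
        if (krtn) {
            pkiDebug("krb5int_pkinit_auth_pack_decode returned %d\n",
                     (int)krtn);
            goto err_out;
        }
    }

err_out:
    /* free(NULL) is a no-op; the guards are kept only for readability. */
    if (signed_auth_pack.data) {
        free(signed_auth_pack.data);
    }
    if (raw_auth_pack.data) {
        free(raw_auth_pack.data);
    }
    if (cert_db) {
        krb5_pkinit_release_cert_db(cert_db);
    }
    return krtn;
}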
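/*
 * Overwrite len bytes at p with zeros through a volatile pointer so the
 * compiler cannot drop the stores as dead writes before a free().
 */
static void pkinit_secure_zero(void *p, size_t len)
{
    volatile unsigned char *vp = p;

    while (len--) {
        *vp++ = 0;
    }
}

/*
 * Build the PA-PK-AS-REP for a client.
 *
 * The reply key (key_block) and checksum are encoded into a ReplyKeyPack,
 * wrapped in a CMS message of type ECT_PkReplyKeyKata that is signed with
 * signer_cert and addressed to recipient_cert, and finally encoded as the
 * PA-PK-AS-REP written to as_rep.
 *
 * context, include_server_cert, num_trusted_CAs, trusted_CAs and kdc_cert are
 * accepted for interface compatibility but not used by this implementation.
 * The first argument of krb5int_pkinit_pa_pk_as_rep_encode is passed as NULL
 * here; see that function's declaration for what it carries.
 *
 * Returns 0 on success or the error from the first failing encoder; as_rep is
 * unspecified on failure.  The plaintext ReplyKeyPack holds the reply key and
 * is wiped before its buffer is released.
 */
krb5_error_code krb5int_pkinit_as_rep_create(
    krb5_context context,
    const krb5_keyblock *key_block,
    const krb5_checksum *checksum,
    krb5_pkinit_signing_cert_t signer_cert,
    krb5_boolean include_server_cert,
    const krb5_data *recipient_cert,
    krb5_ui_4 num_cms_types,
    const krb5int_algorithm_id *cms_types,
    krb5_ui_4 num_trusted_CAs,
    krb5_data *trusted_CAs,
    krb5_data *kdc_cert,
    krb5_data *as_rep)
{
    krb5_error_code krtn;
    krb5_data reply_key_pack = {0, 0, NULL};  /* plaintext ReplyKeyPack DER */
    krb5_data enc_key_pack = {0, 0, NULL};    /* CMS-wrapped ReplyKeyPack */

    krtn = krb5int_pkinit_reply_key_pack_encode(key_block, checksum,
                                                &reply_key_pack);
    if (krtn) {
        return krtn;
    }

    krtn = krb5int_pkinit_create_cms_msg(&reply_key_pack,
                                         signer_cert,
                                         recipient_cert,
                                         ECT_PkReplyKeyKata,
                                         num_cms_types, cms_types,
                                         &enc_key_pack);
    if (krtn) {
        goto err_out;
    }

    krtn = krb5int_pkinit_pa_pk_as_rep_encode(NULL, &enc_key_pack, as_rep);

err_out:
    if (reply_key_pack.data) {
        /* Contains the reply key in the clear; scrub before releasing. */
        pkinit_secure_zero(reply_key_pack.data, reply_key_pack.length);
        free(reply_key_pack.data);
    }
    if (enc_key_pack.data) {
        free(enc_key_pack.data);
    }
    return krtn;
}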