**pkinit_identities**
Specifies the location(s) to be used to find the user's X.509
identity information. If this option is specified multiple times,
- the first valid value is used; this can be used to specify an
- environment variable (with **ENV:**\ *envvar*) followed by a
- default value. Note that these values are not used if the user
- specifies **X509_user_identity** on the command line.
+ each value is attempted in order until certificates are found.
+ Note that these values are not used if the user specifies
+ **X509_user_identity** on the command line.
**pkinit_kdc_hostname**
The presence of this option indicates that the client is willing
pkinit_set_deferred_id(&cctx->deferred_ids,
p11name, tinfo.flags, NULL);
free(p11name);
- return KRB5KRB_ERR_GENERIC;
+ return 0;
}
/* Look up a responder-supplied password for the token. */
password = pkinit_find_deferred_id(cctx->deferred_ids, p11name);
id_cryptoctx->slotid = idopts->slotid;
id_cryptoctx->pkcs11_method = 1;
- if (pkinit_open_session(context, id_cryptoctx)) {
- pkiDebug("can't open pkcs11 session\n");
- if (!id_cryptoctx->defer_id_prompt)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- }
+ r = pkinit_open_session(context, id_cryptoctx);
+ if (r != 0)
+ return r;
if (id_cryptoctx->defer_id_prompt) {
/*
* We need to reset all of the PKCS#11 state, so that the next time we
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_opts *idopts,
pkinit_identity_crypto_context id_cryptoctx,
- const char *value)
+ krb5_principal princ, const char *value)
{
const char *residual;
int idtype;
switch (idtype) {
case IDTYPE_ENVVAR:
return process_option_identity(context, plg_cryptoctx, req_cryptoctx,
- idopts, id_cryptoctx,
+ idopts, id_cryptoctx, princ,
secure_getenv(residual));
break;
case IDTYPE_FILE:
retval = EINVAL;
break;
}
- return retval;
+ if (retval)
+ return retval;
+
+ retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx, idopts,
+ id_cryptoctx, princ, TRUE);
+ if (retval)
+ return retval;
+
+ crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx);
+ return 0;
}
static krb5_error_code
if (idopts->identity != NULL) {
retval = process_option_identity(context, plg_cryptoctx,
req_cryptoctx, idopts,
- id_cryptoctx, idopts->identity);
+ id_cryptoctx, princ,
+ idopts->identity);
} else if (idopts->identity_alt != NULL) {
for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) {
retval = process_option_identity(context, plg_cryptoctx,
req_cryptoctx, idopts,
- id_cryptoctx,
+ id_cryptoctx, princ,
idopts->identity_alt[i]);
}
} else {
pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
goto errout;
}
- if (retval)
- goto errout;
-
- retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
- idopts, id_cryptoctx, princ, TRUE);
- if (retval)
- goto errout;
-
- crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx);
} else {
/* We're the anonymous principal. */
retval = 0;
realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
+# Try using multiple configured pkinit_identities, to make sure we
+# fall back to the second one when the first one cannot be read.
+id_conf = {'realms': {'$realm': {'pkinit_identities': [file_identity + 'X',
+ file_identity]}}}
+id_env = realm.special_env('idconf', False, krb5_conf=id_conf)
+realm.kinit(realm.user_princ, expected_trace=msgs, env=id_env)
+
# Try again using RSA instead of DH.
mark('FILE identity, no password, RSA')
realm.kinit(realm.user_princ,
projects / thirdparty / krb5.git / commitdiff
