char * catype2string(int catype);
krb5_error_code pkinit_identity_initialize
+ (krb5_context context, /* IN */
+ pkinit_plg_crypto_context plg_cryptoctx, /* IN */
+ pkinit_req_crypto_context req_cryptoctx, /* IN */
+ pkinit_identity_opts *idopts, /* IN */
+ pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
+ krb5_clpreauth_callbacks cb, /* IN/OUT */
+ krb5_clpreauth_rock rock, /* IN/OUT */
+ krb5_principal princ); /* IN (optional) */
+
+krb5_error_code pkinit_identity_prompt
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
if (processing_request) {
pkinit_client_profile(context, plgctx, reqctx, cb, rock,
&request->server->realm);
+ retval = pkinit_identity_initialize(context, plgctx->cryptoctx, NULL,
+ reqctx->idopts, reqctx->idctx,
+ cb, rock, request->client);
+ if (retval) {
+ TRACE_PKINIT_CLIENT_NO_IDENTITY(context);
+ pkiDebug("pkinit_identity_prompt returned %d (%s)\n",
+ retval, error_message(retval));
+ return retval;
+ }
+ /*
+ * Load identities (again, potentially), prompting, if we can, for
+ * anything for which we didn't get an answer from the responder
+ * callback.
+ */
pkinit_identity_set_prompter(reqctx->idctx, prompter, prompter_data);
- retval = pkinit_identity_initialize(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idopts,
- reqctx->idctx, cb, rock,
- reqctx->do_identity_matching,
- request->client);
+ retval = pkinit_identity_prompt(context, plgctx->cryptoctx,
+ reqctx->cryptoctx, reqctx->idopts,
+ reqctx->idctx, cb, rock,
+ reqctx->do_identity_matching,
+ request->client);
if (retval) {
TRACE_PKINIT_CLIENT_NO_IDENTITY(context);
- pkiDebug("pkinit_identity_initialize returned %d (%s)\n",
+ pkiDebug("pkinit_identity_prompt returned %d (%s)\n",
retval, error_message(retval));
return retval;
}
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_opts *idopts, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
- krb5_principal princ); /* IN */
+ krb5_principal princ, /* IN */
+ krb5_boolean defer_id_prompts); /* IN */
/*
* Free up information held from crypto_load_certs()
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_opts *idopts,
pkinit_identity_crypto_context id_cryptoctx,
- krb5_principal princ)
+ krb5_principal princ,
+ krb5_boolean defer_id_prompts)
{
SECStatus status;
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_opts *idopts,
pkinit_identity_crypto_context id_cryptoctx,
- krb5_principal princ)
+ krb5_principal princ,
+ krb5_boolean defer_id_prompts)
{
krb5_error_code retval;
idtype, catype, residual);
}
+/*
+ * Load any identity information which doesn't require us to ask a controlling
+ * user any questions, and record the names of anything else which would
+ * require us to ask questions.
+ */
krb5_error_code
pkinit_identity_initialize(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
pkinit_identity_crypto_context id_cryptoctx,
krb5_clpreauth_callbacks cb,
krb5_clpreauth_rock rock,
- int do_matching,
krb5_principal princ)
{
krb5_error_code retval = EINVAL;
- const char *signer_identity;
int i;
pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
- if (!(princ && krb5_principal_compare_any_realm (context, princ, krb5_anonymous_principal()))) {
+ if (!(princ &&
+ krb5_principal_compare_any_realm(context, princ,
+ krb5_anonymous_principal()))) {
if (idopts == NULL || id_cryptoctx == NULL)
goto errout;
goto errout;
retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
- idopts, id_cryptoctx, princ);
+ idopts, id_cryptoctx, princ, TRUE);
+ if (retval)
+ goto errout;
+ } else {
+ /* We're the anonymous principal. */
+ retval = 0;
+ }
+
+errout:
+ return retval;
+}
+
+/*
+ * Load identity information, including that which requires us to ask a
+ * controlling user any questions. If we have PIN/password values which
+ * correspond to a given identity, use that, otherwise, if one is available,
+ * we'll use the prompter callback.
+ */
+krb5_error_code
+pkinit_identity_prompt(krb5_context context,
+ pkinit_plg_crypto_context plg_cryptoctx,
+ pkinit_req_crypto_context req_cryptoctx,
+ pkinit_identity_opts *idopts,
+ pkinit_identity_crypto_context id_cryptoctx,
+ krb5_clpreauth_callbacks cb,
+ krb5_clpreauth_rock rock,
+ int do_matching,
+ krb5_principal princ)
+{
+ krb5_error_code retval = EINVAL;
+ const char *signer_identity;
+ int i;
+
+ pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
+ if (!(princ &&
+ krb5_principal_compare_any_realm(context, princ,
+ krb5_anonymous_principal()))) {
+ retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
+ idopts, id_cryptoctx, princ, FALSE);
if (retval)
goto errout;
if (do_matching) {
+ /*
+ * Try to select exactly one certificate based on matching
+ * criteria. Typical used for clients.
+ */
retval = pkinit_cert_matching(context, plg_cryptoctx,
req_cryptoctx, id_cryptoctx, princ);
if (retval) {
goto errout;
}
} else {
- /* Tell crypto code to use the "default" */
+ /*
+ * Tell crypto code to use the "default" identity. Typically used
+ * for KDCs.
+ */
retval = crypto_cert_select_default(context, plg_cryptoctx,
req_cryptoctx, id_cryptoctx);
if (retval) {
retval = pkinit_identity_initialize(context, plgctx->cryptoctx, NULL,
plgctx->idopts, plgctx->idctx,
- NULL, NULL, 0, NULL);
+ NULL, NULL, NULL);
+ if (retval)
+ goto errout;
+ retval = pkinit_identity_prompt(context, plgctx->cryptoctx, NULL,
+ plgctx->idopts, plgctx->idctx,
+ NULL, NULL, 0, NULL);
if (retval)
goto errout;
projects / thirdparty / krb5.git / commitdiff
