authorKevin Coffman <kwc@citi.umich.edu>2007-01-11 22:07:56 +0000
committerKevin Coffman <kwc@citi.umich.edu>2007-01-11 22:07:56 +0000
commita75a15f37afdc24825c05cb700ae08cc12ebe451 (patch)
tree01bd80d46f9673b04e19d6290b46bed76a7399b8
parentc499279852f67aada8c0f56f7c874a38b9c59ac4 (diff)
-- thanks to Ken Renard, fixed checksum problem in the KDC.
The KDC may alter the original request after decoding it. We need to do the checksum on the original request contents from the client. Use the original packet data to calculate the checksum. -- client now sends the certificate chain in the request -- added a debug message for when we fail to create a certificate chain on the client and fail the request git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19058 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/plugins/preauth/pkinit/pkinit_clnt.c3
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_openssl.c7
-rw-r--r--src/plugins/preauth/pkinit/pkinit_srv.c19
3 files changed, 24 insertions, 5 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 74d9fb8..3101fa5 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -134,6 +134,7 @@ pa_pkinit_gen_req(krb5_context context,
cksum.contents = NULL;
reqctx->pa_type = in_padata->pa_type;
+ pkiDebug("option included = %d till=%d\n", request->kdc_options, request->till);
/* If we don't have a client, we're done */
if (request->client == NULL) {
pkiDebug("No request->client; aborting PKINIT\n");
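Review bot: The new debug line at the top of the hunk prints `request->kdc_options`, a flag word, with `%d`, which gives an unreadable decimal bitmask and a message ("option included") that does not say what is being shown; a hex format with explicit casts is clearer and keeps the arguments matched to the specifiers regardless of how krb5_flags and krb5_timestamp are typedef'd, which the hunk does not show: `pkiDebug("kdc_options = 0x%08x till=%d\n", (unsigned int)request->kdc_options, (int)request->till);`. pa_pkinit_gen_req starts before and continues after the hunk.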
@@ -372,7 +373,7 @@ pkinit_as_req_create(krb5_context context,
goto cleanup;
}
retval = cms_signeddata_create(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_CLIENT, 0,
+ reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_CLIENT, 1,
coded_auth_pack->data, coded_auth_pack->length,
&req->signedAuthPack.data, &req->signedAuthPack.length);
#if 0 /* VISTA HACK */
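Review bot: The changed argument is a bare `1` in an eight-argument call, so nothing at the call site says it means "include the certificate chain"; a named constant or at least an inline comment would make it readable, e.g. `reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_CLIENT, 1 /* include_certchain */,`. Since the client now ships its whole chain, it is worth confirming (not visible in this hunk) that the KDC treats the received certificates only as untrusted intermediates for path building and never as trust anchors, and that a chain which happens to contain the root is tolerated rather than required. pkinit_as_req_create starts before and continues after the hunk.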
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 3f36296..ee28ce2 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -595,8 +595,13 @@ cms_signeddata_create(krb5_context context,
X509_STORE_CTX_init(&certctx, certstore, cert,
id_cryptoctx->intermediateCAs);
X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs);
- if (!X509_verify_cert(&certctx))
+ if (!X509_verify_cert(&certctx)) {
+ pkiDebug("failed to create a certificate chain: %s\n",
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(&certctx)));
+ if (!sk_X509_num(id_cryptoctx->trustedCAs))
+ pkiDebug("No trusted CAs found. Check your X509_anchors\n");
goto cleanup;
+ }
certstack = X509_STORE_CTX_get1_chain(&certctx);
size = sk_X509_num(certstack);
pkiDebug("size of certificate chain = %d\n", size);
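Review bot: The "No trusted CAs found" hint on the added lines is gated on `!sk_X509_num(id_cryptoctx->trustedCAs)`, but OpenSSL's sk_num() returns -1 for a NULL stack, so an unset trustedCAs (the most likely cause of an empty anchor set) never produces the message; use `if (id_cryptoctx->trustedCAs == NULL || sk_X509_num(id_cryptoctx->trustedCAs) == 0)`. Separately, the X509_STORE_CTX_init() call in the context just above is unchecked; it can fail, after which X509_verify_cert() runs on an uninitialized context, so its return value should be tested before verifying. cms_signeddata_create starts and ends outside the hunk, so whether the `cleanup` label runs X509_STORE_CTX_cleanup() on this new early-exit path cannot be confirmed here.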
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 4e73be5..fbfa86c 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -163,6 +163,7 @@ pkinit_server_verify_padata(krb5_context context,
krb5_data *der_req = NULL;
int valid_eku = 0, valid_san = 0;
krb5_authdata **my_authz_data = NULL;
+ krb5_kdc_req *tmp_as_req = NULL;
pkiDebug("pkinit_verify_padata: entered!\n");
@@ -294,8 +295,19 @@ pkinit_server_verify_padata(krb5_context context,
goto cleanup;
}
}
- /* check the checksum */
- retval = encode_krb5_kdc_req_body(request, &der_req);
+ /*
+ * The KDC may have modified the request after decoding it.
+ * We need to compute the checksum on the data that
+ * came from the client. Therefore, we use the original
+ * packet contents.
+ */
+ retval = decode_krb5_as_req(req_pkt, &tmp_as_req);
+ if (retval) {
+ pkiDebug("decode_krb5_as_req returned %d\n", (int)retval);
+ goto cleanup;
+ }
+
+ retval = encode_krb5_kdc_req_body(tmp_as_req, &der_req);
if (retval) {
pkiDebug("encode_krb5_kdc_req_body returned %d\n", (int) retval);
goto cleanup;
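Review bot: The checksum is now computed over a re-encoding of the body decoded from `req_pkt`, which fixes the KDC-side mutation problem but still assumes that decode-then-encode round-trips to exactly the bytes the client computed its checksum over; a client built on a different ASN.1 encoder, or one emitting a valid but non-minimal encoding, will fail verification even though its request is genuine. RFC 4556 defines the checksum over the KDC-REQ-BODY as received, so the robust form is to carve the raw body octets out of `req_pkt` instead of re-encoding, if the decoder can hand them back; at minimum the comment on the added lines should record this assumption, e.g. `/* NOTE: assumes our re-encoding matches the client's original DER. */`. pkinit_server_verify_padata starts before and ends after the hunk, and the comparison of der_req against the client's checksum is not visible here.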
@@ -419,7 +431,8 @@ pkinit_server_verify_padata(krb5_context context,
case KRB5_PADATA_PK_AS_REQ_OLD:
free_krb5_pa_pk_as_req_draft9(&reqp9);
}
-
+ if (tmp_as_req != NULL)
+ krb5_free_kdc_req(context, tmp_as_req);
if (scratch.data != NULL)
free(scratch.data);
if (krb5_authz.data != NULL)