gss_buffer_desc subjectAltNameConstraint;
gss_buffer_desc clientCertificate;
gss_buffer_desc privateKey;
+ gss_buffer_desc caCertificateBlob;
#ifdef GSSEAP_ENABLE_REAUTH
krb5_ccache krbCredCache;
gss_cred_id_t reauthCred;
#define CONFIG_BLOB_CLIENT_CERT 0
#define CONFIG_BLOB_PRIVATE_KEY 1
-#define CONFIG_BLOB_MAX 2
+#define CONFIG_BLOB_CA_CERT 2
+#define CONFIG_BLOB_MAX 3
struct gss_eap_initiator_ctx {
unsigned int idleWhile;
eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
+ configBlobs[CONFIG_BLOB_CA_CERT].data = cred->caCertificateBlob.value;
+ configBlobs[CONFIG_BLOB_CA_CERT].len = cred->caCertificateBlob.length;
/* eap channel binding */
if (ctx->initiatorCtx.chbindData != NULL) {
gss_release_buffer(&tmpMinor, &cred->radiusConfigFile);
gss_release_buffer(&tmpMinor, &cred->radiusConfigStanza);
gss_release_buffer(&tmpMinor, &cred->caCertificate);
+ gss_release_buffer(&tmpMinor, &cred->caCertificateBlob);
gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint);
gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint);
gss_release_buffer(&tmpMinor, &cred->clientCertificate);
duplicateBufferOrCleanup(&src->radiusConfigStanza, &dst->radiusConfigStanza);
if (src->caCertificate.value != NULL)
duplicateBufferOrCleanup(&src->caCertificate, &dst->caCertificate);
+ if (src->caCertificateBlob.value != NULL)
+ duplicateBufferOrCleanup(&src->caCertificateBlob, &dst->caCertificateBlob);
if (src->subjectNameConstraint.value != NULL)
duplicateBufferOrCleanup(&src->subjectNameConstraint, &dst->subjectNameConstraint);
if (src->subjectAltNameConstraint.value != NULL)
*/
#include "gssapiP_eap.h"
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
#ifdef HAVE_MOONSHOT_GET_IDENTITY
#include <libmoonshot.h>
char *subjectNameConstraint = NULL;
char *subjectAltNameConstraint = NULL;
MoonshotError *error = NULL;
+ BIO *bio = NULL;
if (cred->name != GSS_C_NO_NAME) {
major = gssEapDisplayName(minor, cred->name, &initiator, NULL);
goto cleanup;
gss_release_buffer(&tmpMinor, &cred->caCertificate);
+ gss_release_buffer(&tmpMinor, &cred->caCertificateBlob);
gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint);
gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint);
cred->caCertificate.length = HASH_PREFIX_LEN + len;
} else if (!stringEmpty(caCertificate)) {
- makeStringBufferOrCleanup(caCertificate, &cred->caCertificate);
+ BUF_MEM *bptr;
+ X509 *cert;
+ gss_buffer_desc tmp;
+
+ bio = BIO_new_mem_buf(caCertificate, -1);
+ if (bio == NULL) {
+ major = GSS_S_FAILURE;
+ *minor = ENOMEM;
+ goto cleanup;
+ }
+ cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+ if (cert == NULL) {
+ major = GSS_S_FAILURE;
+ *minor = ENOMEM;
+ goto cleanup;
+ }
+ BIO_free(bio);
+ bio = BIO_new(BIO_s_mem());
+ if (i2d_X509_bio(bio, cert) < 0) {
+ major = GSS_S_FAILURE;
+ *minor = ENOMEM; /* TODO */
+ goto cleanup;
+ }
+ BIO_get_mem_ptr(bio, &bptr);
+ tmp.value = bptr->data;
+ tmp.length = bptr->length;
+ major = duplicateBuffer(minor, &tmp, &cred->caCertificateBlob);
+ if (major != GSS_S_COMPLETE) {
+ goto cleanup;
+ }
+ BIO_free(bio);
+ makeStringBufferOrCleanup("blob://ca-cert", &cred->caCertificate);
}
if (!stringEmpty(subjectNameConstraint))
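Review bot: The success path appears to double-free `bio`: line 88 calls `BIO_free(bio)` without resetting the pointer, and what looks like the function's cleanup path in the last hunk (line 95) calls `BIO_free(bio)` again, so a successfully converted CA certificate releases the same memory BIO twice. Beyond that, the `X509 *cert` from `PEM_read_bio_X509` is never passed to `X509_free` on any path, `BIO_new(BIO_s_mem())` on line 75 is not checked for NULL before `i2d_X509_bio` dereferences it, and, if I recall the OpenSSL contract correctly, `i2d_X509_bio` signals failure with 0 rather than a negative value, so the `< 0` test never fires. Reporting a PEM parse failure of the CA certificate (line 71) as `ENOMEM` also misreports the cause of a failure driven by configuration input the code has just refused, which makes diagnosis harder; the minor code needs a better mapping than the one the `/* TODO */` on line 78 already admits. The enclosing function starts and ends outside the hunk; a rewrite of the conversion block that frees each object exactly once and nulls `bio` so the cleanup path stays a no-op is below.
```c
        BUF_MEM *bptr;
        X509 *cert = NULL;
        gss_buffer_desc tmp;

        bio = BIO_new_mem_buf(caCertificate, -1);
        if (bio == NULL) {
            major = GSS_S_FAILURE;
            *minor = ENOMEM;
            goto cleanup;
        }
        cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
        BIO_free(bio);
        bio = NULL;
        if (cert == NULL) {
            major = GSS_S_FAILURE;
            *minor = ENOMEM; /* FIXME: parse failure, not allocation; pick a parse-failure minor code */
            goto cleanup;
        }
        bio = BIO_new(BIO_s_mem());
        /* i2d_X509_bio reports failure with 0, so test <= 0 rather than < 0 */
        if (bio == NULL || i2d_X509_bio(bio, cert) <= 0) {
            X509_free(cert);
            major = GSS_S_FAILURE;
            *minor = ENOMEM; /* TODO */
            goto cleanup;
        }
        X509_free(cert);
        BIO_get_mem_ptr(bio, &bptr);
        tmp.value = bptr->data;
        tmp.length = bptr->length;
        major = duplicateBuffer(minor, &tmp, &cred->caCertificateBlob);
        BIO_free(bio);
        bio = NULL; /* cleanup's BIO_free(bio) is then a no-op */
        if (major != GSS_S_COMPLETE) {
            goto cleanup;
        }
        makeStringBufferOrCleanup("blob://ca-cert", &cred->caCertificate);
```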
moonshot_free(caCertificate);
moonshot_free(subjectNameConstraint);
moonshot_free(subjectAltNameConstraint);
+ BIO_free(bio);
gss_release_buffer(&tmpMinor, &initiator);
gss_release_buffer(&tmpMinor, &target);