[krbdev.mit.edu #7590] PKINIT needs to use the prompter callback for PEM files

Fri Mar 15 10:54:46 EDT 2013

On Fri, Mar 15, 2013 at 01:44:38AM -0400, Greg Hudson via RT wrote:
> Can you please make that change, test it, and resubmit?  I'm not in a 
> position to easily test this functionality, so I'm only comfortable making 
> the most minor of cosmetic changes to the patch.

Sure thing.  Here's an updated version, also modified to just return the
reported length of the reply buffer, as set by the prompter callback:

--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -656,11 +656,54 @@ cleanup:
     return retval;
 }
 
+struct get_key_cb_data {
+    krb5_context context;
+    pkinit_identity_crypto_context id_cryptoctx;
+    char *filename;
+};
+
+static int
+get_key_cb(char *buf, int size, int rwflag, void *userdata)
+{
+    struct get_key_cb_data *data = userdata;
+    pkinit_identity_crypto_context id_cryptoctx;
+    krb5_data rdat;
+    krb5_prompt kprompt;
+    krb5_prompt_type prompt_type;
+    krb5_error_code retval;
+    char *prompt;
+
+    if (userdata == NULL)
+        return -1;
+    if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0)
+        return -1;
+    rdat.data = buf;
+    rdat.length = size;
+    kprompt.prompt = prompt;
+    kprompt.hidden = 1;
+    kprompt.reply = &rdat;
+    prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+
+    /* PROMPTER_INVOCATION */
+    k5int_set_prompt_types(data->context, &prompt_type);
+    id_cryptoctx = data->id_cryptoctx;
+    retval = (data->id_cryptoctx->prompter)(data->context,
+                                            id_cryptoctx->prompter_data,
+                                            NULL, NULL, 1, &kprompt);
+    k5int_set_prompt_types(data->context, 0);
+    free(prompt);
+    if (retval != 0)
+        return -1;
+    return rdat.length;
+}
+
 static krb5_error_code
-get_key(char *filename, EVP_PKEY **retkey)
+get_key(krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
+        char *filename, EVP_PKEY **retkey)
 {
     EVP_PKEY *pkey = NULL;
     BIO *tmp = NULL;
+    struct get_key_cb_data cb_data;
     int code;
     krb5_error_code retval;
 
@@ -676,7 +719,11 @@ get_key(char *filename, EVP_PKEY **retkey)
         retval = errno;
         goto cleanup;
     }
-    pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, NULL, NULL);
+    cb_data.context = context;
+    cb_data.id_cryptoctx = id_cryptoctx;
+    cb_data.filename = filename;
+    pkey = (EVP_PKEY *) PEM_read_bio_PrivateKey(tmp, NULL, get_key_cb,
+                                                &cb_data);
     if (pkey == NULL) {
         retval = EIO;
         pkiDebug("failed to read private key from %s\n", filename);
@@ -4333,7 +4380,7 @@ pkinit_load_fs_cert_and_key(krb5_context context,
         pkiDebug("failed to load user's certificate from '%s'\n", certname);
         goto cleanup;
     }
-    retval = get_key(keyname, &y);
+    retval = get_key(context, id_cryptoctx, keyname, &y);
     if (retval != 0 || y == NULL) {
         pkiDebug("failed to load user's private key from '%s'\n", keyname);
         goto cleanup;

