Push PKINIT configuration into default_config.c
[abartlet/lorikeet-heimdal.git/.git] / kdc / default_config.c
index e376cbbddf82410d9732401c292a2ecbd0b439d4..118bdf97aa62723b56d626e69ca76e8a58d7c666 100644 (file)
@@ -259,6 +259,35 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
                                    "kdc", "pkinit_dh_min_bits", NULL);
 
 
+#ifdef __APPLE__
+    c->enable_pkinit = 1;
+
+    if (c->pkinit_kdc_identity == NULL) {
+       if (c->pkinit_kdc_friendly_name == NULL)
+           c->pkinit_kdc_friendly_name =
+               strdup("O=System Identity,CN=com.apple.kerberos.kdc");
+       c->pkinit_kdc_identity = strdup("KEYCHAIN:");
+    }
+    if (c->pkinit_kdc_anchors == NULL)
+       c->pkinit_kdc_anchors = strdup("KEYCHAIN:");
+
+#endif
+
+    if (c->enable_pkinit) {
+       if (c->pkinit_kdc_identity == NULL)
+           krb5_errx(context, 1, "pkinit enabled but no identity");
+
+       if (c->pkinit_kdc_anchors == NULL)
+           krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
+
+       krb5_kdc_pk_initialize(context, c,
+                              c->pkinit_kdc_identity,
+                              c->pkinit_kdc_anchors,
+                              c->pkinit_kdc_cert_pool,
+                              c->pkinit_kdc_revoke);
+
+    }
+
     *config = c;
 
     return 0;
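Review bot: On `__APPLE__` builds the unconditional `c->enable_pkinit = 1;` overrides whatever value was set before this hunk, so an operator apparently cannot switch PKINIT off. When no anchors are configured, the trust anchors for client certificates fall back to `KEYCHAIN:`, presumably every CA in that store rather than a set chosen for the KDC. If that is intended, document it above the `#ifdef`, for example `/* Apple: PKINIT is always on; identity and anchors default to the keychain */`; otherwise apply the defaults only when PKINIT is already enabled. The result of `krb5_kdc_pk_initialize()` is also discarded, so if it reports failure through its return value the KDC would carry on unaware; checking it would match the two `krb5_errx` guards above it. The `strdup()` results are unchecked as well, although a NULL is caught by those guards with a misleading message. The body of `krb5_kdc_get_config` starts outside the hunk, so the earlier parsing of these fields is not visible here.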