diff --git a/Add-PKINIT-test-case-for-generic-client-cert.patch b/Add-PKINIT-test-case-for-generic-client-cert.patch
new file mode 100644
index 0000000..e6fb895
--- /dev/null
+++ b/Add-PKINIT-test-case-for-generic-client-cert.patch
@@ -0,0 +1,51 @@
+From 22e89e4e2d2819b7371efb848be525914b2750e8 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 25 Aug 2017 12:39:14 -0400
+Subject: [PATCH] Add PKINIT test case for generic client cert
+
+In t_pkinit.py, add a test case where a client cert with no extensions
+is authorized via subject and issuer using a pkinit_cert_match string
+attribute.
+
+ticket: 8562
+(cherry picked from commit 8c5d50888aab554239fd51306e79c5213833c898)
+[rharwood@redhat.com: backport around dbmatch module]
+---
+ src/tests/t_pkinit.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index e943f4974..fa5c5199e 100755
+--- a/src/tests/t_pkinit.py
++++ b/src/tests/t_pkinit.py
+@@ -26,6 +26,7 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12')
+ user_upn_p12 = os.path.join(certs, 'user-upn.p12')
+ user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
+ user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
++generic_p12 = os.path.join(certs, 'generic.p12')
+ path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
+ path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
+
+@@ -65,6 +66,7 @@ p12_identity = 'PKCS12:%s' % user_p12
+ p12_upn_identity = 'PKCS12:%s' % user_upn_p12
+ p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
+ p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
++p12_generic_identity = 'PKCS12:%s' % generic_p12
+ p12_enc_identity = 'PKCS12:%s' % user_enc_p12
+ p11_identity = 'PKCS11:soft-pkcs11.so'
+ p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
+@@ -284,6 +286,14 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
+ realm.klist(realm.user_princ)
+ realm.run([kvno, realm.host_princ])
+
++# Authorize a client cert with no PKINIT extensions using subject and
++# issuer. (Relies on EKU checking being turned off.)
++rule = '&&CN=user$O=MIT,'
++realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
++realm.kinit(realm.user_princ,
++ flags=['-X', 'X509_user_identity=%s' % p12_generic_identity])
++realm.klist(realm.user_princ)
++
+ if not have_soft_pkcs11:
+ skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
+ 
diff --git a/Add-hostname-based-ccselect-module.patch b/Add-hostname-based-ccselect-module.patch
new file mode 100644
index 0000000..87a83c1
--- /dev/null
+++ b/Add-hostname-based-ccselect-module.patch
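Review bot: The new block only exercises the accepting path: after the setstr of pkinit_cert_match the kinit must succeed, but nothing shows that the rule is what authorized the cert rather than EKU checking being off, and nothing shows that a non-matching rule is refused. A negative case would pin that down, e.g. set a rule whose SUBJECT component cannot match this cert (a constructed value such as CN=nobody) and run `realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=%s' % p12_generic_identity], expected_code=1)` before restoring the matching rule. The attribute is also left set on user_princ, so the PKCS11 tests that follow run with this match rule in force unless something outside this hunk clears it; `realm.run([kadminl, 'delstr', realm.user_princ, 'pkinit_cert_match'])` after the klist would restore the earlier state. As rendered here the rule string `'&&CN=user$O=MIT,'` carries no angle-bracketed SUBJECT/ISSUER component tags; if that is the patch text rather than a loss in this page's rendering, the rule is not in pkinit_cert_match syntax and the test would not be matching on subject and issuer at all.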
@@ -0,0 +1,293 @@
+From 624060dabcc06ea40847ffd98c9b05c66e65d6ba Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 23 Aug 2017 17:25:17 -0400
+Subject: [PATCH] Add hostname-based ccselect module
+
+The hostname module selects the ccache whose realm is the longest
+parent domain tail of the uppercase server hostname.
+
+[ghudson@mit.edu: minor edits]
+
+ticket: 8613 (new)
+(cherry picked from commit a4ddc6cf576b4155e6b994307902567f26f752b2)
+---
+ doc/admin/conf_files/krb5_conf.rst | 4 +
+ src/lib/krb5/ccache/Makefile.in | 3 +
+ src/lib/krb5/ccache/cc-int.h | 4 +
+ src/lib/krb5/ccache/ccselect.c | 5 ++
+ src/lib/krb5/ccache/ccselect_hostname.c | 146 ++++++++++++++++++++++++++++++++
+ src/tests/gssapi/t_ccselect.py | 9 ++
+ 6 files changed, 171 insertions(+)
+ create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c
+
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index c0e4349c0..5f1de2e50 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -744,6 +744,10 @@ disabled with the disable tag):
+ Uses the service realm to guess an appropriate cache from the
+ collection
+
++**hostname**
++ If the service principal is host-based, uses the service hostname
++ to guess an appropriate cache from the collection
++
+ .. _pwqual:
+
+ pwqual interface
+diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
+index 5ac870728..f84cf793e 100644
+--- a/src/lib/krb5/ccache/Makefile.in
++++ b/src/lib/krb5/ccache/Makefile.in
+@@ -34,6 +34,7 @@ STLIBOBJS= \
+ ccdefops.o \
+ ccmarshal.o \
+ ccselect.o \
++ ccselect_hostname.o \
+ ccselect_k5identity.o \
+ ccselect_realm.o \
+ cc_dir.o \
+@@ -52,6 +53,7 @@ OBJS= $(OUTPRE)ccbase.$(OBJEXT) \
+ $(OUTPRE)ccdefops.$(OBJEXT) \
+ $(OUTPRE)ccmarshal.$(OBJEXT) \
+ $(OUTPRE)ccselect.$(OBJEXT) \
++ $(OUTPRE)ccselect_hostname.$(OBJEXT) \
+ $(OUTPRE)ccselect_k5identity.$(OBJEXT) \
+ $(OUTPRE)ccselect_realm.$(OBJEXT) \
+ $(OUTPRE)cc_dir.$(OBJEXT) \
+@@ -70,6 +72,7 @@ SRCS= $(srcdir)/ccbase.c \
+ $(srcdir)/ccdefops.c \
+ $(srcdir)/ccmarshal.c \
+ $(srcdir)/ccselect.c \
++ $(srcdir)/ccselect_hostname.c \
+ $(srcdir)/ccselect_k5identity.c \
+ $(srcdir)/ccselect_realm.c \
+ $(srcdir)/cc_dir.c \
+diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h
+index ee9b5e0e9..d920367ce 100644
+--- a/src/lib/krb5/ccache/cc-int.h
++++ b/src/lib/krb5/ccache/cc-int.h
+@@ -123,6 +123,10 @@ k5_cccol_force_unlock(void);
+ krb5_error_code
+ krb5int_fcc_new_unique(krb5_context context, char *template, krb5_ccache *id);
+
++krb5_error_code
++ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
++ krb5_plugin_vtable vtable);
++
+ krb5_error_code
+ ccselect_realm_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
+index ee4b83a9b..393d39733 100644
+--- a/src/lib/krb5/ccache/ccselect.c
++++ b/src/lib/krb5/ccache/ccselect.c
+@@ -71,6 +71,11 @@ load_modules(krb5_context context)
+ if (ret != 0)
+ goto cleanup;
+
++ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "hostname",
++ ccselect_hostname_initvt);
++ if (ret != 0)
++ goto cleanup;
++
+ ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CCSELECT, &modules);
+ if (ret != 0)
+ goto cleanup;
+diff --git a/src/lib/krb5/ccache/ccselect_hostname.c b/src/lib/krb5/ccache/ccselect_hostname.c
+new file mode 100644
+index 000000000..475cfabae
+--- /dev/null
++++ b/src/lib/krb5/ccache/ccselect_hostname.c
+@@ -0,0 +1,146 @@
++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
++/* lib/krb5/ccache/ccselect_hostname.c - hostname ccselect module */
++/*
++ * Copyright (C) 2017 by Red Hat, Inc.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * * Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * * Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "k5-int.h"
++#include "cc-int.h"
++#include
++#include
++
++/* Swap a and b, using tmp as an intermediate. */
++#define SWAP(a, b, tmp) \
++ tmp = a; \
++ a = b; \
++ b = tmp;
++
++static krb5_error_code
++hostname_init(krb5_context context, krb5_ccselect_moddata *data_out,
++ int *priority_out)
++{
++ *data_out = NULL;
++ *priority_out = KRB5_CCSELECT_PRIORITY_HEURISTIC;
++ return 0;
++}
++
++static krb5_error_code
++hostname_choose(krb5_context context, krb5_ccselect_moddata data,
++ krb5_principal server, krb5_ccache *ccache_out,
++ krb5_principal *princ_out)
++{
++ krb5_error_code ret;
++ char *p, *host = NULL;
++ size_t hostlen;
++ krb5_cccol_cursor col_cursor;
++ krb5_ccache ccache, tmp_ccache, best_ccache = NULL;
++ krb5_principal princ, tmp_princ, best_princ = NULL;
++ krb5_data domain;
++
++ *ccache_out = NULL;
++ *princ_out = NULL;
++
++ if (server->type != KRB5_NT_SRV_HST || server->length < 2)
++ return KRB5_PLUGIN_NO_HANDLE;
++
++ /* Compute upper-case hostname. */
++ hostlen = server->data[1].length;
++ host = k5memdup0(server->data[1].data, hostlen, &ret);
++ if (host == NULL)
++ return ret;
++ for (p = host; *p != '\0'; p++) {
++ if (islower(*p))
++ *p = toupper(*p);
++ }
++
++ /* Scan the collection for a cache with a client principal whose realm is
++ * the longest tail of the server hostname. */
++ ret = krb5_cccol_cursor_new(context, &col_cursor);
++ if (ret)
++ goto done;
++
++ for (ret = krb5_cccol_cursor_next(context, col_cursor, &ccache);
++ ret == 0 && ccache != NULL;
++ ret = krb5_cccol_cursor_next(context, col_cursor, &ccache)) {
++ ret = krb5_cc_get_principal(context, ccache, &princ);
++ if (ret) {
++ krb5_cc_close(context, ccache);
++ break;
++ }
++
++ /* Check for a longer match than we have. */
++ domain = make_data(host, hostlen);
++ while (best_princ == NULL ||
++ best_princ->realm.length < domain.length) {
++ if (data_eq(princ->realm, domain)) {
++ SWAP(best_ccache, ccache, tmp_ccache);
++ SWAP(best_princ, princ, tmp_princ);
++ break;
++ }
++
++ /* Try the next parent domain. */
++ p = memchr(domain.data, '.', domain.length);
++ if (p == NULL)
++ break;
++ domain = make_data(p + 1, hostlen - (p + 1 - host));
++ }
++
++ if (ccache != NULL)
++ krb5_cc_close(context, ccache);
++ krb5_free_principal(context, princ);
++ }
++
++ krb5_cccol_cursor_free(context, &col_cursor);
++
++ if (best_ccache != NULL) {
++ *ccache_out = best_ccache;
++ *princ_out = best_princ;
++ } else {
++ ret = KRB5_PLUGIN_NO_HANDLE;
++ }
++
++done:
++ free(host);
++ return ret;
++}
++
++krb5_error_code
++ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
++ krb5_plugin_vtable vtable)
++{
++ krb5_ccselect_vtable vt;
++
++ if (maj_ver != 1)
++ return KRB5_PLUGIN_VER_NOTSUPP;
++ vt = (krb5_ccselect_vtable)vtable;
++ vt->name = "hostname";
++ vt->init = hostname_init;
++ vt->choose = hostname_choose;
++ return 0;
++}
+diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
+index 668a2cc62..3503f9269 100755
+--- a/src/tests/gssapi/t_ccselect.py
++++ b/src/tests/gssapi/t_ccselect.py
+@@ -33,6 +33,7 @@ host1 = 'p:' + r1.host_princ
+ host2 = 'p:' + r2.host_princ
+ foo = 'foo.krbtest.com'
+ foo2 = 'foo.krbtest2.com'
++foobar = "foo.bar.krbtest.com"
+
+ # These strings specify the target as a GSS name. The resulting
+ # principal will have the host-based type, with the referral realm
+@@ -42,6 +43,7 @@ foo2 = 'foo.krbtest2.com'
+ # single component.
+ gssserver = 'h:host@' + foo
+ gssserver2 = 'h:host@' + foo2
++gssserver_bar = 'h:host@' + foobar
+ gsslocal = 'h:host@localhost'
+
+ # refserver specifies the target as a principal in the referral realm.
+@@ -77,10 +79,12 @@ r1.addprinc('host/localhost')
+ r2.addprinc('host/localhost')
+ r1.addprinc('host/' + foo)
+ r2.addprinc('host/' + foo2)
++r1.addprinc('host/' + foobar)
+ r1.extract_keytab('host/localhost', r1.keytab)
+ r2.extract_keytab('host/localhost', r2.keytab)
+ r1.extract_keytab('host/' + foo, r1.keytab)
+ r2.extract_keytab('host/' + foo2, r2.keytab)
++r1.extract_keytab('host/' + foobar, r1.keytab)
+
+ # Get tickets for one user in each realm (zaphod will be primary).
+ r1.kinit(alice, password('alice'))
+@@ -128,6 +132,11 @@ output = r2.run(['./t_ccselect', gsslocal])
+ if output != (zaphod + '\n'):
+ fail('zaphod not chosen via default realm fallback')
+
++# Check that realm ccselect fallback works correctly
++r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
++r2.kinit(zaphod, password('zaphod'))
++r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
++
+ # Get a second cred in r1 (bob will be primary).
+ r1.kinit(bob, password('bob'))
+ 
diff --git a/Add-test-cert-with-no-extensions.patch b/Add-test-cert-with-no-extensions.patch
new file mode 100644
index 0000000..3734700
--- /dev/null
+++ b/Add-test-cert-with-no-extensions.patch
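Review bot: In hostname_choose, when the scan loop exits with a non-zero ret (krb5_cc_get_principal failing on a cache, or krb5_cccol_cursor_next returning an error), control still reaches the block after krb5_cccol_cursor_free, which stores any best_ccache/best_princ selected so far into the output parameters and then returns the error, so the caller receives a failure code together with an open ccache and an allocated principal it has no reason to release. Check ret after freeing the cursor and drop the partial selection before jumping to done, as in the excerpt below. In the same function, islower(*p) and toupper(*p) are passed a plain char; for a hostname byte above 0x7f (the bytes come straight from server->data[1]) that is a negative int and undefined behaviour for the ctype functions, so cast through unsigned char. The two bare `#include` lines in the hunk have lost their header names, most likely in this page's rendering rather than in the patch itself.
```c
    /* … unchanged: output init, name-type check, hostname copy … */
    for (p = host; *p != '\0'; p++) {
        /* ctype functions take an int in unsigned char range, not a plain char. */
        if (islower((unsigned char)*p))
            *p = toupper((unsigned char)*p);
    }
    /* … unchanged: cursor creation and collection scan … */
    krb5_cccol_cursor_free(context, &col_cursor);

    if (ret) {
        /* Don't hand back a partial selection together with an error. */
        if (best_ccache != NULL)
            krb5_cc_close(context, best_ccache);
        krb5_free_principal(context, best_princ);
        goto done;
    }
    if (best_ccache != NULL) {
        *ccache_out = best_ccache;
        *princ_out = best_princ;
    } else {
        ret = KRB5_PLUGIN_NO_HANDLE;
    }
    /* … unchanged: done label, free(host), return … */
```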
@@ -0,0 +1,1120 @@ +From 03402d8462c44c16f85368c803c1a3823507e0f9 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 25 Aug 2017 12:33:33 -0400 +Subject: [PATCH] Add test cert with no extensions + +Add commands to make-certs.sh to generate a test client certificate +with no certificate extensions. Re-run make-certs.sh. + +ticket: 8562 +(cherry picked from commit 0d23835660ab131d244d395e4568969b5c0dc678) +--- + src/tests/dejagnu/pkinit-certs/ca.pem | 32 +++++++-------- + src/tests/dejagnu/pkinit-certs/generic.p12 | Bin 0 -> 2477 bytes + src/tests/dejagnu/pkinit-certs/generic.pem | 21 ++++++++++ + src/tests/dejagnu/pkinit-certs/kdc.pem | 32 +++++++-------- + src/tests/dejagnu/pkinit-certs/make-certs.sh | 9 +++++ + src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 52 ++++++++++++------------- + src/tests/dejagnu/pkinit-certs/privkey.pem | 50 ++++++++++++------------ + src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 2837 -> 2837 bytes + src/tests/dejagnu/pkinit-certs/user-upn.p12 | Bin 2829 -> 2829 bytes + src/tests/dejagnu/pkinit-certs/user-upn.pem | 30 +++++++------- + src/tests/dejagnu/pkinit-certs/user-upn2.p12 | Bin 2813 -> 2813 bytes + src/tests/dejagnu/pkinit-certs/user-upn2.pem | 32 +++++++-------- + src/tests/dejagnu/pkinit-certs/user-upn3.csr | 16 -------- + src/tests/dejagnu/pkinit-certs/user-upn3.p12 | Bin 2829 -> 2829 bytes + src/tests/dejagnu/pkinit-certs/user-upn3.pem | 30 +++++++------- + src/tests/dejagnu/pkinit-certs/user.p12 | Bin 2837 -> 2837 bytes + src/tests/dejagnu/pkinit-certs/user.pem | 30 +++++++------- + 17 files changed, 174 insertions(+), 160 deletions(-) + create mode 100644 src/tests/dejagnu/pkinit-certs/generic.p12 + create mode 100644 src/tests/dejagnu/pkinit-certs/generic.pem + delete mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.csr + +diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem +index 44c917687..f7421ba02 100644 +--- a/src/tests/dejagnu/pkinit-certs/ca.pem ++++ 
b/src/tests/dejagnu/pkinit-certs/ca.pem +@@ -3,27 +3,27 @@ MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx + FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG + A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz + dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowgacxCzAJ ++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowgacxCzAJ + BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i + cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl + cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk + byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +-ggEBANOWvXDyubZ/Kf8QYdPSRk/rsogzqS0rycNEJp/6rPpTS40UxGae5MyLHfmN +-l2mSevRoHSqhb7cfT6n9kR2kb3HB0qhhhecHey4sGwd+m7WMhBQgVtYaiWkuEQDC +-7/SWkRYzmYX8J41vrQulXU2/2pOQCmG4NKPsNo+vcKoT2SHl6qr3lflUaIG0wDu4 +-bFrWszkxcuSkU7SSXDf2xTTTJ8QftO6WQY3g0+dAhbjZFKxRO5uipxURez5EemVs +-Re86vXEILka85tiVS4maCn3l3FWMqcBHRFNa+/osTb0J/OmvvdQ3bzvscG7KDRtM +-bRUnpWClr5R+AbGVvKocj5I1+G0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBRrwMkO +-fMoN3ofjotSWjK0c27fYYjCB1AYDVR0jBIHMMIHJgBRrwMkOfMoN3ofjotSWjK0c +-27fYYqGBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 ++ggEBAL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qId ++S8f7Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4r ++rN5WZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevps ++h+LPXsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpU ++OCXopDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKO ++Ka4Y2U5zy3++t6pd3oGlWCr96D0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBSvEuBX ++VNKtIomCkLcxpsKp9Ag9qzCB1AYDVR0jBIHMMIHJgBSvEuBXVNKtIomCkLcxpsKp ++9Ag9q6GBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 + dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ + bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0 + IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE 
+-AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAN82zurZwM +-TugUG6b1symxXxOdDqwinwIlQjzXJ8mTRv31q+YwNdYvdWn1aex8v44qjFDjEP80 +-83y18CjjBHznwxsHll80QmFHjpy6xtRrUC/Ak7jfKnDiTKQYBdgmF4/UiVQu354e +-QI6jPMQlrWZXThlRuBjM55hs4tgRYeTgbd4VSZzVQXdm2ViZkg8SGqw0R2ZRnG91 +-dfXkhu/tTruguPAT3MQ2pTK/CoHHA4W2piQbBDqIl83fphRhYxyW/cCF2mvZZUhE +-AfWhgYDeTDxHKG3Jfmm+ujMo5HscgeUpJ7XjZdobNhkQjD1piyuGzFkUfo2XzA6m +-kMz4Jq4cnvpz ++AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQArUoCjqxsY ++/m3nx/5BQSkBAL4T5RgWIX+L4y4GXloYYlafpw+SxRq0QffFm5fpCJBnMd21MbPl ++k/YA+oq0/76cKyQmJ6h/Wl4KHCKKMmvGuhCEXzmrevk/EJ8lJXNdPfbBueAuLeyU ++7X9tO8i9fJ59AZ9YWD9d//puOF+8xeHPxJIxHcR2jHpUOJPtm4yVu1LreHiJJTu4 ++Xotp9yMpJu/uJM3aBKVS5N/5JreraLj9N6N8nZ/7nEw9Dj1zzGHcHCcqtcxz1oOH ++Zbg5Jo8HhVhIHxKdKLvwEk60P+lkGFIE+IUmhWfcbbprTGs7VhxREwxaWyCapCOk ++qlhbJdEcjHr2 + -----END CERTIFICATE----- +diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/dejagnu/pkinit-certs/generic.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..238baa56bc7b4ec4a4cd66861d9a54888ae6baf8 +GIT binary patch +literal 2477 +zcmV;e2~zejf(fYt0Ru3C32z1oDuzgg_YDCD0ic2jU<85*Trh$OSTKSF4+aS;hDe6@ +z4FLxRpn?PdFoFa80s#Opf&=vi2`Yw2hW8Bt2LUh~1_~;MNQU6Cwj5&?-ITdyp+x|XE-*3B|L8H?6tR9A4HUV +zXKXC4=L{;GYOU0TZ%YIlTM6d!F~cR^uf!*<@U_-l*QqJ>xt(al?+>_BvzoP^gL1N$ +z`F-->tkpYWJQUWTg*!blr__$E(F`vAa6$tp#&2s#wO{Z+x9Qj#E{tn`2{H +zg{vzUo0|{iV-+Q+#HBbV5=@9HX*$|bj>(CQqEHI)oQ(#V>5%ee;p0M7*Ncmla{Oaw`~Lk01PKR0)2+7#ypOR +zE<@*23b5&ny_nUSu&QRYf<9ZS$K+zIxKS{-TDjaw +zil6-nf!Sd?4znmK)|t(Kh;^hMN(xELd?H&?xwpdgxQuGz&lqkC*bt7YYcgZyhS`(_ +zV#Eei3)wjY67{AC<7Jdb$1DrskBFGeZl1_X_JSlij;_AeG&Ze&pK!02Uol4a +zAU3nTn}n!jf3MeflZTds*L87yad1DS(dZEx?R=EV`~wYbzuJ+gyipE3%clL}xH|uh +z*0lFO@p4PYUlRKizgu%`-6@}1$(>d}Hi|tilS_mz$63&pG)DTS?u#a3%DdCMr6nS= +zuqM$zP9u98I!aB)2ukr=BA^QLRczSH^0a)!b6RMWsc6m2lXG@=*;qxzKpg}Q;PWP$ +zSPdG{kzh|I5&?lP;`r@Y6C5-O-aNIi>snK{0uoVguzqbh?|wC|;ZdY*FoFd^1_>&L +zNQUi7=~UOR 
+zVu`0Rq`j%-S6Ff=&?TzqMFSM&gz}ICHc9bAOg}ADuoHHkw?kNR=9F1w*lYN{EG@Q( +z^&Z!5aJ#r-f4w{9{l_?xms3iieP1I%l~D*(t;Nk1aGOf}qn#GuBv85jI+6|9D>yt8 +z=`CiI1xSM|6#z}e8mUO30BVUlR!<3__7-RBW%t*-clA6mka`9Ep#J89G6;43;kLxp +z*-|yA&X1<^zP0+5jK3^7X7_8Ji!05N16zPQD?*Vmuu}Oqin+2p?#8~7bHAc6s#bFC +zBNktoPt|Xx$KKi92&|HGRDq~8=dk}B3c`50V14okG{eS4V-1zL#^Hl>} +zDnU~+pT_`PO~9}`Jv`1wS!fR(ZMPa4i`@TU5bt()(#ACb9{Y+&=*3 +z?16YQJcXXtc1SY}^F0^kPKKB2!~3O%n-3mC^{G$p0l|354kxz5D%&q&VtpxbBv{)* +zpMNnNpUwwe>D5nKequv57A`7WDkH{;SWnT$m6mFQM_4sCy6`Q6+R>fF3xV>`&)a%y +zB1l^2YMSpWB_)PDnwNbAr1q&CK9%#FU7a%regezQN#m#I@aB>MWA)qZGWrv>>pVj~&d(I8p??>w1k}$4P^X +zAWnN%6sS3RRKSDNfisfVQl0_dGxCM!+1Yl>tFQeHvTap~MEH7XV84MrcTfkph~OhN +z{o=b|+k%aoLEyQSSSCuJgEO`uIb&{+Z)uzyj^e7-ow^S5`Lr4TK3IX)>y>`8oiIWy +zH0hllKCxMqW=7K+*+}M2uMG#-iv4KGvA+{{p>ck6qZXw*_yoH?4r-2LxGhvU$-SJ& +z%}Cbjx7lK8OxbcYY6+T8eDcs^;Xvdw>6;}lnp8q +zOI2Bf

+yF}Y41&9t?C1#$YRn~NWY8C%6yHl*AOeW|@!q&2^AvuxK!KnnF`7+J)np +zj6bGtii!U}#abz=^y{$*-&7lSX?~Xs2w?6rihtbpW0dcnT=iZgshJw14vAdMlwyD6 +z|23bFWaw<;jHGdx+WL{QTwvP`6=BXmumW|@H&izw=M#i7|4o2kT^B@DwWN<09-mt* +zH_scbs?(Qg+gx};zbY90=8VD210!z1E&|~fxwzSLg-MMc62*ZwTWl5YDkMj->^Hv+ +zEh;f3Fe3&DDuzgg_YDCF6)_eB6ofmTa$1pK4AutIB1uG5% +r0vZJX1QbFHUUX|Bgz^@{lOae~ZgSk8C3^%24n#rsPDd1M0s;sCf8Be; + +literal 0 +HcmV?d00001 + +diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/dejagnu/pkinit-certs/generic.pem +new file mode 100644 +index 000000000..706c2f341 +--- /dev/null ++++ b/src/tests/dejagnu/pkinit-certs/generic.pem +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDZjCCAk4CAQcwDQYJKoZIhvcNAQELBQAwgacxCzAJBgNVBAYTAlVTMRYwFAYD ++VQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoM ++A01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0Ex ++MzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVy ++d2lzZTAeFw0xNzA4MjUxODMyMTFaFw0yODA4MDcxODMyMTFaMEoxCzAJBgNVBAYT ++AlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNP ++TTENMAsGA1UEAwwEdXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ++AL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qIdS8f7 ++Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4rrN5W ++ZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevpsh+LP ++XsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpUOCXo ++pDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKOKa4Y ++2U5zy3++t6pd3oGlWCr96D0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAniIG+xJ ++6rXbrH2kt40GE58fFzrIlzhG4VzncNnpFitvPEMzN0kMa5LBX5/zSYiMawQBQ7C0 ++FpCjz+n82VVW8iabCNoqUUNwOP7ZYmsoraHT9klSak/mLfAXOyOG3DUV9jntivnl ++HUIiDO7Pf6GnVVROio9psQEVOX1+W1uq9Vs79+F5GI/s0QR9dG0qXvdJ0h5UdVee ++8LVXQOi3cQKyBOwECwt0HA0pJwwcD6w9e8Y2NYTeOTamWGQVEV3NlcvtdSVuDJ8y ++lTke2YbEKyHdcsQ1vrDHtdyfEmJcgO5c9EL5ptYJB7Yv1QiwWJOhLdT13IBYvOtO ++ebOF6zAD73Bpkw== ++-----END CERTIFICATE----- +diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem 
b/src/tests/dejagnu/pkinit-certs/kdc.pem +index 8820ad447..4eb811deb 100644 +--- a/src/tests/dejagnu/pkinit-certs/kdc.pem ++++ b/src/tests/dejagnu/pkinit-certs/kdc.pem +@@ -3,27 +3,27 @@ MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx + FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG + A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz + dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSTELMAkG ++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowSTELMAkG + A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF + U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +-AoIBAQDTlr1w8rm2fyn/EGHT0kZP67KIM6ktK8nDRCaf+qz6U0uNFMRmnuTMix35 +-jZdpknr0aB0qoW+3H0+p/ZEdpG9xwdKoYYXnB3suLBsHfpu1jIQUIFbWGolpLhEA +-wu/0lpEWM5mF/CeNb60LpV1Nv9qTkAphuDSj7DaPr3CqE9kh5eqq95X5VGiBtMA7 +-uGxa1rM5MXLkpFO0klw39sU00yfEH7TulkGN4NPnQIW42RSsUTuboqcVEXs+RHpl +-bEXvOr1xCC5GvObYlUuJmgp95dxVjKnAR0RTWvv6LE29Cfzpr73UN2877HBuyg0b +-TG0VJ6Vgpa+UfgGxlbyqHI+SNfhtAgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUa8DJ +-DnzKDd6H46LUloytHNu32GIwgdQGA1UdIwSBzDCByYAUa8DJDnzKDd6H46LUloyt +-HNu32GKhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl ++AoIBAQC/BxU//lImv03EhSCSXe2e2RbzDmC4RJAsqkYVtYIA6dMayAKIf38sauKi ++HUvH+wLq39/ZM8kvTbQw9rJysH6C2mabpyFzSwro65a6nYSrGXbZfGmC5oyIUy7u ++K6zeVmSEUFC25C4rqnOmRTozmcZEdDZAvwsn0EyTuWtk2jK8Hi7MJmNJOSpQKHr6 ++bIfiz17CwuurKoGLlgw/HNWfRpSPHVtmm0T7fllCrJBIB6mCawpI7zyGYEu1AwM6 ++VDgl6KQw6/6kPXZwGM7ffK/6Qsettf9keCbbWW3bF0A20Gh4VevYiagAqmQdJS8i ++jimuGNlOc8t/vreqXd6BpVgq/eg9AgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUrxLg ++V1TSrSKJgpC3MabCqfQIPaswgdQGA1UdIwSBzDCByYAUrxLgV1TSrSKJgpC3MabC ++qfQIPauhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl + dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg + SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p + dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E + 
BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL + S1JCVEVTVC5DT02hIDAeoAMCAQGhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG +-A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBABJpKRfoFxyOUp9i +-Z/fWql5anJuZElgBSbEC5sL2mMcmL/1vqkiYF3uF6/Z9g4X1LX4QDuvaXCJSdQ+b +-JpmhklSyFN+E/agxZtSim+AjTgYJ0y+jwNvX6kZQ8fW3VLNJZ+zbb4n4txfgSROn +-7ub+02mo4DYajyD9TE/qLzmVaiKLEKW0osjxX3fB1RN/d7zm//NDPsezzUzmKkgz +-u0ML7HGYUNY3+/SC4ShF/But1IoY3/I46lB6BMrIn9X6fsVKlipqrRFniUk0qDlJ +-fbKVB+MvGEFoqFNlMoGiufmDjnJl4PQZCVEmXO8wAVGeK8NpTBCjltAAsoVJVnjq +-AC5jSAM= ++A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAFMX7ZTpNPdzFwkE ++hrab7fSDeoG+mN0yorY8e5Evx6sE7pXOtHgHIjQY2Ys0lk2mhbsIKptL/R6jTxWR ++rbmU6jFNFeJgn5ba3NWdhlUiZ8WKe2knp6uc9ZDIK007XaKA4rRoHlJ3vHXoF+ga ++JFOYwRzCtAlmsOCQ0UetoC3Ju6Y6NhCXIE8f81dsh6RMADoQT0n/fcLY/JtbbLXK ++ANTIWHm0oSX9wvOU/yZkYGuwcPd91cc6Mea8f3J8D/OiatMZXc3719extmeR6Cv6 ++aba31kv9wtbxVuxkR7HhjlJhzhqfzfIp3tNREaIxPb/qKGWBOjwxGRqSUkdEqMvD ++GjaSlyc= + -----END CERTIFICATE----- +diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh +index 0f07709b0..f77ac5813 100755 +--- a/src/tests/dejagnu/pkinit-certs/make-certs.sh ++++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh +@@ -164,5 +164,14 @@ SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \ + openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \ + -out user-upn3.p12 -passout pass: + ++# Generate a client certificate and PKCS#12 bundle with no PKINIT extensions. ++SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \ ++ -key privkey.pem -out generic.csr ++SUBJECT=user openssl x509 -set_serial 7 -days $DAYS -req -CA ca.pem \ ++ -CAkey privkey.pem -out generic.pem -in generic.csr ++openssl pkcs12 -export -in generic.pem -inkey privkey.pem -out generic.p12 \ ++ -passout pass: ++ + # Clean up. 
+ rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr ++rm -f generic.csr +diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem +index 837fd0b01..ee35e5cdc 100644 +--- a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem ++++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem +@@ -1,30 +1,30 @@ + -----BEGIN RSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED +-DEK-Info: DES-EDE3-CBC,19FEC334A4D4391D ++DEK-Info: DES-EDE3-CBC,7DF54DB740F92845 + +-S6pSicLj30Jlnu2OnYM0eXCvwAHR3xMhhl2N0gheWUGkjicqTdW6ft1qCmGBre9b +-/aTSF1ajvFC+YQ/iABznWNmRNZKCzTK1dQ6P73p83uNqWt/cfe+pVYdeHw3u8NKA +-fscciBtxnHNaAs16GX5/j1XXRPb+zmUe18A+VFMRgctbaurk+KbxO8qVUkzt9NNa +-v5zHkXnaJf6ixL6zR3cOCJWPGy4GmGeFIytQos5Jgn23Pjn8BHAXf39GMs2n6g5V +-eE5RAGDeXqPv/tO1kN0/RSKDeIPvKW6REklXraRUle0PNN5g5l3umSkg4fkplusp +-nTsQCRWkqyVcMpxcf0wy7F2ZPOYIWDt1/pzAHC7y/fl0uCQPz0Qd1smwt0ABKcZv +-m9zaMq6lkKYnBOxPiYIlWVlQi3RLDiQyAWQz/nF0SKsE88SUlB83quySJsZsLKzk +-MR/C+ccSiHqMiDKVj5Ts1go+gbj8Vhlto8jH6ynQj6lrOIczyMmgUa0v0dFH3i3/ +-WL/8ydJ0otY67A8w5yH3hMzRChXQZlpTmH2dDhAv6EzKBi8eIiB0Em+laz5lDv6C +-SfNxZa1/+bSAvXr7LwllUu+Gzbu7MNLwfB2ieTqdFQGA659DjnMqyBGLFzni4Ir0 +-Hi6Uh6yQubTm07oqyUHAsChGFE4Efh4O0rCbKKPZuSVfimUZcE6JM9IjRC/0DIwr +-LZSYqsFgn44byrc62qV2JAE2ua+/4aHHI28hIZ3MDLwyYpCQL/FAUZtqZvni+zgw +-yoHLRDbdrqPps6P71T6Pw6OQzAYC7AL/FsZnLJK78nI+Yai0dpyv/QWiFSXoDEVN +-6vQoDv/VZbNIctr31OE4XyjIMiTpn3FPa3VSbKM4/h7SthjwEV2ONNfR8XQF+siz +-3NhOjEFrZ6UGHvT06wo/hp4CM7u580fNu5HvyCyIwkx9CZRLHvG6Vu0emlzDfQhE +-qxQs6L7IM8A46/LPSTtmEA8Rrn51YY9NChMdY6j3rLe4NLxxOCE6JYaGWVWBBawK +-k3y9z6L9gWRwxEfCgWIutDrYtmA2aj6y/vRS6LrotCNeN5qBx+TdRnh6uCqbi1T8 +-4rF20TVhNZ/l+pkH/ehY9OJ/zpwdbTq4FlE0wWQZB/vwbYP5CZKF+rU6IXnCZEjt +-Ak6Bka9mFm9Z/TvnKIRYiXELq32zOJAuEOQ576tkDX2rAuIQAfE9biX2qo0gbsJo +-1RIfXekRurD/HX54blv5mNqUV34gl+ngPpV5nNDy7RuTAdP77Mu7/ynaPfnM7nqu +-rECbZVv1HZSgTi+7G9SUjn4Bg36p4NiF0/dZ2W70byYIQvNPNqU1kyeSrZk/43te +-NwFgpoAKVbMD1rZ+0xM2YCFFKQZZMN1a5tn8/1TWPlPU28Tu3ZliGeWMdeKd4/MP 
+-vfH1pE58qVcyOngjLqGkk0L5A7WOAgu+vibKrxGxywwVLx/GfDFqnNr6H0buwXrk +-vuKBTo0r3pcbaZt3kaYBm0d3zznQI1O/pX+eGiNr/rI86j4KC+jUSoKi4BdUeuDN +-p1x6qyEK37kgVXiUyiEXO7e1arLBZMfFRTNKVsN5ewL441eCIgs5gA== ++3I3F5dJkYmjX49YRQub+AzWPOJock699vQZV3oxcAabcZWtLVbQ75QBXXBPEtm3j ++LAqb3gRxfETHNHsSIEwGtN3rYre1UdKs3Bu9ROQNTvlbCwRdss3JA1kGhJu2o5bu ++hf5sjpfR+ivf2prJ4whfhb4+efCHE0Ll669V33D2kbPKX0VCokkRmxsIoVtHd2qu ++d1HM/EkjxrOy/GHZ+93mkSeWC4hz56VL5ApGOV4wHuphdvKy121mU0mjtQRKF2El ++N7DtM9/AIAkLPx5wxrTJXuELd+BBDPbRMwmvgqCX1m8sJLJT2fBzVKRKWexowp7T ++d3j9hT+kMiWCTgd4vJ+i/KPkK460Cy9PzFrzCtWut4jh6rZ+F9Tdp1g4Np0ygWAg ++q9tV4RC7ylW0DeseRTXTLuohngfu0h7mXuhutr1Xmq+SoRuhBllZyexV4jJMc1kZ ++2nv9RJ+h7mCAQbLSVvWCZpngfK2IcZhi4hfNiiQ/wqc6rE3eaBIR9E60kaCeBpWB ++rxZm4VHOrwJw0GsaCRLQez1F65Ulk4TA+7TYJWnW/MGrvBptuBamwxk28Ts6eOee ++RVwb/AdY4QBVJKKT+/e3Lfy409evmdTAA2N+tbYzALC1cH4ex4sO0BifaLmKo3t1 ++fC2FLna4P9F17bbjcS1lSWVJKodofUEt4H03X7LaMhwe+sLRuKBIoTH2nLPHLIYg ++B8NO1yFiJPFL0a8fi9kG8JJlCPkASQC5vcYg6BE40b7h7T4qw0HmkuH3i6TX6bsG ++nQlryJ2BfQM+IT3MTEh/T1iHPZcTwFLPF9HMnZ/ydL/nM2kElF6YfMClFvuDGULQ ++zmsvG4D/ndSisapJQeoevAwtCHybh8/3cy8CoAjBE9C1JlHOvP2+64rzvFVUAKfa ++z5aZQQJKcdXcKcM8u8PgEyCN5x5tBqWQjSHR904k25KRkePAh8SoiSDuNQPwtzbB ++RHesvkaSXuUaN7q1+oJzeQvzO8i79ud0Diu5y2KePrlB4HBSWCuWmvz9U+WvGBiw ++KpEUAp/YpkqB1as4IUBDNjV1Y77cyUZ+/8EkPgAvB9wltCCAyQ5xi1h70cDJdabj ++swabRD5JV1JLalFMDrOeOPZh1heaTNHXV8f7m8rMVeYVzVTM1JoQLlvKxcc3LVfN ++9RLn/vTN7Ox//+385UiozC/PAo/Cep6Z1Wz+cwsd62HH0LVimVt2mrmHRKY983cw ++U6cZyhvcTB5UOdJdhwbHfnxQipWRu//XRYY/yVdB6W2J4Gzh//adJfKOmHd8+cB+ ++y8Q1yZP3diTGkhyY9pkXS7Gv2Q9mcXlMJtoyb7rqBIL/osVTKdsZn7Cj6ZYB6ftF +++hKQKNs/bKXYs3PF09UOInfUf57pENSr1AQBQceAisAsr8znRYsFlpqZ5L8G6um7 ++XBneZ1RBj41wheB8g3kL6hj2UrXrE2rxDAw175a3BaxP/Wc2JgGcBWyJTVcZ35Ab ++f24UNlrfcJdgEFETEiy12WY2VaqJCSY3J6YSimHDbffX+ku8QgU1shZf9z8K1l1A ++OJQzbjlxPZT/k4cfw/Xi0rHdgWGcmL7tKLkTcrG/AixdEoI9KCSlQGSksI8CfFmj + -----END RSA PRIVATE KEY----- +diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem 
b/src/tests/dejagnu/pkinit-certs/privkey.pem +index 7e9beb09a..548e5a8d5 100644 +--- a/src/tests/dejagnu/pkinit-certs/privkey.pem ++++ b/src/tests/dejagnu/pkinit-certs/privkey.pem +@@ -1,27 +1,27 @@ + -----BEGIN RSA PRIVATE KEY----- +-MIIEowIBAAKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTE +-Zp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW +-1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV +-+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6Kn +-FRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91Ddv +-O+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABAoIBAH28SS0ygFvLq4gw +-EwJOJYxeswQvNuxp5gcMm6tbyqkjEHVxDtkwuSQ304M1ufF5o2lT6Wko7/sxNyT8 +-Utz7l2JRXL7E3U6R6ohgm1tTyHIVY3OWWCP5Nwjy4BXEwdVmGCfKWAP/+P0ajQmr +-pguK4/fmk9TIIzf6Kd4u0lOvYcu7AYfaBj9OSSF08IoE1EA9gY3Mh9k8C3d3JDhG +-hoJKwMAIX0PRyx6cvmpuAJyPf+19K0/SmzpbdNOHfIXZKtfYw3HxmebhhyCxqNsY +-opI2fpn8joasvfcXICBFRHreSu4nKc8ky6FkMIc5KZRiSP//N3oFM7ZLxciMjfgl +-bCYqST0CgYEA7xfrB4atDYApsmLk92uHnC2bOmJhncfAuLHh8M35fk09Jt6CMYPx +-Ydp4cKYzMemO5zzHxdMnlmISIWWtNbm/gR74KZwOmhFFEP2LE09hpAXRBfQvN5af +-RZwMZ9uyJU5ByecXbIt0cuNerl8sKJfG1S+/maD3dZvr78K4Jd6StTcCgYEA4ozu +-okBTEZ9h7lxdBBbZcO8i/eikPeKnCEBaSryf3K3Pr/k8Ssaa7MYOT9yD+iRwU/uV +-n13BA1I9PvdcWl6ewZdOYX4jCVCIsLs7ed4wfwLxGQMZIVHPZ59lRmVsZFO08g0D +-27U/rUZBpMHl+ppq/FfBjyyUSqayKjcBoFXx0XsCgYAOzQM+pwaldE6gfWDBNEXj +-1Crs1VRHqSr0BAcBmi6cs/laI6IZoJpbvWOBTbiTmWrAQ9H2HBkyRQXsTVgIoGQL +-gThJkyCQRwtoftmSK3LW7Yk//hrCLS/U5lEaSM5hYtPNxOF9VbCywAKHdtrL9IFZ +-hygsQXuwKyPS5tHxfjLExwKBgQC1D+Hg9vvtB67jLBqDHCfopJcYywgJFc5dP+Fp +-/dreKmPkxpMzSAul1Jy3owwvrVPBKz9nwSxzlRSx8Ex1RU4odt8D+CXUWfMFHH7q +-ZXPo7tb2II3DHXlf3fq5CnJYtLXXBiPhQriDqbTpErbVVPjQeOqPnRdfml6mcpPw +-KwA7ZQKBgFzqLmWqy7ZnZdbBo4CUUt6B12eaPCW6YNpOd53zHOphaiZLq4rEhpiZ +-S6JYQTEQYugr0yd6vxsVL2An58niRg1sM6gca9QqBlGMzaQoXaPx6OrLW2WoS5+I +-MmVTeh7yvdop+6gvR8Eoh4cI0HoiJw8oQOOneiXVnh7Izk+WjKXb ++MIIEpAIBAAKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgC 
++iH9/LGrioh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22Xxp ++guaMiFMu7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZj ++STkqUCh6+myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88 ++hmBLtQMDOlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2Imo ++AKpkHSUvIo4prhjZTnPLf763ql3egaVYKv3oPQIDAQABAoIBAEe7ACa8d9qm4SvX ++FYkAjjakq/JuxrDKxhyPf6utMXjoVGXtDs50matzI1DekVMxlUHe+O5VfMkvc2cj ++a5SXY5n9KqRuGKhzWFBoDnxao7Of5zn5dqE5szGJksjKS6pdZHcutXBHtHKfGbgo ++rJctuf6AaNLdKfI0TFz4NjRznrN2NyFQGhXzPpq34Qm3Rg91hVlU3A8FYjE7ez6b ++vlJBsbKqnvzxEQMWTk0z0bWC79zE1ElH3Hpwfwb2cG7H4EXf0j6N5k2zODg7C45I ++xWtlES+OpZqdDH6mKFBQojU375j6rb2plZGkTA+qxX9GvG7GsF5aOM6Wkge7SUeT ++NUY2lB0CgYEA83u0TtxCMye1p+ykZwQdcEKR+l4aSjNsM2V2s8Zy4eZseR7f5fgZ ++71ggIpzK9pjT55OiYJOwsEkZAPB0gBgiEcqJgow52w3Hg8sUU5LBEahUpx3Qm64W ++64WNIOL9oVXYQu1S/yJ3iWPMQcH1xIlDtPPC1LH+yHyEOnGe4szIeccCgYEAyNkN ++K2JEbbfK7Wsh3/MOtx5KCkzJzFClTSQZ55IxRUf+myauljKt+kI99jYV6eoicAJv ++SMHQeYurLtSkhuyptAHUqo5xgH0HZ7cE7LV1nfam2p588Yg21nIId9XLDPK4AvCx ++Phz1oznaiGMu4jB7esozuW4FKxB1kRmUikM8bdsCgYEA23jMRLFhsr6+jclPP9SD ++vKck8mtUg0Hq7EEvSEk/UMTlTiA4bhC/P/FNtiVjBfkoOXvoR+mYwK6DLUeRm80l ++GKhaXySLGhtHllK91b9Y7NOwypqjaVD5M/9EATraqEy7DUjjITsuSNd+TF/LawbX ++0wpOum5fXNRwVEYKlCFHLA0CgYApr3LeSDzvkK/batrTAj1RoEW5sYpIj4xfYFjI ++CT2UpYagaPzfS5F0WX9GtJ8Dt4aCPN8f+KnuMCDNTXEAV+o45BBhfcLs6gY5bnDl ++OBw7NtAWm8JO1viatXwwcvz7qPysD4yZ2aTZxc4ndH5sj6dxKrpliAIml/nuraJ4 ++t8+49QKBgQCxJ7ZDlM9J0quVivSui5aoZ7iLEiu6GSZ5yF1HSNXY69OnqQK3UxMl ++aERCn/cKqtquJQK3v1IE6k6uAaoM7PXDVKqKSH0Z1Jpqciqjg+J/i7Vym6oCdjer ++6zt6P7Q13f9X9uUlZBnNrT9jk5WjR9pSpxAc0vU78VKa0lZMZ3bROg== + -----END RSA PRIVATE KEY----- +diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12 +index 049602939def4be1fa9164649b39a801f417e74e..b2648ceaa04be6a560966a414a7bbc8ac022c20e 100644 +GIT binary patch +delta 2706 +zcmV;D3T^e37L^u|U4IAu_0R=Q$07m(2mpYB1u!tho?ixcuO0j=`>lGTs)`UgGm<_) +zpKPe)yNdVeYJWc`4 
+zF|P^R?oh5stR*_(MT+TZR4{&W9qoqi)f&pBxOiQbYZZ1lmQ#Pc4q?TD!0ns{qlu}U +zz(Odv2K+dfougnpE_VouJ0!M7bt6;%w@&*9{%SfiDrvUdRZW6CSckeD^E--2MzmZD +zliS3w_y8kT@PFwptW_3@*xAKJ7u%{U_HfDf9jg*K{X<$ZK~Z=^`bq{K)M1SMGVQ^? +zv#j3vs0HG{g~oN&R6FPVPVchC^z{P@wq`t};KFoH0iPJC$e?G@1S`jv>DCV8RB0 +zmIsXlD|}<)cCDUm$lZ#mt_Z{Bv{YU=x+YDXTvPmRZqmcS#sZMLcxp_X>UsXy*q9%5!2Sahq`0+O!z?}T +zi$jc*@c*4b82s)hz9gxO-sN=XmM&gwlz*+BOwds}(8bcfnOwG9>c4M41I>BdyIE6( +zXbn>T;bsx#*{293>WqA>Y^T8DHfefzJaoF~ZIQJHExS&`Tva3s7=r%MBNe?|IHadr +z3;)tG~fkk%kK$~?KlYIw23fnj%9teHJ@ZW*2W?&0_g?~!F +zv4KH{ocV+%s=kSCbfuiTU@S3?HSk;9`=V>fXAVPQ5yJ-A3VGtMn$hyJjBL>)Xat*f +zk>LDwCgwH<7MZbk%enw@_RMCIr@ki6QHeb;WK_J`RwaC8Mfd`O!Ox)RKq~fUu_iU>d?3o +z{a5i;hDvlYB>6O@o?_&bd+Lyi(>Q~@du=M6Hgdv6`ogLgF)jrfhJv2PHS&O?EAOq?#SMnKNcb&pBwlq5g^OegV?n;MEw^ee; +zNAm2zd3N1vCWnEDkE2q@f3WB!pgs=2pUxlBhb1$h(bH{Eh$P!rF3CGZuuACYydDn`l00e>r$h%Gmj<@&l(&Xw}Eidkz +zz@_D66&yL_Rt&B;1I)=kuf6ANgrS(5a+rcm&O0Um(1W@-qtpcTe1y@SR`1y2+!Bjk +zQw=o(lgh9Kq4o>zszLR*B2s9LY?-=8`IIV7);U#dMhstBw7oiDXdQhCe+i9pk0cnV +zMlgF0u95BdPI`jmlfO~!!}altl{kMJXBOyAE&JL=v<&Va3rMzRzEl_6c~VY?np>Zo +zc?iAu&Mt}Dt}KDnI_!(wF&W;btDeR~!+4GFOI$qsL2rSj&Nf1Z`%l4{qYJ4Qo$_}# +zJwxm6gK(!^XH`H3GDvYMf6ZXiHexfG^(D-Fhn88u;X368WggB2*>Np*Ni+Go9sUe9 +z{=o5{uwK>`NVcYMf4tOHNIsnqr!Hx^gA~eWZks4J^1j{2p{HG?g@>qFF8lS7+k^J`&{T!%j#_zl8OmX0^a|L_Hb^Bf&;C%^ +zDRf4UJIncVpMKi6e_ptRh8&L~a0c+OZyUh4xk_H*ZiVT9oPj~^=?cH{ +zvVq3YVa|#w$>d?3-K=B$mSiz|5L=0aU%z0r5=NXvy%;*bv}`8zSe%or`$-|90;plD +zBMc35ZSO>Cs2V+WJaJ0#L+Y2{w9jWYmI~V$Xh0U}91I|Pf1})&1-$>cf4IK3avbmhiO_QH +zUzb|*rY0bBQH(2Dz0^m5V`6s!4}lu+2Z4sL!Z;_w`zlgnxe2p>);eKXeRgPbE8hM) +zh`oOs<_8p$e;6ws?`vcLw-*IKpOB*Ser86?AiRqkbxtkcVjVI7;D@#G#Zz{htm%|t +z{IL@z9azcPs?vP_JN_heR0Dg%Z|rV#jIu&Cz<+D|zX&(+Uz{)Hp2UasosM?7e~B}} +z@Uc>9Lbj7eqH5pI{>XB6W3)`4gbWgDP6bb^t$0U;e~hQjWsuc=W%5osyn#COy+0Wn +zfXyb`UV#nIfFOyKcTxpXT4y|ytF%_1G!x9h^LdFL>`qCd-xJuFe=Cka?oHZzMvv?F +z4Tv$#KpEY*>=SF~eJrHN-&}^_T`nbeQ#*zvBRah$g$#AJtiay_Dr(%Vf`f5yT3Wx4 +zPw9EGe{U+zCREP#EnqfSUY`b6mlSFbnd$rpIUC2?Bx* 
+z&*ahaHlnLZq_)8PFZU&7S##TPwtTI){S}rL@XarlH4%tMe*>vZ$pfl61)r>6REt#6 +zA1Tmhn;*&xXn8IimR;1v;fwKcbLt}hCu@0Ke_$`LZOuZ5IpYkzdoDeo7LH_jdX(6n +zI8<+LlcXr9=#AM@2Sx-NbWd|hrC&4HEsn(_cD0F-dOu17hU<54gBG6YK=4`U_l4`A +zqM(8cTN||R5H++bkzne?q5MIh^^GwlFe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8 +zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00b00NU*E?J0(4Y+o=|f0;Fia+%K{O2)&NJ +M-JAb8(*gnr07yzcC;$Ke + +delta 2706 +zcmV;D3T^e37L^u|U4QCIImcZ#q51*>2mpYB1u)u~5}22I=HT-d(%(f9DXV18Kbvj` +z^Vtj&rJIy-KS(<%B=99oy)c{aYIfUfQ83DHHOZ|j5N)Uw`u|wFUxcIoSdpz_?)9%H +z4jelm#2iJczX|~|@JmP%-E7N|LSD%0aE|sR%YoM&yhB@K41Yz9lq-Pj*c;G_qu!n* +ztG256pZmHRbI1aKr&uCUv>WoW;LeiC%96yY!X+o@FzzAxrOHu)3g?VLl=`oYO=8u* +zFUXhf-E-pg$i=j~J5AnH&n@YvQR-2plWV!|u18vsOGavYQq$5K0c{Y)cD=>F@sB1~ +z#Ce~xs1%rGd4G(-!z|O%#O_xY2j{voND30(DGP7NkMXu3u$QVLc=J6%CHpuQKR%i~VGy#97gZKGgC +zQ)7)_hvF$URord*Z(4C$&;M+0oSafecrT1A>TOAXhJPO!S1Yy!|0t8mhQxU9F8H0X +z{bS7WoDJL|;>UbB#Q8kT45pQxG--}vOh}`IjL4HRI%JT7=!MOS_w{ZYQc1Wgh<|oe +z$UCUD%v2lcu!NkaS+WPMqtPJpP30!cLsAAZhJP@(6PFg+r~_<zPu>L)gER|-RptQ7t2T%-w$coS%U?y2ty)u$&%U58*x^dW7 +z`SK*%R6K^ppp&Wo_dd9jlUx<%Ga!U2uD9oPe){W-$sAC0PPA!QYj{>3|COVWx@pS^ +zdR%$)XWB=Qo{$wdCUX>$?lfD!Jxy3?UC2xmiGLhV`RaM#xn>#Hl~j;aRu7ujxtJdV +z5)OCd6$2Sv{U)1)H|`*tznwIA_Lu0xM(g7cYqXUD@0)zWD;@cM$iz>33hI&n$WKkI +z?VwZyL273la`IMNy;tYMRF(sMS(#LpN^yUMz!Pw$N2vcnTC~i=mtZwXPXpou2Y*IPGGimihPbppn_& +zRXBY89ppNtTpqy$L5I&2jYQ23<2e0@(|?7`1y3bhH4C9A`JcTJ +zs*Mq{z>yus8k4sR)=<1ex`9V?dYzvH0P5C26D4493!(r1*M9|H +zKGdn}RlVi8Q0R29 +z1>lc3?jlMQ$F%QZs$yVaL}+TuF@LQ*|2oQf6gad;5|UIfZNwdOVy>MTwDGXK0pZYq +z^=+s6V0xCsmO-;{zxI2J?FM61!lojJcLxx`>wst*?}YyyRfPPHWL&x?0k-< +z*`9-8I`q-`7+Q?mYB$<2tLTxDr(QAj_V@HuB~m*PuA2~|AbRG>SaP0yE=us-t=HQY +zg~<|Cdt7j{a8>OwxZuklbr=dfAs{AYygi_jsgM*00e>r$Ow~3k+rOeO>(s`grF?$ +zJG{bdqli57x@xMkpB3?9W>*jR4I((MPl$BvNhVhbw?_vgtkh{C4|j=)L!maakLdv;I? 
+zQAlp`ykIYDUK>4ac3hrzJuJgy{liWNPtKgmw!Von2J@L_?kwdzL +z*LC)1U0nZwV%P}Nl}uhfIo5hPM76mjv_P&mM&vHgsjqj|mewKje*}5b!(zjO+??#p +z^+fSxFa#sKMfh^V7pW(Q%@sfS$_a6jt%35LjT(p^IHot23x3e7QBt|q8Bx!}hMy)p +zjHIkywUCO1=vwR+a-j{-_L(+dG~7>h(22dhbKe&sw5W6hB_qBi~5%rNy$JlVt9!<+)%x(%&o+O+@b0ergOVP5w6uAeaVE|mzfALIEdE(~%cEj*Nx1l?I)xNe5I~CB-XG7RdT=};;vL@W}qgN1X%CMMTb@z`j(^Hxg +z2+k}O+$v2Ie|Z5?WpteEE^-jk3x*2kq +z{l#-|^i)J+)WGL>*FSJ+u}4ad5!NiRTj*bBOEz4N1ylP +z>^0wkW58HZsCHK&O*4YkvSMBQ2tO%OVIE`(y0uWHS!>4~{B#t&21e9&djORBw&Q`g +z2)Kc2)NTqH_|x#q1O6HWS5W|}5BOBUZ%Vo9Qw5NOKV&)yHS`wX9$DV8 +zZ6V?M9adFv7f3LmPCzozft%9ptIIDEtwklxf0b0u(0L&L4qp#ge@p=B*bmxjw(;PV +z;Cshn-XXPKyoA+FG;h}OQpsj+-)bhjhBs`0k|`c7DQ>1~Bt@|RjJJtP6KC(6#0L4m +zt*tS%Rdoj>M3SepE)k;MCOV%w_xv#>Fe3&DDuzgg_YDCF6)_eB6muCT6bLmUm2E6$ +zJled0QvX3lDc~?MFd;Ar1_dh)0|FWa00b0Mw6Ml6`rPp>w1kFoo;UO4PXV|D2xTCM +Meh!`itO5cE0QPz^F#rGn + +diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/dejagnu/pkinit-certs/user-upn.p12 +index 7a184f651e50d1443e5fe907b5a11455d69bc0d1..6daa5b378b83e9d4134ae48f8d1ebef715bf6cf5 100644 +GIT binary patch +delta 2698 +zcmV;53U&337L68=U4J7*Cd0h`aFqfA2mpYB1t^AZ29wx*eOgc}d`r>Q7K3iXfn7bI +z-h75b<#ho7#K*k@hvV0DY72cD-+GQbBx+_M+%n71zn +z#X29cB(NtFLejt8_}`1}u<)0Fa|N#PFrop1;9l4e3fW%nAm0812NzC2PWtG5Q-Le3SkbJQ8%$`CRQF5lvDMt^VA%Nf7 +z%gqA3e;};~*2a*2L2#V&7p#=9h0m8OkwZeltqP35E+5dzCHJJcdi2I@dxk4_kjEOT +zj0U8U0++mnH-9@Zh;5`5me2`GT}33BIrtwbrAtxQU_u1LtK|{6gpV~{xkE5ejT2ih +zN^~x-hZKe}PsA-74%;xY +z%1B^HDt0=soP3^{EKJ)&_b-pfV8cwL_(1dml;Sji;(r9YP~QfvMIR=;$|FM4HE^b6 +zOll6EI_7z*5>D_vgiic>K%ddTL?+VkF!(XYy-glao-W+_2?bN*!b-%g+(*LW1WU#4Df_kOw0G_-qaOq{v+SRpmK1m*tb3kPzLIGjVa^ +z2hUFOzaEpi%o&g2^lIMNwb&tG?#XFJz%l4U56fY`oz^klt?AK +zuXwGHf}vN7zq;z1mdw(fafua(ZnorQ`;=s@1b^+)-r`oP1|(c=7dWrTM*Y3X!S+-s +z6yvzsNy6{reSb#uzqXA*j?J{*SW(elo9x=4Tgvmk7340ZG;`lvBR3tL))izIU+caHn$AdqnrQly +ze+yjHVauRy-|J4u6<7{TTLNDLr4%Jx7=JHGUoO1>1Jcfv{I7f>&cx$XLd+C6{T;$@ +z!JSbO;_3Sm(&oAtwAZTwA;V25RbO9psZt* +zln}2yx+-4*YnuuI!9EkI82olCom|r^m3LOkVwF_AlZNQc;2PpCjjVZX)YexUPnw2 
+z_$_(XXS$6%xZjS13_#*rgWL;?J<7vhZ&suuk^}1zTKrxKS~8Q14u?oGg}H +zlv+EHsJHLYhdzk>*1*x?GypZ%k$)pPwmu21v!s;VGk^k+YzPtgAL>R8DmBl>#+JNk +z9u*4ll2JG9`v}C4*CP{?T!#_a+ScwglwY1hLX}2-)3S}nNh}9HZ+}fv%zwfwr^~k! +z=rp+UoO0)meUalXvhV<156HPdXB0C2j3K;I>+=s(Buy-477MAi_(gcw~VJ;|J3AUk`);%Zg&6=cfM%r$Q?RW!0hdBllOO0 +zTK$e}^K!@?la&QVe>VvCGU(Vo?g9b`00e>r$fO@bT)QV0_0B1+RtRaRQU!+^G+F8ByUATuiqPku)}3=nLROGQxsSbkkY- +zasCODE@NO&{NkW~>X(G9%rXzSV@mm{^~LPTEK*0Wm{&=#e~+kA6Ku&p0j~W>F>f{_ +zePAde#=SNS#X0&z^HzqJYAyDwxNt&TfKJc%3yAgfrUZA4_&$b8o8XaNZw=|8qY +zljvN6gHeh`L6q!)aIAW3M| +zku8zILVI$GTwtMdU?^96# +zg~=M+e>pl9)d2Z?X8#?o-z0==7jEP#m#A>bdA2062BlD8Lkw*A-P*PsR8T~|$qx;D +zg^_hvYQOo650pOQ9dBiuA#&WAk;Ae&G*Kp;Mz#)6aM7P|YSDn6RK +z2FMmd^WV`rg9qo0*gPnx{M#w}w_jIXLt?Htq?997K%)maV%KC#Lbt!#l8-tKoQ$GB +zXiH8|epkkQXRPYNxML#!2-7pL2YG28Kjpo|2b}kK?f)J1gPw({=3$W^com8c3Ye7dJ}RHz +z*vvJzwpsR6M44c_{jk~~Myb{^rc(sqe>x=O*QBRH4UGQB?z&_Bm@zH!#+>l)4pTGr +z&x}!IZ*t34iEdy8K1?hC686S+fvw2MM4b6|ovWo{VfySc*qk^hH|y;Ox->fB-fZW3 +z9P`l12ah8*RP-+LVYybf +z<$s@pM^MUhoQy-XmtfWe_GYFerm2qLg%H>?7HBLGv~=PBmQW8Ay#|QIkK#;jO;$81 +z;Ec&>RSgW` +zXj?}J-UUPY8f7(HIC6UZGfOfO72c@ABwq8tiZ0?s3(7$ +zxM}RzJuAa0`@+dpgSHC=ye;ze6=fI5jLQm5(4O@ywKR%B(SKp;94zpF34Epw$elea +z9!~P+oiqK>Q_>yAd4Fbui&Gbz+?SuIr3+{gn2}D)4zKA +zw6q+|xyzFg{C~CJXs@2^$asn4KAS;Hr!s53%;M>!4_lI!j +zE@siDP@6({Y?SkW5h+LdIH$!`_-XqxelFC+82Tg$EY9PMt$UIeu5 +zj=iT7iUSA-e*52|0Dc!;kRC(OF6vpH^HL(#b3Wr8xr5SNtP6{wfsN>aHEory +zZz-!@F_mMHzsyrd5SFu-?*f)-4@0fWC;9#&dw*SQ32o63t5Zm+f1C1bL*s$N7grel +z=O+Y!#o8f?VAUB9+;Hl3)PR91eu?p_GHL`ZzV(YKX%{M`k(!63Bb|Ob1gX^X;@_0swMf$S~y?O52J5Ow2Ei5EeZ0liT|CpLX3dRe|Y?h-)%* +z1Ahy_Q}w75-Y#V2+pavIB(a*V$3IEPg?T;;_;l~R>6v}Ls7>PH|CSU4@((!&99d`8mJ4VP6tfU(4xw}bWH@+eq;9;I?L2T^2F%;7KMe9jrkMY5 +z;~yqZdv|HCk0HHe6ELR7-?n0PnLebvx^Hl$-REUwC2Ty#$UDZRB}HY213#mttD}( +zBu{Oz+8I6(k)MzWxr$ksqyo=hI1ZhXWX&Y5JiN0mzSsk}t- +zJJ%SucVFN6AEIBj6-I!tXQhuHr>X^w6cJM(yq|zYJ;?@eY;==f{|XXanx4vhND^Z_ +zVG0NghDtq_C2zj$Dz8C#|AZkOPjw>3G!iII-&;gSHv%p#e{RGu#nP4#fobQPcfv18 +zgrG+nAHI;bL{ylamN8W@lZ^DQ(sR 
+zT%P@xq9c;o5?_9TBIsOs|hcX>KKPL9C6IfhyjT9og;C +zTTYklra)`+#hT@j5b!vTCMRNv-&CN403}aafd@V%?CBOpZa@yL63{b_VYz#)84%BP +zfYP3we-mmC228v;c=3=b_ySr8pLt+9&oCknyR!6tdU*&t03h4#MVDePO!=PdJKgTE +zaHJvVh#iv(yLboW+T3TYbSszMmU_pnlTuRonrN;Bt0)GPvhsgs*~x?(edh&W?F?mzlkD$J3Hfwl`moP6Hg%s+6VJf4+~1Rx+6eBhwZUl;!=3s8jgC!;aQf +zD9Z@?L2PX$Ghgizq~7d-QhTd>iMJ9kiDb%Rq~);boeQ_o6Gz>K3&BxCt+`@~nJAh% +zg!EqIPY9B0ewTqT;i1r~)!+l+G9oP%4++@@;Yo|$z +zMwTf3)yGj9S(sW_1-Kzi6+3#SgOCRWU*>*BPfO6cBnql?REk}m2!l~16V`K&3x=#~ +z05!gcR0QYhTv!?>tIt7C*)hIDp`l^Ge?{+>tH@RY7FrUffN~A>;tlE(3sD|7LUANB +zis>fX5un78BnY6sbwqF=OpLF_K}&sQ>&x9L3ga$y?=2hF63nby&Kn+_8fYj=Q%qs9^LzWtFszxdqjsR&mys<{B|EGHk9GANU8t_m0Fe?x$v +zpy|a!(Wp`ffAoA3^XaeEa(HpQ9c1?JtW^k>aa()*8q(TFBZbOowXt_)DRU3xiT^R= +z=F~RNdSDu1@)T$jO}aMmZ0Z-E9f!w814*M^g*;BUCL)C0s^{0*#IGyLz;78!^?dxg +zVlRVeg08jZ18}h9;65v{AH^?-f8aiTOIbeJluz**@tGI6G+BB)7Q~kN!AQ{g!qteM +zhqd!L(uO>k74-EEJMTAE*X9x#e!==1fh0RBMQN77*2GhWj_q=-;Wz;n_ig?}US0W` +zOuQS?@DtZzW1f~nnyoPEU4QEdRHRCfek}q52mpYB1sD{K_#Ii+3SG3sHqthXJUvY<=YDAc +z9#;0PWo-O>j);dWavz`vlnJdRTmaQEo(0cc+s7lXMT_ckx;wyC2|pOcNMhk2NQEoc +z(*6LSNK&b;J(RKHcLgS$UbyOpsCkh&(Z&4JM6@2PAel3A~|!xb3Th5gvs +z+2ZyxIT3B%aetn&kjA>&caGx0pjK-&f8Q_X>G1awp^&srIY7Je-gw)mNU&6nAKeV@ +zDUyEhZo?kDw^KqVPWeWk-%0aRE+Wjuc3X9h@7jFk@Bt8^KtvL9oxdA)#3I|;*|BOo +z->lHL_8Whhtz?3eZXiK#wkl>sh(V2h>Rg}a(k;J|xPRt2O2Tj<96swuA_=jT#@8zR +zTsY*e-_N+_<&h_dPb%s`G69d~tdf<}E{REDc=M2s^y7fW{0hfw^3IhGV>@v#&Kq3} +zhwf5UAn^i(2RW!~epxan!iiQi1q9E*i^;IyPET${O0wgRN(&2aaM8OE5y7A05(S7? 
+zsYqm-b$@CJke2fvwgCDwtGEZSH5p4N)(<4?9_pX)FmKp#;CJk)fx47Q!Ji=>(`gLt +zB9@RMXeL6z=WsaVZGDZy +zS;DhvL?nwM{iQ)K1<=B|aQg-X&IDSl$A~zKkYo +zhV&KKYp^vG$Xo#98^t%_%B6ouEDxE%5^=ljeyV}hvfWi+B(755(_^ +zyBq^D^D)}0ODnN{tCc;IJ~a0+z_Z4F{>vTLxtG7v-n?O6^jolP-ZweAlZ6FFe`>0B +zfhbF<9s&Xg00e>r$je4%i&omIruPaAML(chuA&9Npn@rycZovGBZ#}MmPoP7HFyS+ +z5YP1fO@E2>32IZ)3U7So39tUWihv|bt@|JD=G>W@vLbuh$`t2r-H%|(HA#7Z7W-_6 +zMx(NU&So_YHnXHr{(L?L$F@_~eG6X?q6S`WCfKOSVZ2DhB(;a-fB!!0 +zx12RrgaWp +zY5qyxizI4x;ougu@A$3NK6q`unhku}7(r*IjuEbk_W?J+^#5)TU`GEu5)6)&$OQdF +z;-goaN}BKgkRb>#!sPGo0~l6y6J_wWv)T|RQ;IHAJzqBid4iXawd)P0rV6^HMLnb$ +z)*C7%K6%-JP9aAHs48ype~zwJly9JZ$}NYKx-Mp9`1s6RNNL#vLto*^@?m;nGW+I= +zWrFX-+Ya8`rQ6nHMD*!7*jvVb6y)NbtGwi4TGa~%?hH{~D+F~WCg$qzYa5~Jg_L|t +zRR4#x%vZ6tegWzpK5qbxOZlsQw9ed@cuy1?5hFwQI5x`5k*FI1f3=Bo6N?70(6E=! +z)=e3F8h{}lF=#L0^Xd)rP>R2*=*YJFpRmnBBqPdF6~Em{>vK>4KYMxGKc(f49lQR* +zpC5e;d4$#Ea4PR55SyjScaGF=qC5ad8W_NCb&1?YgbKORkd^;He$u%fp+PlI)X|mz +zVstj3!6b2+*r!Dke}#limlzF>9>fdN{BmbrZ}WBUCLIQZ!JJo(?`OTRR|!iY(4U7e +z$^v2Fxgs0I5*}XGJhGl7%`WX>-$vfL?F|tI;2fAi`BD5;7Bd#Vy+Sw;PxmH*ra_J0uID$f8R;tP|Zy-aDWv?@#W%h +zgadvFj)f%M9Vnn?eUJrGfhc=2RDa9V +z>FxIlgkKyC(TX_6Co);|LM8Y_i725KU9m*^TC$^0OB)4Q@!qg|><#|?M~Ctb+P+hI +zkbMqX>Z6#Xe>34_&bOc2;_=J{oyk_Ny}nc=NryDiE!$)Q7+PK!i92EIEojc$?P96m +zc?iK(OD1K6|1g4R+r<@Y5|Jg!GwO8#LjQ})>Ni^dMDAw0p*0`d{zeV3zaLZ3oYpEw +zH%D+{4}P!wbSfTH=8xk$*K9Gx2wGly)4dY^K_bE!e@dLK94%Iux!tn5oCu>-ve@+_7Qen#! 
+zCcQI#e_G{j=hkznNe7#RtdAbEF26Pu?E0(v%|h1m<)!3M1d@Njft3yg;C}h;Dso!= +zfAFsv_<1EcnjXbW)|JR|FCL)ej`wM6w&%hWM}7Gk&X#(57o~9AdT@&Zbv}$YQU*8&0v05$6?i~s-t + +delta 2682 +zcmV-=3WfFk75x>EU4Nojn7^Afzuf`?2mpYB1sEA6cU;`CoS+7>CyWFQ$f+`W0i)xX +z1IMo8fFTH+Sz>3S>Uht|Eny;NP)?BG$3gXhG8NY)?NxVg6aGis7v1YDigSP`x?im@ +z`?Db1bRoQBgcP>Q+5v3SBB~AyAzr+=xrsL^J*kw{1hZ5%a+ +zHc2Xg8*)=q>SP@L@CC{#w>L^Z+J&6pnI}#Mq2P6X*Nyqox5QLoU(Jpxpoq&?#cuXc +zXJAXQt}I!EzNSb2ejUPkjluI$|4N3SNcUzZvV&GsmZuciaq~wn*p_S%?j(No_hj!&e-e>lt2Pg<@@fsC`72#frhb+0TlAJiVEMe+^V +zdV&&N)e5!qVh}cr=ge)HA7V6&5DHAbYHMo2Cwb?2_HFi@NgTia_2J9}>VmG;PF11h +zuX{^wYCwv%P3F#g(FX%|k23^bb3@-HU&VT%}IkJ8+A94z3vJox8pxZTm +zh96kU7&>62DbVf_jg>pF8CWC|H9xpweRbyo-+3m`BB;l^m|n5?F~-UAw2Eo|Upr51 +zfzm`i1<%YQFY4E;7^kKDXL(Z>fhax#kUom*Hj0_R>A-22fRZK89x=g|&JSE{W{2vI +z^w^gDgMa^gOhBw$Ca*O&b-vw=S;5yL^$nwu8i^;~ +zmVO3ig006aRom{J8v_Oh6k7nJM^oOvgO$e?LIcUe@rCtq|s3&RB^ +zp*ri|HnLH%?bY0wu{FJ?nTgs5ZEh;!_`)$2#t+ZJDuWwlGEIQ!^sZWqrL^=L`giqm +z34aFCQ+hfGDFnHl9}q8BCSMbhWO{0LhibaOL`8zaZw)#kDfpVL!WS$Bf|Wp#SGs8z +zuMxe^2$FU%zGSVpNVe46cBmbY6hqiGm#PP&EQ$kq_W{$pm06H0I%gFf)9CYmtx{e` +zCJomci2D?Z;c$t;*dS$k%-x!+$E95H>*!vWXOLFkcWfP(8vvqEm^ +zD7?NEyE=lGE=5{3&E1qK?Pq*of+X=YNRd~ny(2zVQ$<$apcRzL@uGb_@^{?HAb*II +z$&EQT=ZqVQpB3Q~c_g!iYNSeNLJIbf9LS;cn*N*`225y4pWcO>;8=j3zmG!aoO6zN +zSv~SZC)THX1T9jO_hUY0^=Dn#Xf}@Po+cTbq?@TM`@ji}ttmn2n;Sr4S<{d4l2a2) +zPS}ZZea)SIItKpy^!VN +z+N>iElo8@Mr$PrK`e)v)F{}y9KcSe}c^NmRCcg8to5T>| +z))WBs=1!|VB#mFx`T^_p+=Pn>y_{Zw#nr0X{?<`094{ph7>-~kbq@olS=kAbC8n;u +zqo--UqoV^)&Jq=A_HU}Cbbqn(f6FcUJe4TRe&a}TeVj?vOMT*nA50LwT!xaLWC~?z +zuR;Q1O*uQ+^mH=6@E2eV!vRW8xN1V^ +z7CvAHrt*6lqf)z5mkVEybFjWWrp|)?J*)@-OENCPO5D86?t`Ru9vD!^e;eouy|I2+ +z)$WnuN?<+4|2P~77T6MX&E~%*V{m1X=w~b<4D1y6!fa8v^q-RT@mT(ydAbR9tx)Mg +za`UP#n<^-&N3T@x%5`|IYt`Dh8FG&3*k>3@-f8ZRSjJBYOX+8{Vp2tFEQl+0M92wn~XpZ4n$&REI$O|!A +z|C&upTLIlp;Cd-QTpjF8zK+*zVNtRL8TaU#8gXF2dW4AnLSjby@N|0|VUWjIwuzP7 +z2xQObW)|z43v)#`5QOv~WpJ>Wxk#=te<$e*%Nh%31rZ;eP4F +zCW8>)15kbf%VdCj6aFwL?c2SQo#n52WiFgQTPjU)KxSQV{S``6ngGtn 
+z|Lk(B1|^3OZUXEj6IkMTS+tQbc2JMX@jaF0-Y)3F&iIGWY3c-<&L!MH-FQs?2>rCo +zW)YfJ#J06pbph*0FRV?dVRUI9mZe(rkQ(0v9mAEpe?l>lDrmYvy^Rh&^F$bAg9aFx +zb;PX}B%WHxJK8;Gcqh-`?*P;qO4xaQT}m-W6F`5&om0=1){V^dwH-A)3GtCm7iP)scf7`!^ +zpcfWDpn~znhuv+jW45rkqMPDQT}e67FE|w_ESX(LKd}_=1_wtRDk{{ei?VevL^v4)*gHc4wiT(y#HLe +z4qSa#+Lf4khNXr}4Pq3ujwKQ%=*c1>#@tMjIH6+JG=JUgo3n9hbV2@&`^09UzLsXx +z1Q0;yi%cyg>96()dg6wn_&qzl`iL-O?IPE57!Zi%GjLm9XfP6c3OXaDg?zmXl_m|- +zD#I>Xh}5fP8${o7N)c1RcdbKF?oNOY6SjNF1NxBu?Xn2B5^2_>uDznS=+!Ntgao5u +zB_17l5`Tuv-3}{<8W0>JB~ZN>!|UwyTJ;p$j>5;?5;Y$w%BzS>?M_-N=&9H^M5*5VIABRGi2Gd*F0<%A61E4i|HUz +zX!OLlQeM2}Z={{ENfa0g*iW|uy6#x-f>|U_zzmuM>X>mvJm2MZn#=zwdTlT-NTv)n +z$gq@JThWUCy5?f5nUaHNcqc>Wi{@iB-%8J0m(YS!7p$&;U$Mx~#YgsS#hfS;=L)-0 +z4}bqab$|EYJ#yJjn${s(M^^4b`Y9ZM%%!e@ka;J&=%N+5kQpuV&Y*NQ6%bqqrp?0c +zvkASQ^E5U0TOV~zI*%0#ts88^z*()E+lgg{*<{;CjX2|_kR5t`3b)2*_|u7AS)zCI +zddqMp*eroBDYq6%$yo$Y{G=>O3TL-|_kTW!!P_2$POnW{>xFSfio_MXs0ww-mo~hi +z=(rSEzL&BlLd#CsC*oqs6C~Fo+9Hg8?ck})d&Mf}w3xopmhhLVP`QjiQyjND61#m- +z@Ti!l54-Aa1EIxMwvv%1+o8lC5XZ?$KpMOoo;_Rth{0DdmNF=oifNM6@T>e +z7}*!D{OdLG!LDBZFZ#;gcf%2Gl4oOl6Fn~r8DNFFQ~AA?eY^)C|5Ly1pjk;wx&r6# +zDrVnH0^2DH(;P{I=T})*lyeFUa6%tU6RtX@SZ<2mTs?v7BL{(|rzuaK5kMkSf)x!P +zMII;x>mr$R@xPVtr{^r7my}%1}E!A}WmbofvFM +zcS!kljv8Z%(&&Qf>ru913`}dK`R}b6!=OYQ|L5CpY15F!mbW2qYdr|JUF9YL8WSuf +ze*bNr&bN?B+Q@E1=uUeEjhQSIS?`-Af4;LXKn5N-XLq6xc|f%_#M%w-*Pn9 +z0f3p>$dACQCD|ZcE0T;i&hLLDWC+>2e_q0`-xh{n0FH%33ag~TcZ@rg112tzut(cYLAtgLWrFG9P}7g>GqSjUx=*%5=Ei(wi;B#qD!D0DdHB=5ne3p +zz7X)28kw|s=IQ-C@X=`XBrP#XfrYOchw)SmxSL>Lf2fV;6VyWK+tGI0@;#9o`ML}b +z=Efu{JvtPd@rn|9u&5^X|3=^8Ur|_(J(G1WEIKJ0`^x9%VSj#?Nk6WwjXxRnu-6m( +zjd)VmBbBWvY@1~+Vw#!O<(3tv)oh)ricul3Rfwl%X8C3a+<33*fD-2-GI5{qDV75o +z>LqpWe?G2-@V5x^ez4WY)5DkL6ZxDB*vBE9%u;E|A>H(s6n}9bH&KQb#zdIBW7MnaIzRarxL@n!O)O +zK=8REHm-D)+!QbFDD>eFGqQGle!kP6e|@)JpgdCP;~7UeyK0@F3NK#SJ0IUT4CA() +zo39%1U#tTOc@;VYuXNuOe?N1eS){UjB$ovmaX=}kj~2dJIL}s}NbDPCos#k!q0k~& +z6(yK2z2-dNY(yJA%`mY1gCo4XY$|Rb{VRvx>}p2VB)BS18|crUeYiOaX8I5uf9e;5 
+z!Sp~;hom{dK*GcnV={{eZlquY3=K$u%N;dC3YcZ7Jwid9q$w720~h8_o0`rJ#+e>}#fXz~jOgIgpH5GUFmGfeNWtu%Y@mn$$D4=DMM +z<8V+G_ROuV$#I&3s%U2e{*tn{;XFo~vnDzTiDiOa;XL2_2q1G2#|Ib<`7((J_Ta?x +z6ma$u_FJom0HA=6G# +zp;0g~Fd;Ar1_dh)0|FWa00a~tK>i(z<@;kWV;*m?sLnLjiHbx72-=Fo1r5yv^#TG2 +E0EqGn4gdfE + +delta 2698 +zcmV;53U&337L68=U4OgPIH0Ma|Ih*g2mpYB1t^cgTby1_i4bV`ET($=&EQs+%VWU! +z7EL>iJi4Z78OaT9ubV}bGdi0`Ahw>yNtjoh(jz*K!b%&Ua)hJeCBb!FAt9G4(CLat +z`Rag4jFpnmFT)s@f*z8jt%jD9#v%N*$?L>k;p5=UEuP*lV}GdN&eI?0rjB?@WB}eY +zf)XxYT1q=>J +zymMlumTAK2tc{81$;?wU?RVDyIg)}6Ru7Is8*D-idC>`arMh=W)oa9!1#zHlQH+C= +zxNFQiy$@%pUw>ciB6Pems-P<2y=ikP`PqC(+TZsM6awppC_f0Xl3g4K3t|VAQ*|@t +zqWP;7pCfxOI}DZ9(iJy)rS*nL8a}#DV!e3{QR4jj(Ty7a7d86H_%`o3)tY*5-w|Qk +zembO|Ujs3}!86C73mgV0q^5iPuZU!CsXRr9j$1G30DnT~&96xZ(_w+gVmP}nkT+9^ +zTnBG}hdQN2AJnve+R?%pEbv=8E5(bzWG-#u#DzEycabv3EOTQ^KP}Xh8CNH%dMrC| +zl_ZZqKVqcBMJt^u$Fh!)FjVOw&dWSYUg?omm_rDHAOgriM49P$d0+1``GCJ!ZsQwc +zIeSn5N`Ij~5U5@dvEBjG{TiDpjvP!%Bx(#V7yW^c5vbxvj?}{zE!H+*c6xgo=IhbX +z{ugXqn`P$jl!c&05S&~~#+%)!=U#Kbk5wVT)3ql;lTT$>=q+JLDX30eW_%PenT4Zp +z_goXztU1Ch8>MHCoD|K5H4(V-ja(n=t}k--9Y2&($W_V$rpuB>QO?+3-dA +z-pr3g54LFhpSdbUZ +z|IdewW&nX@Id-7N;;8dTYiF$bj&+Vzp?^hsO`e7M7OU$Gla=8Q4G^LnBF+hG_nBeb +zu}|$?y}&Ypv{-4`sZB4J84gG&-!sF!m9%?q;wc<-;0*nm{J3|%$s#f4g#v)CGLCU4 +z(Yc7zteW+0h{?ByycGWhd;fPj&Dn(4myw17)6pVR`dcE2`6M7x!wVsRwxjCdAb(Wf +z4D$@k@4>yr5z6XWYn7pBxh_HGbj9atGCo7126F9)ewn?kfa;&vg>e{5+wgb3)|=NA +z`o8_Sx*VNIakI&`^qCUyxWkzJM}b~6qYN&iv+v+c(UQ5=%{ok(ekXq$lZ@xKgBHx0Tl@87a+hB943i +zFD%RA(jSI%C|Xca<$+=*lWL`yEop8}Q{X%bQc-xA;u>Z)z-N*eV}?4frikpteC|{% +z^a!Dtv`0%$*x`Vxh#$niPcOGkf}NjScYXD!MU!uL497Oq;pCJOkrMUvRzj(C7>B7| +zirNe8d;&TQyncnqec(ERvcvZ=HhwevKN)GUzDKIn4gl?ZdnRwvb(WT2#ZBk3!kjVD +zJEGu3Mj^N{la&QVe+@0G1;Pz3&jJDn00e>r$OX00Alr(atOG})P|bur1*6+0Wi&x_x{|YhpPm9aRrXy+e>w{XL@?~)eWqce&iDF0 +zqMSy`TNzT_)VB-&hdVeWjEeXb0i{%KpZeK!$PY01Wa=BLfB6xzk$J9wnQ+$8Q?cOh +zQWJ^oEshJdhCpbB9?+gW%#d0mHXCu4Kr$r>M+VFC+yRsa^lQ^YyqVejN5NolmXwl= +zj;AXtkvzSNf4>f%vSi6=NX>a2^%IT&;v29li&z4uXN8vz(uEM&T*Qo=&F?5rk#RQz 
+zC336+`bfFPsilPKn2a5|Np2S1s2;)B2v;glXVE<%O(u+#u~*}7ksKGB=)IwePkk!6 +zKOP3PmZY@6SqGV+fn{aX%cf@iNQisE!MeAT`8h7je{pcQ%DlZS83P&0<4$9^B?j!n +z0^s^wwN->E=~xLdD_)eKs$i$WQ?$&-S=N4)kY +z8sF-Ce>waid23??s6b(A4ogu;h++fH;y`eEvd@BSm#`s!Ry +z+6L`T@d*j+#(xh*)fPw%XJxi5_WgWEv1C&^jNYt_5ZCvbDlQ07M;HV(J|PE-03cDz +zI%m{>hShEl-wN=n~{2XZ{L*9dR&>p&O5P +zL~0ADX*&QcF)J*1tw=!e<$;FCS~Q>H`vQ6<^=_{tlE=R-j`1+-CyIrhMa^l@GsOkoi*b5gc{|O)u6y +z*Eybgfl##owFc|2DqiQ%>C%TLxKNZ2)Y8q^GKz)qUCCb^Y!~Ouk~utFj^%qDAD7$7 +z4|(O*(4Us`f{<2cXiaTtd7QygQM!6=e^+!{SnFm@Sce*pSUC_>Mud$loY2}d94m?| +z<^OOSjsAsDBC2thdNWvSgLi|B<-_+{K_gsBydMbNjR&C)NZ%Y(>Bs|d@Ni&G^NWGp&(#5%4Z5twBV>={4~8{UuyO)#6}%;xPIHyY{h_i55`b4<${ihODv=^X_GvM2$(ip)-{scMp=K6z4NT0 +zh9qH{M2vDnA%B4RMJV4L3g&uG{}^y>U@_^&s079+Uw;8UwQZawTn!vsnczNryXER< +z^4t|;quLw`bl;E|eEKmn>RrwfXq1zSpT$o-918IoaQn0K1Qcv~32@A!!Yk9d$5)cI +zy{aB^id7jlNY5I{?KJ6dEI`cwQ;~`h@bsE-*#wn1qLARY;aK^Be3VEOF^3YZC +z@z)+dYJm7<$cmm$-`oMA4%n3L(y&2%bYK#IC-~*C61&8wgQwA^>q1bHC}EtDjtVc1 +zELlaHTmHT=Yj$uxFYs(>usRFRqQvn&Y=h-QA_vyh{d+oN#SEVcRq3G;MW*B4{9l6v +zq4IfK2!A=Q^+R+st9#jqW4=?osK-Q)K4Hq5%bbPzj&C#dO##MJ7oXFI1vcvc70Jw{ +zEv_S72+LnOnU;)4y)s1`vlaV>-0o^K1+!777`l65f<`flFo5nDa<3{ccfhQZ2?{|o +z7c|F5o2|#B%7Rj;vzYt{Mut5sSc(Fb-e#e^-GBAX_{?R+=$MOl)HiG~U+;&08^mvP +zHNfv;+m0CZZAMc)NCYtA@^kdgq@Aok`CYuV8^FZ~W1mpM$Y|0UcYycv$Rw~Uk-pz- +z!Dy26%)YpIB<5W?r3BX^eu*^fEgSl~ReH*mqG<*`wedGDz+{; +zx4kLMqty}CrlV-aA&gVt>cAAtAE|kT{Gl>@GBfH-*I9Ut$$mL}Z;Gm~5u@3~UH3u; +zu*RcYkh532p}cjA>7*oslZ7OgH8tToL4TJC&l=yANqs|aNom00jp9FBDbRbjK3>*1 +z%t%A$fhz|l3Z2Gti}j5NxrXYzf=4jVC`TMPTZvUT-H%YSuYeGCOl)KMa1~`sWdLxxWOlH7Hp((U}SX!YNhgfJ)IPf=;Gx +zCA}LPUS!(0kh@$b!MG*{z^TG9-c9BlhSqSqv`*cklbr=df9nY*n}fvB!vX>b00e>r$RI81nSv?+Yi!SD63Wi? 
+zTpz5uAf~z86j38B#-LJmrSIOk*?dx5rdvPi*JcISr +z;GrMw4kJI_;L|8E8I7#QK@8J%06j|~QeRT5YPYz2e~m|0eC*+N +z;tTbW&k|>^&OYIQAQZ)=e!ZR$EefvbbEa%e@aTI~@iZEV&h?kl_iWbBu8gqL22EWO +z9%e@s!Ln9mn5gIkKyZEbno(BO|N92gh4zi>;+t!DB# +zUD*#wq%14Ws-EP3hBY-&Ihk~ywGtQqB8-6CEv895gq+Y?Ref!PVQoN$e}ep~l&{da +zqe>QuPg-wYhtPeEN!5YpIa21fnSW1kwM|Wu{MOd})a|@aJwy*geIt_-o +zf@_GTcauuKT26Cov}Jb>o;A$hT-*SD}c|OaKX(rQfx^MRmECJ-R!H{CDx2O +ztfI!lXTISDio|vGOxL+yF(#V^*FP|1>(VxK)_HV+LW+m+hM>6nHJtbPD8$YNAI`V} +zJxt8tv;~TeJ|us*$IFJ&gYiOXa5$hQD(6={4wTTv<(s?me|tUC1}n4%7sLR#^%2Z1 +z>wB$BQPVbOEZr-HbQu^qQZZDV0B=qKLSTk0OH6ViZg6t{x4jDwj>Q2g#8kQ3r>Eji +zoCHAsSfZI^gjaN%upLrFe;LL-L(-_It&su|RC&en#x}vk5N84OPL*8oFVPE6rr}-0qN*#i8!ZNM +z-lMCaJq9;t`UH;WVM3PeWlDBk&GJ8MW!kVJPop~_JfAJz8Tv~1W~R=A +zf#mg1W3o+d#@#T-2&}3LjtVGn(SoOHnQi>T=yg_;f6ZBqH!1J@yw>z^@>NitY+5GG +z$_K1gfo*y_T~t97XgHe91xGJb>0;+13X;T-03Pf6IfLg53{}XapD=~I*1UWMmfQ!D +z7Ze1;SJ|?3B4jg+a%x7qjgRh1J9NxeFNvzi*YlS;ci9S +z#DRe^Za5%?_JurFHR(9)uJQ)yN&4iz?H +zSw@t!Q))44>uN8OaX|V82359~wEHn7Fe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8 +zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00a~TEWhWcHtRjAj4t&h2$Cd#3qV%{2$+b8 +MPj+1S(*gnr0E_P~i~s-t + +delta 2706 +zcmV;D3T^e37L^u|U4L0@OZ+^lY6AiS2mpYB1u&$H6w%_X?Uh+pizOtCBDzx2lCMDmI_;E4nZypk7SId1QiiG% +zoX$R-HEZK1+~1}@RF*!aKybD>UweVLW#TM}CG=Kw((`3EMgCgE%Wh7i5_PDshVd9Oz|EjKxtnoLw`TW#&7 +zQPy}=X-XKHcQwT5v|u~sb^Inq0NJ4Lak7<6+3Ya}d< +zR^Uti{uWAJB7|b_QADZ~qF1trj0LGAR*qZ!4V-8U)PEs3HV=&h(r8ATc_D(AEnMV1 +zwuVIjs`^7H=|3CS`*aB@;CnPV&TlP!Yu&aLuDOS7Sg0Cqu0xGBQP5;o#gwP}e8{0B +z7jV-rq(ifyxm<=mq)wx^ScfIWLZ7^FtdIF5!b_#_SU{v)$6P6;3c{)K{n+@;OiiQ- +z)v(k`B7Y~QMMOz0exF+cpQ;~*F-}k8OW2c^cHxE_)brp6_t{vy8?fdPQ-ctCS#H(j +z$jQY05`;BJt5Y1_E&P`i?y7~+)+fF@I~p95YmggrA_kkXkLdVu+sQe~jV^LlG=Fp{ +zGMUwQ8FM7Kg20u!G&B)cCNQ!KA|~SY(%9(~dw)NYD5>AwQTYoOym#9ju3MlAj~yL! 
+z+9RAIsl?+#`6IQ~$`6sGmR#$qABV!__lx-g(mg2@c}g0+B+myWGZ@B1H-hdORvFBr11a5D +zD5mD8X#7lUgZJ09DQa34oE2MSOlRl*Pk;Loc@3DRHQ-tjjjDOpdmBQ1xk?t__INBb +zA2{y5_WewW14^G6WH^SY0hmJ8^Ng^zx=ZpuY7#VI+rLN#wJ0?Q;k^@dZ=X;S&RshD +zWP{?O$!sjtgM5;`y4Wj6`G$m`1OsXIXK)R(Jwf5Zy`3r9HV=gsO7Qi4jzaFFm49h7 +zfsyLIa}fYP4lU}*uw@gGo4t5v27iR`O@MAwyFq8%w;vNMFt1G(wBrYGlM@r4)ff!p +z>8Mmh-L?^v&W!qOH^7S@tzEEwdy!EuK#bBM?x4Wr`(bkkOsAP+#8TbjTL5J_=bS5) +za6olnR}(Db?FG0|ejvnzj +zP}Lz{>_d&8$(MkIB`z>!MW@mnuqJ@W?8->i@)3)j#DPAOs8q=yg6rJ-m=-Lk7xDaXe*1RV@>aTN~)U7 +zHjL@_ge{0Jt7~qq;qj^Jlbr=df11{|CuI2Wr$kBFUM=%p0lc|48g~wmO +zlQm6cm$_s_2>(DlA9cyxg6bmmW)&QR$peuE=vJIf2HTu-u#@{ +znFBj?5I#2g`5TG`?>T^VI($%BFj|uIDfc;L5->4jxZu(nSAc33NNkgSR!9J}GSx4y +z_4M@|c;BpN-D}R->!q&&aVy|TU2Cb!tnn_pGykac3R{dXLJEv0NPZVx+TTgAeJQji@`)5{g< +zcJZ=w(L#L{pjXv2RjibOnkQN957ydC_9_$?NmM?Po^Q&34Z7W?1h2;S>~cDOEpIB3e3RmaS@`juU%CSke_Xs}bPG03Hd`AnWDQe0 +zDzTI!DRp&=;Lw}C)$l@}&C%0-vB~aHYq5NMeTEzqqd+JdVj_`U-$+46eP9-nM7?zc +z5Pgt-^k?oplhg%4^}fJ8S>3v%<7ynPniiv_Z|t!~Z%up1%zf`A$#gTl +z|Itn@fJi}H(elXg%0X;2+!%;)-lR)s0rXj$+}J!$F5z3_l55m6b2_*fC-NqxNFTql +zdv*Y;FP;Z6UFji4Uh@uDeNWtoP&b(ZdpU59uCOvye<+Qgi5uA#^8lnW?w_X5a(Zcq +zqur4>A_O|0nJ|NBvfV)Jmkk!X>5(vIem$?G-`>87E-&XqHpVEiV;~i$OoPodAQ$zu +zHfA}RyWpW+OJ@WK!YX*SO<(GZEW~rTpl2eq>|IbuqzzqN8t!)~kBi0rn7;jaAq#?4)^yQTe=NH@6SxT7)@@3!xd(1))7AABX12%e +zGo=U4kgSi_sg=#zEko}S``7Td_RokC%@eQ1Z`cc&&D0V7DMKQ8X_oz +Date: Wed, 29 Mar 2017 10:35:13 -0400 +Subject: [PATCH] Convert some pkiDebug messages to TRACE macros + +ticket: 8568 (new) +(cherry picked from commit 9852862a83952a94300adfafa3e333f43396ec33) +--- + src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 46 ++++++--------- + src/plugins/preauth/pkinit/pkinit_identity.c | 3 - + src/plugins/preauth/pkinit/pkinit_matching.c | 1 + + src/plugins/preauth/pkinit/pkinit_srv.c | 24 ++++---- + src/plugins/preauth/pkinit/pkinit_trace.h | 68 +++++++++++++++++++++- + 5 files changed, 97 insertions(+), 45 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 
b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 90c30dbf5..70e230ec2 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -2320,7 +2320,6 @@ crypto_check_cert_eku(krb5_context context, + + X509_NAME_oneline(X509_get_subject_name(reqctx->received_cert), + buf, sizeof(buf)); +- pkiDebug("%s: looking for EKUs in cert = %s\n", __FUNCTION__, buf); + + if ((i = X509_get_ext_by_NID(reqctx->received_cert, + NID_ext_key_usage, -1)) >= 0) { +@@ -2354,7 +2353,6 @@ crypto_check_cert_eku(krb5_context context, + + if (found_eku) { + ASN1_BIT_STRING *usage = NULL; +- pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__); + + /* check that digitalSignature KeyUsage is present */ + X509_check_ca(reqctx->received_cert); +@@ -2363,12 +2361,10 @@ crypto_check_cert_eku(krb5_context context, + + if (!ku_reject(reqctx->received_cert, + X509v3_KU_DIGITAL_SIGNATURE)) { +- pkiDebug("%s: found digitalSignature KU\n", +- __FUNCTION__); ++ TRACE_PKINIT_EKU(context); + *valid_eku = 1; + } else +- pkiDebug("%s: didn't find digitalSignature KU\n", +- __FUNCTION__); ++ TRACE_PKINIT_EKU_NO_KU(context); + } + ASN1_BIT_STRING_free(usage); + } +@@ -4317,8 +4313,7 @@ pkinit_get_certs_pkcs12(krb5_context context, + + fp = fopen(idopts->cert_filename, "rb"); + if (fp == NULL) { +- pkiDebug("Failed to open PKCS12 file '%s', error %d\n", +- idopts->cert_filename, errno); ++ TRACE_PKINIT_PKCS_OPEN_FAIL(context, idopts->cert_filename, errno); + goto cleanup; + } + set_cloexec_file(fp); +@@ -4326,8 +4321,7 @@ pkinit_get_certs_pkcs12(krb5_context context, + p12 = d2i_PKCS12_fp(fp, NULL); + fclose(fp); + if (p12 == NULL) { +- pkiDebug("Failed to decode PKCS12 file '%s' contents\n", +- idopts->cert_filename); ++ TRACE_PKINIT_PKCS_DECODE_FAIL(context, idopts->cert_filename); + goto cleanup; + } + /* +@@ -4345,7 +4339,7 @@ pkinit_get_certs_pkcs12(krb5_context context, + char *p12name = 
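Review bot: In the hunk at -2320, the `X509_NAME_oneline(X509_get_subject_name(reqctx->received_cert), buf, sizeof(buf));` call is kept although its only consumer visible here, the removed pkiDebug line, is gone; if `buf` has no other reader in crypto_check_cert_eku (its body starts and ends outside the hunk), the call and the buffer declaration should be removed with it, since they now only format a subject name that nothing reads. If the subject is still wanted for diagnostics, a trace with a `{str}` argument, e.g. `TRACE_PKINIT_EKU_CHECK(context, buf)` (a proposed name), keeps the information rather than dropping it silently.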
reassemble_pkcs12_name(idopts->cert_filename); + const char *tmp; + +- pkiDebug("Initial PKCS12_parse with no password failed\n"); ++ TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(context); + + if (id_cryptoctx->defer_id_prompt) { + /* Supply the identity name to be passed to the responder. */ +@@ -4386,14 +4380,14 @@ pkinit_get_certs_pkcs12(krb5_context context, + NULL, NULL, 1, &kprompt); + k5int_set_prompt_types(context, 0); + if (r) { +- pkiDebug("Failed to prompt for PKCS12 password"); ++ TRACE_PKINIT_PKCS_PROMPT_FAIL(context); + goto cleanup; + } + } + + ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL); + if (ret == 0) { +- pkiDebug("Second PKCS12_parse with password failed\n"); ++ TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(context); + goto cleanup; + } + } +@@ -4516,8 +4510,7 @@ pkinit_get_certs_fs(krb5_context context, + } + + if (idopts->key_filename == NULL) { +- pkiDebug("%s: failed to get user's private key location\n", +- __FUNCTION__); ++ TRACE_PKINIT_NO_PRIVKEY(context); + goto cleanup; + } + +@@ -4545,8 +4538,7 @@ pkinit_get_certs_dir(krb5_context context, + char *dirname, *suf; + + if (idopts->cert_filename == NULL) { +- pkiDebug("%s: failed to get user's certificate directory location\n", +- __FUNCTION__); ++ TRACE_PKINIT_NO_CERT(context); + return ENOENT; + } + +@@ -4590,8 +4582,7 @@ pkinit_get_certs_dir(krb5_context context, + retval = pkinit_load_fs_cert_and_key(context, id_cryptoctx, + certname, keyname, i); + if (retval == 0) { +- pkiDebug("%s: Successfully loaded cert (and key) for %s\n", +- __FUNCTION__, dentry->d_name); ++ TRACE_PKINIT_LOADED_CERT(context, dentry->d_name); + i++; + } + else +@@ -4599,8 +4590,7 @@ pkinit_get_certs_dir(krb5_context context, + } + + if (!id_cryptoctx->defer_id_prompt && i == 0) { +- pkiDebug("%s: No cert/key pairs found in directory '%s'\n", +- __FUNCTION__, idopts->cert_filename); ++ TRACE_PKINIT_NO_CERT_AND_KEY(context, idopts->cert_filename); + retval = ENOENT; + goto cleanup; + } +@@ -5370,9 +5360,7 @@ 
crypto_cert_select_default(krb5_context context, + goto errout; + } + if (cert_count != 1) { +- pkiDebug("%s: ERROR: There are %d certs to choose from, " +- "but there must be exactly one.\n", +- __FUNCTION__, cert_count); ++ TRACE_PKINIT_NO_DEFAULT_CERT(context, cert_count); + retval = EINVAL; + goto errout; + } +@@ -5520,7 +5508,7 @@ load_cas_and_crls(krb5_context context, + switch(catype) { + case CATYPE_ANCHORS: + if (sk_X509_num(ca_certs) == 0) { +- pkiDebug("no anchors in file, %s\n", filename); ++ TRACE_PKINIT_NO_CA_ANCHOR(context, filename); + if (id_cryptoctx->trustedCAs == NULL) + sk_X509_free(ca_certs); + } else { +@@ -5530,7 +5518,7 @@ load_cas_and_crls(krb5_context context, + break; + case CATYPE_INTERMEDIATES: + if (sk_X509_num(ca_certs) == 0) { +- pkiDebug("no intermediates in file, %s\n", filename); ++ TRACE_PKINIT_NO_CA_INTERMEDIATE(context, filename); + if (id_cryptoctx->intermediateCAs == NULL) + sk_X509_free(ca_certs); + } else { +@@ -5540,7 +5528,7 @@ load_cas_and_crls(krb5_context context, + break; + case CATYPE_CRLS: + if (sk_X509_CRL_num(ca_crls) == 0) { +- pkiDebug("no crls in file, %s\n", filename); ++ TRACE_PKINIT_NO_CRL(context, filename); + if (id_cryptoctx->revoked == NULL) + sk_X509_CRL_free(ca_crls); + } else { +@@ -5626,14 +5614,14 @@ crypto_load_cas_and_crls(krb5_context context, + int catype, + char *id) + { +- pkiDebug("%s: called with idtype %s and catype %s\n", +- __FUNCTION__, idtype2string(idtype), catype2string(catype)); + switch (idtype) { + case IDTYPE_FILE: ++ TRACE_PKINIT_LOAD_FROM_FILE(context); + return load_cas_and_crls(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx, catype, id); + break; + case IDTYPE_DIR: ++ TRACE_PKINIT_LOAD_FROM_DIR(context); + return load_cas_and_crls_dir(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx, catype, id); + break; +diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c +index a897efa25..737552e85 100644 +--- 
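Review bot: In the hunk at -5626, the removed pkiDebug reported both idtype and catype, but the replacements `TRACE_PKINIT_LOAD_FROM_FILE(context)` and `TRACE_PKINIT_LOAD_FROM_DIR(context)` carry only the source kind, so a trace reader can no longer tell whether anchors, intermediates or CRLs are being loaded at this point; the `TRACE_PKINIT_NO_CA_ANCHOR` / `TRACE_PKINIT_NO_CA_INTERMEDIATE` / `TRACE_PKINIT_NO_CRL` traces fire only when a file turns out to be empty. Passing the category through, e.g. `TRACE_PKINIT_LOAD_FROM_FILE(context, catype2string(catype));` with the macro changed to `TRACE(c, "PKINIT loading {str} from FILE", what)` (and the same for the DIR variant), restores what the old message showed. catype2string was already used by the removed line, so no new helper is needed.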
a/src/plugins/preauth/pkinit/pkinit_identity.c ++++ b/src/plugins/preauth/pkinit/pkinit_identity.c +@@ -608,7 +608,6 @@ pkinit_identity_prompt(krb5_context context, + retval = pkinit_cert_matching(context, plg_cryptoctx, + req_cryptoctx, id_cryptoctx, princ); + if (retval) { +- pkiDebug("%s: No matching certificate found\n", __FUNCTION__); + crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx); + goto errout; +@@ -621,8 +620,6 @@ pkinit_identity_prompt(krb5_context context, + retval = crypto_cert_select_default(context, plg_cryptoctx, + req_cryptoctx, id_cryptoctx); + if (retval) { +- pkiDebug("%s: Failed while selecting default certificate\n", +- __FUNCTION__); + crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx); + goto errout; +diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c +index a50c50c8d..cad4c2b9a 100644 +--- a/src/plugins/preauth/pkinit/pkinit_matching.c ++++ b/src/plugins/preauth/pkinit/pkinit_matching.c +@@ -812,6 +812,7 @@ pkinit_cert_matching(krb5_context context, + goto cleanup; + } + } else { ++ TRACE_PKINIT_NO_MATCHING_CERT(context); + retval = ENOENT; /* XXX */ + goto cleanup; + } +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 32ca122f2..9c6e96c9e 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -188,6 +188,7 @@ verify_client_san(krb5_context context, + plgctx->opts->allow_upn ? 
&upns : NULL, + NULL); + if (retval == ENOENT) { ++ TRACE_PKINIT_SERVER_NO_SAN(context); + goto out; + } else if (retval) { + pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__); +@@ -224,7 +225,7 @@ verify_client_san(krb5_context context, + krb5_free_unparsed_name(context, san_string); + #endif + if (cb->match_client(context, rock, princs[i])) { +- pkiDebug("%s: pkinit san match found\n", __FUNCTION__); ++ TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(context); + *valid_san = 1; + retval = 0; + goto out; +@@ -252,7 +253,7 @@ verify_client_san(krb5_context context, + krb5_free_unparsed_name(context, san_string); + #endif + if (cb->match_client(context, rock, upns[i])) { +- pkiDebug("%s: upn san match found\n", __FUNCTION__); ++ TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context); + *valid_san = 1; + retval = 0; + goto out; +@@ -300,7 +301,7 @@ verify_client_eku(krb5_context context, + *eku_accepted = 0; + + if (plgctx->opts->require_eku == 0) { +- pkiDebug("%s: configuration requests no EKU checking\n", __FUNCTION__); ++ TRACE_PKINIT_SERVER_EKU_SKIP(context); + *eku_accepted = 1; + retval = 0; + goto out; +@@ -364,6 +365,7 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules, + ret = KRB5_PLUGIN_NO_HANDLE; + for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) { + h = certauth_modules[i]; ++ TRACE_PKINIT_SERVER_CERT_AUTH(context, h->vt.name); + ret = h->vt.authorize(context, h->moddata, cert, cert_len, client, + &opts, db_ent, &ais); + if (ret == 0) +@@ -449,7 +451,7 @@ pkinit_server_verify_padata(krb5_context context, + + switch ((int)data->pa_type) { + case KRB5_PADATA_PK_AS_REQ: +- pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n"); ++ TRACE_PKINIT_SERVER_PADATA_VERIFY(context); + retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp); + if (retval) { + pkiDebug("decode_krb5_pa_pk_as_req failed\n"); +@@ -472,7 +474,7 @@ pkinit_server_verify_padata(krb5_context context, + break; + case KRB5_PADATA_PK_AS_REP_OLD: + 
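Review bot: In the hunk at -188, only the ENOENT branch of verify_client_san is moved to TRACE; the `else if (retval)` branch right below keeps `pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);`, which is compiled out of normal builds and does not report the error code either. A trace that carries retval, e.g. `TRACE_PKINIT_SERVER_SAN_ERROR(context, retval)` (proposed name) backed by `TRACE(c, "PKINIT server error retrieving SANs: {kerr}", ret)`, would make a SAN lookup failure visible to an operator in the same place as the new no-SAN trace. The remaining pkiDebug calls in this file's hunks (`decode_krb5_pa_pk_as_req failed` at -449 and `decode_krb5_pa_pk_as_req_draft9 failed` at -472) have the same gap. verify_client_san's body continues outside the hunk.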
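Review bot: In the hunk at -364, `TRACE_PKINIT_SERVER_CERT_AUTH(context, h->vt.name)` records which certauth module is consulted but not what it answered, so a rejected client leaves no trace of which module rejected the cert or with which error; the loop's handling of `ret` after `if (ret == 0)` is outside the hunk, and a module returning something other than KRB5_PLUGIN_NO_HANDLE is indistinguishable in the trace from one that passed. Tracing the result after the `h->vt.authorize(...)` call, e.g. `TRACE_PKINIT_SERVER_CERT_AUTH_RESULT(context, h->vt.name, ret)` (proposed name) with a `{kerr}` argument, would make the authorization decision reconstructible from the trace alone. Whether `h->vt.name` can be NULL for a module is not visible here; the trace formatter's handling of a NULL `{str}` should be confirmed before relying on it.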
case KRB5_PADATA_PK_AS_REQ_OLD: +- pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n"); ++ TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(context); + retval = k5int_decode_krb5_pa_pk_as_req_draft9(&k5data, &reqp9); + if (retval) { + pkiDebug("decode_krb5_pa_pk_as_req_draft9 failed\n"); +@@ -500,7 +502,7 @@ pkinit_server_verify_padata(krb5_context context, + goto cleanup; + } + if (retval) { +- pkiDebug("pkcs7_signeddata_verify failed\n"); ++ TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context); + goto cleanup; + } + if (is_signed) { +@@ -830,7 +832,7 @@ pkinit_server_return_padata(krb5_context context, + return ENOENT; + } + +- pkiDebug("pkinit_return_padata: entered!\n"); ++ TRACE_PKINIT_SERVER_RETURN_PADATA(context); + reqctx = (pkinit_kdc_req_context)modreq; + + if (encrypting_key->contents) { +@@ -1463,8 +1465,7 @@ pkinit_san_authorize(krb5_context context, krb5_certauth_moddata moddata, + return ret; + + if (!valid_san) { +- pkiDebug("%s: did not find an acceptable SAN in user certificate\n", +- __FUNCTION__); ++ TRACE_PKINIT_SERVER_SAN_REJECT(context); + return KRB5KDC_ERR_CLIENT_NAME_MISMATCH; + } + +@@ -1490,8 +1491,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata, + return ret; + + if (!valid_eku) { +- pkiDebug("%s: did not find an acceptable EKU in user certificate\n", +- __FUNCTION__); ++ TRACE_PKINIT_SERVER_EKU_REJECT(context); + return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; + } + +@@ -1617,7 +1617,7 @@ pkinit_server_plugin_init(krb5_context context, + return ENOMEM; + + for (i = 0, j = 0; i < numrealms; i++) { +- pkiDebug("%s: processing realm '%s'\n", __FUNCTION__, realmnames[i]); ++ TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]); + retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx); + if (retval == 0 && plgctx != NULL) + realm_contexts[j++] = plgctx; +diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h +index 458d0961e..6abe28c0c 100644 +--- 
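Review bot: In the hunk at -500, `TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context)` replaces the pkcs7 verify failure message without the error code, although `retval` is in hand and a failed signature check on a PK-AS-REQ is the event an operator most needs when investigating rejected PKINIT logins. Passing it through, `TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context, retval);` with the macro as `TRACE(c, "PKINIT server failed to verify PA data: {kerr}", err)`, lets the reader see which error the verifier returned instead of a single generic line. pkinit_server_verify_padata continues outside the hunk.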
a/src/plugins/preauth/pkinit/pkinit_trace.h
++++ b/src/plugins/preauth/pkinit/pkinit_trace.h
+@@ -52,7 +52,7 @@
+ #define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received) \
+ TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, " \
+ "received {cksum}", expected, received)
+-#define TRACE_PKINIT_CLIENT_REP_DH(c) \
++#define TRACE_PKINIT_CLIENT_REP_DH(c) \
+ TRACE(c, "PKINIT client verified DH reply")
+ #define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c) \
+ TRACE(c, "PKINIT client could not verify DH reply")
+@@ -91,6 +91,72 @@
+ #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \
+ TRACE(c, "PKINIT OpenSSL error: {str}", msg)
+
++#define TRACE_PKINIT_SERVER_CERT_AUTH(c, modname) \
++ TRACE(c, "PKINIT server authorizing cert with module {str}", \
++ modname)
++#define TRACE_PKINIT_SERVER_EKU_REJECT(c) \
++ TRACE(c, "PKINIT server found no acceptable EKU in client cert")
++#define TRACE_PKINIT_SERVER_EKU_SKIP(c) \
++ TRACE(c, "PKINIT server skipping EKU check due to configuration")
++#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm) \
++ TRACE(c, "PKINIT server initializing realm {str}", realm)
++#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c) \
++ TRACE(c, "PKINIT server found a matching UPN SAN in client cert")
++#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c) \
++ TRACE(c, "PKINIT server found a matching SAN in client cert")
++#define TRACE_PKINIT_SERVER_NO_SAN(c) \
++ TRACE(c, "PKINIT server found no SAN in client cert")
++#define TRACE_PKINIT_SERVER_PADATA_VERIFY(c) \
++ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ")
++#define TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(c) \
++ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ_OLD")
++#define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c) \
++ TRACE(c, "PKINIT server failed to verify PA data")
++#define TRACE_PKINIT_SERVER_RETURN_PADATA(c) \
++ TRACE(c, "PKINIT server returning PA data")
++#define TRACE_PKINIT_SERVER_SAN_REJECT(c) \
++ TRACE(c, "PKINIT server found no acceptable SAN in client
cert")
++
++#define TRACE_PKINIT_EKU(c) \
++ TRACE(c, "PKINIT found acceptable EKU and digitalSignature KU")
++#define TRACE_PKINIT_EKU_NO_KU(c) \
++ TRACE(c, "PKINIT found acceptable EKU but no digitalSignature KU")
++#define TRACE_PKINIT_LOADED_CERT(c, name) \
++ TRACE(c, "PKINIT loaded cert and key for {str}", name)
++#define TRACE_PKINIT_LOAD_FROM_FILE(c) \
++ TRACE(c, "PKINIT loading CA certs and CRLs from FILE")
++#define TRACE_PKINIT_LOAD_FROM_DIR(c) \
++ TRACE(c, "PKINIT loading CA certs and CRLs from DIR")
++#define TRACE_PKINIT_NO_CA_ANCHOR(c, file) \
++ TRACE(c, "PKINIT no anchor CA in file {str}", file)
++#define TRACE_PKINIT_NO_CA_INTERMEDIATE(c, file) \
++ TRACE(c, "PKINIT no intermediate CA in file {str}", file)
++#define TRACE_PKINIT_NO_CERT(c) \
++ TRACE(c, "PKINIT no certificate provided")
++#define TRACE_PKINIT_NO_CERT_AND_KEY(c, dirname) \
++ TRACE(c, "PKINIT no cert and key pair found in directory {str}", \
++ dirname)
++#define TRACE_PKINIT_NO_CRL(c, file) \
++ TRACE(c, "PKINIT no CRL in file {str}", file)
++#define TRACE_PKINIT_NO_DEFAULT_CERT(c, count) \
++ TRACE(c, "PKINIT error: There are {int} certs, but there must " \
++ "be exactly one.", count)
++#define TRACE_PKINIT_NO_MATCHING_CERT(c) \
++ TRACE(c, "PKINIT no matching certificate found")
++#define TRACE_PKINIT_NO_PRIVKEY(c) \
++ TRACE(c, "PKINIT no private key provided")
++#define TRACE_PKINIT_PKCS_DECODE_FAIL(c, name) \
++ TRACE(c, "PKINIT failed to decode PKCS12 file {str} contents", name)
++#define TRACE_PKINIT_PKCS_OPEN_FAIL(c, name, err) \
++ TRACE(c, "PKINIT failed to open PKCS12 file {str}: err {errno}", \
++ name, err)
++#define TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(c) \
++ TRACE(c, "PKINIT initial PKCS12_parse with no password failed")
++#define TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(c) \
++ TRACE(c, "PKINIT second PKCS12_parse with password failed")
++#define TRACE_PKINIT_PKCS_PROMPT_FAIL(c) \
++ TRACE(c, "PKINIT failed to prompt for PKCS12 password")
++
+ #define
TRACE_CERTAUTH_VTINIT_FAIL(c, ret) \
+ TRACE(c, "certauth module failed to init vtable: {kerr}", ret)
+ #define TRACE_CERTAUTH_INIT_FAIL(c, name, ret) \
diff --git a/Fix-certauth-built-in-module-returns.patch b/Fix-certauth-built-in-module-returns.patch
new file mode 100644
index 0000000..0c6ac83
--- /dev/null
+++ b/Fix-certauth-built-in-module-returns.patch
@@ -0,0 +1,124 @@
+From d507d9a78e12418f83c6db6e22052543f3e5db37 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Thu, 24 Aug 2017 11:11:46 -0400
+Subject: [PATCH] Fix certauth built-in module returns
+
+The PKINIT certauth eku module should never authoritatively authorize
+a certificate, because an extended key usage does not establish a
+relationship between the certificate and any specific user; it only
+establishes that the certificate was created for PKINIT client
+authentication. Therefore, pkinit_eku_authorize() should return
+KRB5_PLUGIN_NO_HANDLE on success, not 0.
+
+The certauth san module should pass if it does not find any SANs of
+the types it can match against; the presence of other types of SANs
+should not cause it to explicitly deny a certificate. Check for an
+empty result from crypto_retrieve_cert_sans() in verify_client_san(),
+instead of returning ENOENT from crypto_retrieve_cert_sans() when
+there are no SANs at all.
+
+ticket: 8561
+(cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025)
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 ++++++++++------------
+ src/plugins/preauth/pkinit/pkinit_srv.c | 14 +++++---
+ 2 files changed, 27 insertions(+), 26 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 70e230ec2..7fa2efd21 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context,
+
+ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
+ pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
+- retval = ENOENT;
+ goto cleanup;
+ }
+ num_sans = sk_GENERAL_NAME_num(ialt);
+@@ -2240,31 +2239,29 @@ crypto_retrieve_X509_sans(krb5_context context,
+ sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
+
+ retval = 0;
+- if (princs)
++ if (princs != NULL && *princs !=
NULL) {
+ *princs_ret = princs;
+- if (upns)
++ princs = NULL;
++ }
++ if (upns != NULL && *upns != NULL) {
+ *upn_ret = upns;
+- if (dnss)
++ upns = NULL;
++ }
++ if (dnss != NULL && *dnss != NULL) {
+ *dns_ret = dnss;
++ dnss = NULL;
++ }
+
+ cleanup:
+- if (retval) {
+- if (princs != NULL) {
+- for (i = 0; princs[i] != NULL; i++)
+- krb5_free_principal(context, princs[i]);
+- free(princs);
+- }
+- if (upns != NULL) {
+- for (i = 0; upns[i] != NULL; i++)
+- krb5_free_principal(context, upns[i]);
+- free(upns);
+- }
+- if (dnss != NULL) {
+- for (i = 0; dnss[i] != NULL; i++)
+- free(dnss[i]);
+- free(dnss);
+- }
+- }
++ for (i = 0; princs != NULL && princs[i] != NULL; i++)
++ krb5_free_principal(context, princs[i]);
++ free(princs);
++ for (i = 0; upns != NULL && upns[i] != NULL; i++)
++ krb5_free_principal(context, upns[i]);
++ free(upns);
++ for (i = 0; dnss != NULL && dnss[i] != NULL; i++)
++ free(dnss[i]);
++ free(dnss);
+ return retval;
+ }
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
+index 9c6e96c9e..8e77606f8 100644
+--- a/src/plugins/preauth/pkinit/pkinit_srv.c
++++ b/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -187,14 +187,18 @@ verify_client_san(krb5_context context,
+ &princs,
+ plgctx->opts->allow_upn ?
&upns : NULL,
+ NULL);
+- if (retval == ENOENT) {
+- TRACE_PKINIT_SERVER_NO_SAN(context);
+- goto out;
+- } else if (retval) {
++ if (retval) {
+ pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
+ retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+ goto out;
+ }
++
++ if (princs == NULL && upns == NULL) {
++ TRACE_PKINIT_SERVER_NO_SAN(context);
++ retval = ENOENT;
++ goto out;
++ }
++
+ /* XXX Verify this is consistent with client side XXX */
+ #if 0
+ retval = call_san_checking_plugins(context, plgctx, reqctx, princs,
+@@ -1495,7 +1499,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
+ return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
+ }
+
+- return 0;
++ return KRB5_PLUGIN_NO_HANDLE;
+ }
+
+ static krb5_error_code
diff --git a/Make-certauth-eku-module-restrictive-only.patch b/Make-certauth-eku-module-restrictive-only.patch
deleted file mode 100644
index 40c008d..0000000
--- a/Make-certauth-eku-module-restrictive-only.patch
+++ /dev/null
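Review bot: verify_client_san() now reports "no SAN of a matchable type" with `retval = ENOENT; goto out;`, and whether that becomes a pass-through (KRB5_PLUGIN_NO_HANDLE) or a rejection is decided in pkinit_san_authorize(), whose body is not in this hunk; the backport should confirm that caller still maps ENOENT to KRB5_PLUGIN_NO_HANDLE, because the stated goal — letting a pkinit_cert_match rule authorize a cert with no SAN — holds only if it does. Since pkinit_eku_authorize() no longer returns 0, a SAN match is the only built-in module result that can satisfy the `if (ret == 0)` check in authorize_cert(), so a comment at the changed `return KRB5_PLUGIN_NO_HANDLE;` such as `/* An acceptable EKU restricts but never authorizes; the san or dbmatch module decides. */` would make that design explicit in the patched tree. In crypto_retrieve_X509_sans() the unconditional frees after `cleanup:` are correct only because the success path sets `princs`, `upns` and `dnss` to NULL once ownership is handed to the caller; a one-line comment above the label (`/* Arrays handed out above were NULLed; anything left is freed here. */`) records that coupling for future edits.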
@@ -1,31 +0,0 @@
-From 2b1a91087b668ab1021f1ca461b8210e7e015c8a Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Thu, 24 Aug 2017 11:11:46 -0400
-Subject: [PATCH] Make certauth eku module restrictive-only
-
-The PKINIT certauth eku module should never authoritatively authorize
-a certificate, because an extended key usage does not establish a
-relationship between the certificate and any specific user; it only
-establishes that the certificate was created for PKINIT client
-authentication. Therefore, pkinit_eku_authorize() should return
-KRB5_PLUGIN_NO_HANDLE on success, not 0.
-
-ticket: 8561
-(cherry picked from commit aca6fd6bc07934a90a18a70116ea3b620228950a)
----
- src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index 32ca122f2..d7a604c80 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -1495,7 +1495,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
- return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
- }
-
-- return 0;
-+ return KRB5_PLUGIN_NO_HANDLE;
- }
-
- static krb5_error_code
diff --git a/krb5.spec b/krb5.spec
index f990581..c4c5b49 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
 # for prerelease, should be e.g., 0.3.beta2%{?dist}
-Release: 25%{?dist}
+Release: 27%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -91,7 +91,11 @@ Patch62: Fix-more-time-manipulations-for-y2038.patch
 Patch63: Use-krb5_timestamp-where-appropriate.patch
 Patch64: Add-KDC-policy-pluggable-interface.patch
 Patch65: Fix-bugs-in-kdcpolicy-commit.patch
-Patch66: Make-certauth-eku-module-restrictive-only.patch
+Patch66: Convert-some-pkiDebug-messages-to-TRACE-macros.patch
+Patch67: Fix-certauth-built-in-module-returns.patch
+Patch68: Add-test-cert-with-no-extensions.patch
+Patch69: Add-PKINIT-test-case-for-generic-client-cert.patch
+Patch70: Add-hostname-based-ccselect-module.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -743,6 +747,13 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Tue Sep 05 2017 Robbie Harwood - 1.15.1-27
+- Add hostname-based ccselect module
+- Resolves: #1463665
+
+* Tue Sep 05 2017 Robbie Harwood - 1.15.1-26
+- Backport upstream certauth EKU fixes
+
 * Fri Aug 25 2017 Robbie Harwood - 1.15.1-25
 - Backport certauth eku security fix