Posted to commits@directory.apache.org by pl...@apache.org on 2016/07/06 02:51:58 UTC

[1/7] directory-kerby git commit: NPE fix for pkinit if the client principal is not known

Repository: directory-kerby
Updated Branches:
  refs/heads/kadmin-remote 38282872b -> 333982376


NPE fix for pkinit if the client principal is not known


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/4600ee35
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/4600ee35
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/4600ee35

Branch: refs/heads/kadmin-remote
Commit: 4600ee351ff44bb90e58710e5441a423e4a6bf71
Parents: 054db32
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jul 5 12:16:03 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jul 5 12:16:03 2016 +0100

----------------------------------------------------------------------
 .../apache/kerby/kerberos/kerb/server/request/AsRequest.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4600ee35/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
index 7cb7dbb..37e89bb 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
@@ -82,15 +82,15 @@ public class AsRequest extends KdcRequest {
         } else {
             clientEntry = getEntry(clientPrincipal.getName());
         }
-        if (isAnonymous()) {
-            clientEntry.setPrincipal(new PrincipalName(clientPrincipal.getName(), NameType.NT_WELLKNOWN));
-        }
-
         if (clientEntry == null) {
             LOG.warn("Can't get the client entry.");
             throw new KrbException(KrbErrorCode.KDC_ERR_C_PRINCIPAL_UNKNOWN);
         }
 
+        if (isAnonymous()) {
+            clientEntry.setPrincipal(new PrincipalName(clientPrincipal.getName(), NameType.NT_WELLKNOWN));
+        }
+
         setClientEntry(clientEntry);
 
         for (EncryptionType encType : request.getReqBody().getEtypes()) {
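Review bot: The relocated `isAnonymous()` block now relies on the null check directly above it, but nothing in the code records that ordering. A short comment such as `// clientEntry is non-null here; keep this after the KDC_ERR_C_PRINCIPAL_UNKNOWN check` would stop the two blocks being swapped back. Separately, `setPrincipal(...)` mutates the object returned by `getEntry(...)`; if the identity backend hands out cached or shared entries (not visible here), the NT_WELLKNOWN rewrite could carry over into later requests, so working on a copy may be safer. The enclosing method starts and ends outside the hunk.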


[2/7] directory-kerby git commit: Fix NPE if the KDC does not configure identity keys for PKINIT

Posted by pl...@apache.org.
Fix NPE if the KDC does not configure identity keys for PKINIT


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/2d31702f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/2d31702f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/2d31702f

Branch: refs/heads/kadmin-remote
Commit: 2d31702f083c0c27b1469a805f81212995b96c84
Parents: 4600ee3
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jul 5 12:29:18 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jul 5 12:29:18 2016 +0100

----------------------------------------------------------------------
 .../server/preauth/pkinit/PkinitPreauth.java    | 48 +++++++++++---------
 1 file changed, 26 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2d31702f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
index f0080c9..0e4867d 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
@@ -302,32 +302,36 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
 
     private PaPkAsRep makePaPkAsRep(DHPublicKey severPubKey, String identityString) throws KrbException {
 
-        List<String> identityList = Arrays.asList(identityString.split(","));
-
         List<X509Certificate> certificates = new ArrayList<>();
-        for (String identity : identityList) {
-            File file = new File(identity);
-            try (Scanner scanner = new Scanner(file, "UTF-8")) {
-                String found = scanner.findInLine("CERTIFICATE");
-
-                if (found != null) {
-                    InputStream res = null;
-                    try {
-                        res = new FileInputStream(identity);
-                    } catch (FileNotFoundException e) {
-                        e.printStackTrace();
-                    }
-                    X509Certificate certificate = null;
-                    try {
-                        certificate = (X509Certificate) CertificateHelper.loadCerts(res).iterator().next();
-                    } catch (KrbException e) {
-                        e.printStackTrace();
+        if (identityString != null) {
+            List<String> identityList = Arrays.asList(identityString.split(","));
+            for (String identity : identityList) {
+                File file = new File(identity);
+                try (Scanner scanner = new Scanner(file, "UTF-8")) {
+                    String found = scanner.findInLine("CERTIFICATE");
+    
+                    if (found != null) {
+                        InputStream res = null;
+                        try {
+                            res = new FileInputStream(identity);
+                        } catch (FileNotFoundException e) {
+                            e.printStackTrace();
+                        }
+                        X509Certificate certificate = null;
+                        try {
+                            certificate = (X509Certificate) CertificateHelper.loadCerts(res).iterator().next();
+                        } catch (KrbException e) {
+                            e.printStackTrace();
+                        }
+                        certificates.add(certificate);
+                        res.close();
                     }
-                    certificates.add(certificate);
+                } catch (IOException e) {
+                    e.getMessage();
                 }
-            } catch (FileNotFoundException e) {
-                e.getMessage();
             }
+        } else {
+            LOG.warn("No PKINIT identity keys specified");
         }
 
         PaPkAsRep paPkAsRep = new PaPkAsRep();
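Review bot: `certificates.add(certificate)` and the new `res.close()` still run after the two inner `catch` blocks have swallowed a failure, so a missing or unparsable identity file ends in a `null` entry in the list or a NullPointerException on `res`. The stream also leaks if `loadCerts` throws anything other than `KrbException`, and the outer `catch (IOException e) { e.getMessage(); }` discards the error entirely. I would load each identity inside a try-with-resources and surface failures through `LOG` and a `KrbException`, as sketched below; if best-effort loading is intended, log and `continue` instead of throwing. When `identityString` is null the method only warns and goes on to build the reply without KDC certificates, which deserves a comment on whether that is intended. The body of `makePaPkAsRep` continues outside the hunk.

```java
for (String identity : identityList) {
    File file = new File(identity);
    try (Scanner scanner = new Scanner(file, "UTF-8")) {
        if (scanner.findInLine("CERTIFICATE") == null) {
            continue;
        }
        // try-with-resources closes the stream on every path, including failures
        try (InputStream res = new FileInputStream(file)) {
            List<java.security.cert.Certificate> loaded = CertificateHelper.loadCerts(res);
            if (loaded == null || loaded.isEmpty()) {
                throw new KrbException("No certificate found in PKINIT identity " + identity);
            }
            certificates.add((X509Certificate) loaded.iterator().next());
        }
    } catch (IOException e) {
        LOG.error("Failed to read PKINIT identity " + identity, e);
        throw new KrbException("Failed to read PKINIT identity " + identity, e);
    }
}
// … unchanged: else branch logging "No PKINIT identity keys specified" …
```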


[5/7] directory-kerby git commit: Make it possible to load certificates from the classpath and not just a filename

Posted by pl...@apache.org.
Make it possible to load certificates from the classpath and not just a filename


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/5c76b64f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/5c76b64f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/5c76b64f

Branch: refs/heads/kadmin-remote
Commit: 5c76b64f618bef19cbaae50469a45a1cea89dee4
Parents: 35fb465
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jul 5 12:49:00 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jul 5 12:49:00 2016 +0100

----------------------------------------------------------------------
 .../kerb/client/preauth/pkinit/PkinitPreauth.java   |  7 +++++--
 .../kerb/preauth/pkinit/CertificateHelper.java      | 16 ++++++++++++----
 2 files changed, 17 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/5c76b64f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 9b37eb2..b47a46f 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -358,8 +358,11 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
 
             X509Certificate x509Certificate = null;
             try {
-                x509Certificate = (X509Certificate) CertificateHelper.loadCerts(
-                        anchorFileName).iterator().next();
+                List<java.security.cert.Certificate> certs = 
+                    CertificateHelper.loadCerts(anchorFileName);
+                if (certs != null && !certs.isEmpty()) {
+                    x509Certificate = (X509Certificate) certs.iterator().next();
+                }
             } catch (KrbException e) {
                 e.printStackTrace();
             }
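Review bot: When `loadCerts` returns null or an empty list, the new guard leaves `x509Certificate` null without recording why, and the `catch` below still only prints the stack trace. The failure then surfaces later with no hint of which anchor was at fault. An `else` branch such as `LOG.error("No certificate found in PKINIT anchor " + anchorFileName);` would keep that evidence. Only the first certificate in the file is used; if an anchor file may hold several CA certificates the rest are silently ignored, which is worth a comment. The enclosing method lies outside the hunk.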

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/5c76b64f/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CertificateHelper.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CertificateHelper.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CertificateHelper.java
index db96ed6..53096d4 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CertificateHelper.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/CertificateHelper.java
@@ -21,6 +21,7 @@ package org.apache.kerby.kerberos.kerb.preauth.pkinit;
 
 import org.apache.kerby.kerberos.kerb.KrbException;
 
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.InputStream;
@@ -35,12 +36,19 @@ public class CertificateHelper {
 
 
     public static List<Certificate> loadCerts(String filename) throws KrbException {
+        
+        File file = new File(filename);
         InputStream res = null;
-        try {
-            res = new FileInputStream(filename);
-        } catch (FileNotFoundException e) {
-            e.printStackTrace();
+        if (file.isFile()) {
+            try {
+                res = new FileInputStream(file);
+            } catch (FileNotFoundException e) {
+                e.printStackTrace();
+            }
+        } else {
+            res = CertificateHelper.class.getClassLoader().getResourceAsStream(filename);
         }
+        
         return loadCerts(res);
     }
 
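Review bot: The classpath fallback is taken silently whenever `filename` is not a regular file, so a typo or a missing file makes the trust anchor or identity come from whatever same-named resource happens to be on the classpath. `getResourceAsStream` also returns null when no such resource exists, and that null is passed straight to `loadCerts(res)`. I would fail explicitly with `if (res == null) { throw new KrbException("PKINIT certificate not found: " + filename); }` and log which source was actually used. The `FileNotFoundException` branch has the same null fall-through, and nothing visible in this method closes `res`.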


[7/7] directory-kerby git commit: Merge remote-tracking branch 'asf/trunk' into kadmin-remote

Posted by pl...@apache.org.
Merge remote-tracking branch 'asf/trunk' into kadmin-remote


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/33398237
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/33398237
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/33398237

Branch: refs/heads/kadmin-remote
Commit: 3339823769284cb0fa0864c9fe968f97dec46f65
Parents: 3828287 708456f
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Jul 6 10:57:43 2016 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Wed Jul 6 10:57:43 2016 +0800

----------------------------------------------------------------------
 .../client/preauth/pkinit/PkinitPreauth.java    | 21 ++++--
 .../kerb/preauth/pkinit/CertificateHelper.java  | 16 +++--
 .../kerb/preauth/pkinit/PkinitCrypto.java       | 68 ++++++++++++--------
 .../server/preauth/pkinit/PkinitPreauth.java    | 48 +++++++-------
 .../kerberos/kerb/server/request/AsRequest.java |  8 +--
 5 files changed, 100 insertions(+), 61 deletions(-)
----------------------------------------------------------------------



[4/7] directory-kerby git commit: Another NPE fix if it fails to load the PKINIT trust anchor

Posted by pl...@apache.org.
Another NPE fix if it fails to load the PKINIT trust anchor


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/35fb465a
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/35fb465a
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/35fb465a

Branch: refs/heads/kadmin-remote
Commit: 35fb465a7b6d63e1ba4e886f162b1b1cddd677a7
Parents: 36ed64d
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jul 5 12:34:18 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jul 5 12:34:18 2016 +0100

----------------------------------------------------------------------
 .../kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java     | 6 ++++++
 1 file changed, 6 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/35fb465a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 9a15c4e..9b37eb2 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -363,6 +363,12 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
             } catch (KrbException e) {
                 e.printStackTrace();
             }
+            
+            if (x509Certificate == null) {
+                LOG.error("Failed to load PKINIT anchor");
+                throw new KrbException("Failed to load PKINIT anchor");
+            }
+            
             Certificate archorCertificate = PkinitCrypto.changeToCertificate(x509Certificate);
 
             CertificateSet certificateSet = signedData.getCertificates();
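Review bot: The new exception does not say which anchor failed, and the `KrbException` swallowed by the `catch` just above is the one that held the real cause. Consider `throw new KrbException("Failed to load PKINIT anchor " + anchorFileName);` (assuming `anchorFileName` is in scope at this point), or better, rethrow from the catch instead of calling `e.printStackTrace()`. Logging at error level and then throwing also tends to record the same event twice once the caller logs the exception. The enclosing method starts and ends outside the hunk.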


[6/7] directory-kerby git commit: Some fixes for certificate validation for anon PKINIT

Posted by pl...@apache.org.
Some fixes for certificate validation for anon PKINIT


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/708456f0
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/708456f0
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/708456f0

Branch: refs/heads/kadmin-remote
Commit: 708456f0405e5e21d9b0b28bbef2fb386b3f214e
Parents: 5c76b64
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jul 5 14:56:56 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jul 5 14:58:28 2016 +0100

----------------------------------------------------------------------
 .../client/preauth/pkinit/PkinitPreauth.java    |  4 +-
 .../kerb/preauth/pkinit/PkinitCrypto.java       | 68 ++++++++++++--------
 2 files changed, 43 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/708456f0/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index b47a46f..df4af89 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -372,8 +372,6 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
                 throw new KrbException("Failed to load PKINIT anchor");
             }
             
-            Certificate archorCertificate = PkinitCrypto.changeToCertificate(x509Certificate);
-
             CertificateSet certificateSet = signedData.getCertificates();
             List<Certificate> certificates = new ArrayList<>();
             if (certificateSet != null) {
@@ -383,7 +381,7 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
                 }
             }
             try {
-                PkinitCrypto.validateChain(certificates, archorCertificate);
+                PkinitCrypto.validateChain(certificates, x509Certificate);
             } catch (Exception e) {
                 throw new KrbException(KrbErrorCode.KDC_ERR_INVALID_CERTIFICATE, e);
             }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/708456f0/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
index cc09a37..63e3e44 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
@@ -18,6 +18,33 @@
  */
 package org.apache.kerby.kerberos.kerb.preauth.pkinit;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.crypto.interfaces.DHPublicKey;
+import javax.crypto.spec.DHParameterSpec;
+import javax.crypto.spec.DHPublicKeySpec;
+
 import org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
 import org.apache.kerby.cms.type.CertificateSet;
 import org.apache.kerby.cms.type.DigestAlgorithmIdentifiers;
@@ -36,25 +63,6 @@ import org.apache.kerby.x509.type.DhParameter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.crypto.interfaces.DHPublicKey;
-import javax.crypto.spec.DHParameterSpec;
-import javax.crypto.spec.DHPublicKeySpec;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.X509Certificate;
-import java.security.spec.InvalidKeySpecException;
-import java.util.ArrayList;
-import java.util.List;
-
 /**
   * Ref. pkinit_crypto_openssl.c in MIT krb5 project.
   */
@@ -329,16 +337,25 @@ public class PkinitCrypto {
      * @throws NoSuchAlgorithmException e
      * @throws InvalidAlgorithmParameterException e
      * @throws CertPathValidatorException e
+     * @throws IOException 
      */
-    public static void validateChain(List<Certificate> certificateList, Certificate anchor)
+    public static void validateChain(List<Certificate> certificateList, X509Certificate anchor)
             throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException,
-            InvalidAlgorithmParameterException, CertPathValidatorException {
+            InvalidAlgorithmParameterException, CertPathValidatorException, IOException {
 
-        //TODO
-        /*
         CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-        CertPath certPath = certificateFactory.generatertPath(certificateList);
-
+        
+        // Convert into a list of X509Certificates
+        List<X509Certificate> certsList = new ArrayList<>(certificateList.size());
+        for (Certificate cert : certificateList) {
+            X509Certificate parsedCert = 
+                (X509Certificate) certificateFactory.generateCertificate(
+                    new ByteArrayInputStream(cert.encode()));
+            certsList.add(parsedCert);
+        }
+        
+        CertPath certPath = certificateFactory.generateCertPath(certsList);
+        
         CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
 
         TrustAnchor trustAnchor = new TrustAnchor(anchor, null);
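Review bot: Nothing in the now-live body rejects an empty `certificateList`, and as far as I know the JDK PKIX validator accepts an empty CertPath. The caller in the client `PkinitPreauth` builds an empty list when `signedData.getCertificates()` is null, so such a reply could pass this check. A guard at the top closes that: `if (certificateList == null || certificateList.isEmpty()) { throw new CertificateException("No certificates to validate"); }`. `generateCertPath` expects the list ordered from the end-entity certificate towards the anchor, while a CMS certificate set carries no ordering guarantee, so valid chains may be rejected unless the list is sorted or the path is built with `CertPathBuilder`. Removing the comment markers also activates `parameters.setRevocationEnabled(false)` in the next hunk, which should carry a comment saying revocation is deliberately not checked, or be made configurable; the new `@throws IOException` tag has no description.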
@@ -347,7 +364,6 @@ public class PkinitCrypto {
         parameters.setRevocationEnabled(false);
 
         cpv.validate(certPath, parameters);
-        */
     }
 
     /**


[3/7] directory-kerby git commit: Avoid array out of bounds exception if the client forgets to configure pkinit trust anchors

Posted by pl...@apache.org.
Avoid array out of bounds exception if the client forgets to configure pkinit trust anchors


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/36ed64d8
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/36ed64d8
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/36ed64d8

Branch: refs/heads/kadmin-remote
Commit: 36ed64d8f02753adb37c22c0bd16231674c2e607
Parents: 2d31702
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jul 5 12:31:29 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jul 5 12:31:29 2016 +0100

----------------------------------------------------------------------
 .../kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java | 4 ++++
 1 file changed, 4 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/36ed64d8/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 3620f23..9a15c4e 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -350,6 +350,10 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
             PkinitCrypto.verifyCmsSignedData(
                     CmsMessageType.CMS_SIGN_SERVER, signedData);
 
+            if (kdcRequest.getContext().getConfig().getPkinitAnchors().isEmpty()) {
+                LOG.error("No PKINIT anchors specified");
+                throw new KrbException("No PKINIT anchors specified");
+            }
             String anchorFileName = kdcRequest.getContext().getConfig().getPkinitAnchors().get(0);
 
             X509Certificate x509Certificate = null;
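Review bot: `kdcRequest.getContext().getConfig().getPkinitAnchors()` is now evaluated twice, once for the `isEmpty()` check and once for `get(0)`. Holding it in a local, `List<String> anchors = kdcRequest.getContext().getConfig().getPkinitAnchors();`, keeps the check and the use on the same value and lets the guard also cover a null return (whether the getter can return null is not visible here). Only the first configured anchor is ever read, so additional entries are silently ignored; a comment saying so would help anyone who configures several. The enclosing method starts and ends outside the hunk.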