[krb5-auth-dialog] make pkinit anchors configurable



commit 94e4fb1e162eedb1093eb8791047b67bbb3d20e6
Author: Guido Günther <agx sigxcpu org>
Date:   Mon Apr 13 18:30:55 2009 +0200

    make pkinit anchors configurable
    
    and pass pkinit options to krb5_get_init_creds_opt_set_pa (MIT pkinit) if
    available.
---
 ChangeLog                                      |   27 +++++++++
 configure.ac                                   |   27 ++++-----
 preferences/krb5-auth-dialog-preferences.c     |   74 +++++++++++++++++++++++-
 preferences/krb5-auth-dialog-preferences.glade |   43 +++++++++++++-
 src/krb5-auth-applet.c                         |   22 +++++++
 src/krb5-auth-dialog.c                         |   67 +++++++++++++++-------
 src/krb5-auth-dialog.schemas.in                |   17 +++++-
 src/krb5-auth-gconf-tools.h                    |    1 +
 src/krb5-auth-gconf.c                          |   17 ++++++
 9 files changed, 256 insertions(+), 39 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 540f364..d5442f9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,30 @@
+Fri Apr 17 13:20:09 CEST 2009 Guido Günther <agx sigxcpu org>
+
+	make pkinit anchors configurable and pass pkinit options to
+	krb5_get_init_creds_opt_set_pa (MIT pkinit), if available.
+	* configure.ac: check for krb5_get_init_creds_opt_set_pa
+	* preferences/krb5-auth-dialog-preferences.c
+	  (ka_preferences_pkanchors_notify,
+	   ka_preferences_dialog_pkanchors_changed,
+	   ka_preferences_dialog_setup_pkanchors_entry): new functions
+	  (ka_preferences_dialog_init: call
+	   ka_preferences_dialog_setup_pkanchors_entry to handle pk_anchors
+	* preferences/krb5-auth-dialog-preferences.glade: add pkanchors_entry
+	  GtkEntry
+	* src/krb5-auth-applet.c (ka_applet-{set,get}_property,
+	  ka_applet_class_init): handle pk-anchors property
+	* src/krb5-auth-dialog.c (ka_set_ticket_options): pass pkinit userid
+	   and anchors to krb5_get_init_creds_opt_set_pa if available.
+	  (ka_auth_pkinit): rename to ka_auth_heimdal_pkinit
+	  (ka_auth_heimdal_pkinit): pass pk_anchors
+	  (grab_credentials): fetch pk_anchors from pk-anchors property and
+	   pass it to ka_auth_{password,heimdal_pkinit}
+	* src/krb5-auth-gconf.c (ka_gconf_set_pk_anchors): new function
+	  (ka_gconf_key_changed_callback): handle pk_anchors
+	  (ka_gconf_init); likewise
+	* src/krb5-auth-gconf-tools.h: add pk_anchors
+	* src/krb5-auth-dialog.schemas.in: add pk_anchors
+
 Fri Apr 17 13:19:18 CEST 2009 Guido Günther <agx sigxcpu org>
 
 	* AUTHORS: add Colin
diff --git a/configure.ac b/configure.ac
index be95999..3b9c983 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,10 +65,13 @@ AC_CHECK_MEMBERS(krb5_creds.flags.b.forwardable,,,[#include <krb5.h>])
 AC_CHECK_MEMBERS(krb5_creds.flags.b.renewable,,,[#include <krb5.h>])
 AC_CHECK_MEMBERS(krb5_creds.flags.b.proxiable,,,[#include <krb5.h>])
 AC_CHECK_MEMBERS(krb5_creds.flags,,,[#include <krb5.h>])
-AC_CHECK_FUNCS([krb5_get_error_message])
-AC_CHECK_FUNCS([krb5_get_renewed_creds])
-AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_default_flags])
-AC_CHECK_FUNCS([krb5_cc_clear_mcred])
+AC_CHECK_FUNCS([krb5_get_error_message krb5_get_renewed_creds \
+                krb5_get_init_creds_opt_set_default_flags \
+                krb5_cc_clear_mcred])
+AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit],
+		[heimdal_pkinit=yes],[heimdal_pkinit=no])
+AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pa],
+		[mit_pkinit=yes],[mit_pkinit=no])
 AC_MSG_CHECKING(if a krb5_principal->realm is a char*)
 AC_COMPILE_IFELSE([
 $ac_includes_default
@@ -95,29 +98,25 @@ main(int argc, char **argv)
 	foo->realm = bar;
 	return 0;
 }],[AC_DEFINE(HAVE_KRB5_PRINCIPAL_REALM_AS_DATA,1,[Define if the realm of a krb5_principal is a krb5_data])
-AC_MSG_RESULT(yes)],
-AC_MSG_RESULT(no))
+AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
+
 dnl pkinit
 AC_MSG_CHECKING([whether to enable pkinit support])
 AC_ARG_ENABLE([pkinit],
 	AS_HELP_STRING([--enable-pkinit],[whether to enable preauth via pkinit support]),
 	[],[enable_pkinit=autodetect])
-AC_MSG_RESULT([$enable_pkinit])
 
-if test "x$enable_pkinit" != "xno"; then
-	AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit],
-		[enable_pkinit=yes],[enable_pkinit=no])
-fi
-
-if test "x$enable_pkinit" = "xyes"; then
+if test "x$heimdal_pkinit" = "xyes" -o \
+        "x$mit_pkinit" = "xyes"; then
+	enable_pkinit=yes
 	AC_DEFINE([ENABLE_PKINIT],[1],[Define for pkinit support])
 fi
+AC_MSG_RESULT([$enable_pkinit])
 AM_CONDITIONAL([ENABLE_PKINIT],[test "x$enable_pkinit" = "xyes"])
 CFLAGS="$savedCFLAGS"
 LIBS="$savedLIBS"
 
 
-
 dnl NetworkManager
 AC_MSG_CHECKING([whether to enable NetworkManager support])
 AC_ARG_ENABLE([network-manager],
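Review bot: An explicit `--disable-pkinit` is no longer honoured, because the removed `if test "x$enable_pkinit" != "xno"` guard was the only place the user's choice was consulted and the new block sets `enable_pkinit=yes` whenever either function is found. The reverse case is inconsistent too: `--enable-pkinit` with neither function present leaves `enable_pkinit=yes` for `AM_CONDITIONAL` while `ENABLE_PKINIT` is never defined, and an autodetect miss reports the literal `autodetect`. Wrapping the detection in the user's choice, and failing configure when pkinit was requested but is unavailable, keeps a build that was meant to ship without certificate preauth from silently gaining it. `test … -o` is also described as non-portable in the Autoconf manual; two `test` calls joined by `||` avoid it.

```m4
dnl … unchanged: AC_MSG_CHECKING / AC_ARG_ENABLE([pkinit], …) …
if test "x$enable_pkinit" != "xno"; then
	if test "x$heimdal_pkinit" = "xyes" || test "x$mit_pkinit" = "xyes"; then
		enable_pkinit=yes
		AC_DEFINE([ENABLE_PKINIT],[1],[Define for pkinit support])
	elif test "x$enable_pkinit" = "xyes"; then
		AC_MSG_ERROR([pkinit support requested but no pkinit API was found])
	else
		enable_pkinit=no
	fi
fi
AC_MSG_RESULT([$enable_pkinit])
dnl … unchanged: AM_CONDITIONAL([ENABLE_PKINIT], …) …
```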
diff --git a/preferences/krb5-auth-dialog-preferences.c b/preferences/krb5-auth-dialog-preferences.c
index caf9ed9..ab463a0 100644
--- a/preferences/krb5-auth-dialog-preferences.c
+++ b/preferences/krb5-auth-dialog-preferences.c
@@ -36,7 +36,7 @@
 
 #include "krb5-auth-gconf-tools.h"
 
-#define N_LISTENERS 7
+#define N_LISTENERS 8
 
 typedef struct {
   GladeXML    *xml;
@@ -45,6 +45,7 @@ typedef struct {
   GtkWidget *dialog;
   GtkWidget *principal_entry;
   GtkWidget *pkuserid_entry;
+  GtkWidget *pkanchors_entry;
   GtkWidget *forwardable_toggle;
   GtkWidget *proxiable_toggle;
   GtkWidget *renewable_toggle;
@@ -198,6 +199,76 @@ ka_preferences_dialog_setup_pkuserid_entry (KaPreferencesDialog *dialog)
 
 
 static void
+ka_preferences_pkanchors_notify (GConfClient *client G_GNUC_UNUSED,
+                           guint cnx_id G_GNUC_UNUSED,
+                           GConfEntry *entry,
+                           KaPreferencesDialog *dialog)
+{
+  const char *pkanchors;
+
+  if (!entry->value || entry->value->type != GCONF_VALUE_STRING)
+      return;
+
+  pkanchors = gconf_value_get_string (entry->value);
+
+  if (!pkanchors || !strlen(pkanchors))
+      gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), "");
+  else {
+      const char *old_pkanchors;
+
+      old_pkanchors = gtk_entry_get_text (GTK_ENTRY (dialog->pkanchors_entry));
+      if (!old_pkanchors || (old_pkanchors && strcmp (old_pkanchors, pkanchors)))
+          gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), pkanchors);
+  }
+}
+
+
+static void
+ka_preferences_dialog_pkanchors_changed (GtkEntry *entry,
+                                   KaPreferencesDialog *dialog)
+{
+  const char *pkanchors;
+
+  pkanchors = gtk_entry_get_text (entry);
+
+  if (!pkanchors || !strlen(pkanchors))
+      gconf_client_unset (dialog->client, KA_GCONF_KEY_PK_ANCHORS, NULL);
+  else
+      gconf_client_set_string (dialog->client, KA_GCONF_KEY_PK_ANCHORS, pkanchors, NULL);
+}
+
+
+static void
+ka_preferences_dialog_setup_pkanchors_entry (KaPreferencesDialog *dialog)
+{
+  char     *pkanchors = NULL;
+
+  dialog->pkanchors_entry = glade_xml_get_widget (dialog->xml, "pkanchors_entry");
+  g_assert (dialog->pkanchors_entry != NULL);
+
+  if (!ka_gconf_get_string (dialog->client, KA_GCONF_KEY_PK_ANCHORS, &pkanchors))
+      g_warning ("Getting pkanchors failed");
+
+  if (pkanchors && strlen(pkanchors))
+      gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), pkanchors);
+  if (pkanchors)
+      g_free (pkanchors);
+
+  g_signal_connect (dialog->pkanchors_entry, "changed",
+      G_CALLBACK (ka_preferences_dialog_pkanchors_changed), dialog);
+  if (!gconf_client_key_is_writable (dialog->client, KA_GCONF_KEY_PK_ANCHORS, NULL)) {
+      gtk_widget_set_sensitive (dialog->pkanchors_entry, FALSE);
+  }
+
+  dialog->listeners [dialog->n_listeners] = gconf_client_notify_add (dialog->client,
+                          KA_GCONF_KEY_PK_ANCHORS,
+                          (GConfClientNotifyFunc) ka_preferences_pkanchors_notify,
+                          dialog, NULL, NULL);
+  dialog->n_listeners++;
+}
+
+
+static void
 ka_preferences_dialog_forwardable_toggled (GtkToggleButton *toggle,
                                      KaPreferencesDialog *dialog)
 {
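Review bot: `ka_preferences_dialog_setup_pkanchors_entry` stores into `dialog->listeners [dialog->n_listeners]` with no bound check, so the write stays in range only because `N_LISTENERS` was bumped by hand in the first hunk of this file (assuming the array is sized by that macro; its declaration is outside the hunks). A guard such as `g_return_if_fail (dialog->n_listeners < N_LISTENERS);` before the `gconf_client_notify_add` call would turn a forgotten bump into a warning instead of an out-of-bounds write. Separately, the `changed` handler writes every intermediate keystroke to `KA_GCONF_KEY_PK_ANCHORS` and discards the `GError`, so a half-typed path can become the live trust-anchor setting. Committing the value on `activate` or focus-out, and logging a failed `gconf_client_set_string`, would be safer.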
@@ -552,6 +623,7 @@ ka_preferences_dialog_init(KaPreferencesDialog* dialog)
 
   ka_preferences_dialog_setup_principal_entry (dialog);
   ka_preferences_dialog_setup_pkuserid_entry (dialog);
+  ka_preferences_dialog_setup_pkanchors_entry(dialog);
   ka_preferences_dialog_setup_forwardable_toggle (dialog);
   ka_preferences_dialog_setup_proxiable_toggle (dialog);
   ka_preferences_dialog_setup_renewable_toggle (dialog);
diff --git a/preferences/krb5-auth-dialog-preferences.glade b/preferences/krb5-auth-dialog-preferences.glade
index b4e5cd5..10d9086 100644
--- a/preferences/krb5-auth-dialog-preferences.glade
+++ b/preferences/krb5-auth-dialog-preferences.glade
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE glade-interface SYSTEM "glade-2.0.dtd">
-<!--Generated with glade3 3.4.5 on Thu Apr  2 18:10:14 2009 -->
+<!--Generated with glade3 3.4.5 on Mon Apr 13 18:26:03 2009 -->
 <glade-interface>
   <widget class="GtkDialog" id="krb5_auth_dialog_prefs">
     <property name="border_width">5</property>
@@ -138,6 +138,47 @@
                                 <property name="position">3</property>
                               </packing>
                             </child>
+                            <child>
+                              <widget class="GtkLabel" id="label3">
+                                <property name="visible">True</property>
+                                <property name="xalign">0</property>
+                                <property name="label" translatable="yes">PKINT anchors:</property>
+                              </widget>
+                              <packing>
+                                <property name="expand">False</property>
+                                <property name="fill">False</property>
+                                <property name="position">4</property>
+                              </packing>
+                            </child>
+                            <child>
+                              <widget class="GtkHBox" id="hbox12">
+                                <property name="visible">True</property>
+                                <property name="spacing">6</property>
+                                <child>
+                                  <widget class="GtkLabel" id="label20">
+                                    <property name="visible">True</property>
+                                    <property name="label" translatable="yes">    </property>
+                                  </widget>
+                                  <packing>
+                                    <property name="expand">False</property>
+                                    <property name="fill">False</property>
+                                  </packing>
+                                </child>
+                                <child>
+                                  <widget class="GtkEntry" id="pkanchors_entry">
+                                    <property name="visible">True</property>
+                                    <property name="can_focus">True</property>
+                                    <property name="tooltip" translatable="yes">Path to CA certificates used as trust anchors for PKINIT</property>
+                                  </widget>
+                                  <packing>
+                                    <property name="position">1</property>
+                                  </packing>
+                                </child>
+                              </widget>
+                              <packing>
+                                <property name="position">5</property>
+                              </packing>
+                            </child>
                           </widget>
                           <packing>
                             <property name="position">1</property>
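Review bot: The new label text reads `PKINT anchors:` and should be `PKINIT anchors:`; because the property is `translatable="yes"`, the misspelling will be carried into every translation catalogue once the strings are extracted. The tooltip on `pkanchors_entry` says "Path to CA certificates" but does not tell the user what form the value takes (a file, a directory, or a prefixed location). Since this field decides which CAs are accepted as PKINIT trust anchors, the expected form is worth spelling out in the tooltip.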
diff --git a/src/krb5-auth-applet.c b/src/krb5-auth-applet.c
index daaef2e..6e02ed8 100644
--- a/src/krb5-auth-applet.c
+++ b/src/krb5-auth-applet.c
@@ -41,6 +41,7 @@ enum
   KA_PROP_0 = 0,
   KA_PROP_PRINCIPAL,
   KA_PROP_PK_USERID,
+  KA_PROP_PK_ANCHORS,
   KA_PROP_TRAYICON,
   KA_PROP_PW_PROMPT_MINS,
   KA_PROP_TGT_FORWARDABLE,
@@ -76,6 +77,7 @@ struct _KaAppletPrivate
 	char* principal;		/* the principal to request */
 	gboolean renewable;		/* credentials renewable? */
 	char* pk_userid;		/* "userid" for pkint */
+	char* pk_anchors;		/* trust anchors for pkint */
 	gboolean tgt_forwardable;	/* request a forwardable ticket */
 	gboolean tgt_renewable;		/* request a renewable ticket */
 	gboolean tgt_proxiable;		/* request a proxiable ticket */
@@ -102,6 +104,12 @@ ka_applet_set_property (GObject      *object,
 	KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_userid);
 	break;
 
+     case KA_PROP_PK_ANCHORS:
+	g_free (self->priv->pk_anchors);
+	self->priv->pk_anchors = g_value_dup_string (value);
+	KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_anchors);
+	break;
+
     case KA_PROP_TRAYICON:
 	self->priv->show_trayicon = g_value_get_boolean (value);
 	KA_DEBUG ("%s: %s", pspec->name, self->priv->show_trayicon ? "True" : "False");
@@ -152,6 +160,10 @@ ka_applet_get_property (GObject    *object,
 	g_value_set_string (value, self->priv->pk_userid);
 	break;
 
+    case KA_PROP_PK_ANCHORS:
+	g_value_set_string (value, self->priv->pk_anchors);
+	break;
+
     case KA_PROP_TRAYICON:
 	g_value_set_boolean (value, self->priv->show_trayicon);
 	break;
@@ -207,6 +219,7 @@ ka_applet_finalize(GObject *object)
 
 	g_free (applet->priv->principal);
 	g_free (applet->priv->pk_userid);
+	g_free (applet->priv->pk_anchors);
 	/* no need to free applet->priv */
 
 	if (parent_class->finalize != NULL)
@@ -252,6 +265,15 @@ ka_applet_class_init(KaAppletClass *klass)
                                          KA_PROP_PK_USERID,
                                          pspec);
 
+	pspec = g_param_spec_string ("pk-anchors",
+				     "PKinit trust anchors",
+				     "Get/Set Pkinit trust anchors",
+				     "",
+				     G_PARAM_CONSTRUCT | G_PARAM_READWRITE);
+	g_object_class_install_property (object_class,
+                                         KA_PROP_PK_ANCHORS,
+                                         pspec);
+
 	pspec = g_param_spec_boolean("show-trayicon",
 				     "Show tray icon",
 				     "Show/Hide the tray icon",
diff --git a/src/krb5-auth-dialog.c b/src/krb5-auth-dialog.c
index c443cd3..32cc016 100644
--- a/src/krb5-auth-dialog.c
+++ b/src/krb5-auth-dialog.c
@@ -382,14 +382,14 @@ out:
  * set ticket options by looking at krb5.conf and gconf
  */
 static void
-ka_set_ticket_options(KaApplet* applet,
-		      krb5_get_init_creds_opt *out)
+ka_set_ticket_options(KaApplet* applet, krb5_context context,
+		      krb5_get_init_creds_opt *out,
+		      const char* pk_userid, const char* pk_anchors)
 {
 	gboolean flag;
-
 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
-	krb5_get_init_creds_opt_set_default_flags(kcontext, PACKAGE,
-		krb5_principal_get_realm(kcontext, kprincipal), out);
+	krb5_get_init_creds_opt_set_default_flags(context, PACKAGE,
+		krb5_principal_get_realm(context, kprincipal), out);
 #endif
 	g_object_get(applet, "tgt-forwardable", &flag, NULL);
 	if (flag)
@@ -402,6 +402,20 @@ ka_set_ticket_options(KaApplet* applet,
 		krb5_deltat r = 3600*24*30; /* 1 month */
 		krb5_get_init_creds_opt_set_renew_life (out, r);
 	}
+
+#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA
+	/* pkinit optins for MIT Kerberos */
+	if (pk_userid && strlen(pk_userid)) {
+		KA_DEBUG("pkinit with '%s'", pk_userid);
+		krb5_get_init_creds_opt_set_pa(context, out,
+			"X509_user_identity", pk_userid);
+		if (pk_anchors && strlen(pk_anchors)) {
+			KA_DEBUG("pkinit anchors '%s'", pk_anchors);
+			krb5_get_init_creds_opt_set_pa(context, out,
+				"X509_anchors", pk_anchors);
+		}
+	}
+#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA */
 }
 
 
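Review bot: Both `krb5_get_init_creds_opt_set_pa` calls drop their `krb5_error_code` result, so if setting `X509_anchors` fails the request goes ahead without the anchors the user configured and nothing is reported. Since `ka_set_ticket_options` is `void` (its signature is in the previous hunk), the minimal change is to log the failure, e.g. `if (krb5_get_init_creds_opt_set_pa(context, out, "X509_anchors", pk_anchors)) g_warning("setting pkinit anchors failed");`; returning the error so the caller does not attempt authentication would be stricter. The anchors are also applied only inside the `pk_userid` branch, which deserves a one-line comment if intentional, and the comment above the block has a typo (`optins`).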
@@ -445,24 +459,29 @@ set_options_from_creds(const KaApplet* applet,
 }
 
 
-#ifdef ENABLE_PKINIT
+#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT
 static krb5_error_code
-ka_auth_pkinit(KaApplet* applet, krb5_creds* creds, const char* pk_userid)
+ka_auth_heimdal_pkinit(KaApplet* applet, krb5_creds* creds,
+                       const char* pk_userid, const char* pk_anchors)
 {
 	krb5_get_init_creds_opt *opts = NULL;
 	krb5_error_code retval;
+	const char* pkinit_anchors = NULL;
 
 	KA_DEBUG("pkinit with '%s'", pk_userid);
+	if (pk_anchors && strlen (pk_anchors)) {
+		pkinit_anchors = pk_anchors;
+		KA_DEBUG("pkinit anchors '%s'", pkinit_anchors);
+	}
 
-	retval = krb5_get_init_creds_opt_alloc (kcontext, &opts);
-	if (retval)
+	if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts)))
 		goto out;
-	ka_set_ticket_options (applet, opts);
 
+	ka_set_ticket_options (applet, kcontext, opts, NULL, NULL);
 	retval = krb5_get_init_creds_opt_set_pkinit(kcontext, opts,
 						    kprincipal,
 						    pk_userid,
-						    NULL, /* x509 anchors */
+						    pkinit_anchors,
 						    NULL,
 						    NULL,
 						    0,	  /* pk_use_enc_key */
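Review bot: `ka_auth_heimdal_pkinit` is compiled under `#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT`, but its only visible caller in `grab_credentials` is guarded by that condition plus `HAVE_HX509_ERR_H`, so a build that has the function but not the header defines a `static` function that is never called. Using the same three-macro condition here keeps definition and call site in step. The closing `#endif /* ! ENABLE_PKINIT */` shown in the next hunk no longer describes the condition and should be updated with it. The function body continues past the end of this hunk.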
@@ -484,15 +503,17 @@ out:
 #endif /* ! ENABLE_PKINIT */
 
 static krb5_error_code
-ka_auth_password(KaApplet* applet, krb5_creds* creds)
+ka_auth_password(KaApplet* applet, krb5_creds* creds,
+                 const char* pk_userid, const char* pk_anchors)
 {
 	krb5_error_code retval;
 	krb5_get_init_creds_opt *opts = NULL;
 
-	retval = krb5_get_init_creds_opt_alloc (kcontext, &opts);
-	if (retval)
+	if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts)))
 		goto out;
-	ka_set_ticket_options (applet, opts);
+	ka_set_ticket_options (applet, kcontext, opts,
+	                       pk_userid, pk_anchors);
+
 	retval = krb5_get_init_creds_password(kcontext, creds, kprincipal,
 					      NULL, auth_dialog_prompter, applet,
 					      0, NULL, opts);
@@ -585,6 +606,7 @@ grab_credentials (KaApplet* applet)
 	krb5_creds my_creds;
 	krb5_ccache ccache;
 	gchar *pk_userid = NULL;
+	gchar *pk_anchors = NULL;
 	gboolean pw_auth = TRUE;
 
 	memset(&my_creds, 0, sizeof(my_creds));
@@ -599,18 +621,22 @@ grab_credentials (KaApplet* applet)
 	if (retval)
 		goto out2;
 
-	g_object_get(applet, "pk-userid", &pk_userid, NULL);
-#ifdef ENABLE_PKINIT
+	g_object_get(applet, "pk-userid", &pk_userid,
+	                     "pk-anchors", &pk_anchors,
+	                     NULL);
+#if ENABLE_PKINIT && HAVE_HX509_ERR_H && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT
 	/* pk_userid set: try pkinit */
 	if (pk_userid && strlen(pk_userid)) {
-		retval = ka_auth_pkinit(applet, &my_creds, pk_userid);
+		retval = ka_auth_heimdal_pkinit(applet, &my_creds,
+		                                pk_userid, pk_anchors);
 		/* other error than: "no token found" - no need to try password auth: */
 		if (retval != HX509_PKCS11_NO_TOKEN && retval != HX509_PKCS11_NO_SLOT)
 			pw_auth = FALSE;
 	}
 #endif /* ENABLE_PKINIT */
 	if (pw_auth)
-		retval = ka_auth_password(applet, &my_creds);
+		retval = ka_auth_password(applet, &my_creds,
+		                          pk_userid, pk_anchors);
 
 	creds_expiry = my_creds.times.endtime;
 	if (canceled)
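Review bot: `pk_anchors` is filled by `g_object_get`, which hands back a newly allocated copy of a string property, yet no hunk in this file adds a `g_free (pk_anchors)`, so the string appears to be leaked on every call to `grab_credentials`. Adding `g_free (pk_anchors);` next to wherever `pk_userid` is released would fix it; the variable is initialised to `NULL`, so the early `goto out2` path is safe. The cleanup labels are outside the hunks, so the exact placement should be checked against the full function.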
@@ -621,8 +647,7 @@ grab_credentials (KaApplet* applet)
 			case KRB5KRB_AP_ERR_BAD_INTEGRITY:
 #ifdef HAVE_HX509_ERR_H
 			case HX509_PKCS11_LOGIN:
-#endif
-				/* Invalid password/pin, try again. */
+#endif 				/* Invalid password/pin, try again. */
 				invalid_auth = TRUE;
 				break;
 			default:
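Review bot: The comment `/* Invalid password/pin, try again. */` has been joined onto the `#endif` line, where it reads as a label for the `HAVE_HX509_ERR_H` conditional rather than as a description of the `invalid_auth = TRUE;` branch. Keeping `#endif` on its own line with the comment on the line after it, as before, preserves the meaning. The `switch` starts and ends outside this hunk.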
diff --git a/src/krb5-auth-dialog.schemas.in b/src/krb5-auth-dialog.schemas.in
index 13b05b2..4b7adb8 100644
--- a/src/krb5-auth-dialog.schemas.in
+++ b/src/krb5-auth-dialog.schemas.in
@@ -34,8 +34,21 @@
       <default></default>
 
       <locale name="C">
-        <short>Pkinit identifier</short>
-        <long>The principal's public/private/certificate identifier when using pkinit</long>
+        <short>PKINIT identifier</short>
+        <long>The principal's public/private/certificate identifier when using PKINIT</long>
+      </locale>
+    </schema>
+
+    <schema>
+      <key>/schemas/apps/::PACKAGE::/pk_anchors</key>
+      <applyto>/apps/::PACKAGE::/pk_anchors</applyto>
+      <owner>::PACKAGE::</owner>
+      <type>string</type>
+      <default></default>
+
+      <locale name="C">
+        <short>PKINIT trust anchors</short>
+        <long>PKINIT CA certificates</long>
       </locale>
     </schema>
 
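Review bot: The `<long>` description for `pk_anchors`, `PKINIT CA certificates`, does not say what the value should contain, while the preferences tooltip added in the same commit describes it as a path to CA certificates used as trust anchors. Reusing that wording here, e.g. `<long>Path to CA certificates used as trust anchors for PKINIT</long>`, keeps the schema and the dialog consistent for a setting that controls which CAs are trusted.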
diff --git a/src/krb5-auth-gconf-tools.h b/src/krb5-auth-gconf-tools.h
index 9786b2f..9f9020f 100644
--- a/src/krb5-auth-gconf-tools.h
+++ b/src/krb5-auth-gconf-tools.h
@@ -28,6 +28,7 @@
 #define KA_GCONF_PATH			"/apps/" PACKAGE
 #define KA_GCONF_KEY_PRINCIPAL		KA_GCONF_PATH "/principal"
 #define KA_GCONF_KEY_PK_USERID		KA_GCONF_PATH "/pk_userid"
+#define KA_GCONF_KEY_PK_ANCHORS		KA_GCONF_PATH "/pk_anchors"
 #define KA_GCONF_KEY_PROMPT_MINS	KA_GCONF_PATH "/prompt_minutes"
 #define KA_GCONF_KEY_SHOW_TRAYICON	KA_GCONF_PATH "/show_trayicon"
 #define KA_GCONF_KEY_FORWARDABLE	KA_GCONF_PATH "/forwardable"
diff --git a/src/krb5-auth-gconf.c b/src/krb5-auth-gconf.c
index 25eb555..b63d833 100644
--- a/src/krb5-auth-gconf.c
+++ b/src/krb5-auth-gconf.c
@@ -54,6 +54,20 @@ ka_gconf_set_pk_userid (GConfClient* client, KaApplet* applet)
 
 
 static gboolean
+ka_gconf_set_pk_anchors (GConfClient* client, KaApplet* applet)
+{
+	gchar*  pk_anchors = NULL;
+
+	if(!ka_gconf_get_string (client, KA_GCONF_KEY_PK_ANCHORS, &pk_anchors)) {
+		pk_anchors = g_strdup ("");
+	}
+	g_object_set(applet, "pk_anchors", pk_anchors, NULL);
+	g_free (pk_anchors);
+	return TRUE;
+}
+
+
+static gboolean
 ka_gconf_set_prompt_mins (GConfClient* client, KaApplet* applet)
 {
 	gint prompt_mins = 0;
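Review bot: When `ka_gconf_get_string` fails, `ka_gconf_set_pk_anchors` silently replaces the value with `""`, and an empty string is later skipped in `ka_set_ticket_options` and mapped to `NULL` in `ka_auth_heimdal_pkinit`, so a read error quietly drops the configured trust anchors. A `g_warning ("Getting pk_anchors failed");` in that branch, matching what the preferences code in this commit does, would make the fallback visible. The property is also addressed as `"pk_anchors"` here but registered and read elsewhere in the commit as `"pk-anchors"`; GObject is expected to canonicalise the name, but the dashed spelling would be consistent.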
@@ -140,6 +154,8 @@ ka_gconf_key_changed_callback (GConfClient* client,
 		ka_gconf_set_show_trayicon (client, applet);
 	} else if (g_strcmp0 (key, KA_GCONF_KEY_PK_USERID) == 0) {
 		ka_gconf_set_pk_userid (client, applet);
+	} else if (g_strcmp0 (key, KA_GCONF_KEY_PK_ANCHORS) == 0) {
+		ka_gconf_set_pk_anchors(client, applet);
 	} else if (g_strcmp0 (key, KA_GCONF_KEY_FORWARDABLE) == 0) {
 		ka_gconf_set_tgt_forwardable (client, applet);
 	} else if (g_strcmp0 (key, KA_GCONF_KEY_RENEWABLE) == 0) {
@@ -176,6 +192,7 @@ ka_gconf_init (KaApplet* applet,
 	ka_gconf_set_prompt_mins (client, applet);
 	ka_gconf_set_show_trayicon (client, applet);
 	ka_gconf_set_pk_userid(client, applet);
+	ka_gconf_set_pk_anchors(client, applet);
 	ka_gconf_set_tgt_forwardable(client, applet);
 	ka_gconf_set_tgt_renewable(client, applet);
 	ka_gconf_set_tgt_proxiable(client, applet);


