Hallo.
There are several patches from the openSUSE pam_pkcs11 package.
Feel free to pick them for the upstream package.
All of them should apply on current trunk:
pam_pkcs11-implicit-declaration.patch: Fixes implicit declaration and
possible crash on 64 bits. More information in the patch header.
pam_pkcs11-mapfile-syntax.patch: Fix syntax error in the example config
file. More information including reference to the opensc trac in the
patch header.
pam_pkcs11-msnickname.patch: Patch from Jacob Berkman implements
"domainnickname" support.
pam_pkcs11-0.5.3-nss-conf.patch: Patch from Jacob Berkman changes
default NSS configuration.
pam_pkcs11-0.6.0-ms-upn-oid.patch: Patch from Jacob Berkman improves
Microsoft UPN OID support.
pam_pkcs11-missing.patch: Adds missing header file to the tarball.
Untested.
--
Best Regards / S pozdravem,
Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o. e-mail: [EMAIL PROTECTED]
Lihovarská 1060/12 tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9 fax: +420 284 028 951
Czech Republic http://www.suse.cz/
ldap_mapper.c: In function 'ldap_get_certificate':
ldap_mapper.c:757: warning: implicit declaration of function 'd2i_X509'
ldap_mapper.c:757: warning: assignment makes pointer from integer without a cast
ldap_mapper.c: In function 'ldap_mapper_match_user':
ldap_mapper.c:871: warning: implicit declaration of function 'X509_cmp'
================================================================================
--- src/mappers/ldap_mapper.c
+++ src/mappers/ldap_mapper.c
@@ -36,6 +36,7 @@
#include <ldap.h>
#include <pwd.h>
+#include <ssl/x509.h>
#include "../common/cert_st.h"
#include "../common/debug.h"
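Review bot: The added `#include <ssl/x509.h>` is not the path OpenSSL installs its headers under; the conventional form is `#include <openssl/x509.h>`, and the `ssl/` spelling presumably only resolves through a distribution-specific compatibility directory, so the patch would fail to build elsewhere. The include is the right fix for the warnings quoted in the header (an implicitly declared `d2i_X509` is assumed to return `int`, so on 64-bit the returned pointer is truncated before the assignment on line 757 — the "possible crash"), but the prototype should come from the portable header. Since the file also includes `../common/cert_st.h`, which in this tree appears to abstract the certificate type over more than one crypto library, check whether the new include needs the same build-conditional guard that the rest of the tree uses for OpenSSL-only code; that is not visible in this hunk.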
https://bugzilla.novell.com/show_bug.cgi?id=293026
http://www.opensc-project.org/opensc/ticket/154
================================================================================
--- etc/pam_pkcs11.conf.example
+++ etc/pam_pkcs11.conf.example
@@ -131,7 +131,7 @@
# Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
cert_item = cn;
# Define mapfile if needed, else select "none"
- mapfile = file:///etc/pam_pkcs11/generic_mapping
+ mapfile = file:///etc/pam_pkcs11/generic_mapping;
# Decide if use getpwent() to map login
use_getpwent = false;
}
--- pam_pkcs11-0.5.3/src/mappers/ms_mapper.c~ 2005-09-12 05:12:55.000000000 -0400
+++ pam_pkcs11-0.5.3/src/mappers/ms_mapper.c 2007-01-17 14:27:52.000000000 -0500
@@ -52,6 +52,7 @@
static int ignorecase = 0;
static int ignoredomain =0;
static const char *domainname="";
+static const char *domainnickname="";
static int debug =0;
/* check syntax and domain match on provided string */
@@ -73,6 +74,16 @@
DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
return NULL;
}
+ if (domainnickname && domainnickname[0]) {
+ char *tmp;
+ size_t tmp_len;
+ DBG1("Adding domain nick name '%s'",domainnickname);
+ tmp_len = strlen (str) + strlen (domainnickname) + 2;
+ tmp = malloc (tmp_len);
+ snprintf (tmp, tmp_len, "%s\\%s", domainnickname, str);
+ free (str);
+ str = tmp;
+ }
return str;
}
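Review bot: The `malloc (tmp_len)` result on the added line is passed straight to `snprintf`, so an allocation failure dereferences NULL; add `if (!tmp) { free (str); return NULL; }` right after it, mirroring the NULL-on-failure convention the surrounding domain check uses. The added `free (str)` also changes the contract of check_upn: it now assumes it owns `str` and hands the caller a fresh heap buffer, so every caller must pass an owned string and free the returned one — that deserves a comment above the function, `/* takes ownership of str; the returned string must be freed by the caller */`, and a check of callers that previously used the return value without freeing it. check_upn's signature and the start of its body lie outside this hunk.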
@@ -179,6 +190,7 @@
ignorecase = scconf_get_bool(blk,"ignorecase",ignorecase);
ignoredomain = scconf_get_bool(blk,"ignoredomain",ignoredomain);
domainname = scconf_get_str(blk,"domainname",domainname);
+ domainnickname = scconf_get_str(blk,"domainnickname",domainnickname);
} else {
DBG1("No block declaration for mapper '%s'",mapper_name);
}
--- pam_pkcs11-0.5.3/etc/pam_pkcs11.conf.example~ 2005-09-12 05:12:55.000000000 -0400
+++ pam_pkcs11-0.5.3/etc/pam_pkcs11.conf.example 2007-03-01 10:42:20.000000000 -0500
@@ -9,7 +9,7 @@ pam_pkcs11 {
nullok = true;
# Enable debugging support.
- debug = true;
+ debug = false;
# Do not prompt the user for the passwords but take them from the
# PAM_ items instead.
@@ -24,7 +24,12 @@ pam_pkcs11 {
use_authtok = false;
# Filename of the PKCS #11 module. The default value is "default"
- use_pkcs11_module = opensc;
+ use_pkcs11_module = nss;
+
+ pkcs11_module nss {
+ nss_dir = /etc/ssl/nssdb;
+ crl_policy = none;
+ }
pkcs11_module opensc {
module = /usr/lib/opensc-pkcs11.so;
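Review bot: The new `pkcs11_module nss` block sets `crl_policy = none;`, which makes the module that is now the default skip revocation checking, and nothing in the example says so. Since this file is what deployments copy from, the line deserves a comment such as `# "none" disables CRL checking; pick a checking policy for production use` so that the weaker default is a conscious choice rather than an inherited one. Whether the opensc block carries the same setting is outside this hunk.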
@@ -112,7 +112,7 @@
# If used null mapper should be the last in the list :-)
# Also you should select at least one mapper, otherwise
# certificate will not match :-)
- use_mappers = digest, cn, pwent, uid, mail, subject, null;
+ use_mappers = ms;
# When no absolute path or module info is provided, use this
# value as module search path
--- pam_pkcs11-0.6.0/src/common/cert_info.c~ 2007-06-06 05:28:08.000000000 -0400
+++ pam_pkcs11-0.6.0/src/common/cert_info.c 2007-07-18 12:48:08.000000000 -0400
@@ -52,7 +52,7 @@ static const SECOidData kerberosPN_Entry
SECOidTag CERT_MicrosoftUPN_OID = SEC_OID_UNKNOWN;
/* { 1.3.6.1.4.1.311 } */
static const unsigned char microsoftUPNOID[] =
- { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 }; /*, xxxx */
+{ 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0x14, 0x2, 0x3 };
static const SECOidData microsoftUPN_Entry =
{ TO_ITEM(microsoftUPNOID), SEC_OID_UNKNOWN,
"Microsoft Universal Priniciple", CKM_INVALID_MECHANISM,
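Review bot: The comment on the line above the changed initializer, `/* { 1.3.6.1.4.1.311 } */`, now describes only the Microsoft arc prefix while the bytes encode the full UPN OID; the appended `0x14, 0x2, 0x3` are `.20.2.3`, so the comment should read `/* { 1.3.6.1.4.1.311.20.2.3 } */`. The encoding itself checks out: 311 splits into the base-128 pair `0x82 0x37`, and the remaining arcs are single bytes.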
@@ -127,6 +127,75 @@ static char **cert_info_digest(X509 *x50
return entries;
}
+static char **
+cert_info_upn (X509 *x509)
+{
+ SECItem alt_name;
+ SECStatus status;
+ PRArenaPool *arena = NULL;
+ CERTGeneralName *nameList;
+ CERTGeneralName *current;
+ SECOidTag tag;
+ static char *results[CERT_INFO_SIZE] = { NULL };
+ int result = 0;
+ SECItem decoded;
+
+ DBG("Looking for ALT_NAME");
+
+ status = CERT_FindCertExtension (x509, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name);
+ if (status != SECSuccess) {
+ DBG("Not found");
+ goto no_upn;
+ }
+
+ arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ DBG("Could not allocate arena");
+ goto no_upn;
+ }
+
+ nameList = current = CERT_DecodeAltNameExtension (arena, &alt_name);
+ if (!nameList) {
+ DBG("Could not decode name");
+ goto no_upn;
+ }
+
+ cert_fetchOID(&CERT_MicrosoftUPN_OID, µsoftUPN_Entry);
+ do {
+ if (current->type == certOtherName) {
+ tag = SECOID_FindOIDTag (¤t->name.OthName.oid);
+ DBG1("got other name with tag %#x", tag);
+ if (tag == CERT_MicrosoftUPN_OID) {
+ status = SEC_ASN1DecodeItem (arena, &decoded,
+ SEC_UTF8StringTemplate,
+ ¤t->name.OthName.name);
+ if (status == SECSuccess) {
+ results[result] = malloc (decoded.len + 1);
+ memcpy (results[result], decoded.data, decoded.len);
+ results[result][decoded.len] = '\0';
+ DBG1("Got upn: %s", results[result]);
+ result++;
+ } else {
+ DBG("Could not decode upn...");
+ }
+ }
+ } else {
+ DBG("not other name...");
+ }
+ current = CERT_GetNextGeneralName (current);
+ } while (current != nameList && result < CERT_INFO_MAX_ENTRIES);
+
+no_upn:
+ if (arena) {
+ PORT_FreeArena (arena, PR_FALSE);
+ }
+
+ if (alt_name.data) {
+ SECITEM_FreeItem (&alt_name, PR_FALSE);
+ }
+
+ return results;
+}
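Review bot: `alt_name` is declared without an initializer, yet the `no_upn:` cleanup tests `alt_name.data` — when `CERT_FindCertExtension` fails, the jump to `no_upn` reads an indeterminate field and may hand garbage to `SECITEM_FreeItem`; initialise it as `SECItem alt_name = { siBuffer, NULL, 0 };`. Two smaller issues in the same body: the `malloc (decoded.len + 1)` result is written through without a NULL check, and `results[]` is static, so after a call that found N names a later call that finds fewer leaves the stale pointers in place — if callers walk the array to a NULL terminator, as the `CERT_INFO_SIZE` / `CERT_INFO_MAX_ENTRIES` pair suggests, a second certificate can appear to carry a UPN from an earlier one, so the array should be terminated at `result` before returning. The `µsoftUPN_Entry` and `¤t->name` spellings look like entity-mangled `&microsoftUPN_Entry` / `&current->name` in this copy of the patch rather than part of the change. The rewritten lines:
```c
static char **
cert_info_upn (X509 *x509)
{
	SECItem alt_name = { siBuffer, NULL, 0 };	/* cleanup below reads .data even when the lookup fails */
	/* … unchanged: remaining declarations, extension lookup, arena, alt-name decoding … */
				if (status == SECSuccess) {
					results[result] = malloc (decoded.len + 1);
					if (!results[result]) {
						DBG("Could not allocate upn");
						break;
					}
					memcpy (results[result], decoded.data, decoded.len);
	/* … unchanged: rest of the name loop … */
no_upn:
	results[result] = NULL;	/* results[] is static: drop entries left over from a previous call */
	/* … unchanged: arena and alt_name release, return results … */
```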
/**
* request info on certificate
@@ -174,8 +243,7 @@ char **cert_info(X509 *x509, int type, A
break;
/* need oid tag. */
case CERT_UPN : /* Microsoft's Universal Principal Name */
- cert_fetchOID(&CERT_MicrosoftUPN_OID ,& microsoftUPN_Entry);
- return cert_GetNameElements(&x509->subject, CERT_MicrosoftUPN_OID);
+ return cert_info_upn (x509);
case CERT_UID : /* Certificate Unique Identifier */
return cert_GetNameElements(&x509->subject, SEC_OID_RFC1274_UID);
break;
--- pam_pkcs11-0.6.0/src/mappers/ms_mapper.c~ 2007-07-18 12:48:41.000000000 -0400
+++ pam_pkcs11-0.6.0/src/mappers/ms_mapper.c 2007-07-18 13:21:02.000000000 -0400
@@ -70,7 +70,7 @@ static char *check_upn(char *str) {
return NULL;
}
if (ignoredomain) return str;
- if (!strcmp(domainname,domain)) {
+ if (strcmp(domainname,domain)) {
DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
return NULL;
}
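Review bot: With the comparison corrected, an unconfigured `domainname` now rejects every UPN whose domain part is non-empty unless `ignoredomain` is set — in the 0.5.3 copy of this file earlier in the mail the default is `""`, and if 0.6.0 keeps that default the fix silently disables the ms mapper for deployments that relied on the inverted test, so the shipped example config or the default should be revisited alongside it. The comparison is also case-sensitive while DNS domain names are not, and the mapper already exposes an `ignorecase` option; whether that option is meant to cover the domain part is not visible here, but `strcasecmp(domainname,domain)` would be the candidate if so. check_upn's beginning is outside the hunk.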
Index: src/common/Makefile.am
===================================================================
--- src/common/Makefile.am (revision 334)
+++ src/common/Makefile.am (working copy)
@@ -9,7 +9,8 @@
noinst_HEADERS = debug.h error.h uri.h strings.h \
cert_vfy.h cert_info.h base64.h pkcs11_lib.h \
- cert_st.h alg_st.h SSLerrs.h SECerrs.h NSPRerrs.h
+ cert_st.h alg_st.h SSLerrs.h SECerrs.h NSPRerrs.h \
+ secutil.h
noinst_PROGRAMS =
noinst_LTLIBRARIES = libcommon.la