Hello community, here is the log from the commit of package krb5-plugin-preauth-pkinit-nss checked in at Tue Jul 3 15:01:16 CEST 2007. -------- --- krb5-plugin-preauth-pkinit-nss/krb5-plugin-preauth-pkinit-nss.changes 2007-06-22 12:09:08.000000000 +0200 +++ /mounts/work_src_done/STABLE/krb5-plugin-preauth-pkinit-nss/krb5-plugin-preauth-pkinit-nss.changes 2007-07-03 11:21:21.777019000 +0200 @@ -1,0 +2,6 @@ +Tue Jul 3 11:04:32 CEST 2007 - mc@suse.de + +- add pkinit-nss-0.6.1-match-default-realms.patch +- fix documentation + +------------------------------------------------------------------- New: ---- pkinit-nss-0.6.1-match-default-realms.patch pkinit-nss-0.7.2-1-documentation.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-plugin-preauth-pkinit-nss.spec ++++++ --- /var/tmp/diff_new_pack.iH1791/_old 2007-07-03 14:59:33.000000000 +0200 +++ /var/tmp/diff_new_pack.iH1791/_new 2007-07-03 14:59:33.000000000 +0200 @@ -12,12 +12,16 @@ Name: krb5-plugin-preauth-pkinit-nss Version: 0.7.2 -Release: 1 +Release: 3 BuildRequires: keyutils-devel krb5-devel >= 1.6.1 mozilla-nss-devel >= 3.11.2 pkgconfig Summary: PKINIT plugin for MIT Kerberos -License: GNU Library General Public License v. 2.0 and 2.1 (LGPL) +License: LGPL v2 or later Group: Productivity/Networking/Security +Provides: pkinit-nss +Obsoletes: pkinit-nss Source: pkinit-nss-%{version}-1.tar.bz2 +Patch0: pkinit-nss-0.6.1-match-default-realms.patch +Patch1: pkinit-nss-0.7.2-1-documentation.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -32,6 +36,8 @@ %prep %setup -q -n pkinit-nss-%{version}-1 +%patch0 +%patch1 %build %configure --disable-static --enable-gcc-warnings \ 
@@ -42,20 +48,27 @@ %install make install DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/*.{a,la} +# installing docs +mkdir -p $RPM_BUILD_ROOT/%{_docdir}/%{name}/examples +cp doc/openssl/make-certs.sh $RPM_BUILD_ROOT/%{_docdir}/%{name}/examples/ +cp ChangeLog doc/README doc/STANDARDS doc/TODO doc/CONFIGURATION $RPM_BUILD_ROOT/%{_docdir}/%{name}/ +cp backport/*.patch $RPM_BUILD_ROOT/%{_docdir}/%{name}/ %clean rm -fr $RPM_BUILD_ROOT %files %defattr(-,root,root) -%doc ChangeLog doc/README doc/STANDARDS doc/TODO backport/*.patch -%doc doc/CONFIGURATION -%doc doc/openssl/make-certs.sh +%dir %{_docdir}/%{name}/examples +%{_docdir}/%name %{_bindir}/pkinit-show-cert-guid %{_bindir}/pkinit-get-san %{_libdir}/krb5 %changelog +* Tue Jul 03 2007 - mc@suse.de +- add pkinit-nss-0.6.1-match-default-realms.patch +- fix documentation * Fri Jun 22 2007 - mc@suse.de - update to version 0.7.2 * Bug fixes ++++++ pkinit-nss-0.6.1-match-default-realms.patch ++++++ Index: src/certs.c =================================================================== --- src/certs.c.orig +++ src/certs.c 
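Review bot: The `%files` entry `%{_docdir}/%name` is the only macro in the spec written without braces; the rest of the file uses `%{name}`, so `%{_docdir}/%{name}` keeps the style consistent. Since that entry already owns the whole directory tree, the `%dir %{_docdir}/%{name}/examples` line above it looks redundant; keep it only if a separate ownership entry for the examples directory is wanted for another reason.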
@@ -639,6 +639,85 @@ cert_san_matches_dns_for_realm(struct mo
 return SECSuccess;
 }
+static PRBool
+cert_san_matches_upn_check (struct module_context *mcontext,
+ krb5_context kcontext,
+ SECItem *unparsed_name,
+ char *unparsed_realm,
+ SECItem *ms_upn_name)
+{
+ unsigned char *ms_upn_domain;
+ SECItem unparsed_tmp, ms_upn_tmp;
+ int rc;
+ PRBool ret;
+ char **realms;
+ char ms_upn_host[1024];
+ int len;
+
+ /* And it matches, then we're okay. */
+ if (SECITEM_ItemsAreEqual(ms_upn_name, unparsed_name)) {
+ pkinit_debug(mcontext, 2, "UPN Matched.\n");
+ return PR_TRUE;
+ }
+
+ if (!unparsed_realm) {
+ return PR_FALSE;
+ }
+
+ ms_upn_domain = memchr (ms_upn_name->data, '@', ms_upn_name->len);
+ if (!ms_upn_domain) {
+ return PR_FALSE;
+ }
+
+ ms_upn_domain++;
+
+ unparsed_tmp.data = unparsed_name->data;
+ unparsed_tmp.len = unparsed_realm - (char *)unparsed_name->data;
+
+ ms_upn_tmp.data = ms_upn_name->data;
+ ms_upn_tmp.len = ms_upn_domain - ms_upn_name->data;
+
+ /* compare user names... */
+ if (!SECITEM_ItemsAreEqual(&ms_upn_tmp, &unparsed_tmp)) {
+ return PR_FALSE;
+ }
+
+ len = ms_upn_name->len - ms_upn_tmp.len;
+ if (len > 1023) {
+ len = 1023;
+ }
+
+ /* ms_upn_domain isn't NULL terminated, so we need to copy it
+ * out...
*/
+ strncpy (ms_upn_host, (char *)ms_upn_domain, len);
+ ms_upn_host[len] = '\0';
+ rc = krb5_get_host_realm (kcontext, ms_upn_host, &realms);
+ if (rc != 0) {
+ pkinit_debug (mcontext, 2,
+ "Could not get host realm for %s: %d.\n",
+ ms_upn_domain, rc);
+ return PR_FALSE;
+ } else {
+ pkinit_debug (mcontext, 2,
+ "Found domain \"%.*s\" mapped to realm \"%s\".\n",
+ len, ms_upn_domain, realms[0]);
+ }
+
+ ms_upn_tmp.data = (unsigned char *)realms[0];
+ ms_upn_tmp.len = strlen (realms[0]);
+
+ unparsed_tmp.data = (unsigned char *)unparsed_realm;
+ unparsed_tmp.len = len;
+
+ ret = SECITEM_ItemsAreEqual (&ms_upn_tmp, &unparsed_tmp);
+ if (ret) {
+ pkinit_debug (mcontext, 2, "UPN Matched.\n");
+ }
+ free (realms[0]);
+ free (realms);
+ return ret;
+}
+
 /* Check if the certificate subjectAltName UPN value matches the principal. */
 static SECStatus
 cert_san_matches_upn(struct module_context *mcontext, CERTCertificate *cert,
@@ -647,7 +726,7 @@ cert_san_matches_upn(struct module_conte
 {
 struct subject_alt_name **names;
 SECItem san_value, unparsed_name, ms_upn_name;
- char *unparsed;
+ char *unparsed, *unparsed_realm;
 int i;
 i = 0;
@@ -679,6 +758,11 @@ cert_san_matches_upn(struct module_conte
 unparsed_name.data = (unsigned char *) unparsed;
 unparsed_name.len = strlen(unparsed);
+ unparsed_realm = memchr (unparsed_name.data, '@', unparsed_name.len);
+ if (unparsed_realm != NULL) {
+ unparsed_realm++;
+ }
+
 /* Iterate over all of the values. */
 *matches = PR_FALSE;
 for (i = 0; (names != NULL) && (names[i] != NULL) && !(*matches); i++) {
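Review bot: The realm comparison near the end of cert_san_matches_upn_check sets `unparsed_tmp.len = len;`, but `len` is the length of the UPN's DNS domain (capped at 1023) rather than the length of `unparsed_realm`, so a domain mapped to a realm of a different length can never match, and when the domain is longer than the principal's realm the equal-length memcmp inside SECITEM_ItemsAreEqual can read past the end of the unparsed principal string; `unparsed_tmp.len = strlen (unparsed_realm);` is the intended value. The failure-path debug message passes `ms_upn_domain` to `%s` even though the comment a few lines above says it is not NUL-terminated; pass the terminated copy `ms_upn_host` instead, as the success branch already bounds it with `%.*s`. The result of krb5_get_host_realm is released with `free (realms[0]); free (realms);`, which leaks any further entries in the list and bypasses the library's allocator; `krb5_free_host_realm (kcontext, realms);` is the matching release. Depending on the krb5 version and configuration, krb5_get_host_realm may fall back to the default realm for an unmapped domain or consult DNS TXT records when dns_lookup_realm is enabled, so a comment above the call should state which realm sources this match is meant to trust. The cert_san_matches_upn signature at the end of the hunk continues in the next hunk.
```c
	/* … unchanged: exact match, user-part comparison, bounded copy into ms_upn_host … */
	rc = krb5_get_host_realm (kcontext, ms_upn_host, &realms);
	if (rc != 0) {
		/* ms_upn_host is the NUL-terminated copy; ms_upn_domain is not. */
		pkinit_debug (mcontext, 2,
			      "Could not get host realm for %s: %d.\n",
			      ms_upn_host, rc);
		return PR_FALSE;
	} else {
		/* … unchanged: "Found domain ... mapped to realm ..." debug message … */
	}

	ms_upn_tmp.data = (unsigned char *)realms[0];
	ms_upn_tmp.len = strlen (realms[0]);

	/* Compare the principal's realm; len is the UPN domain length, not the realm length. */
	unparsed_tmp.data = (unsigned char *)unparsed_realm;
	unparsed_tmp.len = strlen (unparsed_realm);

	ret = SECITEM_ItemsAreEqual (&ms_upn_tmp, &unparsed_tmp);
	if (ret) {
		pkinit_debug (mcontext, 2, "UPN Matched.\n");
	}
	/* Release with the library's own routine; it frees every entry of the list. */
	krb5_free_host_realm (kcontext, realms);
	return ret;
```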
@@ -695,12 +779,11 @@ cert_san_matches_upn(struct module_conte ms_upn_name_template, &names[i]->subject_alt_name_value.other_name.data) == SECSuccess) { /* And it matches, then we're okay. */ - if (SECITEM_ItemsAreEqual(&ms_upn_name, - &unparsed_name)) { - pkinit_debug(mcontext, 2, - "UPN Matched.\n"); - *matches = PR_TRUE; - } else { + *matches = cert_san_matches_upn_check (mcontext, kcontext, + &unparsed_name, + unparsed_realm, + &ms_upn_name); + if (!*matches) { pkinit_debug(mcontext, 2, "\"%.*s\" != " "\"%.*s\"\n", ++++++ pkinit-nss-0.7.2-1-documentation.dif ++++++ --- doc/README +++ doc/README 2007/07/03 09:18:52 @@ -5,7 +5,7 @@ krbtgt/EXAMPLE.COM@EXAMPLE.COM The certificate and its matching key are expected to be found in the NSS database stored in the server's default location, which by - default is /var/kerberos/krb5kdc. + default is /var/lib/kerberos/krb5kdc. 2. Requirements for the client's certificate. The user's certificate should contain a subjectAltName extension @@ -19,13 +19,13 @@ 3. More KDC requirements. The KDC must trust the user's certificate. That means that its NSS - database, which by default is in /var/kerberos/krb5kdc, must include + database, which by default is in /var/lib/kerberos/krb5kdc, must include a CA certificate in the client's signing chain, and it must be configured to trust that certificate. 4. More client requirements. The client system must trust the KDC's certificate. That means that - its NSS database, which by default is in /etc/pki/nssdb, must include + its NSS database, which by default is in /etc/ssl/nssdb, must include a CA certificate in the KDC's signing chain, and it must be configured to trust that certificate. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org