Hello community,
here is the log from the commit of package krb5-plugin-preauth-pkinit-nss
checked in at Fri Sep 5 23:35:49 CEST 2008.
--------
--- krb5-plugin-preauth-pkinit-nss/krb5-plugin-preauth-pkinit-nss.changes 2008-08-29 10:19:25.000000000 +0200
+++ krb5-plugin-preauth-pkinit-nss/krb5-plugin-preauth-pkinit-nss.changes 2008-09-05 11:33:22.703702000 +0200
@@ -1,0 +2,9 @@
+Thu Sep 4 11:01:44 CEST 2008 - mc@suse.de
+
+- update to version 0.7.7
+ * Learn to match certificates on email addresses, and to handle references to
+ parts of the relevant principal name in matching rules.
+ * Let the KDC use the matching rules to determine if a certificate matches the
+ user for whom a TGT is being requested.
+
+-------------------------------------------------------------------
Old:
----
pkinit-nss-0.7.6-1.tar.bz2
New:
----
pkinit-nss-0.7.7-1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ krb5-plugin-preauth-pkinit-nss.spec ++++++
--- /var/tmp/diff_new_pack.xw9818/_old 2008-09-05 23:34:26.000000000 +0200
+++ /var/tmp/diff_new_pack.xw9818/_new 2008-09-05 23:34:26.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package krb5-plugin-preauth-pkinit-nss (Version 0.7.6)
+# spec file for package krb5-plugin-preauth-pkinit-nss (Version 0.7.7)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -19,7 +19,7 @@
Name: krb5-plugin-preauth-pkinit-nss
-Version: 0.7.6
+Version: 0.7.7
Release: 1
BuildRequires: keyutils-devel krb5-devel >= 1.6.1 mozilla-nss-devel >= 3.11.2 pkgconfig
Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
@@ -75,6 +75,12 @@
%{_libdir}/krb5
%changelog
+* Thu Sep 04 2008 mc@suse.de
+- update to version 0.7.7
+ * Learn to match certificates on email addresses, and to handle references to
+ parts of the relevant principal name in matching rules.
+ * Let the KDC use the matching rules to determine if a certificate matches the
+ user for whom a TGT is being requested.
* Fri Aug 29 2008 mc@suse.de
- update to version 0.7.6
* Correctly initialize NSS so that we continue to be able to read the database
++++++ pkinit-nss-0.6.1-match-default-realms.patch ++++++
--- /var/tmp/diff_new_pack.xw9818/_old 2008-09-05 23:34:26.000000000 +0200
+++ /var/tmp/diff_new_pack.xw9818/_new 2008-09-05 23:34:26.000000000 +0200
@@ -2,8 +2,8 @@
===================================================================
--- src/certs.c.orig
+++ src/certs.c
-@@ -639,6 +639,92 @@ cert_san_matches_dns_for_realm(struct mo
- return SECSuccess;
+@@ -1334,6 +1334,92 @@ cert_eku_matches_eku_for_realm(struct mo
+ return status;
}
+static PRBool
@@ -95,7 +95,7 @@
/* Check if the certificate subjectAltName UPN value matches the principal. */
static SECStatus
cert_san_matches_upn(struct module_context *mcontext, CERTCertificate *cert,
-@@ -647,7 +733,7 @@ cert_san_matches_upn(struct module_conte
+@@ -1342,7 +1428,7 @@ cert_san_matches_upn(struct module_conte
{
struct subject_alt_name **names;
SECItem san_value, unparsed_name, ms_upn_name;
@@ -104,7 +104,7 @@
int i;
i = 0;
-@@ -679,6 +765,11 @@ cert_san_matches_upn(struct module_conte
+@@ -1376,6 +1462,11 @@ cert_san_matches_upn(struct module_conte
unparsed_name.data = (unsigned char *) unparsed;
unparsed_name.len = strlen(unparsed);
@@ -116,7 +116,7 @@
/* Iterate over all of the values. */
*matches = PR_FALSE;
for (i = 0; (names != NULL) && (names[i] != NULL) && !(*matches); i++) {
-@@ -695,12 +786,11 @@ cert_san_matches_upn(struct module_conte
+@@ -1392,12 +1483,11 @@ cert_san_matches_upn(struct module_conte
ms_upn_name_template,
&names[i]->subject_alt_name_value.other_name.data) == SECSuccess) {
/* And it matches, then we're okay. */
++++++ pkinit-nss-0.7.6-1.tar.bz2 -> pkinit-nss-0.7.7-1.tar.bz2 ++++++
++++ 11542 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/config.h new/pkinit-nss-0.7.7-1/config.h
--- old/pkinit-nss-0.7.6-1/config.h 2008-08-28 21:16:14.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/config.h 2008-09-05 11:26:43.000000000 +0200
@@ -98,13 +98,13 @@
#define PACKAGE_NAME "pkinit-nss"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "pkinit-nss 0.7.6"
+#define PACKAGE_STRING "pkinit-nss 0.7.7"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "pkinit-nss"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "0.7.6"
+#define PACKAGE_VERSION "0.7.7"
/* Define if your PAL doesn't provide an option for a supply_gic_opts_proc
callback function. */
@@ -121,4 +121,4 @@
#define STDC_HEADERS 1
/* Version number of package */
-#define VERSION "0.7.6"
+#define VERSION "0.7.7"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/configure.ac new/pkinit-nss-0.7.7-1/configure.ac
--- old/pkinit-nss-0.7.6-1/configure.ac 2008-08-28 21:15:57.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/configure.ac 2008-09-04 10:24:53.000000000 +0200
@@ -1,4 +1,4 @@
-AC_INIT(pkinit-nss,0.7.6)
+AC_INIT(pkinit-nss,0.7.7)
AM_INIT_AUTOMAKE(foreign)
AM_PROG_LIBTOOL
AM_GLIB_GNU_GETTEXT
@@ -63,7 +63,7 @@
AC_ARG_WITH(krb5-version,[AS_HELP_STRING([--with-krb5-version=AUTO],[Attempt to build for a specified version of MIT Kerberos.])],krb5_version=$withval,krb5_version=AUTO)
if test "x$krb5_version" = xAUTO ; then
AC_MSG_RESULT([Using backport preauth plugin header support.])
- AC_MSG_CHECKING([whether this is Kerberos 1.5, 1.6, 1.6.1/1.6.2, 1.6.3])
+ AC_MSG_CHECKING([whether this is Kerberos 1.5, 1.6, 1.6.1/1.6.2, 1.6.3/1.6.4])
dnl if test x$ac_cv_have_decl_KRB5KDC_ERR_SVC_UNAVAILABLE = xyes ; then
dnl AC_MSG_RESULT([looks like 1.6.3.])
dnl krb5_version=1.6.3
@@ -80,6 +80,11 @@
elif test "$krb5_version" = 1.6.2 ; then
AC_MSG_RESULT([looks like 1.6.1 or 1.6.2.])
krb5_version=1.6.1
+ elif test "$krb5_version" = 1.6.3 ; then
+ AC_MSG_RESULT([looks like 1.6.3 or 1.6.4.])
+ elif test "$krb5_version" = 1.6.4 ; then
+ AC_MSG_RESULT([looks like 1.6.3 or 1.6.4.])
+ krb5_version=1.6.3
else
AC_MSG_RESULT([looks like ${krb5_version}.])
fi
@@ -92,7 +97,7 @@
fi
case "$krb5_version" in
1.6.3)
- AC_MSG_RESULT([Building for Kerberos 1.6.3.])
+ AC_MSG_RESULT([Building for Kerberos 1.6.3/1.6.4.])
if test x$ac_cv_header_krb5_preauth_plugin_h = xno ; then
BACKPORT_CPPFLAGS='-I$(top_srcdir)/backport-1.6.3'
fi
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/doc/CONFIGURATION new/pkinit-nss-0.7.7-1/doc/CONFIGURATION
--- old/pkinit-nss-0.7.6-1/doc/CONFIGURATION 2008-08-28 21:15:57.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/doc/CONFIGURATION 2008-09-04 10:24:53.000000000 +0200
@@ -41,6 +41,8 @@
<SUBJECT> Regular expression.
<ISSUER> Regular expression.
<SAN> Regular expression.
+ <EMAIL> Regular expression.
+ <COMPONENTS> Number.
<EKU> List of zero or more values, possibly
including "pkinit", "msScLogin",
"clientAuth", and "emailProtection".
@@ -48,6 +50,14 @@
including "digitalSignature" and
"keyEncipherment".
There is no default.
+ Regular expressions can reference parts of the
+ principal name being sought by including these special
+ sequences:
+ %0 (The realm.)
+ %1 (The first component, if defined.)
+ ..
+ %9 (The ninth component, if defined.)
+ %% (The literal value "%".)
ocsp_checking - Enable or disable OCSP checking. Default is "yes" for
KDCs, "no" for clients. Also recognized by the name
"pkinit_require_ocsp_checking".
@@ -65,6 +75,14 @@
in certificates. Default is "yes".
trust_upn_san - Whether or not to trust userPrincipalName subjectAltName
values in certificates. Default is "yes".
+ trust_matching_rules - Whether or not the KDC will use matching rules
+ specified using "pkinit_cert_match" to check if a
+ certificate corresponds to a particular client. If
+ this setting is enabled, each rule should always
+ include a <COMPONENTS> clause and a regex which
+ incorporates the realm and every component of a
+ client's principal name so that false positives can be
+ avoided. Default is "no".
client_database - Location of the certificate/key/token database used by the
client. Default is set at compile-time.
client_certificate - Location of the certificate used by the client. No
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/NEWS new/pkinit-nss-0.7.7-1/NEWS
--- old/pkinit-nss-0.7.6-1/NEWS 2008-08-28 21:15:57.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/NEWS 2008-09-04 10:24:53.000000000 +0200
@@ -1,3 +1,9 @@
+0.7.7
+* Learn to match certificates on email addresses, and to handle references to
+ parts of the relevant principal name in matching rules.
+* Let the KDC use the matching rules to determine if a certificate matches the
+ user for whom a TGT is being requested.
+
0.7.6
* Correctly initialize NSS so that we continue to be able to read the database
with NSS 3.12.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/pkinit-nss.spec new/pkinit-nss-0.7.7-1/pkinit-nss.spec
--- old/pkinit-nss-0.7.6-1/pkinit-nss.spec 2008-08-28 21:16:13.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/pkinit-nss.spec 2008-09-05 11:26:43.000000000 +0200
@@ -1,5 +1,5 @@
Name: pkinit-nss
-Version: 0.7.6
+Version: 0.7.7
Release: 1%{?dist}
Source: http://people.redhat.com/~nalin/pkinit-nss/%{name}-%{version}-1.tar.gz
License: LGPL
@@ -44,16 +44,24 @@
%{_libdir}/krb5
%changelog
+* Tue Sep 2 2008 Nalin Dahyabhai 0.7.7-1
+- add the ability to restrict matching of certificates by the number of
+ components in the principal name to which it is being compared
+- add the ability to include portions of the principal name to which it is
+ being compared in rules which are specified using regular expressions
+- allow the KDC to use configured matching rules to check if a certificate
+ matches a client
+
* Wed Aug 27 2008 Nalin Dahyabhai 0.7.6-1
- correctly initialize NSS after the KDC detaches from the terminal, so that
we can still read the on-disk database with NSS 3.12
- fix new wire-incompatibilities with some implementations by making the
- version number of signed-data items configurable
+ version number of signed-data items configurable (fallout from #242109)
* Fri Aug 22 2008 Nalin Dahyabhai 0.7.5-1
-- add configurable client-side certificate matching
-- add more configurable KDC acceptance criteria
-- fix wire-incompatibilities with some newer implementations
+- add configurable client-side certificate matching (#452916)
+- add more configurable KDC acceptance criteria (related to #452916)
+- fix wire-incompatibilities with some newer implementations (#242109)
* Tue Oct 23 2007 Nalin Dahyabhai 0.7.4-1
- update to be able to provide the new entry points for krb5 1.6.3
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/pkinit-nss.spec.in new/pkinit-nss-0.7.7-1/pkinit-nss.spec.in
--- old/pkinit-nss-0.7.6-1/pkinit-nss.spec.in 2008-08-28 21:15:57.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/pkinit-nss.spec.in 2008-09-04 10:24:53.000000000 +0200
@@ -44,16 +44,24 @@
%{_libdir}/krb5
%changelog
+* Tue Sep 2 2008 Nalin Dahyabhai 0.7.7-1
+- add the ability to restrict matching of certificates by the number of
+ components in the principal name to which it is being compared
+- add the ability to include portions of the principal name to which it is
+ being compared in rules which are specified using regular expressions
+- allow the KDC to use configured matching rules to check if a certificate
+ matches a client
+
* Wed Aug 27 2008 Nalin Dahyabhai 0.7.6-1
- correctly initialize NSS after the KDC detaches from the terminal, so that
we can still read the on-disk database with NSS 3.12
- fix new wire-incompatibilities with some implementations by making the
- version number of signed-data items configurable
+ version number of signed-data items configurable (fallout from #242109)
* Fri Aug 22 2008 Nalin Dahyabhai 0.7.5-1
-- add configurable client-side certificate matching
-- add more configurable KDC acceptance criteria
-- fix wire-incompatibilities with some newer implementations
+- add configurable client-side certificate matching (#452916)
+- add more configurable KDC acceptance criteria (related to #452916)
+- fix wire-incompatibilities with some newer implementations (#242109)
* Tue Oct 23 2007 Nalin Dahyabhai 0.7.4-1
- update to be able to provide the new entry points for krb5 1.6.3
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/po/LINGUAS new/pkinit-nss-0.7.7-1/po/LINGUAS
--- old/pkinit-nss-0.7.6-1/po/LINGUAS 2008-08-28 21:15:57.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/po/LINGUAS 1970-01-01 01:00:00.000000000 +0100
@@ -1,11 +0,0 @@
-bal
-bg
-cs
-de
-fr
-hu
-it
-pl
-pt_BR
-sr@latin
-sr
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/po/Makefile.in.in new/pkinit-nss-0.7.7-1/po/Makefile.in.in
--- old/pkinit-nss-0.7.6-1/po/Makefile.in.in 2008-08-04 21:01:56.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/po/Makefile.in.in 2008-06-16 14:24:29.000000000 +0200
@@ -35,7 +35,6 @@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
-MKINSTALLDIRS = $(top_srcdir)/@MKINSTALLDIRS@
CC = @CC@
GENCAT = @GENCAT@
@@ -56,7 +55,7 @@
SOURCES =
POFILES = @POFILES@
GMOFILES = @GMOFILES@
-DISTFILES = LINGUAS ChangeLog Makefile.in.in POTFILES.in $(GETTEXT_PACKAGE).pot \
+DISTFILES = ChangeLog Makefile.in.in POTFILES.in $(GETTEXT_PACKAGE).pot \
$(POFILES) $(GMOFILES) $(SOURCES)
POTFILES = \
@@ -120,11 +119,7 @@
install-data: install-data-@USE_NLS@
install-data-no: all
install-data-yes: all
- if test -r "$(MKINSTALLDIRS)"; then \
- $(MKINSTALLDIRS) $(DESTDIR)$(datadir); \
- else \
- $(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(datadir); \
- fi
+ @mkdir_p@ $(DESTDIR)$(datadir)
@catalogs='$(CATALOGS)'; \
for cat in $$catalogs; do \
cat=`basename $$cat`; \
@@ -134,11 +129,7 @@
esac; \
lang=`echo $$cat | sed 's/\$(CATOBJEXT)$$//'`; \
dir=$(DESTDIR)$$destdir/$$lang/LC_MESSAGES; \
- if test -r "$(MKINSTALLDIRS)"; then \
- $(MKINSTALLDIRS) $$dir; \
- else \
- $(SHELL) $(top_srcdir)/mkinstalldirs $$dir; \
- fi; \
+ @mkdir_p@ $$dir; \
if test -r $$cat; then \
$(INSTALL_DATA) $$cat $$dir/$(GETTEXT_PACKAGE)$(INSTOBJEXT); \
echo "installing $$cat as $$dir/$(GETTEXT_PACKAGE)$(INSTOBJEXT)"; \
@@ -162,11 +153,7 @@
fi; \
done
if test "$(PACKAGE)" = "glib"; then \
- if test -r "$(MKINSTALLDIRS)"; then \
- $(MKINSTALLDIRS) $(DESTDIR)$(gettextsrcdir); \
- else \
- $(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(gettextsrcdir); \
- fi; \
+ @mkdir_p@ $(DESTDIR)$(gettextsrcdir); \
$(INSTALL_DATA) $(srcdir)/Makefile.in.in \
$(DESTDIR)$(gettextsrcdir)/Makefile.in.in; \
else \
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/src/certs.c new/pkinit-nss-0.7.7-1/src/certs.c
--- old/pkinit-nss-0.7.6-1/src/certs.c 2008-08-28 21:15:57.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/src/certs.c 2008-09-04 10:24:53.000000000 +0200
@@ -49,6 +49,7 @@
#define APPDEFAULT_LIST_SEPARATORS " \t,"
#define RULE_LIST_SEPARATORS " \t"
+#define REGEX_SPECIAL_CHARS "[]{}().+?*|\\-^$"
static unsigned char oid_ms_sc_login_data[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x02};
static const SECOidData
@@ -360,6 +361,10 @@
return &oid_dh_key_agreement.oid;
}
+static char *cert_match_expand_rule(PLArenaPool *pool,
+ krb5_context kcontext,
+ krb5_principal principal,
+ const char *pattern, int length);
static SECStatus cert_eku_matches_text(struct module_context *mcontext,
CERTCertificate *cert,
const char *list, PRBool *matches);
@@ -370,6 +375,10 @@
CERTCertificate *cert,
const regex_t *preg,
size_t nmatch, regmatch_t *pmatch, int eflags);
+static int cert_email_regexec(struct module_context *mcontext,
+ CERTCertificate *cert,
+ const regex_t *preg,
+ size_t nmatch, regmatch_t *pmatch, int eflags);
/* A certificate matching rule set. */
struct cert_match_record {
@@ -378,20 +387,23 @@
char *rule;
/* Rules. */
char operator;
- PRBool match_subject, match_issuer, match_san;
- regex_t reg_subject, reg_issuer, reg_san;
+ long size;
+ PRBool match_subject, match_issuer, match_san, match_email;
+ regex_t reg_subject, reg_issuer, reg_san, reg_email;
char *ku, *eku;
/* The next record. */
struct cert_match_record *next;
};
+
static struct cert_match_record *
cert_match_record_init(struct module_context *mcontext,
krb5_context kcontext, krb5_principal principal)
{
struct cert_match_record *ret, *record;
const char *p, *q;
- char *pattern, *rule, *ruleset;
+ char *pattern, *rule, *ruleset, *s;
int length;
+ long size;
PLArenaPool *arena;
rule = NULL;
@@ -404,7 +416,7 @@
}
pkinit_debug(mcontext, 2, "Parsing pkinit_cert_match ruleset \"%s\".\n",
- rule);
+ ruleset);
arena = PORT_NewArena(sizeof(double));
if (arena == NULL) {
@@ -413,10 +425,12 @@
}
ret = PORT_ArenaZAlloc(arena, sizeof(*ret));
if (ret != NULL) {
- rule = ruleset;
+ rule = cert_match_expand_rule(arena, kcontext, principal,
+ ruleset, strlen(ruleset));
record = ret;
parse_a_rule:
record->arena = arena;
+ record->size = -1;
length = strcspn(rule, RULE_LIST_SEPARATORS);
record->rule = PORT_ArenaZAlloc(record->arena, length + 1);
if (record->rule == NULL) {
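Review bot: `rule` can now be NULL at this point, because cert_match_expand_rule returns NULL when its PORT_ArenaZAlloc fails, and the next statement hands it to strcspn; the old assignment `rule = ruleset` never had that problem. Add `if (rule == NULL) { goto error; }` directly after the call, using the function's existing error label. Note also that the expansion runs over the whole ruleset before it is split on RULE_LIST_SEPARATORS, so a realm or name component containing a space or tab would split one rule into two; REGEX_SPECIAL_CHARS does not cover those characters, which deserves at least a comment here. cert_match_record_init starts before this hunk.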
@@ -438,6 +452,20 @@
q = p + 1 + strcspn(p + 1, "<");
pkinit_debug(mcontext, 2, "Clause: \"%.*s\".\n",
q - p, p);
+ /* Save the expected size of the principal name. */
+ if (strncasecmp(p, "<COMPONENTS>", 12) == 0) {
+ p += 12;
+ size = strtol(p, &s, 10);
+ if ((*p != '\0') &&
+ (s != NULL) &&
+ ((*s == '\0') || (*s == '<')) &&
+ (size >= 1)) {
+ record->size = size;
+ pkinit_debug(mcontext, 3,
+ "<COMPONENTS>%ld\n",
+ record->size);
+ }
+ }
/* Compile the regular expression for the subject name.
* */
if (strncasecmp(p, "<SUBJECT>", 9) == 0) {
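Review bot: A `<COMPONENTS>` clause whose value is not a positive integer (for example `<COMPONENTS>x` or `<COMPONENTS>0`) is silently ignored here, leaving record->size at -1 so the clause never constrains the match, whereas the regex clauses in the same loop `goto error` on a parse failure; since doc/CONFIGURATION tells KDC operators to rely on this clause, it should fail closed the same way. Replace the silent fall-through with an else branch: `} else { pkinit_debug(mcontext, 0, "Error parsing <COMPONENTS> value \"%.*s\"\n", q - p, p); goto error; }`. The strtol call also does not reset errno, so an out-of-range value passes the `*s` check with a clamped result; `errno = 0;` before the call and `errno != ERANGE` in the condition closes that. cert_match_record_init starts outside the hunk.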
@@ -448,6 +476,7 @@
memcpy(pattern, p, q - p);
if (regcomp(&record->reg_subject,
pattern,
+ REG_NOSUB |
REG_EXTENDED) != 0) {
pkinit_debug(mcontext, 0,
"Error parsing "
@@ -473,6 +502,7 @@
memcpy(pattern, p, q - p);
if (regcomp(&record->reg_issuer,
pattern,
+ REG_NOSUB |
REG_EXTENDED) != 0) {
pkinit_debug(mcontext, 0,
"Error parsing "
@@ -497,6 +527,7 @@
if (pattern != NULL) {
memcpy(pattern, p, q - p);
if (regcomp(&record->reg_san, pattern,
+ REG_NOSUB |
REG_EXTENDED) != 0) {
pkinit_debug(mcontext, 0,
"Error parsing "
@@ -512,7 +543,32 @@
pkinit_debug(mcontext, 3, "<SAN> \"%s\"\n",
pattern);
}
- /* Make an copy of the keyUsage. */
+ /* Compile the regular expression for the
+ * subjectAlternativeName (rfc822Name type). */
+ if (strncasecmp(p, "<EMAIL>", 7) == 0) {
+ p += 7;
+ pattern = PORT_ArenaZAlloc(record->arena,
+ q - p + 1);
+ if (pattern != NULL) {
+ memcpy(pattern, p, q - p);
+ if (regcomp(&record->reg_email, pattern,
+ REG_NOSUB |
+ REG_EXTENDED) != 0) {
+ pkinit_debug(mcontext, 0,
+ "Error parsing "
+ "<EMAIL>"
+ " regex \"%s\"\n",
+ pattern);
+ goto error;
+ }
+ } else {
+ goto error;
+ }
+ record->match_email = PR_TRUE;
+ pkinit_debug(mcontext, 3, "<EMAIL> \"%s\"\n",
+ pattern);
+ }
+ /* Make a copy of the keyUsage. */
if (strncasecmp(p, "<KU>", 4) == 0) {
p += 4;
pattern = PORT_ArenaZAlloc(record->arena,
@@ -526,7 +582,7 @@
pkinit_debug(mcontext, 3, "<KU> %s\n",
pattern);
}
- /* Make an copy of the extendedKeyUsage. */
+ /* Make a copy of the extendedKeyUsage. */
if (strncasecmp(p, "<EKU>", 5) == 0) {
p += 5;
pattern = PORT_ArenaZAlloc(record->arena,
@@ -560,6 +616,9 @@
if (record->match_san) {
regfree(&record->reg_san);
}
+ if (record->match_email) {
+ regfree(&record->reg_email);
+ }
if (record->match_issuer) {
regfree(&record->reg_issuer);
}
@@ -585,6 +644,9 @@
if (record->match_san) {
regfree(&record->reg_san);
}
+ if (record->match_email) {
+ regfree(&record->reg_email);
+ }
if (record->match_issuer) {
regfree(&record->reg_issuer);
}
@@ -599,6 +661,8 @@
static SECStatus
cert_match_record_check(struct module_context *mcontext,
struct cert_match_record *record,
+ krb5_context kcontext,
+ krb5_principal principal,
CERTCertificate *cert)
{
PRBool match;
@@ -653,6 +717,22 @@
record->rule);
}
}
+ if (record->match_email) {
+ clauses++;
+ if (cert_email_regexec(mcontext, cert, &record->reg_email,
+ 0, NULL, 0) == 0) {
+ matches++;
+ pkinit_debug(mcontext, 2,
+ "Certificate \"%s\" matches <EMAIL> in "
+ "\"%s\".\n", cert->subjectName,
+ record->rule);
+ } else {
+ pkinit_debug(mcontext, 2,
+ "Certificate \"%s\" did not match "
+ "<EMAIL> in \"%s\".\n", cert->subjectName,
+ record->rule);
+ }
+ }
if (record->eku != NULL) {
clauses++;
if ((cert_eku_matches_text(mcontext, cert, record->eku,
@@ -670,6 +750,21 @@
record->rule);
}
}
+ if (record->size >= 0) {
+ clauses++;
+ if (krb5_princ_size(kcontext, principal) == record->size) {
+ matches++;
+ pkinit_debug(mcontext, 2,
+ "Certificate \"%s\" matches "
+ "<COMPONENTS> in \"%s\".\n",
+ cert->subjectName, record->rule);
+ } else {
+ pkinit_debug(mcontext, 2,
+ "Certificate \"%s\" did not match "
+ "<COMPONENTS> in \"%s\".\n",
+ cert->subjectName, record->rule);
+ }
+ }
if (record->ku != NULL) {
clauses++;
if ((cert_ku_matches_text(mcontext, cert, record->ku,
@@ -703,6 +798,84 @@
}
}
+static char *
+cert_match_expand_rule(PLArenaPool *pool,
+ krb5_context kcontext, krb5_principal principal,
+ const char *pattern, int length)
+{
+ char *ret;
+ const char *p;
+ int i, len;
+ unsigned int j;
+ krb5_data *data;
+
+ len = 1;
+ for (p = pattern; (p - pattern) < length; p++) {
+ if (*p == '%') {
+ p++;
+ data = NULL;
+ if (*p == '%') {
+ len++;
+ } else
+ if (*p == '0') {
+ data = krb5_princ_realm(kcontext, principal);
+ } else
+ if ((*p >= '1') && (*p <= '9')) {
+ i = *p - '1' + 1;
+ if (i >= krb5_princ_size(kcontext, principal)) {
+ data = krb5_princ_component(kcontext,
+ principal,
+ i - 1);
+ }
+ }
+ if (data != NULL) {
+ len += (data->length * 2);
+ }
+ } else {
+ len++;
+ }
+ }
+
+ ret = PORT_ArenaZAlloc(pool, len + 1);
+ if (ret != NULL) {
+ len = 0;
+ for (p = pattern; (p - pattern) < length; p++) {
+ if (*p == '%') {
+ p++;
+ data = NULL;
+ if (*p == '%') {
+ ret[len++] = '%';
+ } else
+ if (*p == '0') {
+ data = krb5_princ_realm(kcontext,
+ principal);
+ } else
+ if ((*p >= '1') && (*p <= '9')) {
+ i = *p - '1' + 1;
+ if (i >= krb5_princ_size(kcontext,
+ principal)) {
+ data = krb5_princ_component(kcontext,
+ principal,
+ i - 1);
+ }
+ }
+ if (data != NULL) {
+ for (j = 0; j < data->length; j++) {
+ if (strchr(REGEX_SPECIAL_CHARS,
+ data->data[j])) {
+ ret[len++] = '\\';
+ }
+ ret[len++] = data->data[j];
+ }
+ }
+ } else {
+ ret[len++] = *p;
+ }
+ }
+ }
+ return ret;
+}
+
/* Check if the certificate contains the desired OID as an EKU value. */
static SECStatus
cert_eku_matches_oid(struct module_context *mcontext,
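Review bot: The component bounds test is inverted in both passes of cert_match_expand_rule: for `%N` the code sets `i = N` and only fetches a component when `i >= krb5_princ_size(...)`, so `%1` against a two-component principal expands to nothing, while `%3` against that same principal calls krb5_princ_component with an index past the end of the component array. Both occurrences (the length pass and the copy pass) should read `if (i <= krb5_princ_size(kcontext, principal)) {`, i.e. component i-1 exists. Because the expanded text is what the KDC later matches certificates against when trust_matching_rules is enabled, a silently dropped reference turns a rule such as `<SAN>%1@%0` into a much looser pattern, so this warrants a regression test with two- and three-component principals.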
@@ -1340,6 +1513,90 @@
}
static int
+cert_email_regexec(struct module_context *mcontext,
+ CERTCertificate *cert,
+ const regex_t *preg,
+ size_t nmatch, regmatch_t *pmatch, int eflags)
+{
+ struct subject_alt_name **names;
+ SECItem san_value;
+ char *pname;
+ int i, ret;
+
+ ret = -1;
+ i = 0;
+ names = NULL;
+
+ /* If the email address pulled out of the certificate's subject name
+ * matches, then we should check it first. Might save us some work. */
+ if ((cert->emailAddr != NULL) && (strlen(cert->emailAddr) > 0)) {
+ if (regexec(preg, cert->emailAddr, nmatch, pmatch,
+ eflags) == 0) {
+ pkinit_debug(mcontext, 2,
+ "Mail address \"%s\" matched.\n",
+ cert->emailAddr);
+ return 0;
+ } else {
+ pkinit_debug(mcontext, 2,
+ "Mail address \"%s\" did not match.\n",
+ cert->emailAddr);
+ }
+ }
+
+ /* Find the subjectAltName extension. */
+ if (CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
+ &san_value) != SECSuccess) {
+ pkinit_debug(mcontext, 2,
+ "No subjectAltName extension in cert while "
+ "checking for matching principal.\n");
+ return -1;
+ }
+
+ /* Split up the subjectAltName sequence. */
+ if (SEC_ASN1DecodeItem(cert->arena, &names,
+ san_template, &san_value) != SECSuccess) {
+ pkinit_debug(mcontext, 2,
+ "Error parsing subjectAltName extension.\n");
+ SECITEM_FreeItem(&san_value, PR_FALSE);
+ return -1;
+ }
+
+ /* Iterate over all of the values. */
+ for (i = 0; (names != NULL) && (names[i] != NULL) && (ret != 0); i++) {
+ switch (names[i]->subject_alt_name_type) {
+ case subject_alt_name_rfc822_name:
+ pname = PORT_ArenaZAlloc(cert->arena,
+ names[i]->subject_alt_name_value.rfc822_name.len + 1);
+ if (pname != NULL) {
+ memcpy(pname, names[i]->subject_alt_name_value.rfc822_name.data,
+ names[i]->subject_alt_name_value.rfc822_name.len);
+ pkinit_debug(mcontext, 4,
+ "Comparing \"%s\" using regex.\n",
+ pname);
+ if (regexec(preg, pname, nmatch, pmatch,
+ eflags) == 0) {
+ pkinit_debug(mcontext, 2,
+ "Mail address "
+ "matched.\n");
+ ret = 0;
+ } else {
+ pkinit_debug(mcontext, 2,
+ "Mail address "
+ "did not match.\n");
+ }
+ }
+ default:
+ pkinit_debug(mcontext, 2,
+ "SAN %d is type %d, not an rfc822Name.\n",
+ i + 1, names[i]->subject_alt_name_type);
+ break;
+ };
+ }
+ SECITEM_FreeItem(&san_value, PR_FALSE);
+ return ret;
+}
+
+static int
cert_san_regexec(struct module_context *mcontext,
CERTCertificate *cert,
const regex_t *preg,
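Review bot: The `case subject_alt_name_rfc822_name:` arm in cert_email_regexec has no `break` before `default:`, so every rfc822Name that was just compared also logs `SAN %d is type %d, not an rfc822Name.`; add `break;` before `default:` and drop the stray `;` after the switch's closing brace. pname is NUL-terminated by the zeroed arena allocation, but a name containing an embedded NUL byte is compared only up to that byte, so a check such as `if ((pname != NULL) && (strlen(pname) == names[i]->subject_alt_name_value.rfc822_name.len)) {` keeps a truncated name from matching a rule written for the shorter string. The debug message for an rfc822Name that did not match would also be more useful if it included pname, as the "Comparing" line above it already does.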
@@ -1663,6 +1920,7 @@
if (match_record != NULL) {
while (match_record != NULL) {
if (cert_match_record_check(mcontext, match_record,
+ kcontext, principal,
candidate) == SECSuccess) {
pkinit_debug(mcontext, 2,
"Certificate matched matching "
@@ -2657,6 +2915,7 @@
SECStatus verify_status;
int n_other_certs;
PRBool is_ca, matches;
+ struct cert_match_record *match_record;
*error_epis = NULL;
@@ -2883,15 +3142,27 @@
}
/* Check that it matches the principal name. */
+ if (cert_flags & CERT_MATCHES_CONFIGURATION) {
+ match_record = cert_match_record_init(mcontext, kcontext,
+ client);
+ } else {
+ match_record = NULL;
+ }
if (!cert_is_preferred(mcontext, pool, client_cert, bag,
NULL, NULL, additional_dn_list,
- kcontext, client, cert_flags, NULL,
+ kcontext, client, cert_flags, match_record,
pwcb_args)) {
pkinit_debug(mcontext, 1,
"Client certificate for \"%s\" didn't match "
"client name.\n", client_cert->subjectName);
+ if (match_record != NULL) {
+ cert_match_record_done(match_record);
+ }
return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
}
+ if (match_record != NULL) {
+ cert_match_record_done(match_record);
+ }
/* Check that it matches the desired EKU. */
if ((cert_eku_matches_oid(mcontext, client_cert,
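Review bot: When CERT_MATCHES_CONFIGURATION is set but cert_match_record_init returns NULL (it has several error exits, an unparsable regex among them), match_record is NULL and the cert_is_preferred path skips the rule check entirely, so a broken pkinit_cert_match ruleset silently disables a check the operator turned on with trust_matching_rules. At minimum log it where it happens: `if ((cert_flags & CERT_MATCHES_CONFIGURATION) && (match_record == NULL)) { pkinit_debug(mcontext, 0, "No usable pkinit_cert_match rules; matching rules not applied.\n"); }`. Whether cert_match_record_init also returns NULL for an absent or empty ruleset cannot be told from this hunk; if it does, distinguishing that from a parse error would let the KDC fail closed on the error case. The enclosing function starts and ends outside the hunk.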
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.6-1/src/pkinit.c new/pkinit-nss-0.7.7-1/src/pkinit.c
--- old/pkinit-nss-0.7.6-1/src/pkinit.c 2008-08-28 21:15:57.000000000 +0200
+++ new/pkinit-nss-0.7.7-1/src/pkinit.c 2008-09-04 10:24:53.000000000 +0200
@@ -159,7 +159,7 @@
struct domain_parameters **allowed_dh_params;
} server_constraints;
PRBool allow_pkinit, enable_ocsp, owns_nss, try_dh, is_hw;
- PRBool trust_pkinit_san, trust_upn_san;
+ PRBool trust_matching_rules, trust_pkinit_san, trust_upn_san;
int preferred_group;
int client_signed_data_version, kdc_signed_data_version;
unsigned int minimum_dh_prime_size;
@@ -209,7 +209,7 @@
pkinit_late_init(krb5_context kcontext, struct module_context *context)
{
int pkinit, ocsp, try_dh, is_hw, preferred_group, minimum_dh_prime_size;
- int trust_pkinit_san, trust_upn_san;
+ int trust_matching_rules, trust_pkinit_san, trust_upn_san;
int debug_level, debug_syslog, debug_stdout, debug_stderr;
char *p, *q, *mappings_file, *dbdir, *signed_version;
char *cert_file, *key_file, *cacert_file, *cert_pool, *cacert_pool;
@@ -433,6 +433,10 @@
/* Control whether we trust PKINIT SAN values or not. */
krb5_appdefault_boolean(kcontext, "pkinit", default_realm,
"trust_pkinit_san", PR_TRUE, &trust_pkinit_san);
+ /* Control whether we trust clients based on matching rules. */
+ krb5_appdefault_boolean(kcontext, "pkinit", default_realm,
+ "trust_matching_rules", PR_FALSE,
+ &trust_matching_rules);
/* Set debug logging level. */
krb5_appdefault_string(kcontext, "pkinit", default_realm,
"debug_level", "0", &p);
@@ -462,6 +466,7 @@
context->try_dh = try_dh;
context->trust_upn_san = trust_upn_san;
context->trust_pkinit_san = trust_pkinit_san;
+ context->trust_matching_rules = trust_matching_rules;
context->preferred_group = preferred_group;
context->minimum_dh_prime_size = minimum_dh_prime_size;
context->debug_level = debug_level;
@@ -1915,11 +1920,12 @@
n_mapped_certs,
additional_client_dn_list,
CERT_MATCHES_DN_LIST |
+ (context->trust_matching_rules ?
+ CERT_MATCHES_CONFIGURATION : 0) |
(context->trust_pkinit_san ?
CERT_MATCHES_KRB_SAN : 0) |
(context->trust_upn_san ?
- CERT_MATCHES_UPN_SAN : 0) |
- CERT_MATCHES_TRUSTED_SERVERS,
+ CERT_MATCHES_UPN_SAN : 0),
&signer,
&client_sign_version,
&client_public_info,
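Review bot: The flag set passed in this call no longer includes CERT_MATCHES_TRUSTED_SERVERS, yet neither NEWS nor either spec changelog mentions it and there is no comment at the call; the release notes only describe the additions. This changes the acceptance criteria the KDC applies to a client certificate, so if the removal is intentional a one-line comment above the flag expression stating why the KDC no longer passes it would stop the next reader from restoring it, and the NEWS entry should record it; if it is not intentional it should be put back. The call spans beyond the hunk on both sides.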
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++