File pam_pkcs11-0.6.0-ms-upn-oid.patch of Package pam_pkcs11
--- pam_pkcs11-0.6.0/src/common/cert_info.c~ 2007-06-06 05:28:08.000000000 -0400
+++ pam_pkcs11-0.6.0/src/common/cert_info.c 2007-07-18 12:48:08.000000000 -0400
@@ -52,7 +52,7 @@ static const SECOidData kerberosPN_Entry
SECOidTag CERT_MicrosoftUPN_OID = SEC_OID_UNKNOWN;
/* { 1.3.6.1.4.1.311 } */
static const unsigned char microsoftUPNOID[] =
- { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 }; /*, xxxx */
+{ 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0x14, 0x2, 0x3 };
static const SECOidData microsoftUPN_Entry =
{ TO_ITEM(microsoftUPNOID), SEC_OID_UNKNOWN,
"Microsoft Universal Priniciple", CKM_INVALID_MECHANISM,
@@ -127,6 +127,75 @@ static char **cert_info_digest(X509 *x50
return entries;
}
+static char **
+cert_info_upn (X509 *x509)
+{
+ SECItem alt_name;
+ SECStatus status;
+ PRArenaPool *arena = NULL;
+ CERTGeneralName *nameList;
+ CERTGeneralName *current;
+ SECOidTag tag;
+ static char *results[CERT_INFO_SIZE] = { NULL };
+ int result = 0;
+ SECItem decoded;
+
+ DBG("Looking for ALT_NAME");
+
+ status = CERT_FindCertExtension (x509, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name);
+ if (status != SECSuccess) {
+ DBG("Not found");
+ goto no_upn;
+ }
+
+ arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ DBG("Could not allocate arena");
+ goto no_upn;
+ }
+
+ nameList = current = CERT_DecodeAltNameExtension (arena, &alt_name);
+ if (!nameList) {
+ DBG("Could not decode name");
+ goto no_upn;
+ }
+
+ cert_fetchOID(&CERT_MicrosoftUPN_OID, µsoftUPN_Entry);
+ do {
+ if (current->type == certOtherName) {
+ tag = SECOID_FindOIDTag (¤t->name.OthName.oid);
+ DBG1("got other name with tag %#x", tag);
+ if (tag == CERT_MicrosoftUPN_OID) {
+ status = SEC_ASN1DecodeItem (arena, &decoded,
+ SEC_UTF8StringTemplate,
+ ¤t->name.OthName.name);
+ if (status == SECSuccess) {
+ results[result] = malloc (decoded.len + 1);
+ memcpy (results[result], decoded.data, decoded.len);
+ results[result][decoded.len] = '\0';
+ DBG1("Got upn: %s", results[result]);
+ result++;
+ } else {
+ DBG("Could not decode upn...");
+ }
+ }
+ } else {
+ DBG("not other name...");
+ }
+ current = CERT_GetNextGeneralName (current);
+ } while (current != nameList && result < CERT_INFO_MAX_ENTRIES);
+
+no_upn:
+ if (arena) {
+ PORT_FreeArena (arena, PR_FALSE);
+ }
+
+ if (alt_name.data) {
+ SECITEM_FreeItem (&alt_name, PR_FALSE);
+ }
+
+ return results;
+}
/**
* request info on certificate
@@ -174,8 +243,7 @@ char **cert_info(X509 *x509, int type, A
break;
/* need oid tag. */
case CERT_UPN : /* Microsoft's Universal Principal Name */
- cert_fetchOID(&CERT_MicrosoftUPN_OID ,& microsoftUPN_Entry);
- return cert_GetNameElements(&x509->subject, CERT_MicrosoftUPN_OID);
+ return cert_info_upn (x509);
case CERT_UID : /* Certificate Unique Identifier */
return cert_GetNameElements(&x509->subject, SEC_OID_RFC1274_UID);
break;
--- pam_pkcs11-0.6.0/src/mappers/ms_mapper.c~ 2007-07-18 12:48:41.000000000 -0400
+++ pam_pkcs11-0.6.0/src/mappers/ms_mapper.c 2007-07-18 13:21:02.000000000 -0400
@@ -70,7 +70,7 @@ static char *check_upn(char *str) {
return NULL;
}
if (ignoredomain) return str;
- if (!strcmp(domainname,domain)) {
+ if (strcmp(domainname,domain)) {
DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
return NULL;
}
