etc/pam_pkcs11.conf.example.in | 5 +++--
src/common/cert_vfy.c | 12 +++++++++++-
src/common/cert_vfy.h | 1 +
src/pam_pkcs11/pam_config.c | 4 ++++
4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/etc/pam_pkcs11.conf.example.in b/etc/pam_pkcs11.conf.example.in
index 648ec7a..f8e1f27 100644
--- a/etc/pam_pkcs11.conf.example.in
+++ b/etc/pam_pkcs11.conf.example.in
@@ -69,7 +69,8 @@ pam_pkcs11 {
 # Sets the Certificate verification policy.
 # "none" Performs no verification
- # "ca" Does CA check
+ # "global_ca" Does CA check against system-wide cert storage
+ # "ca" Does CA check against ca_dir
 # "crl_online" Downloads the CRL form the location given by the
 # CRL distribution point extension of the certificate
 # "crl_offline" Uses the locally stored CRLs
@@ -81,7 +82,7 @@ pam_pkcs11 {
 # and public key matches
 # You can use a combination of ca,crl, and signature flags, or just
 # use "none".
- cert_policy = ca,signature;
+ cert_policy = global_ca,ca,signature;
 # What kind of token?
 # The value of the token_type parameter will be used in the user prompt
diff --git a/src/common/cert_vfy.c b/src/common/cert_vfy.c
index 7efb0cb..c15250d 100644
--- a/src/common/cert_vfy.c
+++ b/src/common/cert_vfy.c
@@ -342,6 +342,16 @@ static X509_STORE * setup_store(cert_policy *policy) {
 return NULL;
 }
+ /* if needed add default paths */
+ if ( (policy->global_ca_policy) ) {
+ DBG("Adding default paths to x509_store");
+ rv = X509_STORE_set_default_paths(store);
+ if (!rv) {
+ X509_STORE_free(store);
+ set_error("X509_STORE_set_default_paths() failed: %s", ERR_error_string(ERR_get_error(), NULL));
+ return NULL;
+ }
+ }
 /* if needed add hash_dir lookup methods */
 if ( (is_dir(policy->ca_dir)>0) || (is_dir(policy->crl_dir)>0) ) {
 DBG("Adding hashdir lookup to x509_store");
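Review bot: Shipping `cert_policy = global_ca,ca,signature;` as the example default makes every CA in the OpenSSL system trust store an acceptable issuer for a login certificate, not only the CAs the administrator placed in ca_dir, and on most distributions that store is the public TLS CA bundle. Because the example file is what many deployments start from, it would be safer to keep the previous `cert_policy = ca,signature;` as the shipped default and present `global_ca` as an opt-in in the first hunk's comment, e.g. `# "global_ca" Does CA check against system-wide cert storage (accepts any CA in the OpenSSL default store)`. Whether a certificate chaining to an unrelated CA actually authenticates a user also depends on the mapper configuration, which this diff does not touch.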
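Review bot: `X509_STORE_set_default_paths(store)` loads the OpenSSL default certificate file and directory, and OpenSSL takes those locations from the SSL_CERT_FILE and SSL_CERT_DIR environment variables when they are set (older releases read them with plain getenv(), newer ones with a secure variant that ignores them in setuid/setgid processes). In a PAM module the environment belongs to the calling application, so the trust anchors used for `global_ca` can differ from one application to another; a comment above the block such as `/* global_ca: OpenSSL default cert file/dir; may be redirected by SSL_CERT_FILE / SSL_CERT_DIR in the caller's environment */` makes that visible to the next maintainer. `ERR_error_string(ERR_get_error(), NULL)` writes into a static buffer; if the surrounding lookups use the same pattern this is only a style point, otherwise `ERR_error_string_n` with a local buffer is preferable. `setup_store` starts before this hunk and continues after it.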
@@ -412,7 +422,7 @@ int verify_certificate(X509 * x509, cert_policy *policy)
 X509_STORE_CTX *ctx;
 /* if neither ca nor crl check are requested skip */
- if ( (policy->ca_policy==0) && (policy->crl_policy==CRLP_NONE) ) {
+ if ( (policy->global_ca_policy==0) && (policy->ca_policy==0) && (policy->crl_policy==CRLP_NONE) ) {
 DBG("Neither CA nor CRL check requested. CertVrfy() skipped");
 return 1;
 }
diff --git a/src/common/cert_vfy.h b/src/common/cert_vfy.h
index 657b212..94a8d7d 100644
--- a/src/common/cert_vfy.h
+++ b/src/common/cert_vfy.h
@@ -46,6 +46,7 @@ typedef enum {
 } ocsp_policy_t;
 struct cert_policy_st {
+ int global_ca_policy;
 int ca_policy;
 int crl_policy;
 int signature_policy;
diff --git a/src/pam_pkcs11/pam_config.c b/src/pam_pkcs11/pam_config.c
index 6739def..ef0ce62 100644
--- a/src/pam_pkcs11/pam_config.c
+++ b/src/pam_pkcs11/pam_config.c
@@ -55,6 +55,7 @@ struct configuration_st configuration = {
 /* cert policy; */
 {
 0,
+ 0,
 CRLP_NONE,
 0,
 CONFDIR "/cacerts",
@@ -184,6 +185,7 @@ static void parse_config_file(void) {
 if ( !strcmp(policy_list->data,"none") ) {
 configuration.policy.crl_policy=CRLP_NONE;
 configuration.policy.ocsp_policy=OCSP_NONE;
+ configuration.policy.global_ca_policy=0;
 configuration.policy.ca_policy=0;
 configuration.policy.signature_policy=0;
 break;
@@ -195,6 +197,8 @@ static void parse_config_file(void) {
 configuration.policy.crl_policy=CRLP_OFFLINE;
 } else if ( !strcmp(policy_list->data,"ocsp_on") ) {
 configuration.policy.ocsp_policy=OCSP_ON;
+ } else if ( !strcmp(policy_list->data,"global_ca") ) {
+ configuration.policy.global_ca_policy=1;
 } else if ( !strcmp(policy_list->data,"ca") ) {
 configuration.policy.ca_policy=1;
 } else if ( !strcmp(policy_list->data,"signature") ) {
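Review bot: `int global_ca_policy;` is inserted as the first member of `struct cert_policy_st`, which shifts every positional initializer of the struct; the diff updates the one in pam_config.c (the extra `0,` at `@@ -55`), but any other positional initializer in the tree or in an out-of-tree user of this header would now silently feed the old `ca_policy` value into `global_ca_policy` with no compiler diagnostic. Appending the member after `signature_policy` instead, or switching the pam_config.c initializer to designated form (`.global_ca_policy = 0, .ca_policy = 0, .crl_policy = CRLP_NONE,`), keeps the layout change from being a silent behavioral change. A short comment on the new member, e.g. `/* 1: also trust the OpenSSL default cert file/dir (X509_STORE_set_default_paths) */`, would document what the flag means. The rest of the struct lies outside the hunk.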