authorTimothy Pearson <[email protected]>2015-09-29 15:07:11 -0500
committerTimothy Pearson <[email protected]>2015-09-29 15:07:11 -0500
commit53a442c926a03e8cbd6b901679b9c658ee29e02f (patch)
tree0334c4dcf2b8d93f2a2a9f6ec6477f3357a2e229 /src/libtdeldap.cpp
parent80c65755dc02df84c632a9eba82dae8f8daab67f (diff)
downloadlibtdeldap-53a442c926a03e8cbd6b901679b9c658ee29e02f.tar.gz
libtdeldap-53a442c926a03e8cbd6b901679b9c658ee29e02f.zip
Allow Kerberos ticket init via cryptographic card
Diffstat (limited to 'src/libtdeldap.cpp')
-rw-r--r--src/libtdeldap.cpp81
1 files changed, 76 insertions, 5 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 772596a..7543268 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -38,6 +38,7 @@
#include <tdesu/process.h>
#include <ksslcertificate.h>
#include <krfcdate.h>
+#include <tdehardwaredevices.h>
#include <tdecryptographiccarddevice.h>
#include <ldap.h>
@@ -286,7 +287,7 @@ int LDAPManager::bind(TQString* errstr) {
havepass = true;
}
else {
- LDAPPasswordDialog passdlg(0, 0, (m_krbTickets.count() > 0));
+ LDAPPasswordDialog passdlg(0, 0, (m_krbTickets.count() > 0), false);
passdlg.m_base->ldapAdminRealm->setEnabled(false);
passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
passdlg.m_base->ldapUseTLS->setChecked(true);
@@ -1655,7 +1656,7 @@ LDAPRealmConfigList LDAPManager::fetchAndReadTDERealmList(TQString *defaultRealm
return realms;
}
-int LDAPManager::getKerberosPassword(LDAPCredentials &creds, TQString prompt, bool requestServicePrincipal, TQWidget* parent)
+int LDAPManager::getKerberosPassword(LDAPCredentials &creds, TQString prompt, bool requestServicePrincipal, bool allowSmartCard, TQWidget* parent)
{
int i;
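Review bot: The new `allowSmartCard` parameter is inserted in front of `parent` at line L42 rather than appended, so any caller outside this diff that still passes a `TQWidget*` positionally in the fourth slot would have that pointer silently converted to the bool (a non-null widget reads as `true`) instead of failing to compile, unless the declaration gives both trailing parameters defaults. Giving `allowSmartCard` a default of `false` in the header, or appending it after `parent`, keeps the existing call sites meaningful; the callers are not visible here, so this is worth confirming against the header. The body of getKerberosPassword continues outside the hunk.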
@@ -1665,7 +1666,7 @@ int LDAPManager::getKerberosPassword(LDAPCredentials &creds, TQString prompt, bo
if (creds.realm != "") {
defaultRealm = creds.realm;
}
- LDAPPasswordDialog passdlg(parent, 0, false);
+ LDAPPasswordDialog passdlg(parent, 0, false, allowSmartCard);
passdlg.m_base->ldapAdminRealm->setEnabled(true);
LDAPRealmConfigList::Iterator it;
i=0;
@@ -1693,6 +1694,13 @@ int LDAPManager::getKerberosPassword(LDAPCredentials &creds, TQString prompt, bo
creds.realm = passdlg.m_base->ldapAdminRealm->currentText();
creds.service = passdlg.m_base->kerberosServicePrincipal->text();
creds.use_tls = passdlg.m_base->ldapUseTLS->isOn();
+ creds.use_gssapi = false;
+ if (allowSmartCard) {
+ creds.use_smartcard = passdlg.use_smartcard;
+ }
+ else {
+ creds.use_smartcard = false;
+ }
}
return ret;
}
@@ -1700,6 +1708,58 @@ int LDAPManager::getKerberosPassword(LDAPCredentials &creds, TQString prompt, bo
int LDAPManager::obtainKerberosTicket(LDAPCredentials creds, TQString principal, TQString *errstr) {
TQCString command = "kinit";
QCStringList args;
+ if (creds.use_smartcard) {
+ // Get PKCS#11 slot number from the LDAP configuration file
+ KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+ systemconfig->setGroup(NULL);
+ int pkcs11_login_card_slot = systemconfig->readNumEntry("PKCS11LoginCardSlot", 0);
+ delete systemconfig;
+
+ TQString pkcsProviderString = "PKCS11:" + TDECryptographicCardDevice::pkcsProviderLibrary();
+ if (pkcs11_login_card_slot != 0) {
+ pkcsProviderString.append(TQString(",slot=%1").arg(pkcs11_login_card_slot));
+ }
+ args << TQCString("-C") << TQCString(pkcsProviderString);
+
+ // Find certificate on card and set credentials to match
+ TDEGenericDevice *hwdevice;
+ TDEHardwareDevices *hwdevices = TDEGlobal::hardwareDevices();
+ TDEGenericHardwareList cardReaderList = hwdevices->listByDeviceClass(TDEGenericDeviceType::CryptographicCard);
+ for (hwdevice = cardReaderList.first(); hwdevice; hwdevice = cardReaderList.next()) {
+ TDECryptographicCardDevice* cdevice = static_cast<TDECryptographicCardDevice*>(hwdevice);
+ TQString username = TQString::null;
+ TQString realm = TQString::null;
+ X509CertificatePtrList certList = cdevice->cardX509Certificates();
+ if (certList.count() > 0) {
+ TQStringList::Iterator it;
+ KSSLCertificate* card_cert = NULL;
+ card_cert = KSSLCertificate::fromX509(certList[0]);
+ TQStringList cert_subject_parts = TQStringList::split("/", card_cert->getSubject(), false);
+ TQStringList reversed_cert_subject_parts;
+ for (it = cert_subject_parts.begin(); it != cert_subject_parts.end(); it++) {
+ reversed_cert_subject_parts.prepend(*it);
+ }
+ for (it = reversed_cert_subject_parts.begin(); it != reversed_cert_subject_parts.end(); ++it ) {
+ TQString lcpart = (*it).lower();
+ if (lcpart.startsWith("cn=")) {
+ username = lcpart.right(lcpart.length() - strlen("cn="));
+ }
+ else if (lcpart.startsWith("dc=")) {
+ realm.append(lcpart.right(lcpart.length() - strlen("dc=")) + ".");
+ }
+ }
+ if (realm.endsWith(".")) {
+ realm.truncate(realm.length() - 1);
+ }
+ delete card_cert;
+ }
+ if (username != "") {
+ creds.username = username;
+ creds.realm = realm;
+ break;
+ }
+ }
+ }
if (principal == "") {
args << TQCString(creds.username + "@" + creds.realm.upper());
}
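Review bot: The realm derived from the card certificate is assigned unconditionally at line L119, so a certificate whose subject carries a CN but no DC components leaves `creds.realm` empty and the principal built just below becomes `user@`, discarding the realm the user chose in the dialog; keep the dialog's value when the card gives none, `if (realm != "") { creds.realm = realm; }`. The subject is parsed by splitting `getSubject()` on "/", so a CN that itself contains a slash is cut in two, and only `certList[0]` is consulted even though the loop iterates every reader — a short comment stating that the first certificate of the first reader is assumed to be the login certificate would make that choice reviewable. Since PKINIT lets the KDC verify the certificate against the requested principal, a wrong guess here should fail the request rather than yield a foreign identity, which is worth stating in a comment above the loop so nobody later treats this parse as authoritative. obtainKerberosTicket continues outside the hunk.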
@@ -1712,7 +1772,17 @@ int LDAPManager::obtainKerberosTicket(LDAPCredentials creds, TQString principal,
kinitProc.exec(command, args);
prompt = readFullLineFromPtyProcess(&kinitProc);
prompt = prompt.stripWhiteSpace();
- if (prompt.endsWith(" Password:")) {
+ while (prompt.endsWith(" Password:") || (creds.use_smartcard && prompt.contains("PIN"))) {
+ if (creds.use_smartcard) {
+ TQCString password;
+ int result = KPasswordDialog::getPassword(password, prompt);
+ if (result == KPasswordDialog::Accepted) {
+ creds.password = password;
+ }
+ else {
+ return 0;
+ }
+ }
kinitProc.enableLocalEcho(false);
kinitProc.writeLine(creds.password, true);
do { // Discard our own input
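Review bot: When the PIN dialog is cancelled at line L140 the function returns 0 with kinit still running and blocked on the PTY waiting for input, and `*errstr` is never set, so the caller cannot tell a cancelled PIN entry apart from whatever 0 means on the success path; terminate `kinitProc` and report the cancellation through `errstr` before returning. The PIN is also copied into both the local `password` and `creds.password` and neither is cleared after `writeLine`, so it stays in heap memory for the remainder of the call — clearing both once the line has been written would limit that exposure. Because the loop re-prompts on every PIN request, each iteration consumes a card PIN attempt; a comment saying so, or a cap on retries, would help avoid walking a user into card lockout. The while body continues outside the hunk.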
@@ -3560,7 +3630,7 @@ int LDAPManager::setLDAPMasterReplicationSettings(LDAPMasterReplicationInfo repl
replicationinfo.syncDN = "cn=admin," + m_basedc;
}
if (!errstr && replicationinfo.syncPassword.isNull()) {
- LDAPPasswordDialog passdlg(0, 0, false);
+ LDAPPasswordDialog passdlg(0, 0, false, false);
passdlg.m_base->ldapAdminRealm->setEnabled(false);
passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
passdlg.m_base->ldapUseTLS->hide();
@@ -5433,6 +5503,7 @@ LDAPCredentials::LDAPCredentials() {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
use_tls = true;
use_gssapi = false;
+ use_smartcard = false;
}
LDAPCredentials::~LDAPCredentials() {