packages/kanidm: init with support for 389ds PBKDF2_SHA256

This commit is contained in:
Max Headroom 2023-06-10 16:34:02 +02:00
parent dfd5e3306b
commit 29f2c20e64
3 changed files with 35 additions and 0 deletions

View file

@ -6,6 +6,7 @@
in { in {
inherit (patched) inherit (patched)
kanidm
powerdns-admin powerdns-admin
prometheus-jitsi-exporter prometheus-jitsi-exporter
sssd sssd

View file

@ -76,6 +76,8 @@ super: rec {
}; };
in jre // { meta = jre.meta // { inherit (super.jdk17_headless.meta) platforms; }; }; in jre // { meta = jre.meta // { inherit (super.jdk17_headless.meta) platforms; }; };
kanidm = patch super.kanidm "patches/base/kanidm";
keycloak = super.keycloak.override { keycloak = super.keycloak.override {
jre = jre17_standard; jre = jre17_standard;
}; };

View file

@ -0,0 +1,32 @@
diff --git a/libs/crypto/src/lib.rs b/libs/crypto/src/lib.rs
index 1ca99d5..8edc071 100644
--- a/libs/crypto/src/lib.rs
+++ b/libs/crypto/src/lib.rs
@@ -295,6 +295,27 @@ impl TryFrom<&str> for Password {
});
}
+ if let Some(ds_pbkdf2_b64) = value.strip_prefix("{PBKDF2_SHA256}") {
+ let base64_decoder_config = general_purpose::GeneralPurposeConfig::new()
+ .with_decode_allow_trailing_bits(true);
+ let base64_decoder =
+ GeneralPurpose::new(&alphabet::STANDARD, base64_decoder_config);
+ let ds_pbkdf2 = base64_decoder.decode(ds_pbkdf2_b64).map_err(|e| {
+ error!(?e, "Invalid base64 in 389ds PBKDF2_SHA256");
+ })?;
+ let cost = u32::from_be_bytes(ds_pbkdf2[0..4].try_into().unwrap());
+ let c: usize = cost.try_into().unwrap();
+ let s: Vec<u8> = ds_pbkdf2[4..68].try_into().unwrap();
+ let h: Vec<u8> = ds_pbkdf2[68..ds_pbkdf2.len()].try_into().unwrap();
+ if h.len() < PBKDF2_MIN_NIST_KEY_LEN {
+ warn!("389ds PBKDF2_SHA256: hash length {} too short vs. {}!", h.len(), PBKDF2_MIN_NIST_KEY_LEN);
+ return Err(());
+ }
+ return Ok(Password {
+ material: Kdf::PBKDF2(c, s, h)
+ })
+ }
+
// Test for OpenLDAP formats
if value.starts_with("{PBKDF2}")
|| value.starts_with("{PBKDF2-SHA1}")