svn commit: r364971 - in projects/nfs-over-tls: . usr.sbin/rpctlssd
Rick Macklem
rmacklem at FreeBSD.org
Sun Aug 30 01:09:17 UTC 2020
Author: rmacklem
Date: Sun Aug 30 01:09:15 2020
New Revision: 364971
URL: https://svnweb.freebsd.org/changeset/base/364971
Log:
Set the OID for a user at domain subjAltName otherName component to one
assigned under the FreeBSD MIB registry.
Modified:
projects/nfs-over-tls/nfs-over-tls-setup.txt
projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8
projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c
Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt
==============================================================================
--- projects/nfs-over-tls/nfs-over-tls-setup.txt Sat Aug 29 22:24:41 2020 (r364970)
+++ projects/nfs-over-tls/nfs-over-tls-setup.txt Sun Aug 30 01:09:15 2020 (r364971)
@@ -212,10 +212,10 @@ to nfsv4-server.uoguelph.ca and the other to nfsv4-ser
For a client where you wish all RPCs to be done as the user rmacklem
on the above server:
-# openssl req -new -key key.pem -addext "subjectAltName=otherName:1.2.3.4.6.9;UTF8:rmacklem at uoguelph.ca" -out req.pem
+# openssl req -new -key key.pem -addext "subjectAltName=otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem at uoguelph.ca" -out req.pem
For a client similar to the above, but has a FQDN of nfsv4-client.uoguelph.ca:
-# openssl req -new -key key.pem -addext "subjectAltName=DNS:nfsv4-client.uoguelph.ca,othername:1.2.3.4.6.9;UTF8:rmacklem at uoguelph.ca" -out req.pem
+# openssl req -new -key key.pem -addext "subjectAltName=DNS:nfsv4-client.uoguelph.ca,othername:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem at uoguelph.ca" -out req.pem
If you want to look at the CSR:
# openssl req -in req.pem -noout -text
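Review bot: The second example still spells the keyword "othername" in lower case, while the first example and the rpctlssd.8 text use "otherName". Since both command lines are being touched for the OID anyway, use the same spelling in both so a reader copying either one gets an identical subjectAltName syntax. It would also help to add a sentence here saying that a CSR generated from the earlier instructions with 1.2.3.4.6.9 has to be regenerated with the new OID.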
Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Sat Aug 29 22:24:41 2020 (r364970)
+++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Sun Aug 30 01:09:15 2020 (r364971)
@@ -75,7 +75,7 @@ The
option in the
.Xr exports 5
file specifies that the client must provide a certificate
-that verifies and has a otherName:1.2.3.4.6.9;UTF8: field of
+that verifies and has a otherName:1.3.6.1.4.1.2238.1.1.1;UTF8: field of
subjectAltName of the form
.Dq user at dns_domain
that maps to a <uid, gid_list>.
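Review bot: The changed line reads "has a otherName:...;UTF8: field of subjectAltName", which should be "an otherName", and the sentence is hard to parse with the OID in the middle of it. Consider rewording it along the lines of "has a subjectAltName with an otherName component of the form otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:user at dns_domain", which would also match the wording used for the -u option further down.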
@@ -237,7 +237,7 @@ have been specified.
.It Fl u
This option specifies that if the client provides a certificate
that both verifies and has a subjectAltName with an otherName of the form
-.Dq otherName:1.2.3.4.6.9;UTF8:user at dns_domain
+.Dq otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:user at dns_domain
the daemon will attempt to map
.Dq user at dns_domain
in the above
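Review bot: The -u description now names only the new OID, and nothing tells an administrator that certificates issued with the previous otherName OID (1.2.3.4.6.9) no longer match this form. A short sentence after the .Dq line stating that the otherName must carry exactly this OID, and that older test certificates need to be reissued, would save debugging time when the user mapping silently stops applying.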
Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sat Aug 29 22:24:41 2020 (r364970)
+++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun Aug 30 01:09:15 2020 (r364971)
@@ -94,7 +94,7 @@ static uint64_t rpctls_ssl_usec = 0;
static bool rpctls_gothup = false;
static bool rpctls_cnuser = false;
static char *rpctls_dnsname;
-static const char *rpctls_cnuseroid = "1.2.3.4.6.9";
+static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1";
/*
* A linked list of all current "SSL *"s and socket "fd"s
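Review bot: The new value of rpctls_cnuseroid has no comment explaining where it comes from. The commit log says it is assigned under the FreeBSD MIB registry, but that is not recorded next to the constant. A one-line comment above the declaration stating this, and that the same string appears in rpctlssd.8 and nfs-over-tls-setup.txt, would keep the three copies from drifting apart on the next change.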