[krbdev.mit.edu #8670] git commit

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[krbdev.mit.edu #8670] git commit

Jeffrey Arbuckle via RT

Fix PKINIT rule matching against UPN SANs

Commit 46ff765e1fb8cbec2bb602b43311269e695dbedc (for ticket 8528)
broke rule-based matching of UPN SANs using the <SAN> rule type.  To
fix this regression, make crypto_retrieve_cert_sans() return UPN SANs
in their original string form, and only parse them into principal
names in pkinit_srv.c:verify_client_san().  In
pkinit_cert_matching_data, store UPN SANs as strings separately from
PKINIT SANs instead of concatenating them together, and match original
UPN strings against <SAN> rule regexps.  Add a test case.

(cherry picked from commit 0f26c1c7504777d6e7bfa1d3dee575c504ab6c05)

Author: Greg Hudson <[hidden email]>
Commit: 67632329dbacf7b1964df01a88f061d2f16063ef
Branch: krb5-1.16
 src/plugins/preauth/pkinit/pkinit_crypto.h         |    6 +-
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |   63 ++++----------------
 src/plugins/preauth/pkinit/pkinit_matching.c       |   20 ++++---
 src/plugins/preauth/pkinit/pkinit_srv.c            |   21 ++++--
 src/plugins/preauth/pkinit/pkinit_trace.h          |    3 +
 src/tests/t_pkinit.py                              |    7 ++
 6 files changed, 52 insertions(+), 68 deletions(-)

krb5-bugs mailing list
[hidden email]