pkinit plugin logic in pkinit_srv.c
Greg Hudson
ghudson at mit.edu
Tue Aug 29 16:18:01 EDT 2017
On 08/24/2017 03:26 PM, Greg Hudson wrote:
> It may be that we presently have the wrong behavior if the cert contains
> a UPN SAN and pkinit_allow_upn = false (the default). In that case the
> upn module should probably return KRB5_PLUGIN_NO_HANDLE but might now be
> returning a mismatch.
Just to close the loop on this: it turns out the san module was
explicitly rejecting certs with any SANs at all, even if they have
nothing to do with PKINIT. This will be fixed soon.
More information about the krbdev
mailing list