[krbdev.mit.edu #8670] git commit
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed Apr 25 12:01:50 EDT 2018
Fix PKINIT rule matching against UPN SANs
Commit 46ff765e1fb8cbec2bb602b43311269e695dbedc (for ticket 8528)
broke rule-based matching of UPN SANs using the <SAN> rule type. To
fix this regression, make crypto_retrieve_cert_sans() return UPN SANs
in their original string form, and only parse them into principal
names in pkinit_srv.c:verify_client_san(). In
pkinit_cert_matching_data, store UPN SANs as strings separately from
PKINIT SANs instead of concatenating them together, and match original
UPN strings against <SAN> rule regexps. Add a test case.
https://github.com/krb5/krb5/commit/0f26c1c7504777d6e7bfa1d3dee575c504ab6c05
Author: Greg Hudson <ghudson at mit.edu>
Commit: 0f26c1c7504777d6e7bfa1d3dee575c504ab6c05
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto.h | 6 +-
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 63 ++++----------------
src/plugins/preauth/pkinit/pkinit_matching.c | 20 ++++---
src/plugins/preauth/pkinit/pkinit_srv.c | 21 ++++--
src/plugins/preauth/pkinit/pkinit_trace.h | 3 +
src/tests/t_pkinit.py | 7 ++
6 files changed, 52 insertions(+), 68 deletions(-)
More information about the krb5-bugs
mailing list