dn and san matching

Kevin Coffman kwc at citi.umich.edu
Mon May 21 17:53:41 EDT 2007

The intent here is to provide the ability for an administrator to
configure a machine such that "the" right certificate, among possibly
many on a smartcard, is chosen for pkinit without requiring the user
to specify anything.

My intent is to keep this as simple as possible, yet powerful enough.
Does this syntax look reasonable?  Corrections or suggestions welcome!

(I'm trying to keep parens and quotes and other things out of the
syntax so I don't have to try to parse the regular expressions and
worry about things being escaped within them.)

pkinit_dn_san_match = [&& | ||] [SUBJECT:<reg-exp> | ISSUER:<reg-exp>
| SAN:<reg-exp>]...

There can be multiple instances of this config option.  Examples might be:

pkinit_dn_san_match = &&SUBJECT:.*foo.*ISSUER:.*bar.*

  (This would match if Subject contains "foo" AND Issuer contains "bar")

pkinit_dn_san_match = ||SUBJECT:^OU = CITI,.*ISSUER:.*EDU$

  (This would match if Subject begins with "OU = CITI," OR Issuer ends
with "EDU")

pkinit_dn_san_match = SAN:.*@TEST.COM

  (This would match if there is a San for realm TEST.COM)

If we intend to enforce our rule of failing in the case where we don't
narrow it down to a single certificate, then we'd have to test all the
rules with all the certs to see how many certs match.  Otherwise, we
could change our rule and just return the first cert that matches one of
the rules.  In that case, the admin should define the rules from
most-specific to least-specific.  Opinions?


More information about the krbdev mailing list