pkinit plugin logic in pkinit_srv.c
Greg Hudson
ghudson at mit.edu
Thu Aug 24 15:26:49 EDT 2017
On 08/24/2017 03:09 PM, Craig Huckabee wrote:
>> We didn't expect people to want to authorize client certs with an
>> id-pkinit-san SAN containing the wrong principal name. The only way to
>> make that work in the current code is to use module configuration to
>> disable the san certauth module, which would mean that you'd have to use
>> dbmatch for everyone.
> Unfortunately the SAN present isn’t an id-pkinit-san; these cards are
> only issued with the NT-Principal type SAN, so that is what I have to
> work with.
By NT-Principal type SAN, you mean 1.3.6.1.4.1.311.20.2.3 (User
Principal Name)? We can handle those, if you set
"pkinit_allow_upn = true" in kdc.conf in the realm configuration (or in
[kdcdefaults]). The value has to match the request client principal, of
course.
It may be that we presently have the wrong behavior if the cert contains
a UPN SAN and pkinit_allow_upn = false (the default). In that case the
upn module should probably return KRB5_PLUGIN_NO_HANDLE but might now be
returning a mismatch.
More information about the krbdev mailing list
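The check Greg describes, as an added worked example (not code from MIT krb5 or from anyone in the thread): build the DER GeneralNames value a card like Craig's would carry, with a Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) rather than an id-pkinit-san, parse it back out, and apply the rule from the reply, so that with pkinit_allow_upn = false the UPN module declines (the KRB5_PLUGIN_NO_HANDLE outcome Greg says it should return) and with pkinit_allow_upn = true the UPN has to equal the request client principal. The string return codes, the exact-string principal comparison, and the sample names alice@EXAMPLE.COM and bob@EXAMPLE.COM are assumptions of this example; the real KDC parses the UPN into a krb5 principal and the thread does not spell out its comparison semantics.

```python
"""Model of the KDC-side UPN SAN rule from the krbdev reply (added example, not MIT code).

The kdc.conf setting Greg refers to goes in the realm stanza or in [kdcdefaults]:

    [kdcdefaults]
        pkinit_allow_upn = true

    [realms]
        EXAMPLE.COM = {
            pkinit_allow_upn = true
        }

Everything below is a self-contained DER encoder/parser plus the decision
rule; names, return codes and comparison semantics are assumptions.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName
PKINIT_SAN_OID = "1.3.6.1.5.2.2"     # id-pkinit-san (KRB5PrincipalName value; not built here)

TAG_SEQUENCE, TAG_OID, TAG_UTF8 = 0x30, 0x06, 0x0C
TAG_CTX0_CONS, TAG_CTX1_PRIM = 0xA0, 0x81   # otherName [0], rfc822Name [1]

OK, MISMATCH, NO_HANDLE = "ok", "mismatch", "no_handle"   # stand-ins for krb5 return codes


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, buf[start:start + length], start + length


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def decode_oid(data):
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_general_names(upns, emails=()):
    """DER GeneralNames: each UPN as otherName{UPN_OID, [0] UTF8String}, emails as rfc822Name."""
    names = b""
    for upn in upns:
        inner = der_tlv(TAG_OID, encode_oid(UPN_OID)) + der_tlv(TAG_CTX0_CONS, der_tlv(TAG_UTF8, upn.encode()))
        names += der_tlv(TAG_CTX0_CONS, inner)
    for email in emails:
        names += der_tlv(TAG_CTX1_PRIM, email.encode("ascii"))
    return der_tlv(TAG_SEQUENCE, names)


def parse_sans(general_names):
    """Return [(oid_or_kind, value), ...] for the otherName and rfc822Name entries."""
    tag, content, _ = der_read(general_names, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        if tag == TAG_CTX0_CONS:                       # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            otag, oid, p = der_read(body, 0)
            vtag, vbody, _ = der_read(body, p)
            if otag != TAG_OID or vtag != TAG_CTX0_CONS:
                raise ValueError("malformed otherName")
            itag, ibody, _ = der_read(vbody, 0)
            found.append((decode_oid(oid), ibody.decode() if itag == TAG_UTF8 else ibody))
        elif tag == TAG_CTX1_PRIM:
            found.append(("rfc822Name", body.decode("ascii")))
    return found


def authorize_upn(general_names, client_principal, allow_upn):
    """The rule from the reply: decline unless pkinit_allow_upn is set and a UPN SAN exists,
    then require the UPN to match the request client principal (exact-string compare assumed)."""
    upns = [v for oid, v in parse_sans(general_names) if oid == UPN_OID]
    if not allow_upn or not upns:
        return NO_HANDLE            # let another certauth module (e.g. dbmatch) decide
    return OK if client_principal in upns else MISMATCH


if __name__ == "__main__":
    card = build_general_names(["alice@EXAMPLE.COM"], emails=["alice@example.com"])  # constructed sample
    for principal, allow in (("alice@EXAMPLE.COM", False), ("alice@EXAMPLE.COM", True), ("bob@EXAMPLE.COM", True)):
        print(f"pkinit_allow_upn={str(allow).lower():5} client={principal}: {authorize_upn(card, principal, allow)}")
```

The useful observation is the first line of output: with the default pkinit_allow_upn = false the UPN-only card yields no_handle rather than a hard mismatch, which is what lets a later certauth module such as dbmatch still authorize it; a mismatch there would end the decision early.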