git.ipfire.org Git - thirdparty/krb5.git/commit
Fix PKINIT rule matching against UPN SANs (768/head)
author: Greg Hudson <ghudson@mit.edu>
Thu, 22 Mar 2018 23:46:22 +0000 (19:46 -0400)
committer: Greg Hudson <ghudson@mit.edu>
Wed, 25 Apr 2018 15:45:45 +0000 (11:45 -0400)
commit: 0f26c1c7504777d6e7bfa1d3dee575c504ab6c05
tree: 1f3bc0c4fa909af67fe7f97a42a47650f414c8e6
parent: 20c0296e536b791d051db523cd067398a1c6441d
Fix PKINIT rule matching against UPN SANs

Commit 46ff765e1fb8cbec2bb602b43311269e695dbedc (for ticket 8528)
broke rule-based matching of UPN SANs using the <SAN> rule type.  To
fix this regression, make crypto_retrieve_cert_sans() return UPN SANs
in their original string form, and only parse them into principal
names in pkinit_srv.c:verify_client_san().  In
pkinit_cert_matching_data, store UPN SANs as strings separately from
PKINIT SANs instead of concatenating them together, and match original
UPN strings against <SAN> rule regexps.  Add a test case.

ticket: 8670
tags: pullup
target_version: 1.16-next
src/plugins/preauth/pkinit/pkinit_crypto.h
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
src/plugins/preauth/pkinit/pkinit_matching.c
src/plugins/preauth/pkinit/pkinit_srv.c
src/plugins/preauth/pkinit/pkinit_trace.h
src/tests/t_pkinit.py