RT/krbdev.mit.edu: Ticket #8670 Regression in rule-based matching of PKINIT client certs with UPN SANs
The Basics
Id: 8670
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
  • 1.16.1
Target_Version
  • 1.16-next
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
  • 8528: (ghudson) Improve PKINIT UPN SAN matching [resolved]
Referred to by:
 
 Dates  
Created: Tue Apr 24 11:41:30 2018
Starts: Not set
Started: Not set
Last Contact: Not set
Due: Not set
Updated: Wed May 2 10:16:07 2018 by ghudson
 

People
Owner: ghudson
Requestors: ghudson@mit.edu
Cc:
AdminCc:

History
      Tue Apr 24 11:41:30 2018  ghudson - Ticket created    
     
Subject: Regression in rule-based matching of PKINIT client certs with UPN

Standard PKINIT client certificates use Subject Alternative Name
(SAN) values of type id-pkinit-san containing an ASN.1 DER
representation of the principal name and realm.  Client certificates
issued for use with Windows KDCs may instead contain SAN values of
type id-ms-san-sc-logon-upn containing a UTF-8 string giving the
UserPrincipalName (UPN) of the client account object.

Ticket 8528 improved matching of UPN SAN certificates against the
client principal.  As part of that improvement, UPN SAN values are
correctly parsed as enterprise principal names (one data component
usually containing an "@" character, no realm).  Unfortunately this
change breaks matching of UPN SANs against pkinit_cert_match rules.
The matching code concatenates PKINIT SAN and UPN SAN principals
together without remembering which is which, and unparses each
principal normally (yielding a string like "a\@b@DEFAULT.REALM" for
an enterprise principal name) before matching them against the
regular expression in the rule.  If the rule is written naturally as
"<SAN>^a@b$", it will not match.

The best fix is to record the original UPN SAN string in the matching
data and match that against the rule regexp.  An acceptable fix would
be to unparse UPN SANs with the KRB5_PRINCIPAL_UNPARSE_NO_REALM flag,
which would usually yield the original UPN string.


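The mismatch described in the ticket, as an added Python model (not krb5's own code): a toy unparse that backslash-quotes '@' inside a component and appends the realm, the pre-fix candidate list built by concatenating PKINIT SAN and UPN SAN principals, and the post-fix candidate list that keeps the UPN SAN as its original string, which is the approach the later commit message describes. Only the <SAN>regex rule form is modelled; the sample UPN "a@b", the rule "<SAN>^a@b$" and the realm name DEFAULT.REALM come from the ticket text, while the function and class names, the quoting rules of the toy unparse, and the second sample certificate are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical KDC default realm, named as in the ticket's example output.
DEFAULT_REALM = "DEFAULT.REALM"


@dataclass
class Principal:
    components: list
    realm: str
    enterprise: bool = False


def parse_upn_as_enterprise(upn: str, realm: str = DEFAULT_REALM) -> Principal:
    """The ticket's description of UPN parsing: the whole UPN becomes one
    component with no realm of its own, so the KDC default realm is filled in."""
    return Principal([upn], realm, enterprise=True)


def parse_pkinit_san(name: str, realm: str) -> Principal:
    """A decoded id-pkinit-san carries explicit components and a realm."""
    return Principal(name.split("/"), realm)


def unparse(p: Principal) -> str:
    """Toy model of normal unparsing (not krb5's unparse.c): '/', '@' and
    backslash inside a component are backslash-quoted, then '@' + realm follows."""
    quoted = []
    for comp in p.components:
        quoted.append("".join("\\" + ch if ch in "/@\\" else ch for ch in comp))
    return "/".join(quoted) + "@" + p.realm


@dataclass
class CertMatchingData:
    pkinit_sans: list  # Principal objects decoded from id-pkinit-san values
    upn_sans: list     # original UTF-8 strings from id-ms-san-sc-logon-upn values


def parse_rule(rule: str) -> re.Pattern:
    """Only the <SAN>regex rule form shown in the ticket is modelled."""
    m = re.fullmatch(r"<SAN>(.*)", rule, re.DOTALL)
    if m is None:
        raise ValueError("only <SAN> rules are modelled here")
    return re.compile(m.group(1))


def san_candidates_regressed(md: CertMatchingData) -> list:
    """Pre-fix behaviour: UPNs parsed as enterprise principals, concatenated
    with the PKINIT SAN principals, and every principal unparsed normally."""
    princs = md.pkinit_sans + [parse_upn_as_enterprise(u) for u in md.upn_sans]
    return [unparse(p) for p in princs]


def san_candidates_fixed(md: CertMatchingData) -> list:
    """Post-fix behaviour: PKINIT SANs unparsed, UPN SANs kept as the
    original strings and compared as-is."""
    return [unparse(p) for p in md.pkinit_sans] + list(md.upn_sans)


def rule_matches(rule: str, md: CertMatchingData, candidates) -> bool:
    """A <SAN> rule matches when its regex is found in any candidate string
    (search semantics, which is why the ticket's rule anchors with ^ and $)."""
    regex = parse_rule(rule)
    return any(regex.search(c) for c in candidates(md))


if __name__ == "__main__":
    # Constructed sample: a Windows-issued cert whose only SAN is the UPN "a@b".
    cert = CertMatchingData(pkinit_sans=[], upn_sans=["a@b"])
    rule = "<SAN>^a@b$"
    print("regressed candidates:", san_candidates_regressed(cert))
    print("regressed match:", rule_matches(rule, cert, san_candidates_regressed))
    print("fixed match:", rule_matches(rule, cert, san_candidates_fixed))
```

Running the script shows the regressed candidate list containing only "a\@b@DEFAULT.REALM", so the natural rule fails, while the fixed candidate list contains "a@b" and the same rule matches. A certificate that carries both a PKINIT SAN and a UPN SAN behaves the same way: the PKINIT SAN still matches under both code paths, and only the UPN rule is affected by the regression.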
      Tue Apr 24 11:41:42 2018  ghudson - Ticket 8670 RefersTo ticket 8528.    
      Wed Apr 25 12:01:50 2018  ghudson - Status changed from open to resolved    
      Wed Apr 25 12:01:50 2018  ghudson - Target_Version 1.16-next added    
      Wed Apr 25 12:01:50 2018  ghudson - Given to ghudson    
      Wed Apr 25 12:01:50 2018  ghudson - Tags pullup added    
      Wed Apr 25 12:01:50 2018  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Fix PKINIT rule matching against UPN SANs

Commit 46ff765e1fb8cbec2bb602b43311269e695dbedc (for ticket 8528)
broke rule-based matching of UPN SANs using the <SAN> rule type.  To
fix this regression, make crypto_retrieve_cert_sans() return UPN SANs
in their original string form, and only parse them into principal
names in pkinit_srv.c:verify_client_san().  In
pkinit_cert_matching_data, store UPN SANs as strings separately from
PKINIT SANs instead of concatenating them together, and match original
UPN strings against <SAN> rule regexps.  Add a test case.

https://github.com/krb5/krb5/commit/0f26c1c7504777d6e7bfa1d3dee575c504ab6c05
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0f26c1c7504777d6e7bfa1d3dee575c504ab6c05
Branch: master
 src/plugins/preauth/pkinit/pkinit_crypto.h         |    6 +-
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |   63 ++++----------------
 src/plugins/preauth/pkinit/pkinit_matching.c       |   20 ++++---
 src/plugins/preauth/pkinit/pkinit_srv.c            |   21 ++++--
 src/plugins/preauth/pkinit/pkinit_trace.h          |    3 +
 src/tests/t_pkinit.py                              |    7 ++
 6 files changed, 52 insertions(+), 68 deletions(-)


      Wed May  2 01:25:46 2018  ghudson - Version_Fixed 1.16.1 added    
      Wed May  2 01:25:46 2018  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Fix PKINIT rule matching against UPN SANs

Commit 46ff765e1fb8cbec2bb602b43311269e695dbedc (for ticket 8528)
broke rule-based matching of UPN SANs using the <SAN> rule type.  To
fix this regression, make crypto_retrieve_cert_sans() return UPN SANs
in their original string form, and only parse them into principal
names in pkinit_srv.c:verify_client_san().  In
pkinit_cert_matching_data, store UPN SANs as strings separately from
PKINIT SANs instead of concatenating them together, and match original
UPN strings against <SAN> rule regexps.  Add a test case.

(cherry picked from commit 0f26c1c7504777d6e7bfa1d3dee575c504ab6c05)

https://github.com/krb5/krb5/commit/67632329dbacf7b1964df01a88f061d2f16063ef
Author: Greg Hudson <ghudson@mit.edu>
Commit: 67632329dbacf7b1964df01a88f061d2f16063ef
Branch: krb5-1.16
 src/plugins/preauth/pkinit/pkinit_crypto.h         |    6 +-
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |   63 ++++----------------
 src/plugins/preauth/pkinit/pkinit_matching.c       |   20 ++++---
 src/plugins/preauth/pkinit/pkinit_srv.c            |   21 ++++--
 src/plugins/preauth/pkinit/pkinit_trace.h          |    3 +
 src/tests/t_pkinit.py                              |    7 ++
 6 files changed, 52 insertions(+), 68 deletions(-)


      Wed May  2 10:16:07 2018  ghudson - Keyword pullup deleted