Fix PKINIT rule matching against UPN SANs

Commit 46ff765e1fb8cbec2bb602b43311269e695dbedc (for ticket 8528) broke rule-based matching of UPN SANs using the rule type. To fix this regression, make crypto_retrieve_cert_sans() return UPN SANs in their original string form, and only parse them into principal names in pkinit_srv.c:verify_client_san(). In pkinit_cert_matching_data, store UPN SANs as strings separately from PKINIT SANs instead of concatenating them together, and match original UPN strings against rule regexps. Add a test case.

(cherry picked from commit 0f26c1c7504777d6e7bfa1d3dee575c504ab6c05)

https://github.com/krb5/krb5/commit/67632329dbacf7b1964df01a88f061d2f16063ef
Author: Greg Hudson
Commit: 67632329dbacf7b1964df01a88f061d2f16063ef
Branch: krb5-1.16

 src/plugins/preauth/pkinit/pkinit_crypto.h         |  6 +-
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 63 ++++---------------
 src/plugins/preauth/pkinit/pkinit_matching.c       | 20 ++++---
 src/plugins/preauth/pkinit/pkinit_srv.c            | 21 ++++--
 src/plugins/preauth/pkinit/pkinit_trace.h          |  3 +
 src/tests/t_pkinit.py                              |  7 ++
 6 files changed, 52 insertions(+), 68 deletions(-)