Improve PKINIT UPN SAN matching

Add the match_client() kdcpreauth callback and use it in verify_client_san(). match_client() preserves the direct UPN to request principal comparison and adds a direct comparison to the client principal, falling back to an alias DB search and comparison against the client principal.

Change crypto_retrieve_X509_sans() to parse UPN values as enterprise principals.

[ghudson@mit.edu: use match_client for both kinds of SANs]

https://github.com/krb5/krb5/commit/46ff765e1fb8cbec2bb602b43311269e695dbedc
Author: Matt Rogers
Committer: Greg Hudson
Commit: 46ff765e1fb8cbec2bb602b43311269e695dbedc
Branch: master

 src/include/krb5/kdcpreauth_plugin.h               | 13 +++++++++
 src/kdc/kdc_preauth.c                              | 28 ++++++++++++++++++-
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |  4 ++-
 src/plugins/preauth/pkinit/pkinit_srv.c            | 10 ++++---
 4 files changed, 48 insertions(+), 7 deletions(-)
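
The matching order the commit message describes, as an added simplified model (not code from the krb5 tree). Plain strings stand in for principals, and toy_db, toy_db_lookup() and match_client_model() are hypothetical names with constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy principal database: one canonical name plus aliases. */
struct db_entry {
    const char *canonical;
    const char *aliases[2];
};

static const struct db_entry toy_db[] = {
    { "alice@EXAMPLE.COM", { "alice\\@corp.example@EXAMPLE.COM", NULL } },
    { "bob@EXAMPLE.COM",   { "bob\\@corp.example@EXAMPLE.COM", NULL } },
};

/* Hypothetical alias-aware lookup: canonical name for `name`, or NULL. */
static const char *toy_db_lookup(const char *name)
{
    size_t i, j;

    for (i = 0; i < sizeof(toy_db) / sizeof(toy_db[0]); i++) {
        if (strcmp(toy_db[i].canonical, name) == 0)
            return toy_db[i].canonical;
        for (j = 0; j < 2 && toy_db[i].aliases[j] != NULL; j++) {
            if (strcmp(toy_db[i].aliases[j], name) == 0)
                return toy_db[i].canonical;
        }
    }
    return NULL;
}

/* Return 1 if the certificate SAN principal identifies the client. */
int match_client_model(const char *san, const char *request_princ,
                       const char *client_princ)
{
    const char *canonical;

    if (strcmp(san, request_princ) == 0)   /* 1: SAN vs. request principal */
        return 1;
    if (strcmp(san, client_princ) == 0)    /* 2: SAN vs. client DB principal */
        return 1;
    canonical = toy_db_lookup(san);        /* 3: alias search, then compare */
    return canonical != NULL && strcmp(canonical, client_princ) == 0;
}
```

A SAN that resolves through the alias search to a different entry, or to no entry, is rejected, so the alias fallback only accepts names that map to the client being authenticated.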