Subject: Better logging needed for PKINIT client name mismatch

If a PKINIT client certificate does not contain SANs sufficient to match the client principal, we generate only "Client name mismatch" in the KDC logs. Because we have no tools to examine the PKINIT extensions in certificates and OpenSSL cannot display them, there is no straightforward way to identify and resolve the problem.

The PKINIT kdcpreauth module should generate extended error messages addressing these cases:

1. There are no principal or UPN SANs in the certificate.
2. There are only UPN SANs in the certificate, but the KDC is not configured to accept UPNs.
3. There is one principal SAN (and no UPN SANs) and it doesn't match (log the unparsed principal SAN).
4. There is one UPN SAN and it doesn't match (log the unparsed UPN SAN).
5. There are multiple SANs and none of them match (this case should be rare, so not logging the SANs is okay).

When we call crypto_retrieve_cert_sans from verify_client_san, we should request UPN SANs unconditionally so that we can distinguish case 1 from case 2.

Here is an example of someone getting the vague error: http://mailman.mit.edu/pipermail/kerberos/2014-June/019922.html
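The following is an added illustration, not krb5 code: a hypothetical model of the decision verify_client_san would make once it has both SAN lists in hand, emitting one of the five diagnostics above instead of the bare "Client name mismatch". The function name, the san_log buffer and the use of plain strcmp in place of real principal/UPN matching are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* A match, or one of the five mismatch cases listed in the ticket. */
enum san_verdict { SAN_MATCH, SAN_NO_SANS, SAN_UPN_ONLY_NOT_ALLOWED,
                   SAN_ONE_PRINC_MISMATCH, SAN_ONE_UPN_MISMATCH,
                   SAN_MULTI_MISMATCH };
/* Last diagnostic produced; stands in for the KDC log line. */
char san_log[256];
#define LOG(...) snprintf(san_log, sizeof(san_log), __VA_ARGS__)
/* Hypothetical model of verify_client_san(): princ_sans/upn_sans are the
 * unparsed SAN strings already retrieved from the cert (UPN SANs requested
 * unconditionally, so nupn == 0 really means none); client is the requested
 * client principal; allow_upn is whether the KDC accepts UPNs. */
enum san_verdict
classify_client_san(const char **princ_sans, int nprinc,
                    const char **upn_sans, int nupn,
                    const char *client, int allow_upn)
{
    int i;
    /* Principal SANs always count; UPN SANs only if the KDC allows them. */
    for (i = 0; i < nprinc; i++)
        if (strcmp(princ_sans[i], client) == 0) {
            LOG("Client name matches principal SAN %s", client);
            return SAN_MATCH;
        }
    for (i = 0; allow_upn && i < nupn; i++)
        if (strcmp(upn_sans[i], client) == 0) {
            LOG("Client name matches UPN SAN %s", client);
            return SAN_MATCH;
        }
    /* No match: say why, in the order the ticket lists the cases. */
    if (nprinc == 0 && nupn == 0) {
        LOG("Client name mismatch: no principal or UPN SANs in certificate");
        return SAN_NO_SANS;
    }
    if (nprinc == 0 && !allow_upn) {
        LOG("Client name mismatch: only UPN SANs present, KDC does not accept UPNs");
        return SAN_UPN_ONLY_NOT_ALLOWED;
    }
    if (nprinc == 1 && nupn == 0) {
        LOG("Client name mismatch: principal SAN %s != %s", princ_sans[0], client);
        return SAN_ONE_PRINC_MISMATCH;
    }
    if (nprinc == 0 && nupn == 1) {
        LOG("Client name mismatch: UPN SAN %s != %s", upn_sans[0], client);
        return SAN_ONE_UPN_MISMATCH;
    }
    LOG("Client name mismatch: %d SANs present, none match %s", nprinc + nupn, client);
    return SAN_MULTI_MISMATCH;
}
```

Because the verdict and the log text are computed in one place, an operator reading the KDC log can tell a certificate with no SANs apart from one whose UPN the KDC was never configured to accept.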