Subject: Better logging needed for PKINIT client name mismatch
If a PKINIT client certificate does not contain SANs sufficient to match
the client principal, we generate only "Client name mismatch" in the KDC
logs. Because we have no tools to examine the PKINIT extensions in
certificates and OpenSSL cannot display them, there is no
straightforward way to identify and resolve the problem.

The PKINIT kdcpreauth module should generate extended error messages
addressing these cases:

1. There are no principal or UPN SANs in the certificate.
2. There are only UPN SANs in the certificate but the KDC is not
configured to accept UPNs.
3. There is one principal SAN (and no UPN SANs) and it doesn't match
(log the unparsed principal SAN).
4. There is one UPN SAN and it doesn't match (log the unparsed UPN SAN).
5. There are multiple SANs and none of them match (this case should be
rare, so not logging the SANs is okay).

When we call crypto_retrieve_cert_sans from verify_client_san, we should
request UPN SANs unconditionally so that we can distinguish case 1 from
case 2.

Here is an example of someone getting the vague error:

http://mailman.mit.edu/pipermail/kerberos/2014-June/019922.html
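
The five cases listed in the ticket, sketched as a classifier that builds the extended log message. This is an added example, not code from the ticket or from krb5: `classify_sans`, the enum values and the message strings are hypothetical, and SANs are compared as plain unparsed strings instead of parsed principals.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout. SANs are modelled as already-unparsed
 * strings; the real module compares krb5_principal values. */
enum san_result { SAN_MATCH, SAN_NONE, SAN_UPN_DISABLED, SAN_PRINC_MISMATCH,
                  SAN_UPN_MISMATCH, SAN_MULTI_MISMATCH };

static const char *const reasons[] = {
    [SAN_MATCH] = "SAN matches",
    [SAN_NONE] = "no principal or UPN SANs in certificate",
    [SAN_UPN_DISABLED] = "only UPN SANs present, KDC not configured to accept UPNs",
    [SAN_PRINC_MISMATCH] = "principal SAN does not match",
    [SAN_UPN_MISMATCH] = "UPN SAN does not match",
    [SAN_MULTI_MISMATCH] = "multiple SANs, none match",
};

static int contains(const char **list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return 1;
    return 0;
}

/* The caller passes UPN SANs even when allow_upn is 0, so that case 1
 * (no SANs at all) can be told apart from case 2 (UPNs present but off). */
enum san_result classify_sans(const char *client, const char **princs,
                              size_t nprincs, const char **upns, size_t nupns,
                              int allow_upn, char *msg, size_t len)
{
    const char *san = "";
    enum san_result r = SAN_MULTI_MISMATCH;              /* case 5 */

    if (contains(princs, nprincs, client) ||
        (allow_upn && contains(upns, nupns, client)))
        r = SAN_MATCH;
    else if (nprincs == 0 && nupns == 0)
        r = SAN_NONE;                                    /* case 1 */
    else if (nprincs == 0 && !allow_upn)
        r = SAN_UPN_DISABLED;                            /* case 2 */
    else if (nprincs == 1 && nupns == 0)
        { r = SAN_PRINC_MISMATCH; san = princs[0]; }     /* case 3 */
    else if (nprincs == 0 && nupns == 1)
        { r = SAN_UPN_MISMATCH; san = upns[0]; }         /* case 4 */
    snprintf(msg, len, "%s: %s%s%s", client, reasons[r], *san ? ": " : "", san);
    return r;
}
```

The SAN value is only included for the single-SAN cases (3 and 4), as the ticket proposes; the multiple-SAN case logs the reason alone.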