From: ghudson@mit.edu
Subject: git commit

Improve PKINIT UPN SAN matching

Add the match_client() kdcpreauth callback and use it in
verify_client_san(). match_client() preserves the direct UPN to
request principal comparison and adds a direct comparison to the
client principal, falling back to an alias DB search and comparison
against the client principal. Change crypto_retreive_X509_sans() to
parse UPN values as enterprise principals.
[ghudson@mit.edu: use match_client for both kinds of SANs]
https://github.com/krb5/krb5/commit/46ff765e1fb8cbec2bb602b43311269e695dbedc
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 46ff765e1fb8cbec2bb602b43311269e695dbedc
Branch: master
src/include/krb5/kdcpreauth_plugin.h | 13 +++++++++
src/kdc/kdc_preauth.c | 28 ++++++++++++++++++-
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 ++-
src/plugins/preauth/pkinit/pkinit_srv.c | 10 ++++---
4 files changed, 48 insertions(+), 7 deletions(-)