From: ghudson@mit.edu
Subject: git commit

Improve PKINIT UPN SAN matching

Add the match_client() kdcpreauth callback and use it in
verify_client_san(). match_client() preserves the direct UPN to
request principal comparison and adds a direct comparison to the
client principal, falling back to an alias DB search and comparison
against the client principal. Change crypto_retreive_X509_sans() to
parse UPN values as enterprise principals.

[ghudson@mit.edu: use match_client for both kinds of SANs]

https://github.com/krb5/krb5/commit/46ff765e1fb8cbec2bb602b43311269e695dbedc
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 46ff765e1fb8cbec2bb602b43311269e695dbedc
Branch: master
src/include/krb5/kdcpreauth_plugin.h | 13 +++++++++
src/kdc/kdc_preauth.c | 28 ++++++++++++++++++-
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 ++-
src/plugins/preauth/pkinit/pkinit_srv.c | 10 ++++---
4 files changed, 48 insertions(+), 7 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add test cert generation to make-certs.sh

Add additional test certificates for UPN matching. Run make-certs.sh
to regenerate certs.

https://github.com/krb5/krb5/commit/5a1d0388ba2e4ec510ed715ce5fbc7f748941425
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 5a1d0388ba2e4ec510ed715ce5fbc7f748941425
Branch: master
src/tests/dejagnu/pkinit-certs/ca.pem | 54 +++++++++++-----------
src/tests/dejagnu/pkinit-certs/kdc.pem | 50 +++++++++++----------
src/tests/dejagnu/pkinit-certs/make-certs.sh | 53 ++++++++++++++++++++++-
src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 52 +++++++++++-----------
src/tests/dejagnu/pkinit-certs/privkey.pem | 50 +++++++++++-----------
src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 3029 -> 2837 bytes
src/tests/dejagnu/pkinit-certs/user-upn.p12 | Bin 0 -> 2829 bytes
src/tests/dejagnu/pkinit-certs/user-upn.pem | 28 ++++++++++++
src/tests/dejagnu/pkinit-certs/user-upn2.p12 | Bin 0 -> 2813 bytes
src/tests/dejagnu/pkinit-certs/user-upn2.pem | 28 ++++++++++++
src/tests/dejagnu/pkinit-certs/user-upn3.csr | 16 +++++++
src/tests/dejagnu/pkinit-certs/user-upn3.p12 | Bin 0 -> 2829 bytes
src/tests/dejagnu/pkinit-certs/user-upn3.pem | 28 ++++++++++++
src/tests/dejagnu/pkinit-certs/user.p12 | Bin 3104 -> 2837 bytes
src/tests/dejagnu/pkinit-certs/user.pem | 56 +++++++++++-------------
15 files changed, 283 insertions(+), 132 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add PKINIT UPN tests to t_pkinit.py

[ghudson@mit.edu: simplify and explain tests; add test for
id-pkinit-san match against canonicalized client principal]

https://github.com/krb5/krb5/commit/d520fd3f032121b61b22681838af96ee505fe44d
Author: Matt Rogers <mrogers@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: d520fd3f032121b61b22681838af96ee505fe44d
Branch: master
src/tests/t_pkinit.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 57 insertions(+), 0 deletions(-)