authorGreg Hudson <ghudson@mit.edu>2018-03-22 19:46:22 -0400
committerGreg Hudson <ghudson@mit.edu>2018-05-02 00:47:59 -0400
commit67632329dbacf7b1964df01a88f061d2f16063ef (patch)
tree91cdb55122559e683b87cc20108c390c77a1563c /src/tests/t_pkinit.py
parent37c517f3a1ec980227dd1e8f40033e439848c1dd (diff)
Fix PKINIT rule matching against UPN SANs
Commit 46ff765e1fb8cbec2bb602b43311269e695dbedc (for ticket 8528) broke rule-based matching of UPN SANs using the <SAN> rule type. To fix this regression, make crypto_retrieve_cert_sans() return UPN SANs in their original string form, and only parse them into principal names in pkinit_srv.c:verify_client_san(). In pkinit_cert_matching_data, store UPN SANs as strings separately from PKINIT SANs instead of concatenating them together, and match original UPN strings against <SAN> rule regexps. Add a test case. (cherry picked from commit 0f26c1c7504777d6e7bfa1d3dee575c504ab6c05) ticket: 8670 version_fixed: 1.16.1
Diffstat (limited to 'src/tests/t_pkinit.py')
-rwxr-xr-xsrc/tests/t_pkinit.py7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index b790a7c..86fe661 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -301,6 +301,13 @@ realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % p12_identity])
realm.klist(realm.user_princ)
+# Regression test for #8670: match a UPN SAN with a single rule.
+rule = '<SAN>^user@krbtest.com$'
+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
+realm.kinit(realm.user_princ,
+ flags=['-X', 'X509_user_identity=%s' % p12_upn_identity])
+realm.klist(realm.user_princ)
+
# Match a combined rule (default prefix is &&).
rule = '<SUBJECT>CN=user$<KU>digitalSignature,keyEncipherment'
realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])