
Make certauth eku module restrictive-only #694

Merged
merged 3 commits into from
Aug 29, 2017

Commits on Aug 29, 2017

  1. Fix certauth built-in module returns

    The PKINIT certauth eku module should never authoritatively authorize
    a certificate, because an extended key usage does not establish a
    relationship between the certificate and any specific user; it only
    establishes that the certificate was created for PKINIT client
    authentication.  Therefore, pkinit_eku_authorize() should return
    KRB5_PLUGIN_NO_HANDLE on success, not 0.
    
    The certauth san module should pass if it does not find any SANs of
    the types it can match against; the presence of other types of SANs
    should not cause it to explicitly deny a certificate.  Check for an
    empty result from crypto_retrieve_cert_sans() in verify_client_san(),
    instead of returning ENOENT from crypto_retrieve_cert_sans() when
    there are no SANs at all.
    
    ticket: 8561
    greghudson committed Aug 29, 2017, commit 07243f8
  2. Add test cert with no extensions

    Add commands to make-certs.sh to generate a test client certificate
    with no certificate extensions.  Re-run make-certs.sh.
    
    ticket: 8562
    greghudson committed Aug 29, 2017, commit 0d23835
  3. Add PKINIT test case for generic client cert

    In t_pkinit.py, add a test case where a client cert with no extensions
    is authorized via subject and issuer using a pkinit_cert_match string
    attribute.
    
    ticket: 8562
    greghudson committed Aug 29, 2017, commit 8c5d508
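As an added illustration (not krb5's own code) of the return-value semantics behind commits 1 and 3: a small Python model of how a KDC combines certauth module verdicts, assuming any return other than 0 or KRB5_PLUGIN_NO_HANDLE denies and that at least one module must return 0 for the certificate to be authorized. The module functions, the certificate dicts, the `BAD_EKU` label and the `dbmatch_module` stand-in for a `pkinit_cert_match` rule are all constructed for the example.

```python
# Added model (not krb5's own code) of how a KDC combines PKINIT certauth
# module verdicts.  Certificates are constructed dicts, not parsed X.509.
ACCEPT = 0                               # authorize cert for this principal
NO_HANDLE = "KRB5_PLUGIN_NO_HANDLE"      # no opinion; defer to other modules
MISMATCH = "KRB5KDC_ERR_CLIENT_NAME_MISMATCH"
BAD_EKU = "REJECT_NO_PKINIT_EKU"         # constructed label for an EKU failure

def eku_module(cert, princ, restrictive_only=True):
    """Require the PKINIT client EKU.  An EKU says the cert was issued for
    PKINIT, not whose it is, so success must defer (NO_HANDLE, this PR's fix);
    restrictive_only=False reproduces the old return of 0."""
    if not cert.get("pkinit_client_eku"):
        return BAD_EKU
    return NO_HANDLE if restrictive_only else ACCEPT

def san_module(cert, princ):
    """Match princ against PKINIT SANs; with no matchable SANs, defer."""
    sans = cert.get("pkinit_sans", ())
    if not sans:
        return NO_HANDLE
    return ACCEPT if princ in sans else MISMATCH

def dbmatch_module(cert, princ, cert_match_subject):
    """Stand-in for a pkinit_cert_match rule (constructed: a subject string)."""
    return ACCEPT if cert.get("subject") == cert_match_subject else NO_HANDLE

def authorize(cert, princ, modules):
    """Any explicit error denies; otherwise at least one ACCEPT is required."""
    accepted = False
    for mod in modules:
        ret = mod(cert, princ)
        if ret == ACCEPT:
            accepted = True
        elif ret != NO_HANDLE:
            return ret
    return ACCEPT if accepted else MISMATCH

# Constructed client cert with the PKINIT EKU and no SANs (commit 2's case).
GENERIC_CERT = {"pkinit_client_eku": True, "subject": "CN=generic client"}

def verdict_with_authoritative_eku(princ="alice@EXAMPLE.COM"):
    """Old eku return of 0: any PKINIT-capable cert authorizes any principal."""
    mods = [lambda c, p: eku_module(c, p, restrictive_only=False), san_module]
    return authorize(GENERIC_CERT, princ, mods)

def verdict_with_restrictive_eku(princ="alice@EXAMPLE.COM", match=None):
    """Fixed eku: a cert-to-principal module must accept before authorization."""
    mods = [eku_module, san_module, lambda c, p: dbmatch_module(c, p, match)]
    return authorize(GENERIC_CERT, princ, mods)
```

With the eku module deferring, the generic certificate is only authorized once a module that binds the certificate to the principal (here the `pkinit_cert_match` stand-in) returns 0, which is the situation commit 3's test case exercises.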