On 08/11/2015 03:23 PM, Fraser Tweedale wrote:
On Sun, Aug 09, 2015 at 08:03:47PM +1000, Fraser Tweedale wrote:
The attached patch fixes a bug in KRB5PrincipalName / UPN SAN
validation.

Thanks,
Fraser

For testing this, the following `openssl req' config will serve as a
starting point; customise the names / realm as appropriate.

[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "alice"

[ exts ]
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:krb5principal

[ krb5principal ]
realm = EXPLICIT:0,GeneralString:IPA.LOCAL
principalname = EXPLICIT:1,SEQUENCE:principalname

[ principalname ]
nametype = EXPLICIT:0,INT:0
namestring = EXPLICIT:1,SEQUENCE:namestring

[ namestring ]
part1 = GeneralString:alice


Thanks for the help, I'm an ASN.1 n00b.

ACK.

--
Martin^3 Babinsky
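
Added example (not part of the thread and not FreeIPA code): a small Python decoder for the KRB5PrincipalName value that the `openssl req' config quoted above encodes, following the RFC 4556 layout, so a tester can confirm which principal a request carries. The function names and the hex sample are constructed for illustration; it assumes short-form DER lengths and ASCII name components.

```python
# Decode a KRB5PrincipalName (RFC 4556) otherName value.
# Assumption: every element is shorter than 128 bytes (short-form length).

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled here")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos + 2:end], end

def expect(buf, want_tag, pos=0):
    """Read one element and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected tag {want_tag:#04x}, got {tag:#04x}")
    return value, nxt

def parse_krb5_principal_name(der):
    """Return (realm, name_type, [components])."""
    seq, end = expect(der, 0x30)             # KRB5PrincipalName SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after KRB5PrincipalName")
    realm_wrap, pos = expect(seq, 0xA0)      # [0] EXPLICIT realm
    realm, _ = expect(realm_wrap, 0x1B)      # GeneralString
    pn_wrap, _ = expect(seq, 0xA1, pos)      # [1] EXPLICIT principalName
    pn, _ = expect(pn_wrap, 0x30)            # PrincipalName SEQUENCE
    nt_wrap, p = expect(pn, 0xA0)            # [0] EXPLICIT name-type
    nt, _ = expect(nt_wrap, 0x02)            # INTEGER
    ns_wrap, _ = expect(pn, 0xA1, p)         # [1] EXPLICIT name-string
    names, _ = expect(ns_wrap, 0x30)         # SEQUENCE OF GeneralString
    parts, p = [], 0
    while p < len(names):
        part, p = expect(names, 0x1B, p)
        parts.append(part.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt, "big", signed=True), parts

def principal_string(der):
    realm, _, parts = parse_krb5_principal_name(der)
    return "/".join(parts) + "@" + realm

# Constructed sample: DER for the [ krb5principal ] section as written above.
SAMPLE = bytes.fromhex(
    "3021" "a00b1b094950412e4c4f43414c"
    "a112" "3010" "a003020100" "a109" "3007" "1b05616c696365"
)
```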
