On 11/08/15 15:31, Martin Babinsky wrote:
On 08/11/2015 03:23 PM, Fraser Tweedale wrote:
On Sun, Aug 09, 2015 at 08:03:47PM +1000, Fraser Tweedale wrote:
The attached patch fixes a bug in KRB5PrincipalName / UPN SAN
validation.

Thanks,
Fraser

For testing this, the following `openssl req' config will serve as a
starting point; customise the names / realm as appropriate.

[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "alice"

[ exts ]
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:krb5principal

[ krb5principal ]
realm = EXPLICIT:0,GeneralString:IPA.LOCAL
principalname = EXPLICIT:1,SEQUENCE:principalname

[ principalname ]
nametype = EXPLICIT:0,INT:0
namestring = EXPLICIT:1,SEQUENCE:namestring

[ namestring ]
part1 = GeneralString:alice


Thank for help, I'm ASN.1 n00b.

ACK.

Pushed to:
master: ba7e5df19433faddc1369a26824e7fc6efd7f983
ipa-4-2: 58cf1cd65fc1e8d02a8b5f43fd5157786e232486

--
Martin Basti

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to