[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT

On Jan 25, 2008, at 1:03 PM, Timothy J. Miller wrote:

> Also, the requirement for the IETF EKU, id-pkekuoid, was not  
> enforced.  This patch enforces it, but I've not been able to test it.

I meant to type: I haven't been able to test the IETF EKU.  I *have*  
tested the MS EKU to death, and it works like a champ.  This is  
because while I have an abundance of CACs and smartcard logon enabled  
Windows domains, I have no KDC against which I can test with the RFC  
values (my lab space is, shall we say, constrained).

I also haven't profiled this patch to ensure no memory leakage.  I'm  
pretty sure I was a good boy (only hx509_query_match_on_eku() does  
anything that could leak memory) but I've been known to make  
mistakes.  Just FYI.

-- Tim