
Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT

>> I guess that won't work for you Henry. What does your selection
>> language look like?
>> Love
> If we can do things the way we want, then it should work fine.  I  
> think.  We hope to put both a MS eku and the ietf pk-init eku on the  
> card with different values.
> Our problem is that the organization issuing the cards covers more  
> than one utilizing organization.  The utilizing organizations will  
> need different priorities (we think), and they will want to access  
> each other's infrastructure.

Ok, I just added a certificate selection language to Heimdal's hx509.

hxtool query \
	--expr='"" IN %{certificate.eku} AND %{certificate.subject} TAILMATCH "C=SE"' \
	FILE:$srcdir/data/kdc.crt > /dev/null || exit 1

Would this do?