[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT

To: Timothy J Miller <tmiller@mitre.org>
Subject: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Tue, 18 Mar 2008 17:08:52 +0100
Cc: "Henry B. Hotz" <hotz@jpl.nasa.gov>, heimdal-discuss@sics.se
In-Reply-To: <2EBDABBB-8698-4D48-AA2A-AA211C3EB4E3@mitre.org>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <6455A0C9-FF84-46A3-A05F-DDC6C0500A12@mitre.org> <37AB5B0F-20FB-4B1B-92B0-A1C79AF19643@kth.se> <2BDE73D6-2FBA-4A71-9E3E-A1166B77CB9C@mitre.org> <8978F34A-2F2F-4BC5-8797-8E71E3C5F90E@kth.se> <0EAE1BB4-FB2B-4D56-A84F-DBCC41ADF43E@jpl.nasa.gov> <8BDC7CE6-1359-4F26-889D-C7F6FD8A1D84@kth.se> <6550F2DB-EC48-4D9F-B6F1-AB85E1BBAF66@jpl.nasa.gov> <E49FDDDD-BB90-4563-B601-1171D6FE3C93@kth.se> <2EBDABBB-8698-4D48-AA2A-AA211C3EB4E3@mitre.org>
Reply-To: heimdal-discuss@sics.se, Love Hörnquist Åstrand <lha@kth.se>


18 mar 2008 kl. 14.50 skrev Timothy J Miller:

> On Mar 14, 2008, at 1:55 PM, Love Hörnquist Åstrand wrote:
>>
>> Ok, I just added a certificate selection language to heimdal's hx509.
>>
>> hxtool query \
>> 	--expr='"1.3.6.1.5.2.3.5" IN %{certificate.eku} AND % 
>> {certificate.subject} TAILMATCH "C=SE"'  \
>> 	FILE:$srcdir/data/kdc.crt > /dev/null || exit 1
>>
>> Would this do ?
>
> How rich is this expression allowed to be?

Variables are really trees and, matching on a level of the subtrees  
(keyword IN) is possible.

4.3 Matching syntax
===================

This is the language definitions somewhat slopply descriped:


      expr = TRUE,
           FALSE,
           ! expr,
           expr AND expr,
           expr OR expr,
           ( expr )
           compare

      compare =
           word == word,
           word != word,
           word IN ( word [, word ...])
           word IN %{variable.subvariable}

      word =
           STRING,
           %{variable}


Love

References:
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: Timothy J Miller <tmiller@mitre.org>

Prev by Date: Re: Heimdal 1.1
Next by Date: Contact Accredited Agent Immediately,
Prev by thread: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
Next by thread: SPNEGO and credentials delegation
Index(es):
- Date
- Thread