From 36b923f56a7152ef60f95db2758a39dd0ac40554 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sat, 29 Apr 2006 14:30:01 +0000
Subject: [PATCH] (_kdc_pk_check_client): reorganize and make log when a SAN matches.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17348 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/pkinit.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 38bfe56b8..76beadf1d 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -1120,14 +1120,6 @@ _kdc_pk_check_client(krb5_context context,
 hx509_name name;
 int i;
- if (config->enable_pkinit_princ_in_cert) {
- ret = pk_principal_from_X509(context, config,
- client_params->cert,
- client_princ);
- if (ret == 0)
- return 0;
- }
-
 ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx, client_params->cert, &name);
@@ -1143,6 +1135,17 @@ _kdc_pk_check_client(krb5_context context,
 "Trying to authorize subject DN %s", *subject_name);
+ if (config->enable_pkinit_princ_in_cert) {
+ ret = pk_principal_from_X509(context, config,
+ client_params->cert,
+ client_princ);
+ if (ret == 0) {
+ kdc_log(context, config, 5,
+ "Found matching PK-INIT SAN in certificate");
+ return 0;
+ }
+ }
+
 for (i = 0; i < principal_mappings.len; i++) {
 krb5_boolean b;
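Review bot: The success message added before `return 0` in the second hunk records that a SAN matched but not for which certificate, so this authorization decision can only be audited by pairing it with the preceding "Trying to authorize subject DN" line, which may be interleaved with other requests in a busy KDC log. Since `*subject_name` is already populated at this point, the message could carry it: `"Found matching PK-INIT SAN in certificate for subject DN %s", *subject_name);`. Moving the SAN check below the subject lookup also means the early return now leaves `*subject_name` set for the caller. A failure in the subject extraction (the lines between the two hunks are not shown) would presumably now reject the client before the SAN match is tried; both effects are worth confirming as intended. The body of `_kdc_pk_check_client` starts and ends outside these hunks.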