[krbdev.mit.edu #6851] pkinit can't parse some valid cms messages

nalin@redhat.com via RT rt-comment at krbdev.mit.edu
Wed Jun 20 14:12:29 EDT 2012


While PKCS7_cert_from_signer_info(), the function which PKINIT
previously used to pull out the signer's certificate, always retrieved
the signer's certificate by searching the signed-data's list of
certificates for a match, CMS_SignerInfo_get0_algs() only returns the
certificate from the "signer" field of the CMS_SignerInfo it's given, so
that field needs to be set beforehand.

I gather that's usually expected to be accomplished as a by-product of
calling CMS_verify(), which calls CMS_set1_signers_certs(), which calls
CMS_SignerInfo_set1_signer_cert(), which actually sets the field.

Because PKINIT uses CMS_SignerInfo_get0_algs() to read the signer
certificate before it calls CMS_verify(), PKINIT also calls
CMS_set1_signers_certs() first, directly, to make sure that the
CMS_SignerInfo's "signer" field will have been populated, and that was
enough when this ticket was created.

I just built a test KDC running Heimdal 1.2.1 and pointed a krb5 1.10.2
client at it, both running on the same system with OpenSSL 1.0.1c, and
I'm able to get a TGT, so I can't see anything that's obviously wrong.


