[krbdev.mit.edu #7072] PKINIT pk_as_rep_draft9 encoding issues
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Feb 10 21:53:42 EST 2012
It turns out we don't use decode_krb5_pa_pk_as_rep_draft9 anywhere in the
PKINIT plugin.
Instead, we pass both kinds of PKINIT replies through
decode_krb5_pa_pk_as_rep, which should succeed for the encKeyPack
alternative and fail for the Diffie-Hellman alternative. For the
encKeyPack alternative, the unwrapped envelope data is then decoded as
either an RFC or draft9 ReplyKeyPack.
So the broken pa_pk_as_rep_draft9 decoder can be removed.