[krbdev.mit.edu #8544] Wrong PKCS11 PIN can trigger PKINIT draft9 code
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Feb 1 15:36:34 EST 2017
In a common PKINIT scenario, the KDC method data offers both RFC 4556
PKINIT and draft 9 PKINIT padata types. We try the PKINIT module on
both types, and typically they either both succeed or both fail.
However, if there is a PKCS11 token in the mix, the user could trigger
a failure with the RFC 4556 PKINIT code path by entering the wrong
PIN, and then a success with the draft 9 code path by entering the
right PIN. This scenario results in downgrading to draft 9 when the
KDC supports RFC 4556.
A conservative solution is to use request context state to prevent the
draft9 code from operating if the RFC 4556 code has already made an
attempt. A more aggressive solution is to remove the draft9 code
(#8543).
http://mailman.mit.edu/pipermail/kerberos/2017-February/021585.html
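The downgrade sequence above and the conservative fix, as an added model that is not MIT krb5 code: the padata type numbers are the RFC 4120 values, while the request context, the prompt callback and the `guard` switch are constructed for this illustration.

```python
"""Constructed model of the PKINIT padata selection in krbdev #8544.

The KDC offers both PKINIT padata types; the client module tries each
in order; a PKCS11 PIN prompt can fail on one attempt and succeed on
the next.  `guard=True` adds the request-context check from the ticket.
"""
PA_PK_AS_REQ = 16      # RFC 4556 PKINIT (RFC 4120 padata registry)
PA_PK_AS_REQ_OLD = 14  # draft 9 PKINIT


class RequestContext:
    """Per-request state carried across padata attempts (constructed)."""
    def __init__(self):
        self.rfc4556_attempted = False


def try_pkinit(pa_type, prompt_pin, correct_pin, ctx, guard):
    """One PKINIT module attempt; returns 'rfc4556', 'draft9' or None."""
    if pa_type == PA_PK_AS_REQ:
        ctx.rfc4556_attempted = True          # remember we tried RFC 4556
        return "rfc4556" if prompt_pin() == correct_pin else None
    if pa_type == PA_PK_AS_REQ_OLD:
        if guard and ctx.rfc4556_attempted:
            return None                       # fix: never fall back to draft 9
        return "draft9" if prompt_pin() == correct_pin else None
    return None                               # not a PKINIT padata type


def run_preauth(padata_types, pin_entries, correct_pin, guard):
    """Walk the KDC's padata list like the client preauth loop does.

    pin_entries are the PINs the user types, one per prompt, in order.
    """
    ctx = RequestContext()
    entries = list(pin_entries)

    def prompt_pin():
        return entries.pop(0) if entries else None

    for pa_type in padata_types:
        result = try_pkinit(pa_type, prompt_pin, correct_pin, ctx, guard)
        if result:
            return result
    return None


if __name__ == "__main__":
    both = [PA_PK_AS_REQ, PA_PK_AS_REQ_OLD]
    print("unguarded, wrong then right PIN:", run_preauth(both, ["0000", "1234"], "1234", guard=False))
    print("guarded,   wrong then right PIN:", run_preauth(both, ["0000", "1234"], "1234", guard=True))
```

With the guard in place a mistyped PIN makes the whole request fail rather than silently completing over draft 9, and a KDC that offers only the draft 9 type still works.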