[krbdev.mit.edu #8544] Wrong PKCS11 PIN can trigger PKINIT draft9 code
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue Feb 7 14:12:34 EST 2017
This issue doesn't manifest if C_Login() fails with the wrong PIN,
because that failure will be remembered in the identity_prompt_retval
field of the pkinit_req_context structure, and pkinit_client_process()
on the draft9 padata type will give up before prompting again. This
makes it hard to reproduce the issue in t_pkinit.py using soft-pkcs11.
In the failing scenario, C_Login() succeeds, but C_Sign() later fails.
I'm not quite sure what the draft9 code path is that results in another
prompt, since identity_prompted should be true at that point.