pkinit plugin logic in pkinit_srv.c

Greg Hudson ghudson at
Thu Aug 24 11:02:45 EDT 2017

On 08/24/2017 09:39 AM, Craig Huckabee wrote:
> While running some tests with the latest development builds, I noticed that the plugin test logic in pkinit_srv.c might be flawed.  The comment in the plugin check codes says:
>      /*
>      * Check the certificate against each certauth module.  For the certificate
>      * to be authorized at least one module must return 0, and no module can return
>      * an error code other than KRB5_PLUGIN_NO_HANDLE (pass).  Add indicators from
>      * modules that return 0 or pass.
>      */
> but that’s not really true as each plugin returns KRB5KDC_ERR_CLIENT_NAME_MISMATCH when a match is not found.  This means the first plugin that fails kicks out of that loop and no other checks are performed.  I noticed this specifically because we were testing with certs that need the dbmatch module to work but it was never being called.

Can you elaborate on "each plugin returns
KRB5KDC_ERR_CLIENT_NAME_MISMATCH when a match is not found"?  Of the
built-in modules, I think only the san module would ever return that
code, and should only return it when it finds PKINIT or UPN SANs in the
certificate and they don't match.  It should return
KRB5_PLUGIN_NO_HANDLE if the cert doesn't have either of those SAN types.
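As an added illustration of the loop semantics under discussion (this is not krb5 code, and the module names, return codes and the all-pass outcome are stand-ins chosen for the model), the following C program shows why a hard error from the first module prevents a later module such as dbmatch from ever being consulted:

```c
/* Added example, not krb5 code: a stand-alone model of the certauth loop
 * discussed above.  Codes and module names are stand-ins (assumption). */
#include <stddef.h>
#include <string.h>

#define MODEL_OK            0  /* module authorized the certificate */
#define MODEL_PASS          1  /* stand-in for KRB5_PLUGIN_NO_HANDLE */
#define MODEL_NAME_MISMATCH 2  /* stand-in for KRB5KDC_ERR_CLIENT_NAME_MISMATCH */
#define MAX_MODULES         8

struct model_module { const char *name; int verdict; };

struct model_trace {
    int called[MAX_MODULES];  /* 1 if module i was invoked */
    int indicators;           /* modules whose indicators were collected */
};

/* Rules from the quoted comment: at least one module must return 0, any
 * code other than pass aborts the loop at once, and indicators come from
 * modules returning 0 or pass.  All-pass is treated as not authorized
 * here (a choice of this model, not a claim about pkinit_srv.c). */
int
model_authorize(const struct model_module *mods, size_t n,
                struct model_trace *trace)
{
    int accepted = 0;
    size_t i;

    memset(trace, 0, sizeof(*trace));
    for (i = 0; i < n && i < MAX_MODULES; i++) {
        trace->called[i] = 1;
        if (mods[i].verdict == MODEL_OK)
            accepted = 1;
        else if (mods[i].verdict != MODEL_PASS)
            return mods[i].verdict;   /* remaining modules never run */
        trace->indicators++;
    }
    return accepted ? MODEL_OK : MODEL_NAME_MISMATCH;
}

/* san runs first with the given verdict; dbmatch would accept the cert.
 * With MODEL_NAME_MISMATCH, dbmatch is never called (Craig's report);
 * with MODEL_PASS, dbmatch runs and the cert is authorized. */
int
scenario_san_then_dbmatch(int san_verdict, struct model_trace *trace)
{
    const struct model_module mods[] = { { "san", san_verdict },
                                         { "dbmatch", MODEL_OK } };
    return model_authorize(mods, 2, trace);
}
```

The trace makes the difference visible: a name-mismatch verdict from san returns before dbmatch is invoked, while a pass verdict lets the loop continue and collect indicators from both modules.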

More information about the krbdev mailing list