Skip Menu |
 

Subject: PAC resigning should support buffer resizing
krb5_pac_sign allows an existing signed PAC to be re-signed, but only if
the mandatory cksumtype corresponding to the key enctypes has the same
hash size as the cksumtypes used in the existing signatures. This
restriction makes re-signing PACs fairly useless because most of the time
you're trying to transfer a PAC from one ticket to another (say, from a
TGT to a service ticket) and the service key for the target ticket won't
necessarily be of the same time as the service key for the source, which
means the checksum types may be different.

So, we should add a routine to resize a buffer within a PAC and support
buffer resizing while re-signing. In the meantime, code which wants to
re-sign a PAC needs to construct a new PAC, using krb5_pac_get_types and
krb5_pac_get_buffer to copy information from the old one.