Subject: Wrong PKCS11 PIN can trigger PKINIT draft9 code
In a common PKINIT scenario, the KDC method data offers both RFC 4556
PKINIT and draft 9 PKINIT padata types. We try the PKINIT module on
both types, and typically they either both succeed or both fail.
However, if there is a PKCS11 token in the mix, the user could trigger
a failure with the RFC 4556 PKINIT code path by entering the wrong
PIN, and then a success with the draft 9 code path by entering the
right PIN. This scenario results in downgrading to draft 9 when the
KDC supports RFC 4556.
A conservative solution is to use request context state to prevent the
draft9 code from operating if the RFC 4556 code has already made an
attempt. A more aggressive solution is to remove the draft9 code
(#8543).
http://mailman.mit.edu/pipermail/kerberos/2017-February/021585.html
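To make the sequence concrete, here is an added simulation (not krb5's own code) of the client preauth loop with and without the request-context guard the conservative solution proposes. The token, its PIN, the PIN sequences and the `req_ctx`/`run_pkinit_preauth` names are constructed for illustration; the padata type numbers are the ones RFC 4120 assigns.

```c
#include <string.h>

/* Padata type numbers as assigned in RFC 4120 section 7.5.2 (krb5.h). */
#define PA_PK_AS_REQ     16   /* RFC 4556 PKINIT */
#define PA_PK_AS_REQ_OLD 14   /* draft 9 PKINIT */
#define TOKEN_PIN "1234"      /* constructed stand-in for the PKCS11 token PIN */

/* Hypothetical per-request context state, as the conservative fix proposes:
 * remembers whether the RFC 4556 path has already made an attempt. */
struct req_ctx { int rfc4556_attempted; };

/* Constructed sample inputs: the KDC offers both types, RFC 4556 first; the
 * user mistypes the PIN at the first prompt, then enters it correctly. */
const int KDC_OFFERED[] = { PA_PK_AS_REQ, PA_PK_AS_REQ_OLD };
const char *WRONG_THEN_RIGHT[] = { "0000", TOKEN_PIN, NULL };
const char *RIGHT_FIRST[] = { TOKEN_PIN, NULL };

/* Simulated PKINIT module call: consumes one PIN from the prompt sequence
 * and succeeds (returns 1) only if it unlocks the token. */
static int pkinit_try(const char **pins, int *prompt)
{
    const char *entered = pins[*prompt];
    if (entered == NULL)
        return 0;                 /* input exhausted: prompt cancelled */
    (*prompt)++;
    return strcmp(entered, TOKEN_PIN) == 0;
}

/* Walks the offered padata types in KDC order, like the client preauth
 * loop. guard == 0 reproduces the downgrade from the ticket; guard == 1
 * applies the fix: draft 9 is skipped once RFC 4556 has been attempted.
 * Returns the padata type that succeeded, or 0 if preauth failed. */
int run_pkinit_preauth(const int *offered, int n, const char **pins, int guard)
{
    struct req_ctx ctx = { 0 };
    int prompt = 0;
    for (int i = 0; i < n; i++) {
        if (offered[i] == PA_PK_AS_REQ) {
            ctx.rfc4556_attempted = 1;
            if (pkinit_try(pins, &prompt))
                return PA_PK_AS_REQ;
        } else if (offered[i] == PA_PK_AS_REQ_OLD) {
            if (guard && ctx.rfc4556_attempted)
                continue;         /* never fall back to draft 9 */
            if (pkinit_try(pins, &prompt))
                return PA_PK_AS_REQ_OLD;
        }
    }
    return 0;
}
```

Without the guard, a wrong PIN followed by the right one ends in a draft 9 success even though the KDC offered RFC 4556; with the guard, the same input fails preauth instead of downgrading.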