Skip Menu |

Subject: Wrong PKCS11 PIN can trigger PKINIT draft9 code
In a common PKINIT scenario, the KDC method data offers both RFC 4556
PKINIT and draft 9 PKINIT padata types. We try the PKINIT module on
both types, and typically they either both succeed or both fail.

However, if there is a PKCS11 token in the mix, the user could trigger
a failure with the RFC 4556 PKINIT code path by entering the wrong
PIN, and then a success with the draft 9 code path by entering the
right PIN. This scenario results in downgrading to draft 9 when the
KDC supports RFC 4556.

A conservative solution is to use request context state to prevent the
draft9 code from operating if the RFC 4556 code has already made an
attempt. A more aggressive solution is to remove the draft9 code
This issue doesn't manifest if C_Login() fails with the wrong PIN,
because that failure will be remembered in the identity_prompt_retval
field of the pkinit_req_context structure, and pkinit_client_process()
on the draft9 padata type will give up before prompting again. This
makes it hard to reproduce the issue in using soft-pkcs11.

In the failing scenario, C_Login() succeeds, but C_Sign() later fails.
I'm not quite sure what the draft9 code path is that results in another
prompt, since identity_prompted should be true at that point.
Subject: git commit

Avoid draft 9 fallback after PKINIT failure

If a KDC offers both RFC 4556 and draft 9 PKINIT, and we experience a
client-side failure trying RFC 4556 PKINIT (e.g. due to the user
entering the wrong PKCS #11 PIN), do not try to use draft 9 PKINIT.
Author: Greg Hudson <>
Commit: 0963fa5f0d01d81d3c4088088b94c455f033e921
Branch: master
src/plugins/preauth/pkinit/pkinit.h | 1 +
src/plugins/preauth/pkinit/pkinit_clnt.c | 7 +++++++
src/plugins/preauth/pkinit/pkinit_trace.h | 2 ++
src/tests/ | 8 ++++++++
4 files changed, 18 insertions(+), 0 deletions(-)