Date: Fri, 26 Jan 2018 13:12:48 +0100
From: Sumit Bose <sbose@redhat.com>
To: krb5-bugs@mit.edu
Subject: PKINIT certid option cannot handle leading zero
Hi,
If the ID of a certificate on a Smartcard starts with a zero (0x00) it
cannot be selected with the certid option because the PKINIT plugin
converts the input internally into an OpenSSL BIGNUM and the leading
0x00 is lost.
According to
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959712
CKA_ID is a byte array which is 'an arbitrary string (array) of
CK_BYTEs' which is defined as 'unsigned char' without any restrictions.
If I understand it correctly this allows a leading 0x00 in CKA_ID.
Please find attached a patch which replaces the BIGNUM based solution
with a byte-by-byte parsing of the cert_id_str.
The second patch contains some tests for the new function I added. For
simplicity I added them to pkinit_kdf_test, please let me know if you
prefer to have an extra binary for this.
bye,
Sumit
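The following is an added illustration of the failure mode described in the report; it is not the attached patch and not krb5 code. It decodes a certid hex string byte by byte so that a leading 0x00 is kept, and, for contrast, simulates the BIGNUM round trip (BN_hex2bn followed by BN_bn2bin) by stripping leading zero bytes, without depending on OpenSSL. The function names, the odd-length rejection and the sample CKA_ID are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a CKA_ID as it might be read from a token,
 * starting with a zero byte. */
static const unsigned char sample_cka_id[] = {0x00, 0xa1, 0xff};
#define SAMPLE_CKA_ID_LEN sizeof(sample_cka_id)

/* Decode one hex digit; -1 on a non-hex character. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Byte-by-byte decode of a certid string into a CKA_ID byte array
 * (hypothetical helper, not the krb5 function).  Every pair of hex
 * digits becomes exactly one byte, so "00a1ff" yields {0x00,0xa1,0xff}
 * with length 3 and the leading zero survives.  Empty input, odd
 * length and non-hex characters are rejected (assumption: the certid
 * option is a plain even-length hex string).  Returns 0 on success
 * with a malloc'd buffer in *out, -1 on error.
 */
int certid_from_hex(const char *s, unsigned char **out, size_t *outlen)
{
    size_t n = strlen(s), i;
    unsigned char *buf;

    if (n == 0 || n % 2 != 0)
        return -1;
    buf = malloc(n / 2);
    if (buf == NULL)
        return -1;
    for (i = 0; i < n; i += 2) {
        int hi = hexval((unsigned char)s[i]);
        int lo = hexval((unsigned char)s[i + 1]);
        if (hi < 0 || lo < 0) {
            free(buf);
            return -1;
        }
        buf[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    *out = buf;
    *outlen = n / 2;
    return 0;
}

/*
 * Simulation of the lossy path from the report: a BIGNUM has no notion
 * of width, so its big-endian encoding is minimal and leading 0x00
 * bytes disappear.  Modelled here by decoding exactly and then
 * dropping the leading zero bytes.
 */
int certid_via_bignum_sim(const char *s, unsigned char **out, size_t *outlen)
{
    unsigned char *buf;
    size_t len, skip = 0;

    if (certid_from_hex(s, &buf, &len) != 0)
        return -1;
    while (skip < len && buf[skip] == 0)
        skip++;
    memmove(buf, buf + skip, len - skip);
    *out = buf;
    *outlen = len - skip;
    return 0;
}

/* Exact CKA_ID comparison: lengths must match, then every byte. */
int certid_matches(const unsigned char *a, size_t alen,
                   const unsigned char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Does the certid string select an object whose CKA_ID is cka_id?
 * lossy != 0 uses the simulated BIGNUM path, otherwise the exact one.
 * Returns 1 on a match, 0 on mismatch or unparsable input. */
int certid_selects(const char *certid, const unsigned char *cka_id,
                   size_t cka_len, int lossy)
{
    unsigned char *buf;
    size_t len;
    int r;

    r = lossy ? certid_via_bignum_sim(certid, &buf, &len)
              : certid_from_hex(certid, &buf, &len);
    if (r != 0)
        return 0;
    r = certid_matches(buf, len, cka_id, cka_len);
    free(buf);
    return r;
}

int main(void)
{
    printf("certid=00a1ff via BIGNUM path: %s\n",
           certid_selects("00a1ff", sample_cka_id, SAMPLE_CKA_ID_LEN, 1)
               ? "selected" : "not found");
    printf("certid=00a1ff via byte path:   %s\n",
           certid_selects("00a1ff", sample_cka_id, SAMPLE_CKA_ID_LEN, 0)
               ? "selected" : "not found");
    return 0;
}
```

The comparison is deliberately length-sensitive: once the certid is kept as a byte array, "a1ff" and "00a1ff" are two different CKA_IDs, which is exactly the distinction the BIGNUM conversion erased.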