Date: Fri, 26 Jan 2018 13:12:48 +0100
From: Sumit Bose <sbose@redhat.com>
To: krb5-bugs@mit.edu
Subject: PKINIT certid option cannot handle leading zero
Hi,

If the ID of a certificate on a Smartcard starts with a zero (0x00) it
cannot be selected with the certid option because the PKINIT plugin
converts the input internally into an OpenSSL BIGNUM and the leading
0x00 is lost.

According to
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959712
CKA_ID is a byte array which is 'an arbitrary string (array) of
CK_BYTEs', which is defined as 'unsigned char' without any restrictions.
If I understand it correctly, this allows a leading 0x00 in CKA_ID.

Please find attached a patch which replaces the BIGNUM based solution
with a byte-by-byte parsing of the cert_id_str.

The second patch contains some tests for the new function I added. For
simplicity I added them to pkinit_kdf_test, please let me know if you
prefer to have an extra binary for this.

bye,
Sumit

From: ghudson@mit.edu
Subject: git commit

Fix hex conversion of PKINIT certid strings

When parsing a PKCS11 token specification, correctly convert from hex
to binary instead of using OpenSSL bignum functions (which would strip
leading zeros).

[ghudson@mit.edu: made hex_string_to_bin() a bit less verbose; wrote
commit message]

https://github.com/krb5/krb5/commit/63e8b8142fd7b3931a7bf2d6448978ca536bafc0
Author: Sumit Bose <sbose@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 63e8b8142fd7b3931a7bf2d6448978ca536bafc0
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 55 ++++++++++++++++----
1 files changed, 44 insertions(+), 11 deletions(-)
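The leading-zero loss that the report and the commit message describe, as an added example that is not krb5's code: hex_string_to_bin() below is my own byte-wise parser that only reuses the name from the commit message, and hex_string_via_number() imitates the effect of a hex-to-BIGNUM-to-binary round trip without calling OpenSSL, so the two can be compared on the same input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Value of one hex digit (either case), or -1 if c is not a hex digit. */
static int hex_digit(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical byte-wise parser (not krb5's own hex_string_to_bin()):
 * each pair of hex digits becomes one byte, so "0012ab" -> 00 12 ab.
 * Returns the byte count, or -1 for an empty string, odd length,
 * a non-hex character, or an output buffer that is too small. */
int hex_string_to_bin(const char *hex, uint8_t *out, size_t out_size)
{
    size_t len = strlen(hex), i;
    if (len == 0 || len % 2 != 0 || len / 2 > out_size) return -1;
    for (i = 0; i < len; i += 2) {
        int hi = hex_digit(hex[i]), lo = hex_digit(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(len / 2);
}

/* Numeric conversion for contrast: the digits are accumulated into one
 * integer and re-encoded in the shortest big-endian form, as a
 * hex -> BIGNUM -> binary round trip does, so leading 0x00 bytes vanish.
 * Limited to 16 hex digits (64 bits); returns the byte count or -1. */
int hex_string_via_number(const char *hex, uint8_t *out, size_t out_size)
{
    uint64_t v = 0, t;
    int n = 0, i;
    if (*hex == '\0' || strlen(hex) > 16) return -1;
    for (; *hex != '\0'; hex++) {
        int d = hex_digit(*hex);
        if (d < 0) return -1;
        v = (v << 4) | (uint64_t)d;
    }
    for (t = v; t != 0; t >>= 8)  /* value 0 encodes as zero bytes */
        n++;
    if ((size_t)n > out_size) return -1;
    for (i = 0; i < n; i++)
        out[i] = (uint8_t)(v >> (8 * (n - 1 - i)));
    return n;
}
```

With the constructed ID "0012ab", the byte-wise parser returns three bytes starting with 0x00, while the numeric path returns only 12 ab, which is why a token whose CKA_ID begins with 0x00 could never match.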