[16108] in Kerberos-V5-bugs


[krbdev.mit.edu #8733] Multiple pkinit_identities semantics are

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Sep 5 13:04:36 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8733@krbdev.mit.edu>
Message-ID: <rt-8733-48800.4.38738353926048@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8733'":;
Date: Wed,  5 Sep 2018 13:04:24 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

The documentation for pkinit_identities states:

    This option may be specified multiple
    times.  Each value is attempted in order until identity
    information is found and authentication is attempted.

This could be interpreted in several ways.  In reality, the loop in 
pkinit_identity_initialize() tries each value until one of them 
successfully parses, regardless of whether the parsed values point to 
valid identity information.  These don't seem like very useful 
semantics, but I can think of one useful scenario: an ENV: value 
will fail to parse if the environment variable isn't defined, so the 
first value could specify an override variable and the second value 
could specify a default.  (A PKCS11: value will also fail to parse if 
the library has no PKCS11 support, but that doesn't seem very 
useful.)

Other possible semantics for multiple pkinit_identities values 
include:

* Try to load all of them into the creds array and then use identity 
selection to pick one.  This meaning doesn't match the current 
documentation but hews closely to what we do for multiple creds 
obtained via a single DIR: value.

* Try each value not just until one of them parses, but until 
one of them results in a PKINIT request (as indicated by "and 
authentication is attempted" in the documentation).

Both approaches would require substantial code changes and (as far as 
I can remember) nobody has really asked for either of them, so 
clarifying the documentation may be the best change for now.

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
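The three semantics discussed in the ticket, as an added Python model that is not part of the original message and not krb5's own pkinit_identity_initialize(). The spec prefixes (FILE:, DIR:, PKCS11:, ENV:) follow the krb5.conf documentation; the function names, the AVAILABLE table and the file paths are constructed for illustration, and the "load" step is a dictionary lookup standing in for reading a file, directory or token. It shows why the ENV: override/default pattern works under the current loop, and that a FILE: value which parses but yields no identity stops the loop before the next value is tried.

```python
"""Model of the candidate semantics for multiple pkinit_identities values
(krbdev ticket #8733).  Constructed illustration, not krb5 code: spec kinds
follow krb5.conf docs, everything else here is an assumption."""

# Constructed stand-in for "identity information found at this location":
# maps a parsed (kind, location) to the creds it would yield.  A location
# absent from the table models a value that parses but holds no usable creds.
AVAILABLE = {
    ("FILE", "/etc/krb5/user.pem"): ["cert:user@EXAMPLE.COM"],
    ("DIR", "/etc/krb5/ids"): ["cert:alice@EXAMPLE.COM", "cert:bob@EXAMPLE.COM"],
    ("PKCS11", "/usr/lib/opensc-pkcs11.so"): ["cert:smartcard@EXAMPLE.COM"],
}


def parse_spec(spec, env, pkcs11_supported=True):
    """Parse step only.  Returns (kind, location), or None when the value
    fails to parse.  Does not check whether the location yields creds."""
    kind, sep, rest = spec.partition(":")
    if not sep or not rest:
        return None
    if kind == "ENV":
        # ENV:VAR fails to parse when VAR is unset; otherwise VAR's value is
        # itself a FILE:/DIR:/PKCS11: spec and is parsed in turn.
        value = env.get(rest)
        return None if value is None else parse_spec(value, env, pkcs11_supported)
    if kind == "PKCS11":
        # PKCS11: fails to parse when the library was built without support.
        return ("PKCS11", rest) if pkcs11_supported else None
    if kind in ("FILE", "DIR"):
        return (kind, rest)
    return None  # unknown prefix


def load_creds(parsed, available=AVAILABLE):
    """Model of the load step: creds found at a parsed location (may be empty)."""
    return list(available.get(parsed, []))


def current_semantics(specs, env, pkcs11_supported=True):
    """What the ticket describes today: stop at the first value that parses,
    whether or not it yields identity information."""
    for spec in specs:
        parsed = parse_spec(spec, env, pkcs11_supported)
        if parsed is not None:
            return load_creds(parsed)
    return []


def until_creds_semantics(specs, env, pkcs11_supported=True):
    """Second alternative: keep going until a value actually yields creds."""
    for spec in specs:
        parsed = parse_spec(spec, env, pkcs11_supported)
        if parsed is None:
            continue
        creds = load_creds(parsed)
        if creds:
            return creds
    return []


def load_all_semantics(specs, env, pkcs11_supported=True):
    """First alternative: load every parsable value into one creds array and
    leave the choice to identity selection, as a single DIR: value does."""
    creds = []
    for spec in specs:
        parsed = parse_spec(spec, env, pkcs11_supported)
        if parsed is not None:
            creds.extend(load_creds(parsed))
    return creds


if __name__ == "__main__":
    override_default = ["ENV:PKINIT_ID", "FILE:/etc/krb5/user.pem"]
    # Variable unset: ENV: fails to parse, so the FILE: default is used.
    print(current_semantics(override_default, {}))
    # Variable set: the override wins under every semantics.
    print(current_semantics(override_default, {"PKINIT_ID": "DIR:/etc/krb5/ids"}))
    # Pitfall under the current loop: a FILE: value parses even when nothing
    # usable is behind it, so the second value is never tried.
    fallback = ["FILE:/home/user/missing.pem", "FILE:/etc/krb5/user.pem"]
    print(current_semantics(fallback, {}), until_creds_semantics(fallback, {}))
```

The usage block at the bottom reproduces the ENV: override/default scenario from the message and the case where a parsable but empty FILE: value masks a later one; the other two functions exist only to make the alternative readings concrete.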
