Bug 761610 - The system can't authenticate user with none hashed pin
Summary: The system can't authenticate user with none hashed pin
Status: CLOSED EOL
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Authentication
Version: 1.2
Hardware: Unspecified
OS: Unspecified
Assignee: Christina Fu
QA Contact: Ben Levenson
Blocks: 530474
Reported: 2011-12-08 17:40 UTC by bbonok
Modified: 2020-03-27 18:39 UTC

Doc Type: Bug Fix
Last Closed: 2020-03-27 18:39:49 UTC



Description bbonok 2011-12-08 17:40:54 UTC
Description of problem:
The user can't be authenticated when a non-hashed pin is generated.

How reproducible:
Generate a non-hashed pin with the setpin tool.

Reason:
Have a look in the com.netscape.cms.authentication.UidPwdPinDirAuthentication class.

What does the system actually do?

1. Look in LDAP
2. Fetch the pin attribute
3. ALWAYS concatenate userdn with the value in the LDAP pin attribute
4. Look at the first byte - to hash or not to hash
5. If the value is '-' there is no hashing.
6. The validation is a comparison between what the user typed in the PIN field of the web form and the "userdn + pin" string. (Expected: the system compares the entered pin with the LDAP pin value.)


Additional info:
When setpin generates a hashed pin it also concatenates userdn with pin. That string (userdn + pin) is then hashed with a SHA-1 hash (see the setpin.c file).
This is the reason that the user can be authenticated when setpin generates pins.

See also bug: #761603
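
The mismatch described in this report, as a small Python model. This is an added example, not Dogtag or setpin code. Assumptions: the DN is prepended to the candidate before the check, the unhashed stored value is the '-' flag byte followed by the bare pin, the SHA-1 flag byte is 0x00, and the sample DN and pin are constructed.

```python
import hashlib
import hmac

NO_HASH = b"-"        # first byte '-' means "no hashing" (from the report)
SHA1_FLAG = b"\x00"   # assumption of this model: flag byte for a SHA-1 pin

SAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"   # constructed
SAMPLE_PIN = "x7Qp2k9A"                              # constructed


def setpin_store(userdn: str, pin: str, hashed: bool) -> bytes:
    """Model of the value written to the LDAP pin attribute."""
    if hashed:
        # Report: setpin hashes the string (userdn + pin) with SHA-1.
        return SHA1_FLAG + hashlib.sha1((userdn + pin).encode()).digest()
    # Assumption: an unhashed pin is stored bare, without the DN.
    return NO_HASH + pin.encode()


def verify_as_reported(userdn: str, stored: bytes, entered: str) -> bool:
    """The DN is always concatenated in, whatever the first byte says."""
    candidate = (userdn + entered).encode()
    if stored[:1] != NO_HASH:
        candidate = hashlib.sha1(candidate).digest()
    # Unhashed case: "userdn + pin" is compared with a bare pin, so it fails.
    return hmac.compare_digest(candidate, stored[1:])


def verify_expected(userdn: str, stored: bytes, entered: str) -> bool:
    """Behaviour the reporter expects: unhashed pins compared directly."""
    if stored[:1] == NO_HASH:
        candidate = entered.encode()
    else:
        candidate = hashlib.sha1((userdn + entered).encode()).digest()
    return hmac.compare_digest(candidate, stored[1:])


def demo() -> dict:
    """Run both checks against a hashed and an unhashed stored pin."""
    hashed = setpin_store(SAMPLE_DN, SAMPLE_PIN, hashed=True)
    plain = setpin_store(SAMPLE_DN, SAMPLE_PIN, hashed=False)
    return {
        "reported/hashed": verify_as_reported(SAMPLE_DN, hashed, SAMPLE_PIN),
        "reported/plain": verify_as_reported(SAMPLE_DN, plain, SAMPLE_PIN),
        "expected/hashed": verify_expected(SAMPLE_DN, hashed, SAMPLE_PIN),
        "expected/plain": verify_expected(SAMPLE_DN, plain, SAMPLE_PIN),
    }
```
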

