Kevin Coffman wrote:
> Are you aware that there are two different flavors of pkinit? There
> is the original protocol deployed by Microsoft in Windows 2000
> (sometimes referred to as the "Draft 9 version" because it was
> basically the version defined by draft 9 of the RFC) and then the
> finalized RFC version (which was something like draft number 24).
>
> Do you know which version your client uses? The code in MIT 1.6.3
> supports both versions of the protocol. It would be up to your client
> to make sure that it correctly identifies the protocol version it is
> using. (There are different preauth padata types for each version.)
>
> #define KRB5_PADATA_PK_AS_REQ_OLD 14 /* PKINIT */
> #define KRB5_PADATA_PK_AS_REP_OLD 15 /* PKINIT */
> #define KRB5_PADATA_PK_AS_REQ 16 /* PKINIT */
> #define KRB5_PADATA_PK_AS_REP 17 /* PKINIT */
>
> Beyond that, you would probably need to compile the KDC code to
> support debugging and trace through to find the portion of the
> client's request that the server code does not like. You might start
> looking at the code in src/lib/krb5/asn.1/asn1_k_decode.c.
>
> K.C.
>
> On Fri, Jun 27, 2008 at 8:42 AM, naveen.bn wrote:
>
>> Hi Kevin,
>>
>> I am facing a problem and would like to get a suggestion from you regarding it.
>>
>> My seniors had come up with a kerberos client which took the reference from
>> krb5-1.2.2, which was without PKINIT support, and they
>> had added the PKINIT support to it. I have no contact with them; I have
>> no idea what server they had used.
>> But, now that krb5-1.6.3 supports PKINIT, I am trying to use it as the
>> server. My client works without PKINIT, but with PKINIT
>> support the server (krb5-1.6.3) is not able to decode the AS_REQ packet and
>> the kdc log says
>> preauth (pkinit) verify failure: ASN.1 identifier doesn't match expected
>> value.
>>
>> I tested the AS_REQ with the tool dumpasn1.c and found no problem in the pkinit
>> asn1 dump.
>>
>> Kindly help me in solving this problem.
>> Thank you
>>
>> naveen
>>
>> This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
>> for the use of the addressee(s). If you are not the intended recipient,
>> please notify the sender by e-mail and delete the original message.Global
>> Edge Software Ltd has taken every reasonable precaution to minimize this
>> risk, but is not liable for any damage you may sustain as a result of any
>> virus in this e-mail. You should carry out your own virus checks before
>> opening the e-mail or attachment. Global Edge Software Ltd reserves the
>> right to monitor and review the content of all messages sent to or from this
>> e-mail address
>>

Hi Kevin,

I found the problem, please help me in solving it. When decoding the
AS_REQ pa-data from the function asn1_decode_pa_pk_as_req_draft9(..)
in file asn1_k_decode.c, the macro
get_implicit_octet_string(val->signedAuthPack.length,
val->signedAuthPack.data, 0) is invoked,
which checks for asn1class = CONTEXT_SPECIFIC and construction = PRIMITIVE.
But when I logged these values it was asn1class = CONTEXT_SPECIFIC and
construction = CONSTRUCTED, because of which it is failing to decode the
pa_data of the AS_REQ.

How can I make the pa_data have the expected decoding value for construction
(expected value is PRIMITIVE)?

Please guide me to solve this.


Thank you

with regards
naveen

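An added illustration (not code from MIT krb5 or from either poster) of what the check in get_implicit_octet_string is looking at: DER always encodes an OCTET STRING in primitive form, so a [0] IMPLICIT OCTET STRING such as the draft-9 signedAuthPack carries the identifier octet 0x80 (context-specific class, primitive, tag 0), whereas 0xA0 (constructed bit set) is what an explicit [0] tag around a universal OCTET STRING, or a BER constructed string, looks like. The decoder below is a minimal stand-alone one that applies the same class/tag/construction rule to constructed sample bytes; the function and constant names are my own, not krb5's.

```c
#include <stddef.h>
#include <stdint.h>

enum { CLASS_UNIVERSAL = 0, CLASS_APPLICATION = 1, CLASS_CONTEXT_SPECIFIC = 2, CLASS_PRIVATE = 3 };
enum { FORM_PRIMITIVE = 0, FORM_CONSTRUCTED = 1 };

struct asn1_hdr { int asn1class, construction; unsigned tagnum; size_t length, hdrlen; };

/* Parse one identifier octet plus a DER definite-form length (low tag numbers only).
 * Bits 8-7 of the identifier hold the class, bit 6 the constructed flag, bits 5-1
 * the tag number. Returns 0 on success, -1 on malformed or non-DER input. */
int asn1_parse_header(const uint8_t *buf, size_t len, struct asn1_hdr *h)
{
    size_t pos = 1, n;
    if (len < 2) return -1;
    h->asn1class = buf[0] >> 6;
    h->construction = (buf[0] >> 5) & 1;
    h->tagnum = buf[0] & 0x1f;
    if (h->tagnum == 0x1f) return -1;                 /* high-tag-number form not handled */
    if (buf[pos] < 0x80) {
        h->length = buf[pos++];
    } else {
        n = buf[pos++] & 0x7f;                         /* n == 0 is BER indefinite length: not DER */
        if (n == 0 || n > sizeof(size_t) || pos + n > len) return -1;
        for (h->length = 0; n > 0; n--) h->length = (h->length << 8) | buf[pos++];
    }
    h->hdrlen = pos;
    return pos + h->length <= len ? 0 : -1;
}

/* The acceptance rule the MIT macro applies: context-specific class, the expected tag
 * number, and PRIMITIVE construction. Returns 1 (and the payload length) on success. */
int accept_implicit_octet_string(const uint8_t *buf, size_t len, unsigned tagnum, size_t *payload)
{
    struct asn1_hdr h;
    if (asn1_parse_header(buf, len, &h) != 0) return 0;
    if (h.asn1class != CLASS_CONTEXT_SPECIFIC || h.tagnum != tagnum) return 0;
    if (h.construction != FORM_PRIMITIVE) return 0;   /* identifier 0xA0 is rejected here */
    if (payload) *payload = h.length;
    return 1;
}

/* Constructed sample encodings of the same 3-byte value (not captured traffic). */
const uint8_t implicit_der[]   = { 0x80, 0x03, 0x01, 0x02, 0x03 };                        /* [0] IMPLICIT, primitive */
const uint8_t explicit_tag[]   = { 0xA0, 0x05, 0x04, 0x03, 0x01, 0x02, 0x03 };            /* [0] EXPLICIT around 04 */
const uint8_t ber_indefinite[] = { 0xA0, 0x80, 0x04, 0x03, 0x01, 0x02, 0x03, 0x00, 0x00 }; /* BER, not DER */
```

Only the first sample passes; the other two are exactly the shapes that log "ASN.1 identifier doesn't match expected value" on the KDC side, so comparing the first byte of the offending field against 0x80 is a quick check of which form a client is emitting.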