[37852] in Kerberos
Re: PKINIT with PA-PK-AS-REQ_OLD fails with ASN1_CHECK_TLEN:wrong tag
daemon@ATHENA.MIT.EDU (Jacques Henry)
Thu Feb 2 11:13:47 2017
In-Reply-To: <e5d07eb6-6bac-0db3-e1b3-b8246248f415@mit.edu>
From: Jacques Henry <caramba696@gmail.com>
Date: Thu, 2 Feb 2017 12:04:44 +0100
Message-ID: <CAMiydLnbauh1x2qc4xi6W1umcePN0urpMF4A1stn6AkX8A1xJw@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu
>
> 1. The old draft9 support isn't intended to be used as a wrong-PIN
> fallback; it is only there for interoperability with old PKINIT
> implementations. It might be time to remove that support, since Windows
> Server 2003 hit the end of its extended support life in 2015.
>
When talking about draft9, are you referring to this?
https://tools.ietf.org/html/draft-ietf-cat-kerberos-pk-init-09
Indeed, I don't understand this fallback for a wrong PIN.
We have mainly 2008R2 and 2012R2 and soon 2016.
Keeping a Server 2000/2003 compatibility is another debate.
> 2. We can't decode the Windows PKINIT reply due to some ASN.1 tagging
> issue.
>
> To debug the second problem, I would need a packet capture of the AS-REP
> from the Windows KDC. But it's also not likely to be a high priority
> for me because of the first issue, so if it isn't convenient to get that
> information, it probably isn't worth a lot of effort.
>
You would need the raw AS-REP packet from Wireshark?
I have activated the DEBUG_ASN1 flag, so I end up with the following file:
/tmp/client_received_pkcs7_signeddata
Indeed, OpenSSL complains about this file:
# openssl pkcs7 -in /tmp/client_received_pkcs7_signeddata -inform der
unable to load PKCS7 object
140362212865696:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1338:
140362212865696:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:390:Type=PKCS7
Using the asn1parse command prints the structure, but I don't want to
copy/paste all the output here.
Thanks.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
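Added illustration (not part of this thread, and not code from MIT krb5 or OpenSSL): the "wrong tag" error from `openssl pkcs7` means the outermost DER layer of the dumped file is not the PKCS#7 ContentInfo the command expects (SEQUENCE { contentType OID, content [0] EXPLICIT ANY } with contentType 1.2.840.113549.1.7.2, signedData). The script below reads the outer TLVs of a file such as /tmp/client_received_pkcs7_signeddata with a small hand-written DER decoder and reports what is actually there, without copying the whole asn1parse dump around. The sample blobs it contains are constructed here for the self-test and are not captures from a Windows KDC; the file path and the "bare SignedData" diagnosis are illustrative shapes, not a claim about what Windows sends.

```python
"""Minimal DER inspector for a dumped PKCS#7 blob (added example)."""
import sys

SIGNED_DATA_OID = "1.2.840.113549.1.7.2"
UNIVERSAL_NAMES = {2: "INTEGER", 4: "OCTET STRING", 6: "OBJECT IDENTIFIER",
                   16: "SEQUENCE", 17: "SET"}
CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}


def read_tlv(buf, off=0):
    """Decode one DER TLV at buf[off].
    Returns (tag_class, constructed, tag_number, value, next_offset)."""
    if off >= len(buf):
        raise ValueError("truncated: no tag byte")
    first = buf[off]
    off += 1
    tag_class, constructed, tag_number = first >> 6, bool(first & 0x20), first & 0x1F
    if tag_number == 0x1F:  # high-tag-number form: base-128 continuation bytes
        tag_number = 0
        while True:
            if off >= len(buf):
                raise ValueError("truncated: tag continuation")
            b = buf[off]
            off += 1
            tag_number = (tag_number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    if off >= len(buf):
        raise ValueError("truncated: no length byte")
    length = buf[off]
    off += 1
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length: BER, not DER")
        if off + nbytes > len(buf):
            raise ValueError("truncated: length bytes")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("truncated: value")
    return tag_class, constructed, tag_number, buf[off:off + length], off + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]  # first two arcs are packed as 40*X + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def describe_tag(tag_class, constructed, tag_number):
    if tag_class == 0 and tag_number in UNIVERSAL_NAMES:
        return UNIVERSAL_NAMES[tag_number]
    form = "constructed" if constructed else "primitive"
    return f"[{CLASS_NAMES[tag_class]} {tag_number}] {form}"


def classify_pkcs7(buf):
    """Describe the outermost structure relative to a PKCS#7 ContentInfo."""
    cls, cons, num, body, end = read_tlv(buf)
    if end != len(buf):
        return f"{end} bytes parsed, {len(buf) - end} trailing bytes: not a single DER value"
    if not (cls == 0 and cons and num == 16):
        return f"outer tag is {describe_tag(cls, cons, num)}, not SEQUENCE: not a ContentInfo"
    c_cls, c_cons, c_num, c_body, c_end = read_tlv(body)
    if c_cls == 0 and c_num == 6:
        oid = decode_oid(c_body)
        if oid != SIGNED_DATA_OID:
            return f"ContentInfo with contentType {oid}, not signedData"
        if c_end >= len(body):
            return "ContentInfo signedData with no [0] content"
        x_cls, x_cons, x_num, _, _ = read_tlv(body, c_end)
        if x_cls == 2 and x_cons and x_num == 0:
            return "ContentInfo signedData with [0] EXPLICIT content: what openssl pkcs7 expects"
        return f"ContentInfo signedData but content tag is {describe_tag(x_cls, x_cons, x_num)}, not [0]"
    if c_cls == 0 and c_num == 2:
        return "SEQUENCE starting with INTEGER: looks like a bare SignedData with no ContentInfo wrapper"
    return f"SEQUENCE whose first element is {describe_tag(c_cls, c_cons, c_num)}: not a ContentInfo"


# Constructed sample blobs for the self-test (short-form lengths are enough here).
def tlv(tag, body):
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


SIGNED_DATA_OID_DER = tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02]))
DATA_OID_DER = tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01]))
# SignedData skeleton: version INTEGER 1, empty digestAlgorithms SET,
# encapContentInfo SEQUENCE { id-data }, empty signerInfos SET.
BARE_SIGNED_DATA = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") +
                       tlv(0x30, DATA_OID_DER) + tlv(0x31, b""))
GOOD_CONTENT_INFO = tlv(0x30, SIGNED_DATA_OID_DER + tlv(0xA0, BARE_SIGNED_DATA))
WRONG_OUTER_TAG = tlv(0x04, GOOD_CONTENT_INFO)  # whole thing wrapped in an OCTET STRING

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 der_inspect.py /tmp/client_received_pkcs7_signeddata
        with open(sys.argv[1], "rb") as f:
            print(classify_pkcs7(f.read()))
    else:
        for name, blob in [("good", GOOD_CONTENT_INFO), ("bare", BARE_SIGNED_DATA),
                           ("wrapped", WRONG_OUTER_TAG)]:
            print(f"{name}: {classify_pkcs7(blob)}")
```

Run it with the dumped file as the only argument; with no argument it classifies its own three constructed blobs. The one-line verdict (outer tag, first child, content tag) is usually enough to say which layer the decoder choked on, and is what is worth pasting into a list reply instead of the full asn1parse output.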