[PKINIT] Invalid response for AS_REQ with win 2003 server

Douglas E. Engert deengert at anl.gov
Mon Nov 2 16:24:41 EST 2009



akshar kanak wrote:
> Dear team
>        I am trying to perform Kerberos PKINIT authentication with Windows
> 2003 server. The client is able to send the AS_REQ packet but the server is
> responding with KRB5KRB_AP_ERR_MODIFIED. In RFC 4120 I could not find
> whether KRB5KRB_AP_ERR_MODIFIED is a proper error response for AS_REQ.
> In the MIT 1.6.3 source code, in file Pkinit_crypto_openssl, in function
> cms_signeddata_create():
> 
>     /* Some tokens can only do RSAEncryption without sha1 hash */
>     /* to compute sha1WithRSAEncryption, encode the algorithm ID for the
> hash
>      * function and the hash value into an ASN.1 value of type DigestInfo
>      * DigestInfo::=SEQUENCE {
>      * digestAlgorithm  AlgorithmIdentifier,
>      * digest OCTET STRING }
>      */
> 
> Are there any specific cards for which this fix needs to be applied?

It looks like this is testing if the PKCS11 supports CKM_SHA1_RSA_PKCS
or only CKM_RSA_PKCS. If it does not support CKM_SHA1_RSA_PKCS the digest is
done here in this code and then CKM_RSA_PKCS is used, so it should not
be an issue.

Are you running into this issue with your card?
Do you require some policy where the digest needs to be done on the card?

Does your pkcs11 driver have any debugging tools?

Have you tried using the OpenSC pkcs11-spy to see all the PKCS11 calls?


> 
> Thanks in advance
> 
> Thanks and Regards
> Akshar
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
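Added illustration of the pkinit_crypto_openssl comment quoted in the thread (example code written for this page, not code from the thread, from MIT Kerberos or from any PKCS#11 driver). It shows why a token that offers only CKM_RSA_PKCS can still produce a sha1WithRSAEncryption signature when the caller hashes in software and wraps the digest in a DER DigestInfo, and that handing the token a bare SHA-1 digest instead produces a signature a verifier rejects. The two token_* functions are hypothetical stand-ins for the two PKCS#11 mechanisms, the RSA key is a locally generated toy key, the message is constructed, and the only dependency is the Python 3.8+ standard library.

```python
"""Added example: CKM_SHA1_RSA_PKCS vs. CKM_RSA_PKCS plus a host-built DigestInfo.
Hypothetical token_* functions simulate the two PKCS#11 mechanisms; the RSA key
is a toy key generated here with a textbook Miller-Rabin test (demo only)."""
import hashlib
import secrets

SHA1_OID = bytes.fromhex("2b0e03021a")  # DER contents of OID 1.3.14.3.2.26 (id-sha1)


def der_tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short-form length (all values here are < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def digest_info_sha1(digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING } (RFC 3447 9.2)."""
    assert len(digest) == 20
    alg_id = der_tlv(0x30, der_tlv(0x06, SHA1_OID) + b"\x05\x00")  # sha1 + NULL params
    return der_tlv(0x30, alg_id + der_tlv(0x04, digest))


def pkcs1_v15_pad(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || T, where k is the modulus length in bytes."""
    if len(t) + 11 > k:
        raise ValueError("modulus too small for the encoded value")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a demo key only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def make_key(bits: int = 512):
    """Toy RSA key: returns ((n, e), (n, d)). 512 bits keeps the demo fast; never use that for real."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def token_sign_rsa_pkcs(priv, t: bytes) -> bytes:
    """Stand-in for CKM_RSA_PKCS: the token only pads the caller's bytes and exponentiates."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_pad(t, k), "big"), d, n).to_bytes(k, "big")


def token_sign_sha1_rsa_pkcs(priv, data: bytes) -> bytes:
    """Stand-in for CKM_SHA1_RSA_PKCS: the token itself hashes, wraps in DigestInfo, pads, signs."""
    return token_sign_rsa_pkcs(priv, digest_info_sha1(hashlib.sha1(data).digest()))


def host_sign_via_rsa_pkcs(priv, data: bytes) -> bytes:
    """The fallback the quoted comment describes: hash on the host, build DigestInfo
    in software, and give the token only that value under CKM_RSA_PKCS."""
    return token_sign_rsa_pkcs(priv, digest_info_sha1(hashlib.sha1(data).digest()))


def host_sign_bare_digest(priv, data: bytes) -> bytes:
    """The mistake the DigestInfo wrapping avoids: raw SHA-1 bytes, no AlgorithmIdentifier."""
    return token_sign_rsa_pkcs(priv, hashlib.sha1(data).digest())


def verify_sha1_rsa(pub, data: bytes, sig: bytes) -> bool:
    """sha1WithRSAEncryption verification as a relying party (e.g. a KDC) performs it."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == pkcs1_v15_pad(digest_info_sha1(hashlib.sha1(data).digest()), k)


if __name__ == "__main__":
    pub, priv = make_key()
    msg = b"constructed sample: signed attributes of an AS-REQ"  # constructed input
    assert token_sign_sha1_rsa_pkcs(priv, msg) == host_sign_via_rsa_pkcs(priv, msg)
    assert verify_sha1_rsa(pub, msg, host_sign_via_rsa_pkcs(priv, msg))
    assert not verify_sha1_rsa(pub, msg, host_sign_bare_digest(priv, msg))
    print("DigestInfo prefix for SHA-1:", digest_info_sha1(b"\0" * 20)[:15].hex())
```

The two signing paths are byte-for-byte identical, which is why the software fallback is transparent to the KDC; the only practical difference is where the hash is computed, which is what the "digest on the card" policy question in the reply is about. With the OpenSC pkcs11-spy suggested above, the mechanism number in the traced C_SignInit call tells you which of the two paths the client actually took.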


