[EXTERNAL] Re: Heimdahl Kerberos on MacOSX 10.9.5 using pkinit produces verify error

Glenn Machin gmachin at sandia.gov
Tue Aug 25 00:50:23 EDT 2015


Greg, you asking me what version my openssl was triggered a 4-year-old 
memory.

Looks like it is an openssl issue, apparently fixed in version 1.0.1f.   
Seems I asked a similar question then and found this on the 
krb5-bugs list - 
http://mailman.mit.edu/pipermail/krb5-bugs/2011-January/008510.html

I will take a closer look at the build process and see if I am linking 
in an old SSL version, or I'll have to patch what I have.

Thanks for looking at this.   Hopefully I won't be asking again in 
another 4 years ;-)


Glenn



On 8/24/15 4:17 PM, Greg Hudson wrote:
> On 08/24/2015 12:59 PM, Glenn Machin wrote (off list):
>> Here is the raw packet.   Let me know if there is anything else I can do.
> I am unfortunately not able to duplicate the error in my setup using
> either krb5 1.10.x or the master branch, sending this exact packet to
> the KDC.  If I temporarily modify the code to suppress all of the
> expected errors from X509_verify(), SAN checking, EKU checking, minimum
> DH parameter enforcement, and timestamp checking, the KDC issues a
> ticket.  None of the suppressed errors appear as ASN.1 errors like
> you're seeing.
>
> My system has OpenSSL 1.0.1f.  What version do you have?  Also, it's
> conceivable that your error is manifesting in X509_verify() after trust
> is established, or happens while encoding AD-INITIAL-VERIFIED-CAS.  If
> you send me your CA certificate (not the private key, of course, just
> the cert), I can perform a better test.

-------- Forwarded Message --------
Subject: 	Re: MacOsx 10.6 pkinit to 1.83 MIT KDC
Date: 	Thu, 31 Mar 2011 15:41:21 -0400
From: 	Kevin Coffman <kwc at umich.edu>
To: 	Glenn Machin <gmachin at sandia.gov>



Hi Glenn!

(I'll reply to the easy one first.)  I seem to recall that we were
attempting to make the PKINIT code work with a certain level of
openssl that was widely deployed at the time.  I remember Olga not
being really happy with some of the issues we had to work around to
make that happen.  I don't remember if that was 0.9.7 or not.

I'm not really tied into the Kerberos dev team any more.  I think
there has been an almost complete turnover since we did the PKINIT
work.  (Sam is still involved with them, but is no longer part of the
group.)  I've worked a bit with Greg Hudson on mostly unrelated
issues.

I'm glad Nalin was able to find the solution for you!

I'll try to answer your other question about the mapping stuff, but my
memory is not what it used to be!

K.C.


On Thu, Mar 31, 2011 at 2:02 PM, Glenn Machin <gmachin at sandia.gov> wrote:
> Kevin, I sent this problem to you some time ago.   It turns out that it was
> an openssl and cms issue.
>
> This came across the Kerberos devel list
> http://mailman.mit.edu/pipermail/krb5-bugs/2011-January/008510.html
>
> I installed the patch and upgraded the openssl version that the Kerberos
> libraries would link to and it fixed the problem.
>
> I know I did not respond to you and I don't think I responded to the
> Kerberos list, but if you are still tied into the dev team for pkinit I
> figured you might want to know.
>
> Glenn
>
>
>
>
>
> On 12/18/10 6:45 PM, Machin, Glenn D wrote:
>>
>> Kevin, sorry to bother you, but since you authored a good part of the MIT
>> pkinit code I thought I would ask if you have seen this before.
>>
>> I am testing the Macosx 10.6 pkinit code
>> "/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C
>> KEYCHAIN: -D KEYCHAIN:"
>> with the 1.8.3 MIT KDC and the HSPD-12 PIV Card.  Note the MIT code
>> built on Macosx 10.6 works fine. The configuration supplied indicated
>> that it was primarily tested against Active Directory; however, since this
>> will be the Mac standard I wanted to make sure I could authenticate with
>> the MIT KDC.
>>
>> What is happening is that the MIT KDC is failing to process the
>> KRB5_PADATA_PK_AS_REQ request in the routine at
>> pkinit_server_verify_padata():
>>
>> 401            retval = cms_signeddata_verify(context, plgctx->cryptoctx
>>
>>
>>
>> The error returned is:
>> cms_signeddata_verify: failed to decode message: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>>
>>
>> Below is the stack trace:
>>
>> 401            retval = cms_signeddata_verify(context, plgctx->cryptoctx,
>>
>>> #0  pkinit_server_verify_padata (context=0x62b700, client=0x7fffffffe640,
>>>     req_pkt=0x7fffffffe7c0, request=0x652ce0, enc_tkt_reply=0x7fffffffe4b0,
>>>     data=0x65c060, server_get_entry_data=0x4142ca <get_entry_data>,
>>>     pa_plugin_context=0x630540, pa_request_context=0x64dbd8,
>>>     e_data=0x7fffffffe1d0, authz_data=0x7fffffffe1c8) at pkinit_srv.c:401
>>> #1  0x00000000004152c6 in check_padata (context=0x62b700,
>>>     client=0x7fffffffe640, req_pkt=0x7fffffffe7c0, request=0x652ce0,
>>>     enc_tkt_reply=0x7fffffffe4b0, padata_context=0x7fffffffe3c8,
>>>     e_data=0x7fffffffe410) at kdc_preauth.c:1206
>>> #2  0x0000000000406ef3 in process_as_req (request=0x652ce0,
>>>     req_pkt=0x7fffffffe7c0, from=0x65a890, response=0x65a8d8)
>>>     at do_as_req.c:511
>>> #3  0x0000000000406061 in dispatch (pkt=0x7fffffffe7c0, from=0x65a890,
>>>     response=0x65a8d8) at dispatch.c:99
>>> #4  0x000000000041dab9 in process_tcp_connection (conn=0x65a7c0, selflags=1)
>>>     at network.c:1617
>>> #5  0x000000000041db86 in service_conn (conn=0x65a7c0, selflags=1)
>>>     at network.c:1638
>>> #6  0x000000000041df02 in listen_and_process () at network.c:1729
>>> #7  0x000000000041a852 in main (argc=2, argv=0x7fffffffe998) at main.c:1022
>>
>>
>> I have attached the signed data being passed into the
>> cms_signeddata_verify().
>> When I run openssl pkcs7 -inform DER -in /tmp/kdc_signed_data
>>
>>> unable to load PKCS7 object
>>> 29930:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
>>> 29930:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=PKCS7_ISSUER_AND_SERIAL
>>> 29930:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=issuer_and_serial, Type=PKCS7_SIGNER_INFO
>>> 29930:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:710:Field=signer_info, Type=PKCS7_SIGNED
>>> 29930:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:
>>> 29930:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:578:Field=d.sign, Type=PKCS7
>>
>> Do you know of any issues with the Heimdal implementation of
>> KRB5_PADATA_PK_AS_REQ?
>>
>>
>>
>> Glenn
>>
>>
>
>
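
The `openssl pkcs7` trace in the forwarded message stops at ASN1_CHECK_TLEN with Field=issuer_and_serial inside PKCS7_SIGNER_INFO: the decoder reached the signer identifier of a SignerInfo and met a tag it does not know. The Python below is an added example, not code from the krb5, Heimdal or OpenSSL projects and not the packet that was attached to the thread. It walks a DER-encoded CMS SignedData and reports whether each SignerInfo carries IssuerAndSerialNumber (the only form PKCS#7, RFC 2315, allows) or subjectKeyIdentifier (the CMS-only form from RFC 5652), and reproduces the "wrong tag" condition when a PKCS#7-only reading is applied. That the Heimdal client used the subjectKeyIdentifier form is one explanation consistent with the trace, not something the thread establishes. The sample SignedData, including its zero-filled signature, the CN=Example CA issuer and the 20-byte key identifier, is constructed here for illustration.

```python
"""Walk a DER-encoded CMS SignedData and report how each SignerInfo names its
signer.  Constructed example, not krb5/Heimdal/OpenSSL code.

PKCS#7 only allows SignerInfo.sid = IssuerAndSerialNumber (a SEQUENCE, tag 0x30).
CMS also allows subjectKeyIdentifier, [0] IMPLICIT OCTET STRING (tag 0x80).
A PKCS#7 decoder that expects 0x30 and reads 0x80 fails with "wrong tag".
"""

SEQUENCE, SET, INTEGER, OCTET_STRING, OID, UTF8STRING = 0x30, 0x31, 0x02, 0x04, 0x06, 0x0C
CTX0_EXPLICIT = 0xA0        # [0] constructed: EXPLICIT wrapper
CTX0_IMPLICIT_PRIM = 0x80   # [0] primitive: IMPLICIT OCTET STRING
DER_NULL = b"\x05\x00"

# OID content bytes (tag and length omitted).
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 id-signedData
OID_SHA1 = bytes.fromhex("2b0e03021a")                 # 1.3.14.3.2.26 sha1
OID_RSA = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1 rsaEncryption
OID_PKINIT_AUTHDATA = bytes.fromhex("2b060105020301")  # 1.3.6.1.5.2.3.1 id-pkinit-authData
OID_CN = bytes.fromhex("550403")                       # 2.5.4.3 commonName

SID_KINDS = {SEQUENCE: "issuerAndSerialNumber", CTX0_IMPLICIT_PRIM: "subjectKeyIdentifier"}


def tlv(tag, payload):
    """DER-encode one tag/length/value, using long-form length above 127 bytes."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def read_tlv(buf, off):
    """Decode the TLV at buf[off]; return (tag, value, offset of the next TLV)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not used in CMS SignedData")
    off += 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or k > 4:            # indefinite length is BER, not DER
            raise ValueError("indefinite or oversized length")
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    if off + n > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[off:off + n], off + n


def children(payload):
    """Return [(tag, value), ...] for the TLVs inside a constructed value."""
    out, off = [], 0
    while off < len(payload):
        tag, val, off = read_tlv(payload, off)
        out.append((tag, val))
    return out


def signer_identifiers(der):
    """Return [(version, sid_kind), ...] for every SignerInfo in a SignedData.

    Raises ValueError naming the offending tag when a field is not what CMS
    allows, the structural analogue of OpenSSL's ASN1_CHECK_TLEN 'wrong tag'.
    """
    tag, content_info, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("ContentInfo must be a single SEQUENCE")
    (ct_tag, ct_oid), (c_tag, content) = children(content_info)
    if (ct_tag, ct_oid) != (OID, OID_SIGNED_DATA):
        raise ValueError("contentType is not id-signedData")
    if c_tag != CTX0_EXPLICIT:
        raise ValueError(f"content has tag 0x{c_tag:02x}, expected [0] EXPLICIT")
    sd_tag, signed_data = children(content)[0]
    if sd_tag != SEQUENCE:
        raise ValueError("SignedData is not a SEQUENCE")
    # version, digestAlgorithms, encapContentInfo, [certificates], [crls], signerInfos
    si_tag, signer_infos = children(signed_data)[-1]
    if si_tag != SET:
        raise ValueError("signerInfos is not a SET")
    result = []
    for tag, si in children(signer_infos):
        if tag != SEQUENCE:
            raise ValueError("SignerInfo is not a SEQUENCE")
        (v_tag, version), (sid_tag, _sid) = children(si)[:2]
        if v_tag != INTEGER:
            raise ValueError("SignerInfo.version is not an INTEGER")
        kind = SID_KINDS.get(sid_tag)
        if kind is None:
            raise ValueError(f"SignerInfo.sid has tag 0x{sid_tag:02x}: wrong tag")
        result.append((int.from_bytes(version, "big", signed=True), kind))
    return result


def pkcs7_compatible(der):
    """True when every signer uses IssuerAndSerialNumber, the only sid form a
    PKCS#7-only decoder such as `openssl pkcs7` can parse."""
    return all(kind == "issuerAndSerialNumber" for _, kind in signer_identifiers(der))


def sample_signed_data(use_skid):
    """Build a constructed SignedData (dummy signature, not verifiable)."""
    alg_sha1 = tlv(SEQUENCE, tlv(OID, OID_SHA1) + DER_NULL)
    alg_rsa = tlv(SEQUENCE, tlv(OID, OID_RSA) + DER_NULL)
    encap = tlv(SEQUENCE, tlv(OID, OID_PKINIT_AUTHDATA)
                + tlv(CTX0_EXPLICIT, tlv(OCTET_STRING, b"<AuthPack DER omitted>")))
    if use_skid:
        sid = tlv(CTX0_IMPLICIT_PRIM, bytes(range(20)))   # constructed 20-byte key id
        version = b"\x03"                                  # RFC 5652: v3 with subjectKeyIdentifier
    else:
        name = tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE, tlv(OID, OID_CN) + tlv(UTF8STRING, b"Example CA"))))
        sid = tlv(SEQUENCE, name + tlv(INTEGER, b"\x01"))  # IssuerAndSerialNumber, serial 1
        version = b"\x01"                                  # RFC 5652: v1 with issuerAndSerialNumber
    signer_info = tlv(SEQUENCE, tlv(INTEGER, version) + sid + alg_sha1 + alg_rsa
                      + tlv(OCTET_STRING, b"\x00" * 16))   # zero-filled dummy signature
    signed_data = tlv(SEQUENCE, tlv(INTEGER, version) + tlv(SET, alg_sha1) + encap
                      + tlv(SET, signer_info))
    return tlv(SEQUENCE, tlv(OID, OID_SIGNED_DATA) + tlv(CTX0_EXPLICIT, signed_data))


if __name__ == "__main__":
    for use_skid in (False, True):
        der = sample_signed_data(use_skid)
        print(signer_identifiers(der), "PKCS#7-parsable:", pkcs7_compatible(der))
```

To inspect a captured blob such as the /tmp/kdc_signed_data file mentioned above, `openssl cms -inform DER -cmsout -print -in /tmp/kdc_signed_data` uses OpenSSL's CMS decoder, which accepts both signer identifier forms, whereas `openssl pkcs7` accepts only the PKCS#7 one; comparing the two outputs on the same file shows whether the sid encoding is what the PKCS#7 path is choking on.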




