PKINIT AS-REP "Invalid Signature" (was : PKINIT and -nokey principal addition (krb5-1.13))
smathur at blackbuck.mobi
Thu Jan 8 20:23:29 EST 2015
Hi Greg and others,
As suggested, I used a desktop Kerberos client (v1.13) to talk PKINIT
to the v1.13 server, and now observe the following "Invalid Signature"
in AS-REP signature verification. Any suggestions on to debug this
Interestingly, the CMS_VERIFY() error code from OpenSSL's API varies
between 132 and 106 if I change the principal argument 197f67 to the
form 197f67 at FASTAH.MOBI
kinit -V -X X509_user_identity=FILE:$HOME/client-pkinit-publicKey.pem,$HOME/client-pkinit-privateKey.pem
-X X509_anchors=FILE:$HOME/cert.pem 197f67
pkinit_client_process: returning 0 (Unknown code 0)
pkinit_client_prep_questions: no questions to ask
pkinit_client_prep_questions returning 0
pkinit_client_process 0x2147120 0x214b1a0 0x2166710 0x2176500
as_rep: DH key transport algorithm
untrusted cert chain of size 1
cert #0: /C=US/ST=DE/L=Dover/O=Blackbuck Computing Inc/OU=Technical
Operations/CN=Blackbuck Computing Inc.
trusted cert chain of size 1
cert #0: /CN=Blackbuck Computing Inc CA v5/O=Blackbuck Computing
Operations/ST=DE/C=US/L=Dover/emailAddress=privacy at blackbuck.mobi
CMS_VERIFY error 132
CMS Verification failure
failed to verify pkcs7 signed data
pkinit_as_rep_parse returning -1765328320 (Invalid signature)
pkinit_as_rep_parse returned -1765328320 (Invalid signature)
pkinit_client_process: returning -1765328320 (Invalid signature)
pkinit_client_req_fini: received reqctx at 0x2166710
pkinit_fini_req_crypto: freeing ctx at 0x216a6a0
Thanks for any assistance!
On Tue, Jan 6, 2015 at 12:09 AM, Siddharth Mathur
<smathur at blackbuck.mobi> wrote:
>> It might help to try deploying to a regular Unix client, to help
>> distinguish between client-side issues with the iOS Kerberos
>> implementation (which I'm not very familiar with) and server-side issues.
> Thanks for debugging tips Greg, will try them out ASAP and report back.
> Overall, does what I am trying sounds achievable? No passwords even at
> the first login, and exclusive use of client certificates?
> Thanks, and hope the new year goes well for you!
More information about the Kerberos