PKINIT with PA-PK-AS-REQ_OLD fails with ASN1_CHECK_TLEN:wrong tag

Jacques Henry caramba696 at gmail.com
Wed Feb 1 11:26:01 EST 2017


Hello,

I am using kinit (krb5-1.15) from an Ubuntu 14.04 64-bit machine using a smartcard
in a PINPAD reader.

The KDC is an Active Directory Windows 2012 R2.

If I enter the PIN code correctly the first time, it works like a charm.
However, if I try again (after a kdestroy) by entering a wrong PIN the first
time it is asked, and then use the correct PIN the second time, it
fails with the following error: ASN1_CHECK_TLEN:wrong tag

Indeed, the first preauth type which is used is 16 (PA-PK-AS-REQ). The
second preauth type is then 14 (PA-PK-AS-REQ_OLD) and that doesn't work.

Below is the debug output. The first time I entered a wrong PIN (C_Sign:
function failed), but the second time the PIN is correct and it fails (PKCS7
Verification Failure).

Thanks

[...]
pkinit_as_req_create pa_type = 16
[10632] 1485952709.555986: PKINIT client making DH request
as_req: DH key transport algorithm
Warning: dh_check failed with 8
the g value is not a generator
building certificate chain
size of certificate chain = 4
cert #0: /C=FR/O=MYO/OU=0002 110014016/CN=JACQUES
cert #1: /C=FR/O=MYO/OU=0002 110014016/CN=AC
cert #2: /C=FR/O=MYO/OU=0002 110014016/CN=AC RACINE MYO
mech = CKM_RSA_PKCS
found 1 private keys (ok)
C_Sign: function failed
failed to create pkcs7 signed data
pkinit_as_req_create retval=-1765328360
error -1765328360 on pkinit_as_req_create; aborting PKINIT
pkinit_client_process: returning -1765328360 (Preauthentication failed)
[10632] 1485952721.907102: Preauth module pkinit (16) (real) returned:
-1765328360/Preauthentication failed
pkinit_client_process 0x1b010f0 0x1b015e0 0x1b245e0 0x1b01e30
processing KRB5_PADATA_PK_AS_REQ_OLD
pkinit_client_profile 0x1b010f0 0x1b015e0 0x1b245e0 0x1b248d8
kdc_options = 0x50000010  till = 1486039105
[10632] 1485952721.907243: PKINIT client computed kdc-req-body checksum
9/168FCD9B84D3A5345ED38FCA7FADB9A24F4D79B7
pkinit_as_req_create pa_type = 14
[10632] 1485952721.907264: PKINIT client making RSA request
as_req: RSA key transport algorithm
building certificate chain
size of certificate chain = 4
cert #0: /C=FR/O=MYO/OU=0002 110014016/CN=JACQUES
cert #1: /C=FR/O=MYO/OU=0002 110014016/CN=AC
cert #2: /C=FR/O=MYO/OU=0002 110014016/CN=AC RACINE MYO
mech = CKM_RSA_PKCS
found 1 private keys (ok)
sign 35 -> 256
pkinit_as_req_create retval=0
pkinit_client_process: returning 0 (Unknown code 0)
[10632] 1485952735.153607: Preauth module pkinit (14) (real) returned:
0/Success
[10632] 1485952735.153627: Produced preauth for next request: 15, 132
[10632] 1485952735.153755: Sending request (5779 bytes) to AC.INT
[10632] 1485952735.153807: Resolving hostname 10.10.10.10
[10632] 1485952735.153969: Initiating TCP connection to stream
10.10.10.10:88
[10632] 1485952735.154331: Sending TCP request to stream 10.10.10.10:88
[10632] 1485952735.223112: Received answer (8990 bytes) from stream
10.10.10.10:88
[10632] 1485952735.223142: Terminating TCP connection to stream
10.10.10.10:88
[10632] 1485952735.223218: Response was from master KDC
[10632] 1485952735.223288: Processing preauth types: 15
pkinit_client_prep_questions: no questions to ask
pkinit_client_prep_questions returning 0
pkinit_client_process 0x1b010f0 0x1b015e0 0x1b245e0 0x1b01e30
processing KRB5_PADATA_PK_AS_REP_OLD
as_rep: RSA key transport algorithm
found 1 private keys (ok)
data_len = 256
session 0xaf9f9fff edata 0x1b59b80 edata_len 256 data 0x1b4ee70 datalen
@0x7ffff4b10968 256
pData 0x1b4ee70 *pulDataLen 5
decrypt 256 -> 5
PKCS7 decryption successful
[10632] 1485952735.754914: PKINIT OpenSSL error: Failed to decode CMS
message
[10632] 1485952735.754944: PKINIT OpenSSL error: error:0D0680A8:asn1
encoding routines:ASN1_CHECK_TLEN:wrong tag
[10632] 1485952735.754966: PKINIT OpenSSL error: error:0D07803A:asn1
encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
PKCS7 Verification Failure
failed to verify pkcs7 enveloped data
[10632] 1485952735.755014: PKINIT client could not verify RSA reply
pkinit_as_rep_parse returning -1765328360 (Preauthentication failed)
pkinit_as_rep_parse returned -1765328360 (Preauthentication failed)
pkinit_client_process: returning -1765328360 (Preauthentication failed)
[10632] 1485952735.755070: Preauth module pkinit (15) (real) returned:
-1765328360/Failed to decode CMS message: wrong tag
pkinit_client_req_fini: received reqctx at 0x1b245e0
pkinit_fini_req_crypto: freeing ctx at 0x1b24660
pkinit_fini_identity_crypto: freeing ctx at 0x1b24680
kinit: Preauthentication failed while getting initial credentials
pkinit_client_plugin_fini: got plgctx at 0x1b015e0
pkinit_fini_plg_crypto: freeing context at 0x1b23370
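To make the preauth sequence in a trace like the one above easier to read, here is a small added helper that is not part of the post or of krb5: it parses the `Preauth module ... returned:` records from KRB5_TRACE output and reports the fallback from PA-PK-AS-REQ (16) to PA-PK-AS-REQ_OLD (14) and the rejected PA-PK-AS-REP_OLD (15) reply. The sample trace is constructed from the lines above with the mail-wrapped records re-joined onto single lines; the padata type names are the RFC 4556 values.

```python
import re
from typing import Dict, List

# Constructed sample: the trace records from the post above, with the lines
# that the mail client wrapped re-joined so each "returned:" entry is one line.
SAMPLE_TRACE = """\
[10632] 1485952709.555986: PKINIT client making DH request
[10632] 1485952721.907102: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
[10632] 1485952721.907264: PKINIT client making RSA request
[10632] 1485952735.153607: Preauth module pkinit (14) (real) returned: 0/Success
[10632] 1485952735.153627: Produced preauth for next request: 15, 132
[10632] 1485952735.223288: Processing preauth types: 15
[10632] 1485952735.755070: Preauth module pkinit (15) (real) returned: -1765328360/Failed to decode CMS message: wrong tag
"""

# PKINIT padata type numbers: 16/17 from RFC 4556, 14/15 are the pre-RFC "_OLD" values.
PA_NAMES = {14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD", 16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP"}

RESULT_RE = re.compile(
    r"^\[\d+\] (?P<ts>\d+\.\d+): Preauth module (?P<mod>\w+) \((?P<pa>\d+)\) "
    r"\((?P<kind>\w+)\) returned: (?P<code>-?\d+)/(?P<msg>.*)$"
)

def parse_preauth_results(trace: str) -> List[Dict]:
    """Extract every 'Preauth module ... returned' record from KRB5_TRACE output."""
    out = []
    for line in trace.splitlines():
        m = RESULT_RE.match(line)
        if m:
            out.append({"ts": float(m["ts"]), "module": m["mod"], "pa": int(m["pa"]),
                        "code": int(m["code"]), "msg": m["msg"]})
    return out

def diagnose(results: List[Dict]) -> List[str]:
    """Describe the PKINIT preauth sequence: which types were tried and how each ended."""
    findings = []
    for i, r in enumerate(results):
        if r["module"] != "pkinit":
            continue
        name = PA_NAMES.get(r["pa"], "unknown")
        # A failed DH request (16) immediately followed by a type-14 attempt is the fallback.
        if r["pa"] == 16 and r["code"] != 0:
            nxt = results[i + 1] if i + 1 < len(results) else None
            if nxt and nxt["pa"] == 14:
                findings.append("PA-PK-AS-REQ (16) failed (%s); client fell back to "
                                "PA-PK-AS-REQ_OLD (14)" % r["msg"])
        # A non-zero result for 15 means the KDC's old-style reply could not be used.
        elif r["pa"] == 15 and r["code"] != 0:
            findings.append("KDC reply %s (15) rejected: %s" % (name, r["msg"]))
    return findings
```

Run it over a full KRB5_TRACE file (with the log lines unwrapped) to get the same two findings that the post describes.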

