PKINIT with PA-PK-AS-REQ_OLD fails with ASN1_CHECK_TLEN:wrong tag

Greg Hudson ghudson at mit.edu
Wed Feb 1 13:56:23 EST 2017


On 02/01/2017 11:26 AM, Jacques Henry wrote:
> I am using kinit (krb5-1.15) from an Ubuntu 14.04 64-bit using a smartcard
> in a PINPAD reader.
> 
> The KDC is an Active Directory Windows 2012 R2.
> 
> If I enter the PIN code correctly the first time, it works like a charm.

I'm glad to hear that, since we don't do frequent PKINIT
interoperability testing between MIT krb5 and Active Directory.

> However, if I try again (after a kdestroy) by entering a wrong PIN the first
> time it is asked and then use the correct PIN the second time, it
> fails with the following error: ASN1_CHECK_TLEN:wrong tag

There are two problems here:

1. The old draft9 support isn't intended to be used as a wrong-PIN
fallback; it is only there for interoperability with old PKINIT
implementations.  It might be time to remove that support, since Windows
Server 2003 hit the end of its extended support life in 2015.

2. We can't decode the Windows PKINIT reply due to some ASN.1 tagging issue.

To debug the second problem, I would need a packet capture of the AS-REP
from the Windows KDC.  But it's also not likely to be a high priority
for me because of the first issue, so if it isn't convenient to get that
information, it probably isn't worth a lot of effort.
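As an added illustration, not taken from this thread or from the krb5 sources, the following Python shows what an ASN1_CHECK_TLEN-style "wrong tag" failure means at the DER level: the decoder reads the next element's tag and length and aborts when the tag is not the one the schema expects, which is what happens when the two sides disagree about EXPLICIT versus IMPLICIT context tagging (or about which context tag a field carries). The byte strings are constructed for the example and do not reproduce the actual Windows AS-REP.

```python
# Minimal DER TLV reader illustrating how an ASN.1 decoder produces a
# "wrong tag" error of the kind krb5's ASN1_CHECK_TLEN reports.
# Added example with constructed bytes; not a real PKINIT reply.

class WrongTag(Exception):
    """Raised when the next element's tag is not the expected one."""

def read_tlv(buf, pos=0):
    """Parse one DER element at buf[pos] and return
    (tag, constructed, value, next_pos).
    Handles tag numbers < 31 and lengths < 2**24, enough for this illustration."""
    tag = buf[pos]
    constructed = bool(tag & 0x20)
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, constructed, buf[pos:pos + length], pos + length

def check_tlen(buf, pos, expected_tag):
    """Check-tag-and-length step: the element at pos must carry expected_tag,
    otherwise fail and report the tag actually seen."""
    tag, _constructed, value, nxt = read_tlv(buf, pos)
    if tag != expected_tag:
        raise WrongTag(f"wrong tag: expected 0x{expected_tag:02x}, got 0x{tag:02x}")
    return value, nxt

# Constructed sample: an OCTET STRING "abc" carried under context tag [0].
OCTET = bytes([0x04, 0x03]) + b"abc"
EXPLICIT_0 = bytes([0xA0, len(OCTET)]) + OCTET   # [0] EXPLICIT: wraps the whole OCTET STRING
IMPLICIT_0 = bytes([0x80, 0x03]) + b"abc"        # [0] IMPLICIT: replaces the OCTET STRING tag

def decode_explicit(buf):
    """Decoder written for '[0] EXPLICIT OCTET STRING': unwrap [0], then expect 0x04."""
    inner, _ = check_tlen(buf, 0, 0xA0)
    value, _ = check_tlen(inner, 0, 0x04)
    return value

def try_decode(buf):
    """Return the decoded string, or the decoder's error text on a tag mismatch."""
    try:
        return decode_explicit(buf).decode()
    except WrongTag as e:
        return str(e)
```

Feeding `IMPLICIT_0` (or an element tagged [1] instead of [0]) to `decode_explicit` fails with the tag it saw, which is the kind of detail a packet capture of the AS-REP would let you compare against the RFC 4556 module.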

