PKINIT with PA-PK-AS-REQ_OLD fails with ASN1_CHECK_TLEN:wrong tag

Greg Hudson ghudson at mit.edu
Thu Feb 2 11:22:38 EST 2017


On 02/02/2017 06:04 AM, Jacques Henry wrote:
> When talking to the draft9 are you referring to this?
> https://tools.ietf.org/html/draft-ietf-cat-kerberos-pk-init-09

Yes.  Microsoft implemented this version of PKINIT and shipped it in
Windows 2000, Windows XP, and Server 2003.  Later versions of Windows
software implement both the draft 9 version of PKINIT and the final version.

> Indeed, I don't understand this fallback for a wrong PIN.

It's an accident of how preauth is performed.  The KDC offers both
PKINIT mechanisms and our preauth framework tries them in order.  The
framework does not know that the two mechanisms are different versions
of the same standard, or that the client-side failure from the first
module was due to incorrect user input.

I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8544 about this
incorrect fallback.  A conservative fix should be pretty simple.

> I have activated the DEBUG_ASN1 flag so I get up with the following file:
> /tmp/client_received_pkcs7_signeddata

If you send me that file as an attachment (no need to cc the list), I
can have a look.
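To illustrate the fallback Greg describes above (the client preauth framework walking the KDC's offered pa-types in order, unaware that 14 and 16 are two versions of one mechanism or that the first failure was a wrong PIN), here is a small constructed model of that loop beside a conservative alternative. This is an added example and not MIT krb5 code; the module, the error classes and the grouping of pa-types into one mechanism are assumptions for illustration. The pa-type numbers are the real ones: PA-PK-AS-REQ_OLD is 14 (draft 9) and PA-PK-AS-REQ is 16 (RFC 4556).

```python
# Constructed model of a client-side preauth loop; not MIT krb5 code.
PA_PK_AS_REQ_OLD = 14  # draft-ietf-cat-kerberos-pk-init-09 (Windows 2000/XP/2003)
PA_PK_AS_REQ = 16      # RFC 4556 PKINIT

# Hypothetical grouping: pa-types that are versions of the same mechanism.
SAME_MECHANISM = ({PA_PK_AS_REQ_OLD, PA_PK_AS_REQ},)


class UserInputError(Exception):
    """Client-side failure caused by the user, e.g. a wrong smart-card PIN."""


class ModuleError(Exception):
    """Any other client-side failure of a preauth module."""


def pkinit_module(pa_type, pin, correct_pin="1234"):
    """Hypothetical PKINIT module: both versions need the PIN before they can sign.

    Returns a placeholder padata string on success; raises on failure.
    """
    if pin != correct_pin:
        raise UserInputError(f"wrong PIN while building pa-type {pa_type}")
    return f"PA-DATA({pa_type})"


# Hypothetical registry: the same module serves both pa-types, as in the report.
MODULES = {PA_PK_AS_REQ_OLD: pkinit_module, PA_PK_AS_REQ: pkinit_module}


def run_preauth_naive(offered, modules, pin):
    """Try each offered pa-type in order; any failure falls through to the next.

    Returns (pa_types_attempted, padata_or_None).  A wrong PIN against
    pa-type 16 silently leads to a second attempt with draft-9 pa-type 14.
    """
    attempted = []
    for pa_type in offered:
        if pa_type not in modules:
            continue
        attempted.append(pa_type)
        try:
            return attempted, modules[pa_type](pa_type, pin)
        except (UserInputError, ModuleError):
            continue
    return attempted, None


def run_preauth_conservative(offered, modules, pin, same_mech=SAME_MECHANISM):
    """Stop on user-input errors; skip other versions of a mechanism that failed.

    Same return shape as run_preauth_naive.  This is one possible shape of a
    conservative fix, not the change made for the ticket mentioned above.
    """
    attempted = []
    failed_groups = []
    for pa_type in offered:
        if pa_type not in modules or any(pa_type in g for g in failed_groups):
            continue
        attempted.append(pa_type)
        try:
            return attempted, modules[pa_type](pa_type, pin)
        except UserInputError:
            # The user got the PIN wrong: retrying a sibling version would only
            # re-prompt or produce a confusing secondary error.
            return attempted, None
        except ModuleError:
            failed_groups.extend(g for g in same_mech if pa_type in g)
    return attempted, None


if __name__ == "__main__":
    offered = [PA_PK_AS_REQ, PA_PK_AS_REQ_OLD]  # order the KDC advertises them
    print("naive, wrong PIN:       ", run_preauth_naive(offered, MODULES, "0000"))
    print("conservative, wrong PIN:", run_preauth_conservative(offered, MODULES, "0000"))
    print("conservative, right PIN:", run_preauth_conservative(offered, MODULES, "1234"))
```

With a wrong PIN the naive loop records attempts on both 16 and 14, which is the fallback observed in the report; the conservative loop stops after 16. With the right PIN both succeed on the first pa-type and never touch the draft-9 path.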


More information about the Kerberos mailing list