Kerberos reference messages for testing
Greg Hudson
ghudson at mit.edu
Thu Jan 19 11:31:50 EST 2017

On 01/17/2017 08:42 AM, Turner, Jonathan wrote:
> I am working on implementing Kerberos for the client and service sides in
> golang. As part of this I'm looking to implement tests against some
> reference Kerberos messages to ensure I am parsing and decrypting them
> correctly. I have been unable to find any suitable references to test
> against.

Unfortunately, most of the Kerberos RFCs do not include reference
encodings, except in the RFC 3961 crypto framework. This omission has
come at some cost; for instance, we had to reissue RFC 4402 (which
specifies gss_pseudo_random()) as RFC 7802, because neither of the two
implementations correctly filled in the counter block--and for a while
they weren't consistent with each other either.

src/tests/asn.1 in the krb5 tree does include some reference encodings,
a small subset of which were independently produced using asn1c (via
make-vectors.c). These references are designed only to test individual
ASN.1 encoders and decoders, and often include garbage values which
wouldn't be seen on the wire. For example, if an ASN.1 type includes an
EncryptedData element, we might fill in "krbASN.1 test message" in that
element instead of a valid RFC 3961 token.

Microsoft has a pretty extensive MS-KILE test suite which has been tried
against some non-Microsoft KDC implementations, but unfortunately I
don't remember any details of how it was made available or whether it
includes reference messages. I can make some inquiries if that's of
interest to you.

You might be able to produce your own reference encodings using packet
captures, if you can set up the desired conditions.
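
Added example, not part of the original message and not code from krb5 or any other project: a Go implementation of the RFC 3961 n-fold operation checked against test vectors from that RFC's Appendix A.1, the one place the reply says reference values exist. The names nfold, vectors and failedVectors are chosen here for illustration.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// nfold is RFC 3961 section 5.1 n-fold for whole bytes: copies of in, each rotated
// right 13 bits further, fill lcm bytes and are summed with end-around carry.
func nfold(in []byte, outLen int) []byte {
	n := len(in)
	a, b := outLen, n
	for b != 0 {
		a, b = b, a%b
	}
	lcm := outLen * n / a // a is gcd(outLen, n)
	out, carry := make([]byte, outLen), 0
	for i := lcm - 1; i >= 0; i-- {
		// msbit locates the input bits that land in byte i of the rotated stream.
		msbit := ((n*8 - 1) + (n*8+13)*(i/n) + (n-i%n)*8) % (n * 8)
		pair := int(in[(n-1-(msbit>>3))%n])<<8 | int(in[(n-(msbit>>3))%n])
		carry += ((pair >> uint((msbit&7)+1)) & 0xff) + int(out[i%outLen])
		out[i%outLen] = byte(carry)
		carry >>= 8
	}
	for i := outLen - 1; carry != 0 && i >= 0; i-- { // fold the final carry back in
		carry += int(out[i])
		out[i] = byte(carry)
		carry >>= 8
	}
	return out
}

// Subset of the RFC 3961 Appendix A.1 n-fold test vectors.
var vectors = []struct{ in string; bits int; want string }{
	{"012345", 64, "be072631276b1955"},
	{"password", 56, "78a07b6caf85fa"},
	{"kerberos", 128, "6b65726265726f737b9b5b2b93132b93"},
}

// failedVectors describes every vector nfold gets wrong; empty means all pass.
func failedVectors() (bad []string) {
	for _, v := range vectors {
		if got := hex.EncodeToString(nfold([]byte(v.in), v.bits/8)); got != v.want {
			bad = append(bad, fmt.Sprintf("%d-fold(%q) = %s, want %s", v.bits, v.in, got, v.want))
		}
	}
	return bad
}
func main() { fmt.Println("failed vectors:", failedVectors()) }
```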