Kerberos reference messages for testing
Turner, Jonathan
jt at jtnet.co.uk
Fri Jan 20 04:34:58 EST 2017
Greg,
Thank you for your response. After a quick look at src/tests/asn.1 I think
this will be very helpful for me to test my encoding and decoding. I am
also generating some packet captures to test against as you suggest. This
should be plenty for now for me to get started with. Thank you for your
offer to inquire about the MS-KILE test suite, I think I'll see how I get
on with the src/tests/asn.1 and the captures first before looking into this.
Thank you again for your help,
Jonathan
On 19 January 2017 at 16:31, Greg Hudson <ghudson at mit.edu> wrote:
> On 01/17/2017 08:42 AM, Turner, Jonathan wrote:
> > I am working on implementing kerberos for the client and service sides in
> > golang. As part of this I'm looking to implement tests against some
> > reference kerberos messages to ensure I am parsing and decrypting them
> > correctly. I have been unable to find any suitable references to test
> > against.
>
> Unfortunately, most of the Kerberos RFCs do not include reference
> encodings, except in the RFC 3961 crypto framework. This omission has
> come at some cost; for instance, we had to reissue RFC 4402 (which
> specifies gss_pseudo_random()) as RFC 7802, because neither of the two
> implementations correctly filled in the counter block--and for a while
> they weren't consistent with each other either.
>
> src/tests/asn.1 in the krb5 tree does include some reference encodings,
> a small subset of which were independently produced using asn1c (via
> make-vectors.c). These references are designed only to test individual
> ASN.1 encoders and decoders, and often include garbage values which
> wouldn't be seen on the wire. For example, if an ASN.1 type includes an
> EncryptedData element, we might fill in "krbASN.1 test message" in that
> element instead of a valid RFC 3961 token.
>
> Microsoft has a pretty extensive MS-KILE test suite which has been tried
> against some non-Microsoft KDC implementations, but unfortunately I
> don't remember any details of how it was made available or whether it
> includes reference messages. I can make some inquiries if that's of
> interest to you.
>
> You might be able to produce your own reference encodings using packet
> captures, if you can set up the desired conditions.
>
>
More information about the Kerberos
mailing list