[krbdev.mit.edu #7062] PKINIT pa_pk_as_req_draft9 encoding issues

Greg Hudson via RT rt-comment at krbdev.mit.edu
Sat Feb 11 00:29:41 EST 2012


The PKINIT client code sets the signedAuthPack and kdcCert fields in 
draft9 requests before encoding a draft9 PA-PK-AS-REQ.  It contains code 
to set the trustedCertifiers field (using, I think, the caName 
alternative), but it is #if'd out with the comment "W2K3 KDC doesn't like 
this".  There is no code to set the encryptionCert field.

The PKINIT server code (if it was ever tested against Microsoft clients) 
only appears to care about the signedAuthPack field of a draft9 request.

Heimdal only ever sets the signedAuthPack field when encoding, and never 
attempts to decode a draft9 PA-PK-AS-REQ.  So the apparently shifted 
fields in the Heimdal ASN.1 module probably aren't significant.


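The field layout the message is discussing, as an added worked example (not MIT krb5 or Heimdal code): a small DER encoder and KDC-side decoder for the draft-9 PA-PK-AS-REQ. It assumes the tagging of draft-ietf-cat-kerberos-pk-init-09 (signedAuthPack [0], kdcCert [2] and encryptionCert [3] IMPLICIT OCTET STRING; trustedCertifiers [1] and the caName CHOICE alternative EXPLICIT), and every sample byte string in it is constructed, not captured traffic. The encoder can emit the signedAuthPack-only form Heimdal sends, the signedAuthPack plus kdcCert form MIT sends, and the caName trustedCertifiers path that MIT has #if'd out; the decoder takes signedAuthPack as mandatory and merely tolerates the optional fields, while rejecting trailing data and misordered fields.

```python
# Added example, not MIT krb5 or Heimdal code.  Tag assignments are an
# assumption taken from draft-ietf-cat-kerberos-pk-init-09; sample bytes
# below are constructed stand-ins, not real CMS or X.509 structures.

SEQUENCE, SET, OID, PRINTABLE_STRING = 0x30, 0x31, 0x06, 0x13
TAG_SIGNED_AUTH_PACK = 0x80    # [0] IMPLICIT OCTET STRING (primitive)
TAG_TRUSTED_CERTIFIERS = 0xA1  # [1] EXPLICIT SEQUENCE OF TrustedCas
TAG_KDC_CERT = 0x82            # [2] IMPLICIT OCTET STRING
TAG_ENCRYPTION_CERT = 0x83     # [3] IMPLICIT OCTET STRING
TAG_CA_NAME = 0xA1             # TrustedCas CHOICE: caName [1] Name
FIELD_ORDER = {TAG_SIGNED_AUTH_PACK: "signedAuthPack",
               TAG_TRUSTED_CERTIFIERS: "trustedCertifiers",
               TAG_KDC_CERT: "kdcCert",
               TAG_ENCRYPTION_CERT: "encryptionCert"}


def der_len(n):
    """DER definite length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_read_tlv(buf, pos):
    """Parse the TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln


def encode_pa_pk_as_req_draft9(signed_auth_pack, ca_names=(), kdc_cert=None,
                               encryption_cert=None):
    """Client side.  signed_auth_pack: DER CMS ContentInfo; ca_names: DER
    X.509 Names for the caName alternative; kdc_cert / encryption_cert:
    DER IssuerAndSerialNumber.  Only the first argument is mandatory."""
    body = der_tlv(TAG_SIGNED_AUTH_PACK, signed_auth_pack)
    if ca_names:
        cas = b"".join(der_tlv(TAG_CA_NAME, n) for n in ca_names)
        body += der_tlv(TAG_TRUSTED_CERTIFIERS, der_tlv(SEQUENCE, cas))
    if kdc_cert is not None:
        body += der_tlv(TAG_KDC_CERT, kdc_cert)
    if encryption_cert is not None:
        body += der_tlv(TAG_ENCRYPTION_CERT, encryption_cert)
    return der_tlv(SEQUENCE, body)


def decode_pa_pk_as_req_draft9(buf):
    """KDC side.  signedAuthPack is required; the optional fields are
    accepted and returned so a KDC that only needs signedAuthPack can
    ignore them.  Rejects trailing data, unknown tags, repeats, misorder."""
    tag, seq, end = der_read_tlv(buf, 0)
    if tag != SEQUENCE or end != len(buf):
        raise ValueError("PA-PK-AS-REQ must be a single SEQUENCE")
    order, fields, last, pos = list(FIELD_ORDER), {}, -1, 0
    while pos < len(seq):
        tag, val, pos = der_read_tlv(seq, pos)
        if tag not in FIELD_ORDER:
            raise ValueError("unexpected tag 0x%02x" % tag)
        if order.index(tag) <= last:
            raise ValueError("%s repeated or out of order" % FIELD_ORDER[tag])
        last = order.index(tag)
        fields[FIELD_ORDER[tag]] = val
    if "signedAuthPack" not in fields:
        raise ValueError("signedAuthPack is mandatory")
    if "trustedCertifiers" in fields:
        tag, cas, end = der_read_tlv(fields["trustedCertifiers"], 0)
        if tag != SEQUENCE or end != len(fields["trustedCertifiers"]):
            raise ValueError("trustedCertifiers is not a SEQUENCE OF")
        out, pos = [], 0
        while pos < len(cas):
            tag, val, pos = der_read_tlv(cas, pos)
            if tag not in (0xA0, 0xA1, 0xA2):  # principalName/caName/issuerAndSerial
                raise ValueError("bad TrustedCas choice 0x%02x" % tag)
            out.append((tag, val))
        fields["trustedCertifiers"] = out
    return fields


def rejects(buf):
    """True if the KDC-side decoder refuses buf."""
    try:
        decode_pa_pk_as_req_draft9(buf)
    except ValueError:
        return True
    return False


# Constructed sample input: a stand-in for the CMS ContentInfo, a one-RDN
# X.509 Name (CN=Test CA), and an empty stand-in IssuerAndSerialNumber.
SAMPLE_SIGNED_AUTH_PACK = der_tlv(SEQUENCE, b"\x02\x01\x00")
SAMPLE_CA_NAME = der_tlv(SEQUENCE, der_tlv(SET, der_tlv(SEQUENCE,
    der_tlv(OID, b"\x55\x04\x03") + der_tlv(PRINTABLE_STRING, b"Test CA"))))
SAMPLE_KDC_CERT = b"\x30\x00"


def minimal_request():
    """signedAuthPack only, the shape Heimdal's encoder produces."""
    return encode_pa_pk_as_req_draft9(SAMPLE_SIGNED_AUTH_PACK)


def full_request():
    """signedAuthPack + caName trustedCertifiers + kdcCert."""
    return encode_pa_pk_as_req_draft9(SAMPLE_SIGNED_AUTH_PACK,
                                      ca_names=[SAMPLE_CA_NAME],
                                      kdc_cert=SAMPLE_KDC_CERT)
```

Both request shapes decode to the same signedAuthPack; the kdcCert and trustedCertifiers values ride along as opaque DER, which is all a KDC that only reads signedAuthPack needs. Any change to the draft-9 tag numbers (for instance treating [1] as implicit) would make the two sides disagree, which is exactly the kind of mismatch the message is worrying about when it mentions shifted fields.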