[krbdev.mit.edu #7596] PKINIT should allow missing DH param Q

Tom Yu via RT rt-comment at krbdev.mit.edu
Mon Apr 1 17:27:52 EDT 2013


"Reinhard Kugler via RT" <rt-comment at krbdev.mit.edu> writes:

> pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> client sent dh params with 1024 bits, we require 2048

The above looks like a possible configuration problem.  For some
reason, the Windows 7 client is sending 1024 bits, while the KDC
requires 2048 bits.

> bad dh parameters
> pkinit_verify_padata failed: creating e-data
> pkinit_create_edata: creating edata for error -1765328319 (Key
> parameters not accepted)
> pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
> pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
> pkinit_verify_padata: entered!
> pkinit_find_realm_context: returning context at 0x1df1790 for realm
> 'kerberos.3ve.bmlv.at'
> pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> p is not well-known group 2 dhparameter
> good 2048 dhparams

Is the above also from the same Windows 7 client during the same
authentication attempt?
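For readers following the log, this is a KDC-side version of the parameter check it is exercising, written here as an added example (not MIT krb5 code): the minimum-bit-length test comes first, then primality and subgroup checks, and when the client omits q (the case in this ticket's title) q is derived as (p-1)/2 for a safe-prime group instead of being rejected outright. The group 2 prime is the RFC 2409 constant; the function names, acceptance policy and message strings are assumptions.

```python
import random

# RFC 2409 "group 2": 1024-bit MODP safe prime, generator 2 (public constant).
MODP_GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
WELL_KNOWN = {MODP_GROUP2_P: "well-known group 2"}


def is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for checking parameters a peer sent."""
    if n < 4:
        return n > 1
    if any(n % s == 0 for s in (2, 3, 5, 7, 11, 13)):
        return n in (5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p, g, q=None, min_bits=2048):
    """KDC-side acceptance test for client DH parameters (p, g, optional q).
    Returns (accepted, reason, q_used), where q_used is the client's q or the
    value derived from p when the client omitted it (assumed policy)."""
    bits = p.bit_length()
    if bits < min_bits:   # cheapest test first, mirroring the log's first rejection
        return False, f"client sent dh params with {bits} bits, we require {min_bits}", q
    if q is None:         # missing Q: treat p as a safe prime and derive q
        q = (p - 1) // 2
    if q < 2 or (p - 1) % q or not is_probable_prime(q) or not is_probable_prime(p):
        return False, "bad dh parameters: p or q not prime, or q does not divide p-1", q
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        return False, "bad dh parameters: g does not generate the order-q subgroup", q
    group = WELL_KNOWN.get(p, "p is not a well-known group")
    return True, f"good {bits} dhparams ({group})", q
```

With the default `min_bits=2048`, the group 2 parameters from the first attempt in the log are refused on length alone; lowering the requirement to 1024 lets the same p through with q derived from it.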


