[krbdev.mit.edu #7596] PKINIT should allow missing DH param Q

Reinhard Kugler via RT rt-comment at krbdev.mit.edu
Fri Mar 29 05:08:04 EDT 2013


Thank you!
I applied the patch to the krb-1.11.1 source, compiled pkinit and installed it.
Unfortunately the test was not successful.
The client shows the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED.
But the log output of krbkdc changed:

crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
bad group 2 q dhparameter
p is not well-known group 2 dhparameter
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0xd5ce50
pkinit_fini_req_crypto: freeing   ctx at 0xd560e0
pkinit_fini_identity_crypto: freeing   ctx at 0xd40640
pkinit_fini_plg_crypto: freeing context at 0xd3ee70
pkinit_server_plugin_fini: freeing   context at 0xd2a220


On Fri, Mar 29, 2013 at 12:18 AM, Tom Yu via RT
<rt-comment at krbdev.mit.edu> wrote:
> Please try the patch linked below; I don't have an easy way to test it.
>
> https://github.com/tlyu/krb5/commit/c12dcd46510fb8466586c936dc0c434fe0861473
>

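As an added illustration, not code from MIT krb5 or from the patch linked above: a KDC-side check of client DH parameters that accepts a missing q for a well-known group by deriving it from the group's safe prime, rather than reporting "bad group 2 q dhparameter" as in the log. The prime is the RFC 2409 1024-bit MODP group (Oakley group 2); the function and constant names are assumptions.

```python
# Illustrative DH parameter check (not MIT krb5's pkinit code).
# Only Oakley group 2 (RFC 2409, 1024-bit MODP) is included here.

GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
# Group 2's p is a safe prime, so the order of the generator subgroup is (p-1)/2.
GROUP2_Q = (GROUP2_P - 1) // 2

# group number -> (p, g, q) for the groups the KDC is willing to accept
WELL_KNOWN = {2: (GROUP2_P, GROUP2_G, GROUP2_Q)}


def check_dh_params(p, g, q=None, min_bits=1024):
    """Return (accepted, reason).

    q may be None: some clients send only p and g, and for a well-known
    safe-prime group the KDC can derive q itself instead of rejecting.
    """
    if p.bit_length() < min_bits:
        return False, "p too small"
    for num, (kp, kg, kq) in WELL_KNOWN.items():
        if p != kp:
            continue
        if g != kg:
            return False, "bad group %d g dhparameter" % num
        if q is None:
            q = kq  # missing q: fill in the known subgroup order
        if q != kq:
            return False, "bad group %d q dhparameter" % num
        return True, "well-known group %d" % num
    # Only well-known groups are accepted; anything else is rejected.
    return False, "p is not a well-known group"
```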