krb5-1.8-beta1 is available
Marcus Watts
mdw at umich.edu
Wed Feb 24 19:16:08 EST 2010
OK. I now have more information on what's going on.
1. What is AD-SIGNEDPATH?
2. sample ticket files
3. decrypted enc_parts
____ 1. What is AD-SIGNEDPATH?
Is there a draft that describes
AD-SIGNEDPATH
?
____ 2. sample ticket files
with 1.7.1, here is a sample ticket file:
==> ,171.ticket-2 <==
Ticket cache: FILE:/tmp/krb5cc_25131
Default principal: mdw at CATS.UMICH.EDU
Valid starting Expires Service principal
02/24/10 18:15:12 02/25/10 04:15:12 rxk5/test at CATS.UMICH.EDU
000000: 5 4 0 c 0 1 0 8 ff ff ff fe 0 0 0 0 ................
000010: 0 0 0 1 0 0 0 1 0 0 0 e 43 41 54 53 ............CATS
000020: 2e 55 4d 49 43 48 2e 45 44 55 0 0 0 3 6d 64 .UMICH.EDU....md
000030: 77 0 0 0 1 0 0 0 1 0 0 0 e 43 41 54 w............CAT
000040: 53 2e 55 4d 49 43 48 2e 45 44 55 0 0 0 3 6d S.UMICH.EDU....m
000050: 64 77 0 0 0 1 0 0 0 2 0 0 0 e 43 41 dw............CA
000060: 54 53 2e 55 4d 49 43 48 2e 45 44 55 0 0 0 4 TS.UMICH.EDU....
000070: 72 78 6b 35 0 0 0 4 74 65 73 74 0 12 0 0 rxk5....test....
000080: 0 20 8e e3 db 56 3c 32 db ab b7 a4 45 c6 84 89 . ...V<2....E...
000090: cf 1c 1 24 46 5c 32 69 7 7a 13 7 7b 3d 33 54 ...$F\2i.z..{=3T
0000a0: fd d5 4b 85 b3 0 4b 85 b3 0 4b 86 3f a0 0 0 ..K...K...K.?...
0000b0: 0 0 0 0 40 0 0 0 0 0 0 0 0 0 0 0 .... at ...........
0000c0: 0 0 fb 61 81 f8 30 81 f5 a0 3 2 1 5 a1 10 ...a..0.........
0000d0: 1b e 43 41 54 53 2e 55 4d 49 43 48 2e 45 44 55 ..CATS.UMICH.EDU
0000e0: a2 17 30 15 a0 3 2 1 1 a1 e 30 c 1b 4 72 ..0........0...r
0000f0: 78 6b 35 1b 4 74 65 73 74 a3 81 c2 30 81 bf a0 xk5..test...0...
000100: 3 2 1 12 a1 3 2 1 3 a2 81 b2 4 81 af c0 ................
000110: 5d 3 4 f8 2b 3c 2b bf 4f 1a 57 89 c0 f5 99 cc ]...+<+.O.W.....
000120: f9 a4 1f 47 69 4a ea f5 d4 45 a9 ff de be 38 d6 ...GiJ...E....8.
000130: fd 46 5c 6d 41 66 ca ff 44 67 8 3c ac 9 1e 99 .F\mAf..Dg.<....
000140: 16 b2 99 f4 a1 5d 45 97 11 12 31 50 1d 46 f6 9f .....]E...1P.F..
000150: b3 80 bf 0 d8 4c 1b 9 73 5a e5 4 c3 9e a0 97 .....L..sZ......
000160: 37 9d 70 3f 9f 69 f2 93 82 8e ef c8 fe 86 25 15 7.p?.i........%.
000170: 6c 12 ad f6 ca 22 64 91 4e b9 93 8f 80 dc b6 ea l...."d.N.......
000180: 4e 49 df 5d 8f be 77 1e 9e e9 70 c7 29 53 a8 d NI.]..w...p.)S..
000190: ec 69 d6 bc b5 fe 8c 4f 73 46 65 40 0 2f af 43 .i.....OsFe at ./.C
0001a0: c1 9 6b 98 df dc 51 a7 bf 64 49 3d 5d 1b d0 79 ..k...Q..dI=]..y
0001b0: 80 3 ec b8 7c 1f 1d e2 b7 a3 25 51 c2 21 0 0 ....|.....%Q.!..
0001c0: 0 0 ..
0001c2:
Here's a 1.8-beta1 sample ticket file:
==> ,18b1.ticket-2 <==
Ticket cache: FILE:/tmp/krb5cc_25131
Default principal: mdw at CATS.UMICH.EDU
Valid starting Expires Service principal
02/24/10 18:40:33 02/25/10 04:40:33 rxk5/test at CATS.UMICH.EDU
000000: 5 4 0 c 0 1 0 8 ff ff ff fd 0 0 0 0 ................
000010: 0 0 0 1 0 0 0 1 0 0 0 e 43 41 54 53 ............CATS
000020: 2e 55 4d 49 43 48 2e 45 44 55 0 0 0 3 6d 64 .UMICH.EDU....md
000030: 77 0 0 0 1 0 0 0 1 0 0 0 e 43 41 54 w............CAT
000040: 53 2e 55 4d 49 43 48 2e 45 44 55 0 0 0 3 6d S.UMICH.EDU....m
000050: 64 77 0 0 0 1 0 0 0 2 0 0 0 e 43 41 dw............CA
000060: 54 53 2e 55 4d 49 43 48 2e 45 44 55 0 0 0 4 TS.UMICH.EDU....
000070: 72 78 6b 35 0 0 0 4 74 65 73 74 0 12 0 0 rxk5....test....
000080: 0 20 80 8b 9f 76 90 f1 c5 85 2b d8 ff 9 f2 a6 . ...v....+.....
000090: 1 60 b9 45 d7 7e 55 3 9b bf 5c b3 47 a0 53 c1 .`.E.~U...\.G.S.
0000a0: e6 6d 4b 85 b8 f1 4b 85 b8 f1 4b 86 45 91 0 0 .mK...K...K.E...
0000b0: 0 0 0 0 41 0 0 0 0 0 0 0 0 0 0 0 ....A...........
0000c0: 0 1 3a 61 82 1 36 30 82 1 32 a0 3 2 1 5 ..:a..60..2.....
0000d0: a1 10 1b e 43 41 54 53 2e 55 4d 49 43 48 2e 45 ....CATS.UMICH.E
0000e0: 44 55 a2 17 30 15 a0 3 2 1 1 a1 e 30 c 1b DU..0........0..
0000f0: 4 72 78 6b 35 1b 4 74 65 73 74 a3 81 ff 30 81 .rxk5..test...0.
000100: fc a0 3 2 1 12 a1 3 2 1 3 a2 81 ef 4 81 ................
000110: ec 67 be 8c 2b c1 20 f6 3b 76 fc c7 7d e3 f6 16 .g..+. .;v..}...
000120: 2e 22 47 e4 ab b5 1c a6 6d a1 1c 24 b 51 ec 91 ."G.....m..$.Q..
000130: c2 6e 60 3b a2 ff 8b 8d f6 2a ce 8 8f de 63 7e .n`;.....*....c~
000140: 48 bc 49 40 b3 45 fe 95 f8 75 e2 8a a8 14 1b bb H.I at .E...u......
000150: 4 2f 13 c3 59 3f 8a 7 3e 72 5f 48 b3 a6 ec ed ./..Y?..>r_H....
000160: 23 fa dd b2 2a cf 4c 1e bf 7f d1 d7 2b e b5 a4 #...*.L.....+...
000170: 5f 50 48 44 1 71 e0 9d 5a 90 bd 88 4f 6 f1 0 _PHD.q..Z...O...
000180: 3c 4a ce d4 13 b4 d9 38 ef bb e6 eb 1c 4e e7 f7 <J.....8.....N..
000190: a cd 9c dc d8 1b b2 e0 bc ab a8 9a de 39 42 cf .............9B.
0001a0: 6f 33 36 eb dd 4b d4 8f f9 40 b1 6d 67 1d e0 b5 o36..K... at .mg...
0001b0: 21 97 46 c3 ee e d3 74 36 b8 e2 2f c 71 c7 14 !.F....t6../.q..
0001c0: 33 a8 73 21 b7 c8 e 1d c8 1c 17 a9 39 eb 21 e7 3.s!........9.!.
0001d0: 4c bb 1c 76 44 37 d9 fe 40 4d 53 d4 e3 88 46 de L..vD7.. at MS...F.
0001e0: 42 6 7c 45 e9 47 b1 7c d9 61 3a 53 d7 53 7c e7 B.|E.G.|.a:S.S|.
0001f0: 69 a 72 f2 fe 91 dd d8 5d d c4 67 f6 0 0 0 i.r.....]..g....
000200: 0 .
000201:
Definitely different lengths.
Note: these ticket files are probably not the same as the ones I used
to trace the actual code (session keys and such will differ).
____ 3. decrypted enc_parts
Code fails doing an asn.1 decode of "enc_part" -> "enc_part2".
asn.1 decode from decode_krb5_enc_tkt_part.
First the successful run (with 1.7.1)
Here's the decrypted enc_part:
000000: 63 81 90 30 81 8d a0 7 3 5 0 0 40 0 0 a1 c..0........ at ...
000010: 2b 30 29 a0 3 2 1 12 a1 22 4 20 8e e3 db 56 +0)......". ...V
000020: 3c 32 db ab b7 a4 45 c6 84 89 cf 1c 1 24 46 5c <2....E......$F\
000030: 32 69 7 7a 13 7 7b 3d 33 54 fd d5 a2 10 1b e 2i.z..{=3T......
000040: 43 41 54 53 2e 55 4d 49 43 48 2e 45 44 55 a3 10 CATS.UMICH.EDU..
000050: 30 e a0 3 2 1 1 a1 7 30 5 1b 3 6d 64 77 0........0...mdw
000060: a4 b 30 9 a0 3 2 1 1 a1 2 4 0 a5 11 18 ..0.............
000070: f 32 30 31 30 30 32 32 34 32 33 31 35 31 32 5a .20100224231512Z
000080: a7 11 18 f 32 30 31 30 30 32 32 35 30 39 31 35 ....201002250915
000090: 31 32 5a 12Z
000093:
(length = 147).
Here's asn1parse of that,
galois$ openssl asn1parse -inform der -offset 0 -i -in good1.data
0:d=0 hl=3 l= 144 cons: appl [ 3 ]
3:d=1 hl=3 l= 141 cons: SEQUENCE
6:d=2 hl=2 l= 7 cons: cont [ 0 ]
8:d=3 hl=2 l= 5 prim: BIT STRING
15:d=2 hl=2 l= 43 cons: cont [ 1 ]
17:d=3 hl=2 l= 41 cons: SEQUENCE
19:d=4 hl=2 l= 3 cons: cont [ 0 ]
21:d=5 hl=2 l= 1 prim: INTEGER :12
24:d=4 hl=2 l= 34 cons: cont [ 1 ]
26:d=5 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:8EE3DB563C32DBABB7A445C68489CF1C0124465C3269077A13077B3D3354FDD5
60:d=2 hl=2 l= 16 cons: cont [ 2 ]
62:d=3 hl=2 l= 14 prim: GENERALSTRING
78:d=2 hl=2 l= 16 cons: cont [ 3 ]
80:d=3 hl=2 l= 14 cons: SEQUENCE
82:d=4 hl=2 l= 3 cons: cont [ 0 ]
84:d=5 hl=2 l= 1 prim: INTEGER :01
87:d=4 hl=2 l= 7 cons: cont [ 1 ]
89:d=5 hl=2 l= 5 cons: SEQUENCE
91:d=6 hl=2 l= 3 prim: GENERALSTRING
96:d=2 hl=2 l= 11 cons: cont [ 4 ]
98:d=3 hl=2 l= 9 cons: SEQUENCE
100:d=4 hl=2 l= 3 cons: cont [ 0 ]
102:d=5 hl=2 l= 1 prim: INTEGER :01
105:d=4 hl=2 l= 2 cons: cont [ 1 ]
107:d=5 hl=2 l= 0 prim: OCTET STRING
109:d=2 hl=2 l= 17 cons: cont [ 5 ]
111:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :20100224231512Z
128:d=2 hl=2 l= 17 cons: cont [ 7 ]
130:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :20100225091512Z
Now the failed run,
Here's the decrypted enc_part:
000000: 63 81 cd 30 81 ca a0 7 3 5 0 0 41 0 0 a1 c..0........A...
000010: 2b 30 29 a0 3 2 1 12 a1 22 4 20 40 3d 5 f3 +0)......". @=..
000020: ed c3 bd 9f 19 e7 77 74 f9 ac e4 1a 67 ea 21 e1 ......wt....g.!.
000030: 53 39 29 5b df bd 72 7a 27 4 a ca a2 10 1b e S9)[..rz'.......
000040: 43 41 54 53 2e 55 4d 49 43 48 2e 45 44 55 a3 10 CATS.UMICH.EDU..
000050: 30 e a0 3 2 1 1 a1 7 30 5 1b 3 6d 64 77 0........0...mdw
000060: a4 b 30 9 a0 3 2 1 1 a1 2 4 0 a5 11 18 ..0.............
000070: f 32 30 31 30 30 32 32 34 32 30 33 34 30 30 5a .20100224203400Z
000080: a7 11 18 f 32 30 31 30 30 32 32 35 30 36 33 34 ....201002250634
000090: 30 30 5a aa 3b 30 39 30 37 a0 3 2 1 1 a1 30 00Z.;0907......0
0000a0: 4 2e 30 2c 30 2a a0 4 2 2 0 8e a1 22 4 20 ..0,0*.......".
0000b0: 30 1e a0 3 2 1 12 a1 17 30 15 a0 3 2 1 10 0........0......
0000c0: a1 e 4 c 93 5 ad 25 4a ed 6c a e3 18 39 3e .......%J.l...9>
0000d0:
(length = 208).
Here's asn1parse of that,
galois$ openssl asn1parse -inform der -offset 0 -i -in bad1.data
0:d=0 hl=3 l= 205 cons: appl [ 3 ]
3:d=1 hl=3 l= 202 cons: SEQUENCE
6:d=2 hl=2 l= 7 cons: cont [ 0 ]
8:d=3 hl=2 l= 5 prim: BIT STRING
15:d=2 hl=2 l= 43 cons: cont [ 1 ]
17:d=3 hl=2 l= 41 cons: SEQUENCE
19:d=4 hl=2 l= 3 cons: cont [ 0 ]
21:d=5 hl=2 l= 1 prim: INTEGER :12
24:d=4 hl=2 l= 34 cons: cont [ 1 ]
26:d=5 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:403D05F3EDC3BD9F19E77774F9ACE41A67EA21E15339295BDFBD727A27040ACA
60:d=2 hl=2 l= 16 cons: cont [ 2 ]
62:d=3 hl=2 l= 14 prim: GENERALSTRING
78:d=2 hl=2 l= 16 cons: cont [ 3 ]
80:d=3 hl=2 l= 14 cons: SEQUENCE
82:d=4 hl=2 l= 3 cons: cont [ 0 ]
84:d=5 hl=2 l= 1 prim: INTEGER :01
87:d=4 hl=2 l= 7 cons: cont [ 1 ]
89:d=5 hl=2 l= 5 cons: SEQUENCE
91:d=6 hl=2 l= 3 prim: GENERALSTRING
96:d=2 hl=2 l= 11 cons: cont [ 4 ]
98:d=3 hl=2 l= 9 cons: SEQUENCE
100:d=4 hl=2 l= 3 cons: cont [ 0 ]
102:d=5 hl=2 l= 1 prim: INTEGER :01
105:d=4 hl=2 l= 2 cons: cont [ 1 ]
107:d=5 hl=2 l= 0 prim: OCTET STRING
109:d=2 hl=2 l= 17 cons: cont [ 5 ]
111:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :20100224203400Z
128:d=2 hl=2 l= 17 cons: cont [ 7 ]
130:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :20100225063400Z
147:d=2 hl=2 l= 59 cons: cont [ 10 ]
149:d=3 hl=2 l= 57 cons: SEQUENCE
151:d=4 hl=2 l= 55 cons: SEQUENCE
153:d=5 hl=2 l= 3 cons: cont [ 0 ]
155:d=6 hl=2 l= 1 prim: INTEGER :01
158:d=5 hl=2 l= 48 cons: cont [ 1 ]
160:d=6 hl=2 l= 46 prim: OCTET STRING [HEX DUMP]:302C302AA0040202008EA1220420301EA003020112A1173015A003020110A10E040C9305AD254AED6C0AE318393E
galois$ openssl asn1parse -inform der -offset 162 -i -in bad1.data
0:d=0 hl=2 l= 44 cons: SEQUENCE
2:d=1 hl=2 l= 42 cons: SEQUENCE
4:d=2 hl=2 l= 4 cons: cont [ 0 ]
6:d=3 hl=2 l= 2 prim: INTEGER :8E
10:d=2 hl=2 l= 34 cons: cont [ 1 ]
12:d=3 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:301EA003020112A1173015A003020110A10E040C9305AD254AED6C0AE318393E
galois$ openssl asn1parse -inform der -offset 176 -i -in bad1.data
0:d=0 hl=2 l= 30 cons: SEQUENCE
2:d=1 hl=2 l= 3 cons: cont [ 0 ]
4:d=2 hl=2 l= 1 prim: INTEGER :12
7:d=1 hl=2 l= 23 cons: cont [ 1 ]
9:d=2 hl=2 l= 21 cons: SEQUENCE
11:d=3 hl=2 l= 3 cons: cont [ 0 ]
13:d=4 hl=2 l= 1 prim: INTEGER :10
16:d=3 hl=2 l= 14 cons: cont [ 1 ]
18:d=4 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:9305AD254AED6C0AE318393E
galois$
It's possible I'm doing something wrong while decoding what should become
ticket->enc_part2->authorization_data
I'll look at my logic more carefully this evening. I don't see anything
above that looks immediately obviously wrong to me. I assume the last
few decoded bits are AD-SIGNEDPATH...?
-Marcus Watts
More information about the krbdev
mailing list