X-CACHECONF in cache type 0504

Greg Hudson ghudson at MIT.EDU
Fri Nov 19 00:52:32 EST 2010

On Thu, 2010-11-18 at 22:18 -0500, Weijun Wang wrote:
> Java 1.6 currently just reads all entries as normal credential cache 
> entries. It fails on the new type of entry when trying to interpret the 
> last 2 fields as ticket and second ticket. For the new entry, the field 
> used to be the ticket is a 3-byte sequence which is not a DER encoding at
> all.

I see.  In hindsight, we perhaps should have made the config entries
preserve the Ticket ASN.1 structure of the ticket field.  But that ship
has sailed.

> What's your suggestion? And how does MIT handle a ccache file?

Our cache code (and krb5_creds structure) treats the ticket and
second_ticket fields as opaque data.  They aren't decoded until
krb5_mk_req() or krb5_make_tgs_request_ext() needs to use them.

If it's necessary to do ASN.1 decoding on any fields of ccache entries
at cache read time, I'd suggest ignoring entries which experience ASN.1
decoding failures, and only erroring out if an entry isn't well-formed
according to the fixed-field cache format.

For the purposes of ignoring config entries in our klist, we recognize
config entries if they match both the realm (X-CACHECONF:) and the first
component of the name (krb5_ccache_conf_data).
