Issue in generating Authenticator Data in AP_REQ

Greg Hudson ghudson at MIT.EDU
Tue Aug 21 12:47:03 EDT 2012


On 08/21/2012 08:22 AM, Sankar Das wrote:
> Still I am facing the same problem i.e. "Decrypt integrity check
> failed". Now I am sending the checksum as part of the authenticator
> data. Is there any way to know what part of my authenticator data is wrong?

That error generally indicates a problem decrypting the EncryptedData
and verifying its integrity, not a problem with the decrypted contents
of the Authenticator.

You haven't said how you're invoking OpenSSL, but I don't believe
OpenSSL has direct support for doing RFC 3961 encryption.  If you are
just doing something like an OpenSSL CBC encryption to populate an
EncryptedData cipher element, that's not going to work.
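An added example, not part of the original message and not MIT krb5 code: what an RFC 3961 EncryptedData cipher contains for aes128-cts-hmac-sha1-96 (RFC 3962), next to the plain CBC step it is built on. The function names are made up for illustration, and it assumes the third-party Python `cryptography` package and AES-128 keys only. The key usage number 11 used for the AP-REQ Authenticator comes from RFC 4120, not from this thread.

```python
import hashlib, hmac, math, os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def nfold(data, nbytes):  # RFC 3961 n-fold: 13-bit rotated copies, end-around carry sum
    bits, x = len(data) * 8, int.from_bytes(data, "big")
    lcm = len(data) * nbytes // math.gcd(len(data), nbytes)
    big = b""
    for i in range(lcm // len(data)):
        r = (13 * i) % bits
        big += (((x >> r) | (x << (bits - r))) & ((1 << bits) - 1)).to_bytes(len(data), "big")
    total = sum(int.from_bytes(big[p:p + nbytes], "big") for p in range(0, lcm, nbytes))
    while total >> (8 * nbytes):
        total = (total & ((1 << (8 * nbytes)) - 1)) + (total >> (8 * nbytes))
    return total.to_bytes(nbytes, "big")

def cbc(key, data, decrypt=False):  # plain AES-CBC, zero IV, no padding
    c = Cipher(algorithms.AES(key), modes.CBC(bytes(16)))
    op = c.decryptor() if decrypt else c.encryptor()
    return op.update(data) + op.finalize()

def dk(key, usage, tag):  # AES-128 derived key: encrypt n-fold(usage || tag) as one block
    return cbc(key, nfold(usage.to_bytes(4, "big") + bytes([tag]), 16))

def cts_encrypt(key, pt):
    full = cbc(key, pt + bytes(-len(pt) % 16))
    swapped = full[:-32] + full[-16:] + full[-32:-16]   # swap the last two blocks
    return full if len(pt) == 16 else swapped[:len(pt)]

def cts_decrypt(key, ct):
    if len(ct) == 16:
        return cbc(key, ct, True)
    d = (len(ct) - 1) % 16 + 1                          # length of the short final block
    head, a, b = ct[:-16 - d], ct[-16 - d:-d], ct[-d:]
    prev = b + cbc(key, a, True)[d:]                    # recover the truncated block
    return cbc(key, head + prev + a, True)[:len(ct)]

def krb_encrypt(key, usage, plaintext):
    body = os.urandom(16) + plaintext                   # confounder || data
    mac = hmac.new(dk(key, usage, 0x55), body, hashlib.sha1).digest()[:12]  # Ki
    return cts_encrypt(dk(key, usage, 0xAA), body) + mac                    # Ke

def krb_decrypt(key, usage, cipher):
    if len(cipher) < 28:
        raise ValueError("cipher too short")
    body = cts_decrypt(dk(key, usage, 0xAA), cipher[:-12])
    mac = hmac.new(dk(key, usage, 0x55), body, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(mac, cipher[-12:]):
        raise ValueError("Decrypt integrity check failed")
    return body[16:]
```

Passing raw `cbc()` output to `krb_decrypt`, or decrypting with a different key usage number, ends in the same "Decrypt integrity check failed" because the truncated HMAC never matches, whatever the Authenticator fields contain.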
