[PKINIT]Invalid response for AS_REQ with win 2003 sever
akshar kanak
I ma trying to perfrom Kerberos PKINIT authnetication with windows
2003 server .the clinet is able to send AS_REQ packet but the server is
responding with KRB5KRB_AP_ERR_MODIFIED .In RFC 4120 i could not find
whether KRB5KRB_AP_ERR_MODIFIED is a proper error response for AS_REQ .
In the MIT 1.6.3 soucre code in file Pkinit_crypto_openssl , in function
cms_signeddata_create()
/* Some tokens can only do RSAEncryption without sha1 hash */
/* to compute sha1WithRSAEncryption, encode the algorithm ID for the
hash
* function and the hash value into an ASN.1 value of type DigestInfo
* DigestInfo::=SEQUENCE {
* digestAlgorithm AlgorithmIdentifier,
* digest OCTET STRING }
*/
Are there any specific cards for which this fix needs to be appiled ?
Thanks in advance
Thanks and Regards
Akshar
Douglas E. Engert
It looks like this is testing if the PKCS11 supports CKM_SHA1_RSA_PKCS
or only CKM_RSA_PKCS. If it does not support CKM_SHA1_RSA_PKCS the digest is
done here in this code and then CKM_RSA_PKCS is use, so it should not
be an issue.
Are you running into this issue with your card?
Do you require some policy where the digest needs to be done on the card?
Does your pkcs11 driver have any debugging tools?
Have you tried using the OpenSC pkcs11-spy to see all the PKCS11 calls?
>
> Thanks in advance
>
> Thanks and Regards
> Akshar
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444