
Re: PKINIT



Daniel Kouril wrote:

> Hi all,
> a pre-beta version of the pkinit implementation for Heimdal is enclosed. You
> can have a look at it but remember it's still under development.
> Unfortunately I'm out of my office until end of this week so I assume I'll
> continue in this work (and post a version of the patch) at the end of the
> next week.
>
> regards
>
> --
> Dan
>
>   ------------------------------------------------------------------------
>
>    pkinit.patch    Name: pkinit.patch
>                    Type: Plain Text (text/plain)

I have successfully built and run the KDC with the pre-beta
PKINIT patch.  While getting it to work I found the following
conditions that produce seg faults:

------------------------------------------------------------

1. kinit segmentation fault - 0 length principal's public key certificate

Run kinit using a 0 length file for the principal's public key certificate,
the other files (principal's private key and directory with CA certificates)
are present and good.  Program seg faults calling free_SignedData() in
free_PA_PK_AS_REQ().  Here are some printfs showing sequence of calls:

get_init_creds_common() return = 0
read X509
read X509 end of file
pk_load_config() return = 0
starting krb5_get_in_cred_ext
before init_as_req
init_as_req() check patype
starting pk_mk_padata()
after build_auth_pack()
after encode_auth_pack()
after krb5_data_copy()
pk_create_sign(): starting
pk_create_sign(): 1
pk_create_sign(): 1a
pk_mk_padata(): start end: problem = -1
free_PA_PK_AS_REQ: start
Segmentation fault


2. kinit segmentation fault - no file in directory with CA certificates

Run kinit with no file in directory with CA certificates, other files
(principal's public key certificate and principal's private key) are
present and good.  Program seg faults calling sk_X509_NAME_pop_free() in
free_PA_PK_AS_REQ().  Here are some printfs showing sequence of calls:

get_init_creds_common() return = 0
read X509
read X509
read X509 end of file
pk_load_config() return = 0
starting krb5_get_in_cred_ext
before init_as_req
init_as_req() check patype
starting pk_mk_padata()
after build_auth_pack()
after encode_auth_pack()
after krb5_data_copy()
pk_create_sign(): starting
pk_create_sign(): 1
pk_create_sign(): 2
pk_create_sign(): 3
pk_create_sign(): 4
pk_create_sign(): 5
pk_create_sign(): 6
pk_create_sign(): 7
pk_create_sign(): 8
pk_mk_padata() after pk_create_sign
pk_mk_padata() after trusted certs
pk_mk_padata() after encode_PA
pk_mk_padata(): start end: problem = 0
free_PA_PK_AS_REQ: start
free_PA_PK_AS_REQ: after free_SignedData
free_PA_PK_AS_REQ: before free trusted certifiers
Segmentation fault

3. kinit segmentation fault - receives AS_REPLY without pkinit data

Start the kdc with a 0 length file for the key_file.  Send AS_REQ
using kinit.  KDC receives AS_REQ and sends normal (non-pkinit)
AS_REPLY.  kinit seg faults reading AS_REPLY.

4. kdc segmentation fault - after second AS_REQ

Both kdc and kinit configured correctly to run using pkinit.
No problem on first AS_REQ from kinit - kdc returns TGT in AS_REPLY.
KDC seg faults when it receives a second AS_REQ from kinit.
Seg fault happens in pk_create_sign() in one of these calls:

  sd->signer_info.sid.issuer = X509_NAME_dup(X509_get_issuer_name(user_cert));
  sd->signer_info.sid.serial =
      ASN1_INTEGER_dup(X509_get_serialNumber(user_cert));

--------------------------------------------------------

Christopher