
Re: PKINIT to Windows AD fails about half the time




"Douglas E. Engert" <deengert@anl.gov> writes:

> Love Hörnquist Åstrand wrote:
>
>> Douglas,
>>
>>>Looks like two problems:
>>>
>>>(1) Windows wants the pk_nonce to have the first
>>>bit zero, or it returns the KRB_ERROR 60 with no e-text.
>> It might be us that made it wrong: pk-init-09 says INTEGER, and I assume
>> they secretly meant INTEGER (-2147483648..2147483647). I made it into an
>> INTEGER (0..4294967295) when I wrote the asn1 spec file; that also needs to
>> be tested if that is the real problem.
>
> If you have something, I can try it.

This worked for me when I finally managed to convince my Microsoft CA to give
me the private key.

This is a problem since the k5 asn1 says the nonce is a uint32.

Love



--- lib/krb5/init_creds_pw.c	30 Apr 2005 16:24:00 -0000	1.83
+++ lib/krb5/init_creds_pw.c	1 May 2005 16:46:51 -0000
@@ -1213,6 +1213,7 @@
     /* XXX check if it isn't the that nonce is an unsigned
      * variable so its just a asn1 mismatch */
     ctx->nonce &= 0x7fffffff;
+    ctx->nonce |= 0x80000000;
 #endif
     ctx->pk_nonce = ctx->nonce;
 
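Review bot: the added `ctx->nonce |= 0x80000000;` immediately undoes the `ctx->nonce &= 0x7fffffff;` just above it, so the nonce always ends up with its top bit set; that is fine for forcing the negative-INTEGER encoding this mail is testing against Windows, but it throws away one bit of nonce entropy and must not be committed in this form. For the real fix drop both lines and let the asn1 change carry the value, and update the "XXX check if it isn't the that nonce is an unsigned variable" comment, which this test answers. Also, `ctx->pk_nonce = ctx->nonce;` after the `#endif` assigns an unsigned value with the top bit set; if pk_nonce takes the signed type the asn1 hunks introduce, that out-of-range unsigned-to-signed conversion is implementation-defined in C, so make the intended bit-pattern reinterpretation explicit with a cast or memcpy.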
--- lib/asn1/pkinit.asn1	8 Mar 2005 20:57:01 -0000	1.1.8.13
+++ lib/asn1/pkinit.asn1	1 May 2005 16:50:22 -0000
@@ -103,7 +103,7 @@
 	kdcRealm		[1] Realm,
 	cusec			[2] INTEGER (0..4294967295),
 	ctime			[3] KerberosTime,
-	nonce                   [4] INTEGER (0..4294967295)
+	nonce                   [4] INTEGER (-2147483648..2147483647)
 }
 
 AuthPack-Win2k ::= SEQUENCE {
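Review bot: changing only the `nonce` range presumably changes the C type the asn1 compiler generates for that field from unsigned to signed, while `cusec [2] INTEGER (0..4294967295)` two lines above stays unsigned; record on the nonce line, in a comment, that this deliberately deviates from the draft's bare INTEGER because Windows rejects the five-octet encoding an unsigned INTEGER with the top bit set gets, otherwise the next person reconciling this module with pk-init-09 will revert it.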
@@ -119,7 +119,7 @@
 
 
 KDCDHKeyInfo-Win2k ::= SEQUENCE {
-	nonce			[0] INTEGER (0..4294967295),
+	nonce			[0] INTEGER (-2147483648..2147483647),
 	subjectPublicKey	[2] BIT STRING
 }
 
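Review bot: KDCDHKeyInfo-Win2k is decoded from the KDC's reply, so after this change the nonce comes back as a signed 32-bit value and must be compared with the stored pk_nonce (assigned from the unsigned ctx->nonce in the init_creds_pw.c hunk) at one consistent width and signedness; a nonce with the top bit set, which that test patch now forces, would otherwise never compare equal. The tag gap from `[0]` to `[2]` is pre-existing and not touched here.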

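To make the encoding difference behind this thread concrete, here is an added C example (not Heimdal code and not part of the original mail) that DER-encodes a 32-bit nonce first as the old INTEGER (0..4294967295) and then as the patch's INTEGER (-2147483648..2147483647). A nonce with the top bit set needs five content octets in the unsigned form and four in the signed form; the "at most four content octets" check is an assumption about what a decoder reading the nonce into a 32-bit integer accepts, not something verified against Windows, and the sample nonces are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Heimdal code: a minimal DER INTEGER encoder used to
 * show how one 32-bit nonce is encoded under the two ASN.1 declarations. */

/* Encode v as a DER INTEGER (tag 0x02) with the shortest two's-complement
 * content octets. out needs room for 2 + 8 bytes. Returns bytes written. */
static size_t der_encode_integer(int64_t v, uint8_t *out)
{
    uint8_t buf[8];
    uint64_t u = (uint64_t)v;           /* two's-complement bit pattern */
    size_t start = 0, len, i;

    for (i = 0; i < 8; i++)
        buf[i] = (uint8_t)(u >> (8 * (7 - i)));

    /* DER: drop leading 0x00/0xff octets as long as the sign bit survives. */
    while (start < 7 &&
           ((buf[start] == 0x00 && (buf[start + 1] & 0x80) == 0) ||
            (buf[start] == 0xff && (buf[start + 1] & 0x80) != 0)))
        start++;

    len = 8 - start;
    out[0] = 0x02;
    out[1] = (uint8_t)len;
    memcpy(out + 2, buf + start, len);
    return 2 + len;
}

/* nonce declared INTEGER (0..4294967295): the value is non-negative, so a
 * nonce with the top bit set needs a leading 0x00, i.e. 5 content octets. */
static size_t encode_nonce_unsigned(uint32_t nonce, uint8_t *out)
{
    return der_encode_integer((int64_t)nonce, out);
}

/* nonce declared INTEGER (-2147483648..2147483647): the uint32 bit pattern is
 * reinterpreted as an int32, which is what assigning an unsigned ctx->nonce
 * to a signed field does in practice; the result always fits in 4 octets. */
static size_t encode_nonce_signed(uint32_t nonce, uint8_t *out)
{
    int32_t s;
    memcpy(&s, &nonce, sizeof s);       /* explicit bit-pattern reinterpretation */
    return der_encode_integer((int64_t)s, out);
}

/* Assumed receiver behaviour (not verified against Windows): a decoder that
 * reads the nonce into a 32-bit integer accepts at most 4 content octets. */
static int fits_int32_decoder(const uint8_t *der, size_t len)
{
    return len >= 3 && der[0] == 0x02 && der[1] >= 1 && der[1] <= 4 &&
           len == 2u + der[1];
}

/* Decode a DER INTEGER of up to 8 content octets and return the low 32 bits of
 * its two's-complement value: a receiver taking either form sees the same nonce. */
static int der_decode_nonce32(const uint8_t *der, size_t len, uint32_t *nonce)
{
    uint64_t acc;
    size_t n, i;

    if (len < 3 || der[0] != 0x02)
        return -1;
    n = der[1];
    if (n == 0 || n > 8 || len != 2 + n)
        return -1;
    acc = (der[2] & 0x80) ? ~(uint64_t)0 : 0;   /* sign-extend from first octet */
    for (i = 0; i < n; i++)
        acc = (acc << 8) | der[2 + i];
    *nonce = (uint32_t)acc;
    return 0;
}

static void dump(const char *label, const uint8_t *der, size_t len)
{
    size_t i;
    printf("%-30s", label);
    for (i = 0; i < len; i++)
        printf(" %02x", der[i]);
    printf("  (%s)\n", fits_int32_decoder(der, len) ? "<= 4 content octets"
                                                    : "> 4 content octets");
}

int main(void)
{
    /* Constructed sample nonces: top bit clear, then top bit set. */
    uint32_t samples[] = { 0x12345678u, 0x80000001u };
    uint8_t der[16];
    size_t i, len;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("nonce 0x%08x\n", samples[i]);
        len = encode_nonce_unsigned(samples[i], der);
        dump("  INTEGER (0..4294967295):", der, len);
        len = encode_nonce_signed(samples[i], der);
        dump("  INTEGER (-2^31..2^31-1):", der, len);
    }
    return 0;
}
```

Only nonces with the top bit set differ between the two declarations, which matches the observation that Windows fails roughly half the time: with a uniformly random 32-bit nonce, half of the values get the five-octet unsigned encoding.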