More on pkinit and proxy certificates
Hi all,
I have a problem when using pkinit with a proxy certificate. Using the
normal certificate works fine.
I am using the globus grid-proxy-init to produce the proxy certificate:
root@black:~# grid-proxy-init -out /root/proxycert.pem
This produces a file that has the proxy certificate, the proxy key and
the initial certificate.
Then I execute
root@black:~# /usr/heimdal/bin/kinit -C FILE:/root/proxycert.pem root@GRIDCC.ORG
that returns
kinit: Password incorrect
Looking at the kdc I have:
2007-01-31T01:32:03 AS-REQ root@GRIDCC.ORG from IPv4:147.102.13.3 for
krbtgt/GRIDCC.ORG@GRIDCC.ORG
2007-01-31T01:32:03 Client sent patypes: PK-INIT(ietf)
2007-01-31T01:32:03 Looking for PKINIT pa-data -- root@GRIDCC.ORG
2007-01-31T01:32:03 PKINIT: failed to verify signature: Key usage
missing from CA certificate; Key usage keyCertSign required but missing
from certifiate CN=User Name,OU=org unit ,O=organization,C=GR: 569872
2007-01-31T01:32:03 Failed to decode PKINIT PA-DATA -- root@GRIDCC.ORG
2007-01-31T01:32:03 Looking for ENC-TS pa-data -- root@GRIDCC.ORG
2007-01-31T01:32:03 No preauth found, returning PREAUTH-REQUIRED --
root@GRIDCC.ORG
2007-01-31T01:32:03 sending 380 bytes to IPv4:147.102.13.3
2007-01-31T01:32:03 AS-REQ root@GRIDCC.ORG from IPv4:147.102.13.3 for
krbtgt/GRIDCC.ORG@GRIDCC.ORG
2007-01-31T01:32:03 Client sent patypes: encrypted-timestamp, PK-INIT(ietf)
2007-01-31T01:32:03 Looking for PKINIT pa-data -- root@GRIDCC.ORG
2007-01-31T01:32:03 PKINIT: failed to verify signature: Key usage
missing from CA certificate; Key usage keyCertSign required but missing
from certifiate CN=User Name,OU=org unit ,O=organization,C=GR: 569872
2007-01-31T01:32:03 Failed to decode PKINIT PA-DATA -- root@GRIDCC.ORG
2007-01-31T01:32:03 Looking for ENC-TS pa-data -- root@GRIDCC.ORG
2007-01-31T01:32:03 Failed to decrypt PA-DATA -- root@GRIDCC.ORG
(enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed
2007-01-31T01:32:03 Failed to decrypt PA-DATA -- root@GRIDCC.ORG
2007-01-31T01:32:03 sending 125 bytes to IPv4:147.102.13.3
The failure seems to be associated with the lack of Key usage
keyCertSign for the client certificate. What can be done in order to
solve this?
I have also tested the above procedure by manually changing the proxy
and produced the key to resemble the one in the tests
(lib/hx509/data/pkinit-proxy-chain.crt) and executed the command
root@black:~# /usr/heimdal/bin/kinit -C FILE:/root/proxycert.pem,/root/proxykey.pem root@GRIDCC.ORG
the result was failure again with
kinit: Password incorrect
At the KDC the error was similar to the previous:
PKINIT: failed to verify signature: Key usage missing from CA
certificate; Key usage keyCertSign required but missing from certificate....
--
Sakis
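The KDC's complaint is that the certificate which issued the proxy (the user's own end-entity certificate) has no keyUsage keyCertSign bit, which a verifier treating every issuer as a CA will reject. The script below is an added example, not the poster's setup and not Heimdal or Globus code: it builds a constructed three-level chain (demo CA, user certificate, proxy certificate), writes it out in the same order grid-proxy-init uses (proxy cert, proxy key, user cert), then walks the bundle and reports every issuer that lacks keyCertSign, which is the same condition the log above reports. The `user_can_sign` switch shows the chain the same verifier would accept. It needs the `cryptography` package, leaves out the RFC 3820 ProxyCertInfo extension and signature verification, and all names are made up.

```python
"""Check a PEM bundle for issuers without keyUsage keyCertSign.

Added example (not from the mailing-list post or Heimdal). All certificates
are generated in memory; the names are constructed placeholders.
"""
import datetime

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _cert(subject, issuer_name, issuer_key, pubkey, ca, cert_sign):
    """Sign a certificate; cert_sign controls the keyCertSign/cRLSign bits."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer_name)
               .public_key(pubkey).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(hours=12))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
               .add_extension(x509.KeyUsage(
                   digital_signature=True, content_commitment=False,
                   key_encipherment=True, data_encipherment=False,
                   key_agreement=False, key_cert_sign=cert_sign, crl_sign=cert_sign,
                   encipher_only=False, decipher_only=False), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())


def build_demo_bundle(user_can_sign=False):
    """Return PEM bytes laid out like grid-proxy-init output: proxy cert, proxy key, user cert.

    With the default user_can_sign=False the user certificate is an ordinary
    end-entity certificate, i.e. the situation in the KDC log.
    """
    ca_key, user_key, proxy_key = _key(), _key(), _key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Grid CA")])
    user_name = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "GR"),
                           x509.NameAttribute(NameOID.ORGANIZATION_NAME, "organization"),
                           x509.NameAttribute(NameOID.COMMON_NAME, "User Name")])
    # A proxy subject is the issuer's subject with one extra CN appended (RFC 3820 style).
    proxy_name = x509.Name(list(user_name) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])

    user_cert = _cert(user_name, ca_name, ca_key, user_key.public_key(), ca=False, cert_sign=user_can_sign)
    proxy_cert = _cert(proxy_name, user_name, user_key, proxy_key.public_key(), ca=False, cert_sign=False)

    pem = serialization.Encoding.PEM
    return (proxy_cert.public_bytes(pem)
            + proxy_key.private_bytes(pem, serialization.PrivateFormat.TraditionalOpenSSL,
                                      serialization.NoEncryption())
            + user_cert.public_bytes(pem))


def load_pem_bundle(pem_bytes):
    """Extract every CERTIFICATE block from a bundle, ignoring interleaved keys."""
    certs = []
    for chunk in pem_bytes.split(b"-----END CERTIFICATE-----"):
        start = chunk.find(b"-----BEGIN CERTIFICATE-----")
        if start != -1:
            certs.append(x509.load_pem_x509_certificate(chunk[start:] + b"-----END CERTIFICATE-----\n"))
    return certs


def issuer_problems(certs):
    """Return (subject, issuer) pairs where the issuer in the bundle lacks keyCertSign."""
    by_subject = {c.subject.rfc4514_string(): c for c in certs}
    problems = []
    for cert in certs:
        issuer = by_subject.get(cert.issuer.rfc4514_string())
        if issuer is None or issuer is cert:
            continue  # issuer not in the bundle (e.g. the CA held by the KDC) or self-signed
        try:
            can_sign = issuer.extensions.get_extension_for_class(x509.KeyUsage).value.key_cert_sign
        except x509.ExtensionNotFound:
            can_sign = False  # no keyUsage at all counts as "missing" for a strict verifier
        if not can_sign:
            problems.append((cert.subject.rfc4514_string(), issuer.subject.rfc4514_string()))
    return problems


if __name__ == "__main__":
    for label, flag in (("end-entity user cert", False), ("user cert with keyCertSign", True)):
        found = issuer_problems(load_pem_bundle(build_demo_bundle(user_can_sign=flag)))
        for subject, issuer in found:
            print(f"{label}: {subject} was issued by {issuer}, which lacks keyCertSign")
        if not found:
            print(f"{label}: no issuer in the bundle lacks keyCertSign")
```

Run against a real bundle with `issuer_problems(load_pem_bundle(open("/root/proxycert.pem", "rb").read()))`; the pair it reports identifies which certificate a verifier that insists on keyCertSign will reject, before the KDC does.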